pcre Example Keyword Values
The following examples show values that you could enter for pcre, with descriptions of what each example would match.
- /feedback[(\d{0,1})]?\.cgi/U

  This example searches packet payload for feedback, followed by zero or one numeric character, followed by .cgi, and located only in URI data.

  This example would match:
  - feedback.cgi
  - feedback1.cgi
  - feedback2.cgi
  - feedback3.cgi

  This example would not match:
  - feedbacka.cgi
  - feedback11.cgi
  - feedback21.cgi
  - feedbackzb.cgi
- /^ez(\w{3,5})\.cgi/iU

  This example searches packet payload for ez at the beginning of a string, followed by a word of 3 to 5 letters, followed by .cgi. The search is case-insensitive and only searches URI data.

  This example would match:
  - EZBoard.cgi
  - ezman.cgi
  - ezadmin.cgi
  - EZAdmin.cgi

  This example would not match:
  - ezez.cgi
  - fez.cgi
  - abcezboard.cgi
  - ezboardman.cgi
- /mail(file|seek)\.cgi/U

  This example searches packet payload for mail, followed by either file or seek, in URI data.

  This example would match:
  - mailfile.cgi
  - mailseek.cgi

  This example would not match:
  - MailFile.cgi
  - mailfilefile.cgi
- m?http\\x3a\x2f\x2f.*(\n|\t)+?U

  This example searches URI content in the packet payload for a tab or newline character in an HTTP request, after any number of characters. This example uses m?regex? to avoid using http\:\/\/ in the expression. Note that the colon is preceded by a backslash.

  This example would match:
  - http://www.example.com?scriptvar=x&othervar=\n\..\..
  - http://www.example.com?scriptvar=\t

  This example would not match:
  - ftp://ftp.example.com?scriptvar=&othervar=\n\..\..
  - http://www.example.com?scriptvar=|/bin/sh -i|
- m?http\\x3a\x2f\x2f.*=\|.*\|+?sU

  This example searches packet payload for a URL with any number of characters, including newlines, followed by an equal sign, and pipe characters that contain any number of characters or white space. This example uses m?regex? to avoid using http\:\/\/ in the expression.

  This example would match:
  - http://www.example.com?value=|/bin/sh/ -i|
  - http://www.example.com?input=|cat /etc/passwd|

  This example would not match:
  - ftp://ftp.example.com?value=|/bin/sh/ -i|
  - http://www.example.com?value=x&input?|cat /etc/passwd|
- /[0-9a-f]{2}\:[0-9a-f]{2}\:[0-9a-f]{2}\:[0-9a-f]{2}\:[0-9a-f]{2}\:[0-9a-f]{2}/i

  This example searches packet payload for any MAC address. Note that it escapes the colon characters with backslashes.
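A way to check a pcre value against its expected matches before deploying a rule, as an added example that is not part of the original documentation. It assumes Python's re module as a stand-in for the PCRE engine, handles only the /regex/modifiers form (not m?regex?), and the helper names parse_pcre, matches and check_all are hypothetical.

```python
import re

# PCRE modifiers that Python's re module implements with the same meaning.
PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}

def parse_pcre(value):
    """Split a '/regex/modifiers' value into (compiled regex, uri_only)."""
    if not value.startswith("/") or value.count("/") < 2:
        raise ValueError("expected /regex/modifiers, got %r" % value)
    body, _, modifiers = value[1:].rpartition("/")
    flags, uri_only = 0, False
    for m in modifiers:
        if m == "U":                  # per the page: search URI data only
            uri_only = True
        elif m in PCRE_FLAGS:
            flags |= PCRE_FLAGS[m]
        else:
            raise ValueError("modifier %r is not handled by this example" % m)
    return re.compile(body, flags), uri_only

def matches(value, uri=None, payload=None):
    """True if the pattern is found in the buffer its modifiers select."""
    regex, uri_only = parse_pcre(value)
    data = uri if uri_only else payload
    return data is not None and regex.search(data) is not None

# Patterns and expected results copied from the examples above.
CASES = {
    r"/feedback[(\d{0,1})]?\.cgi/U": (
        ["feedback.cgi", "feedback1.cgi", "feedback2.cgi", "feedback3.cgi"],
        ["feedbacka.cgi", "feedback11.cgi", "feedback21.cgi", "feedbackzb.cgi"]),
    r"/^ez(\w{3,5})\.cgi/iU": (
        ["EZBoard.cgi", "ezman.cgi", "ezadmin.cgi", "EZAdmin.cgi"],
        ["ezez.cgi", "fez.cgi", "abcezboard.cgi", "ezboardman.cgi"]),
    r"/mail(file|seek)\.cgi/U": (
        ["mailfile.cgi", "mailseek.cgi"],
        ["MailFile.cgi", "mailfilefile.cgi"]),
}

def check_all():
    """Return (pattern, uri, expected) for every case that disagrees."""
    bad = []
    for value, (hits, misses) in CASES.items():
        bad += [(value, u, True) for u in hits if not matches(value, uri=u)]
        bad += [(value, u, False) for u in misses if matches(value, uri=u)]
    return bad

if __name__ == "__main__":
    print(check_all() or "all listed examples behave as documented")
```

Because the square brackets in the first pattern form a character class, a check like this also shows it accepting inputs outside the listed ones, such as feedback(.cgi, which is worth knowing when adapting the pattern.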