
uni
Mar 27, 2006

Question mark in regex

I have the following rule, which I've just moved over from a 4.5 system to 9.1.1:


rule JTS_olgc-prod_http_10 {
   when HTTP_REQUEST {
        if {    [HTTP::host] == "xxx.com.au"
            and ( [matchclass [HTTP::uri] ends_with $::JTS_FileTyp]
                or [matchclass [HTTP::uri] equals $::JTS_AbsoluteURI]
                or [HTTP::uri] starts_with "/images/"
                or [HTTP::uri] matches_regex "^/default\.asp\?(action|menu|page|text_only)="
                or [HTTP::uri] matches_regex "^/(general|gaming|pdf|calendar.html).*"
                or [HTTP::uri] matches_regex "^/(splash|src/js)/.*\.js$" ) } {
        }
        else {
            log local2.notice "Denied: Source: [HTTP::header value X-Forwarded-For] Method: [HTTP::method] Host: [HTTP::host] URI: [HTTP::uri]"
            use pool jts-utility-pool
        }
    }
}

I am having problems with the line


or [HTTP::uri] matches_regex "^/default\.asp\?(action|menu|page|text_only)="

The expression will not match the question mark (?), whether I precede it with an escape \ or not. In the end I have replaced it with a dot (.).

An example of a URI which I thought should match, but doesn't, is

/default.asp?page=casino.casino.htm&menu=casino

Is there a special meaning for the question mark in v9?

5 Replies

  • Colin_Walker_12
    Historic F5 Account
    There shouldn't be anything preventing this usage that I know of. I'll try to reproduce and examine the results.

    -Colin
  • Deb_Allen_18
    Historic F5 Account
    I had to enclose the regex expression in {} and save as a variable, then reference that for a regsub I was working on for URI re-writes. You might try a similar approach:
      set orig_string {/portal/.+\?}
      set new_string "&ID=$ID\\&"
      regsub -all $orig_string $payload $new_string payload

    HTH

    /deb
  • uni
    Enclosing the character in square brackets works too...

    $uri matches_regex ".*/.*\.(JSP)\[?\]"
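
What the regex engine actually receives for each spelling discussed in this thread, as an added example in plain Tcl (not code from any poster). It assumes `regexp` in tclsh behaves like `matches_regex` in an iRule; the second URI and the labels are constructed for illustration.

```tcl
# Added example, not from the thread. Assumes tclsh's regexp behaves like
# the iRule matches_regex operator (both use the Tcl regex engine).
set wanted   "/default.asp?page=casino.casino.htm&menu=casino" ;# URI from the question
set unwanted "/defaultXaspage=1"                               ;# constructed URI

# One pattern, four spellings. Inside double quotes Tcl applies backslash
# substitution before the regex engine sees the string; inside braces it
# applies none, so the pattern arrives exactly as typed.
set forms [list \
    quoted-single-backslash "^/default\.asp\?(action|menu|page|text_only)=" \
    braced                  {^/default\.asp\?(action|menu|page|text_only)=} \
    quoted-double-backslash "^/default\\.asp\\?(action|menu|page|text_only)=" \
    quoted-bracket-class    "^/default\\.asp\[?\](action|menu|page|text_only)=" ]

# Print the post-substitution pattern and whether each URI matches it.
foreach {label re} $forms {
    puts $label
    puts "    engine receives : $re"
    puts "    wanted matches  : [regexp -- $re $wanted]"
    puts "    unwanted matches: [regexp -- $re $unwanted]"
}
```

Only the first spelling fails on the URI from the question, and it is also the only one that accepts the constructed URI, because the engine sees `.` as any character and `p?` as an optional `p`. In an allowlist rule like the one above, that means the pattern both rejects the intended request and admits requests it was not written for.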