Network World
Saturday, November 22, 2008

Author Expert: Brandon Carroll


Testing Regular Expressions

When using the Modular Policy Framework (MPF), you can use regular expressions to add functionality. You see this in application policies that let you filter file names and such. I came up with the idea for this post after I read a post on Lifehacker that talked about a website that can test regular expressions. That site is here.

I thought I'd show how to test regular expressions on an ASA using the CLI. Here it goes.

Let's say you want to match a file name, something like reallybad.jpg. You could write a regular expression like this:

"reallybad.jpg"

That would work, but that's the only file name that could be matched. You could make it broader with some special regular expression characters. For example:

".+\.jpg" could match any jpeg. Here is how it works:

The . means that you want to match a single character. It doesn't matter what it is, just that there is a character there. The + means that you want to match one or more of the preceding character. So .+ would match any number of characters as long as there is at least 1 character. Therefore "r" would match the expression .+ and so would "reallybad".

The \ character tells the regular expression system that the very next character doesn't have any special meaning, and that we just want to look for the character itself. So in the above regular expression, ".+\." means we are looking for any number of characters followed by a ".".

Therefore "reallybad." would match and so would "reallygood." and "r."

The rest of the regular expression matches the extension jpg.

This is not something most of us do every day, so if you need to learn more about regular expressions, you can look at the Cisco documentation for the ASA in the MPF chapter.

But now to the testing part, which is really what this post is about. From the CLI you can test a regex before you implement it like this:

First test reallybad.jpg against our regular expression:

asa1(config)# test regex reallybad.jpg ".+\.jpg"

INFO: Regular expression match succeeded.

As you can tell it was a success. Next test the reallygood.jpg:

asa1(config)# test regex reallygood.jpg ".+\.jpg"

INFO: Regular expression match succeeded.

Again we have a match. Now for just the letter "r" .jpg:

asa1(config)# test regex r.jpg ".+\.jpg"

INFO: Regular expression match succeeded.

Good to go. And finally, let's test a .gif:

asa1(config)# test regex reallybad.gif ".+\.jpg"

INFO: Regular expression match failed.

asa1(config)#

As we can see, it did not work!

Well I hope this helps. Thanks for reading.

regex dictionaries for MPF


MPF is an awesome piece of technology that really starts showing its power when fed with regular expression dictionaries. The dictionary below enables the administrator to monitor or control a number of image file types as they pass through the firewall.


!
! Cisco ASA 5500 Series
! Regular Expression Dictionary: Image File types
!
! Matt Dreyer
! July 23, 2007
!
regex _ADRG ".+\.[Aa][Dd][Rr][Gg]"
regex _ADRI ".+\.[Aa][Dd][Rr][Ii]"
regex _AGP ".+\.[Aa][Gg][Pp]"
regex _AI ".+\.[Aa][Ii]"
regex _AI3 ".+\.[Aa][Ii][33]"
regex _AI4 ".+\.[Aa][Ii][44]"
regex _AI5 ".+\.[Aa][Ii][55]"
regex _AI6 ".+\.[Aa][Ii][66]"
regex _AI7 ".+\.[Aa][Ii][77]"
regex _AI8 ".+\.[Aa][Ii][88]"
regex _ART ".+\.[Aa][Rr][Tt]"
regex _BMP ".+\.[Bb][Mm][Pp]"
regex _BW ".+\.[Bb][Ww]"
regex _CADRG ".+\.[Cc][Aa][Dd][Rr][Gg]"
regex _CDR ".+\.[Cc][Dd][Rr]"
regex _CGM ".+\.[Cc][Gg][Mm]"
regex _CIN ".+\.[Cc][Ii][Nn]"
regex _CPI ".+\.[Cc][Pp][Ii]"
regex _CPT ".+\.[Cc][Pp][Tt]"
regex _CRW ".+\.[Cc][Rr][Ww]"
regex _DCR ".+\.[Dd][Cc][Rr]"
regex _DIB ".+\.[Dd][Ii][Bb]"
regex _DPX ".+\.[Dd][Pp][Xx]"
regex _DXF ".+\.[Dd][Xx][Ff]"
regex _EMF ".+\.[Ee][Mm][Ff]"
regex _EPS ".+\.[Ee][Pp][Ss]"
regex _EXR ".+\.[Ee][Xx][Rr]"
regex _FH ".+\.[Ff][Hh]"
regex _FLA ".+\.[Ff][Ll][Aa]"
regex _FLC ".+\.[Ff][Ll][Cc]"
regex _FLI ".+\.[Ff][Ll][Ii]"
regex _FLM ".+\.[Ff][Ll][Mm]"
regex _FPX ".+\.[Ff][Pp][Xx]"
regex _GIF ".+\.[Gg][Ii][Ff]"
regex _ICB ".+\.[Ii][Cc][Bb]"
regex _IFF ".+\.[Ii][Ff][Ff]"
regex _IGS ".+\.[Ii][Gg][Ss]"
regex _ILBM ".+\.[Ii][Ll][Bb][Mm]"
regex _INT ".+\.[Ii][Nn][Tt]"
regex _INTA ".+\.[Ii][Nn][Tt][Aa]"
regex _JP2 ".+\.[Jj][Pp][22]"
regex _JPE ".+\.[Jj][Pp][Ee]"
regex _JPEG ".+\.[Jj][Pp][Ee][Gg]"
regex _JPG ".+\.[Jj][Pp][Gg]"
regex _JPG2 ".+\.[Jj][Pp][Gg][22]"
regex _MNG ".+\.[Mm][Nn][Gg]"
regex _MRW ".+\.[Mm][Rr][Ww]"
regex _MYD ".+\.[Mm][Yy][Dd]"
regex _MYV ".+\.[Mm][Yy][Vv]"
regex _NEF ".+\.[Nn][Ee][Ff]"
regex _ODG ".+\.[Oo][Dd][Gg]"
regex _ORF ".+\.[Oo][Rr][Ff]"
regex _PBM ".+\.[Pp][Bb][Mm]"
regex _PCD ".+\.[Pp][Cc][Dd]"
regex _PCF ".+\.[Pp][Cc][Ff]"
regex _PCT ".+\.[Pp][Cc][Tt]"
regex _PCX ".+\.[Pp][Cc][Xx]"
regex _PDF ".+\.[Pp][Dd][Ff]"
regex _PDP ".+\.[Pp][Dd][Pp]"
regex _PGM ".+\.[Pp][Gg][Mm]"
regex _PIC ".+\.[Pp][Ii][Cc]"
regex _PICT ".+\.[Pp][Ii][Cc][Tt]"
regex _PNG ".+\.[Pp][Nn][Gg]"
regex _PPD ".+\.[Pp][Pp][Dd]"
regex _PPM ".+\.[Pp][Pp][Mm]"
regex _PS ".+\.[Pp][Ss]"
regex _PSD ".+\.[Pp][Ss][Dd]"
regex _PSP ".+\.[Pp][Ss][Pp]"
regex _PX ".+\.[Pp][Xx]"
regex _PXR ".+\.[Pp][Xx][Rr]"
regex _RAF ".+\.[Rr][Aa][Ff]"
regex _RAW ".+\.[Rr][Aa][Ww]"
regex _RGB ".+\.[Rr][Gg][Bb]"
regex _RGBA ".+\.[Rr][Gg][Bb][Aa]"
regex _RLE ".+\.[Rr][Ll][Ee]"
regex _SCT ".+\.[Ss][Cc][Tt]"
regex _SGI ".+\.[Ss][Gg][Ii]"
regex _SVG ".+\.[Ss][Vv][Gg]"
regex _SVGZ ".+\.[Ss][Vv][Gg][Zz]"
regex _SWF ".+\.[Ss][Ww][Ff]"
regex _SXD ".+\.[Ss][Xx][Dd]"
regex _TGA ".+\.[Tt][Gg][Aa]"
regex _TIF ".+\.[Tt][Ii][Ff]"
regex _TIFF ".+\.[Tt][Ii][Ff][Ff]"
regex _UFO ".+\.[Uu][Ff][Oo]"
regex _VDA ".+\.[Vv][Dd][Aa]"
regex _VST ".+\.[Vv][Ss][Tt]"
regex _WBM ".+\.[Ww][Bb][Mm]"
regex _WBMP ".+\.[Ww][Bb][Mm][Pp]"
regex _WMF ".+\.[Ww][Mm][Ff]"
regex _XAML ".+\.[Xx][Aa][Mm][Ll]"
regex _XAR ".+\.[Xx][Aa][Rr]"
regex _XBM ".+\.[Xx][Bb][Mm]"
regex _XCF ".+\.[Xx][Cc][Ff]"
regex _XPM ".+\.[Xx][Pp][Mm]"
!
class-map type regex match-any ImageFileTypes
match regex _ADRG
match regex _ADRI
match regex _AGP
match regex _AI
match regex _AI3
match regex _AI4
match regex _AI5
match regex _AI6
match regex _AI7
match regex _AI8
match regex _ART
match regex _BMP
match regex _BW
match regex _CADRG
match regex _CDR
match regex _CGM
match regex _CIN
match regex _CPI
match regex _CPT
match regex _CRW
match regex _DCR
match regex _DIB
match regex _DPX
match regex _DXF
match regex _EMF
match regex _EPS
match regex _EXR
match regex _FH
match regex _FLA
match regex _FLC
match regex _FLI
match regex _FLM
match regex _FPX
match regex _GIF
match regex _ICB
match regex _IFF
match regex _IGS
match regex _ILBM
match regex _INT
match regex _INTA
match regex _JP2
match regex _JPE
match regex _JPEG
match regex _JPG
match regex _JPG2
match regex _MNG
match regex _MRW
match regex _MYD
match regex _MYV
match regex _NEF
match regex _ODG
match regex _ORF
match regex _PBM
match regex _PCD
match regex _PCF
match regex _PCT
match regex _PCX
match regex _PDF
match regex _PDP
match regex _PGM
match regex _PIC
match regex _PICT
match regex _PNG
match regex _PPD
match regex _PPM
match regex _PS
match regex _PSD
match regex _PSP
match regex _PX
match regex _PXR
match regex _RAF
match regex _RAW
match regex _RGB
match regex _RGBA
match regex _RLE
match regex _SCT
match regex _SGI
match regex _SVG
match regex _SVGZ
match regex _SWF
match regex _SXD
match regex _TGA
match regex _TIF
match regex _TIFF
match regex _UFO
match regex _VDA
match regex _VST
match regex _WBM
match regex _WBMP
match regex _WMF
match regex _XAML
match regex _XAR
match regex _XBM
match regex _XCF
match regex _XPM
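
An offline batch version of the `test regex` runs from the post, applied to a few entries of the dictionary above. This is an added example, not code from the post or from the commenters. It assumes that Python's `re.search` stands in for the ASA regex engine on these simple patterns and that the ASA reports success when the pattern matches anywhere in the input; `POST_JPG` is a hypothetical name for the post's pattern, and the file names are constructed.

```python
import re

# Constructed sample: the post's pattern (POST_JPG is a hypothetical name)
# plus a few entries copied from the dictionary above.
SAMPLE_CONFIG = r'''
!
regex POST_JPG ".+\.jpg"
regex _JPG ".+\.[Jj][Pp][Gg]"
regex _AI ".+\.[Aa][Ii]"
regex _AI3 ".+\.[Aa][Ii][33]"
regex _PS ".+\.[Pp][Ss]"
regex _PSD ".+\.[Pp][Ss][Dd]"
'''

REGEX_LINE = re.compile(r'^regex\s+(\S+)\s+"(.*)"\s*$')


def parse_regex_lines(config):
    """Return {name: compiled pattern} for every `regex NAME "pattern"` line."""
    entries = {}
    for line in config.splitlines():
        m = REGEX_LINE.match(line.strip())
        if m:  # "!" comment lines and class-map lines are skipped
            entries[m.group(1)] = re.compile(m.group(2))
    return entries


def asa_test_regex(text, pattern):
    """Emulate `test regex`: succeed if the pattern matches anywhere in text
    (assumed unanchored, so re.search rather than re.fullmatch)."""
    return pattern.search(text) is not None


def matching_entries(text, entries):
    """Names of all entries that match text, in config order."""
    return [name for name, pat in entries.items() if asa_test_regex(text, pat)]


if __name__ == "__main__":
    entries = parse_regex_lines(SAMPLE_CONFIG)
    # The post's four inputs, then constructed edge cases: upper case,
    # nothing before the dot, a trailing second extension, overlapping entries.
    for name in ["reallybad.jpg", "reallygood.jpg", "r.jpg", "reallybad.gif",
                 "REALLYBAD.JPG", ".jpg", "reallybad.jpg.exe",
                 "logo.ai3", "track.aiff", "layers.psd"]:
        print(f"{name:20} {matching_entries(name, entries) or 'no match'}")
```

The output shows where a pattern is wider or narrower than its name suggests: `_AI` already covers everything `_AI3` matches and also hits `track.aiff`, while the post's lower-case pattern misses `REALLYBAD.JPG`, which the dictionary's `[Jj][Pp][Gg]` form catches.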

Regex Configs for dropping torrents/gnutella & other "Evil Stuff"


Bring on more samples and dictionaries etc. for eradicating the production networks of "Evil" traffic. URL-Filtering can only do so much. Let's see some articles on complicated use of MPF. That kind of stuff would be very welcome to read.

Thanks,
Tim

Regex Dictionary


Hi Tim,

You can find more examples here:

http://6200networks.com/2008/08/06/asa-regular-expressions-files/

Joe


About Brandon Carroll

Brandon Carroll, a certified Cisco Systems Instructor for over 7 years, splits time between writing for Cisco Press and teaching classes for Ascolta. In the networking industry for nearly 11 years, he has worked in the areas of routing and switching as well as network security.

His publications include the areas of AAA, and CCSP certification. His most current title is CCSP SNPA Quick Reference (Digital Short Cut) (read a sneak peek from the book here).


The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.
