the "*" in the beginning will match anything before your regex... The key point here is to know to use the "test regex" command
Use and abuse of this command as it is a life saver!!!

--
Willians Barboza
CCIE Security # 25629

---------- Forwarded message ----------
From: Brandon Carroll <[email protected]>
Date: 2010/4/5
Subject: Re: [OSL | CCIE_Security] Code red worm with NBAR
To: Kingsley Charles <[email protected]>
Cc: [email protected]

You're right. If you use the ? and it refers to a regular expression then that's the way to go. If it wants a string, like this feature does, then I would use a * as a wildcard like they have done in the link you provided. I think you'll find most features are going to use regular expressions. I don't have a list of which use which but it sounds like it would make for a good blog post in the near future. :)

Regards,
Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

On Apr 5, 2010, at 10:30 AM, Kingsley Charles wrote:

This is where I always get confused. Can you please let me know the CCIE security features in which we will use ".*" and "*" as wild card mask.

As far as I know, features like IOS FW L7, ASA L7 inspection, ".*" will be used as a wild card mask with regex.

With regards
Kings

On Mon, Apr 5, 2010 at 10:55 PM, Brandon Carroll <[email protected]> wrote:
>
> It's a wildcard to match any other string characters in a URL.
> http://192.168.1.1/mydirectory/default.ida
>
> /mydirectory/ would be matched by the *.
>
> Regards,
> Brandon Carroll - CCIE #23837
>
> On Apr 5, 2010, at 10:23 AM, Kingsley Charles wrote:
>
> I get your point Brandon. But I am not understanding the purpose of "*" in
> this configuration.
>
> With regards
> Kings
>
> On Mon, Apr 5, 2010 at 10:49 PM, Brandon Carroll <[email protected]>
> wrote:
>>
>> I don't think this is a string that matches the same as standard regular
>> expressions that you would see in IPS or L7 class-maps on an ASA. Notice
>> the phrasing:
>>
>> R6(config-cmap)#match protocol http url ?
>>   WORD  Enter a string as the sub-protocol parameter
>> R6(config-cmap)#match protocol http url
>>
>> Of course I've never actually used a full-on regular expression here but my
>> understanding is that you are only matching a string in a url which is why
>> you do three lines like this:
>>
>> Router(config-cmap)#match protocol http url "*default.ida*"
>> Router(config-cmap)#match protocol http url "*cmd.exe*"
>> Router(config-cmap)#match protocol http url "*root.exe*"
>>
>> rather than one like this:
>>
>> Router(config-cmap)#match protocol http url "*default.ida*|*cmd.exe*|*root.exe*"
>>
>> Regards,
>> Brandon Carroll - CCIE #23837
>>
>> On Apr 5, 2010, at 10:11 AM, Kingsley Charles wrote:
>>
>> Hi Brandon
>>
>> a*b will match aaaab, b, aab, ab.
>>
>> *b is invalid as there is no character before "*" to repeat
>>
>> Can you please explain what will [match protocol http url "*cmd.exe*"] match?
>>
>> With regards
>> Kings
>>
>> On Mon, Apr 5, 2010 at 10:34 PM, Brandon Carroll <[email protected]>
>> wrote:
>>>
>>> Kings,
>>> I don't think you need the "." before or after. The "*" should account for
>>> that.
>>>
>>> Regards,
>>> Brandon Carroll - CCIE #23837
>>>
>>> On Apr 5, 2010, at 9:43 AM, Kingsley Charles wrote:
>>>
>>> *

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
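
The distinction discussed in this thread, as an added example (not part of the original messages and not Cisco's code): the same string is evaluated once as a `*` wildcard string and once as a regular expression, then rewritten into its `.*` form. Shell-style globbing stands in for the wildcard semantics as an assumption, and every URL except the `default.ida` one is constructed.

```python
import fnmatch
import re

# Sample URLs: the first is quoted in the thread, the rest are constructed.
URLS = [
    "http://192.168.1.1/mydirectory/default.ida",
    "http://192.168.1.1/scripts/cmd.exe?/c+dir",
    "http://192.168.1.1/scripts/root.exe",
    "http://192.168.1.1/index.html",
]

# The three strings from the class-map lines quoted in the thread.
WILDCARD_PATTERNS = ["*default.ida*", "*cmd.exe*", "*root.exe*"]


def wildcard_match(pattern, url):
    """Assumption: '*' stands for any run of characters, as the thread
    describes. Modelled with shell-style globbing, not the IOS matcher."""
    return fnmatch.fnmatchcase(url, pattern)


def regex_match(pattern, url):
    """Evaluate the same text as a regular expression instead.
    Returns None when the pattern is not a valid regex."""
    try:
        return re.search(pattern, url) is not None
    except re.error:
        return None


def to_regex(pattern):
    """Rewrite a '*' wildcard string into the equivalent '.*' regex."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def classify(url):
    """Match-any over the wildcard strings: return the ones that hit."""
    return [p for p in WILDCARD_PATTERNS if wildcard_match(p, url)]


if __name__ == "__main__":
    for url in URLS:
        print(url, "->", classify(url) or "no match")
    for p in WILDCARD_PATTERNS:
        # A leading '*' has nothing to repeat, so the regex reading is None.
        print(p, "as regex:", regex_match(p, URLS[0]), "| rewritten:", to_regex(p))
```

Before entering a pattern, check from the CLI help whether the feature expects a string or a regular expression, and use the matching form.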
