Hi all,

Can we use IPS sigs to match ASCII? The following snippet claims it.
Snippet from http://www.cisco.com/web/about/security/intelligence/ips_custom_sigs.html

Content and Perl-Compatible Regular Expressions vs. Cisco IPS Regular Expressions

The *content* keyword in Snort is used for text and binary content matching. Binary content matching is enclosed in the pipe (|) character. Perl-compatible regular expressions (PCRE) support regular expression matching. The key difference between binary content matching and PCRE is the ability to specify offsets when using the *content* parameter. Offsets cannot be applied to the PCRE section of a Snort signature.

Cisco signatures rely exclusively on regexes for matching ASCII and hex characters, and the signatures use and apply offsets to these matches. Offsets play an important role in reducing false positives.

Regular expression support in Cisco IPS signatures is limited to the keywords specified at the following link: http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_signature_engines.html#wp1408334

With regards
Kings
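The snippet's point about offsets, as an added example that is not part of the original post or of Cisco's documentation: a Python simulation (not Cisco IPS or Snort signature syntax) of one regex matching both ASCII and hex bytes, evaluated with and without an offset restriction. The payloads, the 4-byte header layout and the function names are constructed for illustration.

```python
import re

# One regex covering ASCII text ("LOGIN") and raw hex bytes (0x00 0x01).
PATTERN = re.compile(rb"LOGIN\x00\x01")


def find_matches(payload, min_offset=0, max_offset=None, exact_offset=None):
    """Return start offsets of PATTERN in payload that satisfy the offset limits.

    Assumption: an offset here is the byte index where the match starts.
    That is a simplification for this example, not a description of how
    any particular sensor counts offsets.
    """
    hits = []
    for m in PATTERN.finditer(payload):
        start = m.start()
        if exact_offset is not None and start != exact_offset:
            continue
        if start < min_offset:
            continue
        if max_offset is not None and start > max_offset:
            continue
        hits.append(start)
    return hits


# Constructed payloads for a hypothetical protocol:
# 4-byte length header, then a command, then data.
REAL = b"\x00\x00\x00\x10" + b"LOGIN\x00\x01" + b"alice\x00"
# Same byte sequence, but inside message text rather than in the command field.
BENIGN = b"\x00\x00\x00\x30" + b"MSG\x00" + b"docs say send LOGIN\x00\x01 first"

SAMPLES = {"real": REAL, "benign": BENIGN}


def alerts(payloads, **limits):
    """Names of payloads on which the signature would fire under the given limits."""
    return [name for name, data in payloads.items() if find_matches(data, **limits)]


if __name__ == "__main__":
    print("no offset:   ", alerts(SAMPLES))                  # fires on both
    print("exact offset:", alerts(SAMPLES, exact_offset=4))  # command field only
    print("window 0-8:  ", alerts(SAMPLES, max_offset=8))    # command field only
```

Without an offset the regex fires on the benign message because the same bytes appear in its body; pinning the match to the command field removes that false positive.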
