Apologies but both my emails yesterday were via a webmail client that kept deleting special characters, including \'s
I did get this to work by \'ing a " " rather than \'ing %

So the string that worked for me was: ".*select\ .*" to achieve filtering of select%20 in a url.

On a side note I still had to log a TAC as I have an unusual issue where if a "?" is in the url before the match it will let the url slip through, however if it is after the match it will still catch it. Ie www.bla.com/test?=select%20.asp will make it through, www.bla.com/test=select%20bla?.asp will get caught.

And on top of that there is reaaaaaaallly poor use of regexp memory when using a prefixed wildcard on your regex ".*", it causes regexp memory to fill up with only 5 regex's and the 6th one will blow the 1MB regexp over the limit and start blocking everything, not ideal behaviour!

Cheers
Ben

-----Original Message-----
From: Lincoln Dale [mailto:[EMAIL PROTECTED]
Sent: Monday, 25 August 2008 5:23 PM
To: [EMAIL PROTECTED]
Cc: Christian Koch; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ACE Regex filtering for url match trouble with %

[EMAIL PROTECTED] wrote:
> FWIW I did manage to get this to match by telling it to match an
> ASCII space instead ie .*selectx20.* however this is more of a hack
> for my original request so I will still chase up with TAC.
>

i haven't looked at the ACE source code / firmware, but it may well be that it does a first-pass of converting "%(something)" to a non-encoded value first (in this case, a " "), because otherwise it would be trivial for a hacker to bypass said filter(s).

you could see if regex ".*select\s.*" works too.

cheers,

lincoln.
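An added example, not part of the thread and not ACE configuration or Cisco code: a Python sketch of the decode-then-match order Lincoln describes, applied to the whole path and query so that a "?" ahead of the keyword makes no difference. The function names are hypothetical; the sample URLs are the two from Ben's message plus one constructed benign URL.

```python
import re
from urllib.parse import unquote, urlsplit

# Unanchored pattern used with search(), so no leading or trailing ".*"
# is needed. \s matches the decoded space (and other whitespace).
SELECT_RE = re.compile(r"select\s")


def normalize_target(url: str) -> str:
    """Return path plus query string with percent-escapes decoded once."""
    # urlsplit only recognises the host when the URL has a scheme or "//".
    parts = urlsplit(url if "//" in url else "//" + url)
    target = parts.path
    if parts.query:
        target += "?" + parts.query
    return unquote(target)


def is_blocked(url: str) -> bool:
    """Match the filter against the decoded path and query together."""
    return SELECT_RE.search(normalize_target(url)) is not None


def raw_match(url: str) -> bool:
    """Same pattern applied to the undecoded URL, for comparison."""
    return SELECT_RE.search(url) is not None


# Sample URLs: the first two are quoted in the message above,
# the third is constructed here as a benign control.
SAMPLES = [
    "www.bla.com/test?=select%20.asp",
    "www.bla.com/test=select%20bla?.asp",
    "www.bla.com/test/selection.asp",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u:40} raw={raw_match(u)!s:5} decoded={is_blocked(u)}")
```
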