Cisco "String Signature" oddity...

From: Mark Amos (mark.amos@toast.net)
Date: 11/29/01


To: focus-ids@securityfocus.com
From: "Mark Amos" <mark.amos@toast.net>
Subject: Cisco "String Signature" oddity...
Message-Id: <291101333.48295@webbox.com>
Date: Thu, 29 Nov 2001 13:24:56 -0800


I've been trying to set up a "String Signature" but can't get
it to fire, for some reason. The Cisco documentation says that
the string matching is done with regular expressions, but there
doesn't appear to be a document describing what the regular expression
syntax is for the product (CSPM).

I'm trying to detect the string ".pif" on port 80 as a test.
Here are the "regular expressions" I've tried, with no success...

.*\.pif$
\.pif$
[.]pif

(I found some documentary evidence that the [] act as an escape
for special characters in their regular expression syntax.)

Anyone have any advice (or a link to somewhere that defines Cisco's
IDS regular expression syntax)? I couldn't find it on their web
site.

I'm using CSPM 2.3.3 talking to a 4210 probe running 2.5(0)S0.

Thanks in advance,

Mark