Cisco "String Signature" oddity...

From: Mark Amos (
Date: 11/29/01

From: "Mark Amos" <>
Subject: Cisco "String Signature" oddity...
Message-Id: <>
Date: Thu, 29 Nov 2001 13:24:56 -0800

I've been trying to set up a "String Signature" but can't get
it to fire, for some reason. The Cisco documentation says that
the string matching is done with regular expressions, but there
doesn't appear to be a document describing what the regular expression
syntax is for the product (CSPM)

I'm trying to detect the string ".pif" on port 80 as a test.
Here are the "regular expressions" I've tried, with no success...


(I found some documentary evidence that the [] act as an escape
for special characters in their regular expression syntax.)

Anyone have any advice (or a link to somewhere that defines Cisco's
IDS regular expression syntax. I couldn't find it on their web

I'm using CSPM 2.3.3 talking to a 4210 probe running 2.5(0)S0

Thanks in advance,