Fortinet black logo

Custom IPS and Application Control Signature Syntax Guide

Home IPS Engine 3.6.0 Custom IPS and Application Control Signature Syntax Guide
3.6.0
7.4.0
7.2.0
7.1.0
7.0.0
6.4.0
6.2.0
5.2.0
3.6.0

pcre

pcre

Use the pcre keyword to specify the content to match using Perl Compatible Regular Expression (PCRE). For the PCRE syntax, please refer to http://perldoc.perl.org/perlre.html.

The pattern to be matched must be enclosed in double quotation marks and followed by a semicolon. Certain special characters must be written as noted in the table below.

Special character

Expression

"

\x22

;

\x3B or \x3b

/

\x2F or \x2f
Note

The IPS Engine handles PCRE a lot slower compared to normal pattern matching. PCRE should be used very carefully, especially for signatures that detect traffic from HTTP servers or traffic that does not specify a port.
Syntax:
--pcre [!]"/<regular expression>/[<op>]";

The optional use of [!] indicates the content is matched if it does not appear.

<op>

Description

i

Case insensitive

s

Include new lines in the dot (.) meta character

m

By default, the string is treated as one big line of characters. ^ and $ match at the beginning and ending of the string. When you set m, ^ and $ match immediately following or immediately before any new line in the buffer, as well as the very start and very end of the buffer.

x

White space data characters in the pattern are ignored except when escaped or inside a character class.

A

The pattern must match only at the start of the buffer (same as ^).

E

Set $ to match only at the end of the subject string. Without E, $ also matches immediately before the final character if it is a newline, but not before any other newlines.

G

Inverts the greediness of the quantifiers so that they are not greedy by default, but become greedy if followed by "?".
Example:
--pcre "/\sLIST\s[^\n]*?\s\{/smi";
Previous
Next

pcre

Use the pcre keyword to specify the content to match using Perl Compatible Regular Expression (PCRE). For the PCRE syntax, please refer to http://perldoc.perl.org/perlre.html.

The pattern to be matched must be enclosed in double quotation marks and followed by a semicolon. Certain special characters must be written as noted in the table below.

Special character

Expression

"

\x22

;

\x3B or \x3b

/

\x2F or \x2f
Note

The IPS Engine handles PCRE a lot slower compared to normal pattern matching. PCRE should be used very carefully, especially for signatures that detect traffic from HTTP servers or traffic that does not specify a port.
Syntax:
--pcre [!]"/<regular expression>/[<op>]";

The optional use of [!] indicates the content is matched if it does not appear.

<op>

Description

i

Case insensitive

s

Include new lines in the dot (.) meta character

m

By default, the string is treated as one big line of characters. ^ and $ match at the beginning and ending of the string. When you set m, ^ and $ match immediately following or immediately before any new line in the buffer, as well as the very start and very end of the buffer.

x

White space data characters in the pattern are ignored except when escaped or inside a character class.

A

The pattern must match only at the start of the buffer (same as ^).

E

Set $ to match only at the end of the subject string. Without E, $ also matches immediately before the final character if it is a newline, but not before any other newlines.

G

Inverts the greediness of the quantifiers so that they are not greedy by default, but become greedy if followed by "?".
Example:
--pcre "/\sLIST\s[^\n]*?\s\{/smi";
Previous
Next