uni
Mar 27, 2006Altostratus
Question mark in regex
I have the following rule, which I've just moved over from a 4.5 system to 9.1.1:
rule JTS_olgc-prod_http_10 {
when HTTP_REQUEST {
if { [HTTP::host] == "xxx.com.au"
and ( [matchclass [HTTP::uri] ends_with $::JTS_FileTyp]
or [matchclass [HTTP::uri] equals $::JTS_AbsoluteURI]
or [HTTP::uri] starts_with "/images/"
or [HTTP::uri] matches_regex "^/default\.asp\?(action|menu|page|text_only)="
or [HTTP::uri] matches_regex "^/(general|gaming|pdf|calendar.html).*"
or [HTTP::uri] matches_regex "^/(splash|src/js)/.*\.js$" ) } {
}
else {
log local2.notice "Denied: Source: [HTTP::header value X-Forwarded-For] Method: [HTTP::method] Host: [HTTP::host] URI: [HTTP::uri]"
use pool jts-utility-pool
}
}
}
I am having problems with the line
or [HTTP::uri] matches_regex "^/default\.asp\?(action|menu|page|text_only)="
The expression will not match the question mark (?), whether I precede it with an escape \ or not. In the end I have replaced it with a dot (.).
An example of a URI which I thought should match, but doesn't, is/default.asp?page=casino.casino.htm&menu=casino
Is there a special meaning for the question mark in v9?