Creating A Regular Expression - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line

Configuring Special Actions for Application Inspections
Some traffic matching commands can specify regular expressions to match text inside a packet. Be sure
to create and test the regular expressions before you configure the policy map, either singly or grouped
together in a regular expression class map.
The default inspection policy map configuration includes the following commands, which set the
maximum message length for DNS packets to be 512 bytes:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

Note: There are other default inspection policy maps such as policy-map type inspect esmtp
_default_esmtp_map. These default policy maps are created implicitly by the command inspect
protocol. For example, inspect esmtp implicitly uses the policy map "_default_esmtp_map." All the
default policy maps can be shown by using the show running-config all policy-map command.
This section describes how to create additional inspection policy maps, and includes the following
topics:

Creating a Regular Expression
Creating a Regular Expression Class Map
Identifying Traffic in an Inspection Class Map
Defining Actions in an Inspection Policy Map

Creating a Regular Expression

A regular expression matches text strings either literally as an exact string, or by using metacharacters
so you can match multiple variants of a text string. You can use a regular expression to match the content
of certain application traffic; for example, you can match a URL string inside an HTTP packet.
Use Ctrl+V to escape all of the special characters in the CLI, such as question mark (?) or a tab. For
example, type d[Ctrl+V]?g to enter d?g in the configuration.
See the regex command in the Cisco Security Appliance Command Reference for performance impact
information when matching a regular expression to packets.
Table 21-1 lists the metacharacters that have special meanings.

Table 21-1 regex Metacharacters

Character: .
Description: Dot
Notes: Matches any single character. For example, d.g matches dog, dag, dtg, and any word that
contains those characters, such as doggonnit.

Character: (exp)
Description: Subexpression
Notes: A subexpression segregates characters from surrounding characters, so that you can use other
metacharacters on the subexpression. For example, d(o|a)g matches dog and dag, but do|ag matches
do and ag. A subexpression can also be used with repeat quantifiers to differentiate the characters
meant for repetition. For example, ab(xy){3}z matches abxyxyxyz.

Cisco Security Appliance Command Line Configuration Guide, Chapter 21, Using Modular Policy Framework, OL-10088-01
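The following is an added example, not taken from the Cisco guide: a small pre-deployment audit that runs the patterns from the Notes in Table 21-1 against strings that should and should not match, so over-matching (which turns into unintended drops or resets once the regex is used in a policy map) is visible before configuration. It assumes Python's re module behaves like the appliance's regex engine for the metacharacters used here, which should be confirmed on the device; the sample strings and the abxy{3}z contrast pattern are constructed for illustration.

```python
import re

def audit(pattern, must_match, must_not_match):
    """Check one candidate pattern against labelled sample strings.

    Uses search(), so the pattern may match anywhere inside the string,
    which is how Table 21-1 describes d.g matching "doggonnit".
    Returns (missed, overmatched).
    """
    rx = re.compile(pattern)
    missed = [s for s in must_match if not rx.search(s)]
    overmatched = [s for s in must_not_match if rx.search(s)]
    return missed, overmatched

# Constructed samples: the intent is "match dog or dag, nothing else".
WANTED = ["dog", "dag"]
UNWANTED = ["do", "ag", "tag", "undo", "dtg", "doggonnit"]

# Constructed samples for the repeat-quantifier example.
REPEAT_WANTED = ["abxyxyxyz"]
REPEAT_UNWANTED = ["abxyz", "abxyxyz", "abxyyyz"]

CASES = [
    ("d.g", WANTED, UNWANTED),          # dot accepts any middle character
    ("d(o|a)g", WANTED, UNWANTED),      # alternation scoped by the subexpression
    ("do|ag", WANTED, UNWANTED),        # alternation spans the whole pattern
    ("ab(xy){3}z", REPEAT_WANTED, REPEAT_UNWANTED),  # quantifier repeats "xy"
    ("abxy{3}z", REPEAT_WANTED, REPEAT_UNWANTED),    # quantifier repeats "y" only
]

def audit_all(cases=CASES):
    """Map each pattern to its (missed, overmatched) lists."""
    return {p: audit(p, yes, no) for p, yes, no in cases}

if __name__ == "__main__":
    for pattern, (missed, over) in audit_all().items():
        print(f"{pattern:12} missed={missed} overmatched={over}")
```

Even the correctly scoped d(o|a)g still matches inside doggonnit, because the match is not anchored to the whole string.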
