Documentation

From OSSEC Wiki


Regular Expression Syntax for Rules and Decoders

Copyright (c) 2004-2007 Daniel B. Cid <dcid@ossec.net>


OSSEC, os_regex Library.

Fast and simple library for regular expressions in C. Available with OSSEC: http://www.ossec.net

This library is designed to be simple while still supporting the most common regular expression constructs. It was written with intrusion detection systems in mind, where having every feature is not crucial, but speed is.


The following expressions are supported:

   \w  ->  Any A-Z, a-z or 0-9 character (note: underscore is not included)
   \d  ->  Any 0-9 character
   \s  ->  A space " "
   \t  ->  A tab
   \p  ->  ()*+,-.:;<=>?[] (punctuation characters)
   \W  ->  Anything not matched by \w
   \D  ->  Anything not matched by \d
   \S  ->  Anything not matched by \s
   \.  ->  Any character


Each regular expression can be followed by:

   +  ->  To match one or more times (eg \w+ or \d+)
   *  ->  To match zero or more times (eg \w* or \p*)


The following special characters are also supported:

   ^ -> To specify the beginning of the text.
   $ -> To specify the end of the text.
   | -> To create an "OR" between multiple patterns.


Any of the following characters must be escaped with a "\" before use:

   $ -> \$
   ( -> \(
   ) -> \)
   \ -> \\


The os_regex library is used by the following options:

  • regex (inside rules)
  • if_matched_regex (inside rules)
  • prematch (inside decoders)
  • regex (inside decoders)

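As an added illustration, not code from OSSEC or the os_regex library itself, the following Python helper translates a pattern written in the os_regex syntax documented above into a Python `re` pattern, so a rule or decoder expression can be checked against a sample log line before it is deployed. The sample log line and pattern are constructed, and the translation follows the table literally: `\w` has no underscore, `\s` is a single space, `\.` is any character, and a bare `.` is a literal dot.

```python
import re

# Character classes exactly as the table above documents them (os_regex semantics, not PCRE).
_CLASSES = {
    "w": "[A-Za-z0-9]", "d": "[0-9]",
    "s": " ", "t": "\t",                       # \s is one space, \t one tab
    "p": r"[()*+,\-.:;<=>?\[\]]",              # the documented punctuation set
    "W": "[^A-Za-z0-9]", "D": "[^0-9]", "S": "[^ ]",
    ".": r"[\s\S]",                            # \. matches any character
}
# Characters the page says must be backslash-escaped to be used literally.
_ESCAPED_LITERALS = {"$": r"\$", "(": r"\(", ")": r"\)", "\\": r"\\"}


def osregex_to_python(pattern: str) -> str:
    """Translate an os_regex pattern into an equivalent Python `re` pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("dangling backslash in os_regex pattern")
            nxt = pattern[i + 1]
            if nxt in _CLASSES:
                out.append(_CLASSES[nxt])
            elif nxt in _ESCAPED_LITERALS:
                out.append(_ESCAPED_LITERALS[nxt])
            else:
                raise ValueError(f"unsupported os_regex escape: \\{nxt}")
            i += 2
        elif c in "^$|+*()":
            out.append(c)  # anchors, alternation, quantifiers and groups keep their meaning
            i += 1
        else:
            out.append(re.escape(c))  # anything else, including '.', is a literal
            i += 1
    return "".join(out)


def os_search(pattern: str, text: str):
    """Return the capture groups (decoder fields) of the first match, or None."""
    m = re.search(osregex_to_python(pattern), text)
    return None if m is None else m.groups()


def os_match(pattern: str, text: str) -> bool:
    """True if the os_regex pattern matches text (anywhere, unless ^/$ anchor it)."""
    return os_search(pattern, text) is not None


# Constructed sample log line and decoder-style pattern (not from an OSSEC decoder).
SAMPLE_LOG = "Failed password for invalid user admin from 192.0.2.5 port 4242 ssh2"
SAMPLE_PATTERN = r"^Failed password for \.+ from (\d+.\d+.\d+.\d+) port (\d+)"
```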


OSSEC, os_match library

Faster than the os_regex library, but only supports simple string matching. Available with OSSEC: http://www.ossec.net


Each pattern can have:

   ^ -> To specify the beginning of the text.
   $ -> To specify the end of the text.
   | -> To create an "OR" between multiple patterns.

The os_match library is used by the following tags:

  • match (inside rules)
  • user (inside rules)
  • url (inside rules)
  • id (inside rules)
  • status (inside rules)
  • hostname (inside rules)
  • program_name (inside rules)
  • srcport (inside rules)
  • dstport (inside rules)
  • ignore (inside syscheck ignore fields as type="sregex")

These tags are much faster than the "regex" ones and should be used whenever possible.