Regular Expressions
Bl8ckr0uter
Inactive Imported Users Posts: 5,031
in Off-Topic
Anyone use Regular Expressions for IDS/IPS rule creation? I have come across these in my studies and I am wondering if studying them is something I should invest some time into in the future.
Comments
Met44 Member Posts: 194
A couple years ago I created some Snort rules using regular expressions for a Limewire/peer-to-peer traffic detection system. iptables also supports regex matching, meaning the two Linux-based IPSes you are most likely to encounter both have support for it. It is certainly useful if you want to get more meaningful with application layer stuff, however Snort has lots of pre-built rules for most of the typical application attacks, and there is a utility (fwsnort) out there to convert Snort rules into iptables match strings -- meaning you wouldn't really have to know anything about regular expressions to get a pretty good baseline of security against the common application layer attacks for whatever services you are running.
Personally, I use regular expressions daily simply for productivity reasons. Beyond IDS/IPS rules, regex is a tidy skill to have for lots of other situations (as I am sure you already know). I see the Linux+ is "on deck" for you... a thorough grounding in using Linux will lead you to regex on its own. The powerful text parsing utilities all support regular expressions (which is a good part of why they are powerful). If you start using them in the course of day to day work, it really is not hard to build a working knowledge of the common things you will use, and you will be amazed at how much time even the simplest regex can save you on the right task. The best part is that they are not difficult to get your head around once you understand what the characters mean (just be aware that different regular expression engines with different twists do exist...). If or when you are interested, Regular-Expressions.info - Regex Tutorial, Examples and Reference - Regexp Patterns is a great reference.
As to whether or not you may want to invest the time into learning about it, even in Ciscoland having regex knowledge would be very useful as a complementary skill. Good practices would tell you to use a remote syslog server to log IOS system messages, and knowing how to effectively search through a blob of text efficiently can save you or your department lots of time -- and maybe lots of money, too. You could even script something up to catch important events and make it run regularly as a cronjob. That could underscore your "useful and unique skills" at your yearly review... and a well-written script will never miss something because it hasn't had its coffee yet.
^Lots of good reasons to learn.$
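As an added illustration of the log-searching script Met44 describes (example code written for this thread, not anything Met44 or the forum posted), the snippet below runs one regex over a constructed sample of Cisco IOS system messages as a remote syslog server might have stored them and pulls out the events worth a closer look. The "%FACILITY-SEVERITY-MNEMONIC:" tag is the real IOS message format; the sample log lines, the watch list and the severity cutoff are assumptions chosen for the demonstration.

```python
import re

# Cisco IOS system messages carry a "%FACILITY-SEVERITY-MNEMONIC:" tag. The
# host/timestamp prefix varies by syslog server, so the pattern anchors on the tag.
IOS_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Constructed sample of what a remote syslog server might have collected.
SAMPLE_LOG = """\
Dec  1 10:01:12 rtr1 45: *Dec  1 10:01:11.901: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Dec  1 10:02:30 rtr1 46: *Dec  1 10:02:29.512: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
Dec  1 10:05:44 rtr1 47: *Dec  1 10:05:43.003: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down
Dec  1 10:06:01 rtr1 48: *Dec  1 10:06:00.771: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed]
Dec  1 10:07:15 rtr1 this line has no IOS tag and should be ignored
"""

# Assumed policy: these mnemonics are reported regardless of their severity number,
# and anything at severity 3 (error) or worse is reported too (0=emergency, 7=debug).
WATCH_MNEMONICS = {"CONFIG_I", "LOGIN_FAILED"}
MAX_SEVERITY = 3

def parse_ios_line(line):
    """Return a dict of the tag fields, or None if the line carries no IOS tag."""
    m = IOS_MSG.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    return fields

def important_events(log_text):
    """Keep events with severity <= MAX_SEVERITY or a mnemonic on the watch list."""
    hits = []
    for line in log_text.splitlines():
        event = parse_ios_line(line)
        if event is None:
            continue  # not an IOS system message, skip it
        if event["severity"] <= MAX_SEVERITY or event["mnemonic"] in WATCH_MNEMONICS:
            hits.append(event)
    return hits

if __name__ == "__main__":
    for event in important_events(SAMPLE_LOG):
        print(f"{event['facility']}-{event['severity']}-{event['mnemonic']}: {event['text']}")
```

Point it at the syslog server's file instead of SAMPLE_LOG and run it from cron to get the periodic check Met44 mentions.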
HeroPsycho Inactive Imported Users Posts: 1,940
PowerShell is another technology that can leverage RegEx.
Plus, once you learn it, you get to wear the shirt...
xkcd store
Good luck to all!
Slowhand Mod Posts: 5,161
Free Microsoft Training: Microsoft Learn
Free PowerShell Resources: Top PowerShell Blogs
Free DevOps/Azure Resources: Visual Studio Dev Essentials
Let it never be said that I didn't do the very least I could do.
Forsaken_GA Member Posts: 4,024
Pick up a copy of the O'Reilly book sed & awk; you can usually find it used on Amazon for between 5 and 10 bucks. Not only will it teach you two of the most powerful Unix command-line tools, it'll also give you a very thorough grounding in regex.
RobertKaucher Member Posts: 4,299
Forsaken_GA wrote:
» Pick up a copy of the O'Reilly book sed & awk; you can usually find it used on Amazon for between 5 and 10 bucks. Not only will it teach you two of the most powerful Unix command-line tools, it'll also give you a very thorough grounding in regex.
They also have a wonderful book on regular expressions and a pocket guide. Good stuff. I actually loled with those comics, guys. Nice!
Forsaken_GA Member Posts: 4,024
RobertKaucher wrote:
» They also have a wonderful book on regular expressions and a pocket guide. Good stuff. I actually loled with those comics, guys. Nice!
Interesting, I wasn't aware of the O'Reilly regex book; looks like it's a fairly recent release. It seems to have excellent reviews. I may have to pick that up myself. I know regex well enough to get by, but it never hurts to learn more.
RobertKaucher Member Posts: 4,299
Forsaken_GA wrote:
» Interesting, I wasn't aware of the O'Reilly regex book; looks like it's a fairly recent release. It seems to have excellent reviews. I may have to pick that up myself. I know regex well enough to get by, but it never hurts to learn more.
No, the 3rd edition was released in 2006. I think I got my copy in 2004. It deserves the reviews. A very good book. I regularly use what I learned from it when doing stuff in PowerShell and C#, and I have not picked it up in quite a while... so what it teaches really sticks to the ribs.
Claymoore Member Posts: 1,637
There are two books that work well together: Mastering Regular Expressions and Regular Expressions Cookbook. The cookbook came out in June, so that must be the new book to which you are referring. I have both books, but I have only read a few chapters of the Mastering book and just glanced at the Cookbook. Regex is a necessary skill for writing transport rules in Exchange and a skill that I honestly need to improve.
Bl8ckr0uter Inactive Imported Users Posts: 5,031
Thanks guys. I am putting reg exp on my to-study list. I think I will pick up those books mentioned along with the sed and awk books.
Thanks.
RobertKaucher Member Posts: 4,299
Microcenter may have a very good deal on them. They usually have older editions of O'Reilly books on sale at a good price.