
Regular Expressions (RegEx) within Correlation rules

Created: 30 Jan 2013 | 6 comments
Phife35:

Trying to determine the proper regex format/structure that SSIM uses.  I have used regex in the past with much success in other applications and event filters.

However, the SSIM rules seem to have a different allowable regex format.  Example below.

Came across a malware stream with a specific format.


where the .php?info= and the _ are all in the same place with random letters and number within the URL.

A quick and dirty Regex to match this is the following.


The SSIM rules match is not catching any of the URLs with the pattern.  I tried incrementally adding the pieces and get to the special characters ? = and _ with varying degrees of success using \ and \\ prior to the ? but not the other characters.

6 Comments

lukaszfr:

Did you use the 'matches' operator?

If yes, and it didn't work, then try this:


Phife35:

I did use 'matches'.  I will try the suggested regex.

SK Ooi:

Regular expressions are in greedy mode by default, so you can't typically translate the sentence into a regex one for one.  Try this:


I know it looks complex, but that RegEx looks the same before and after encryption.


Laszlo2:


When you try SK Ooi's solution use the ^regex$ format as antilles said. If that does not work try this one:



mathell:

The regex has to match the entire value being compared to trigger.  That's why your regex didn't work. Because you're matching the whole value, I'm not sure what a ^ at the beginning or $ at the end does for you, although it shouldn't hurt any.


Just to get it started, you might just try:


Assuming that works for you as a test, then you can replace the dot asterisk at the beginning with something more efficient.
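An added illustration (my own Python, not code from this thread or from SSIM) of the two points raised above: the unescaped ? in Phife35's pattern, and mathell's point that the rule only fires when the regex matches the entire value. The URLs are constructed in the shape Phife35 describes, and treating SSIM's 'matches' like Python's fullmatch is an assumption based on mathell's comment.

```python
import re

# Constructed sample values (not from the thread): ".php?info=" followed by
# random letters/digits, with "_" at a fixed position inside the query value.
SAMPLE_URLS = [
    "http://example.test/a7kq/x.php?info=ab12cd34_ef56gh78",
    "http://example.test/zz9/q.php?info=00aa11bb_cc22dd33",
]
NON_MATCH = "http://example.test/index.html"  # constructed benign value

# Unescaped '?' makes the preceding 'p' optional instead of matching a literal '?'.
UNESCAPED = r".*\.php?info=.*"

# Fixed pieces only, with '?' escaped. Fine for search semantics,
# but it does not consume the rest of the URL.
PARTIAL = r"\.php\?info=[A-Za-z0-9]+_[A-Za-z0-9]+"

# Full-value semantics (assumed to be what the rule engine applies):
# the pattern must also consume everything before and after the fixed pieces.
FULL = r".*" + PARTIAL + r".*"


def search_matches(pattern, value):
    """Search semantics: true if the pattern occurs anywhere in the value."""
    return re.search(pattern, value) is not None


def full_matches(pattern, value):
    """Full-match semantics: true only if the pattern covers the whole value."""
    return re.fullmatch(pattern, value) is not None


def evaluate(pattern):
    """Return (urls hit under search, urls hit under full match) for SAMPLE_URLS."""
    return (
        [u for u in SAMPLE_URLS if search_matches(pattern, u)],
        [u for u in SAMPLE_URLS if full_matches(pattern, u)],
    )


if __name__ == "__main__":
    for name, pat in (("UNESCAPED", UNESCAPED), ("PARTIAL", PARTIAL), ("FULL", FULL)):
        searched, full = evaluate(pat)
        print(f"{name}: search hits={len(searched)} fullmatch hits={len(full)}")
```

PARTIAL finds both URLs under search semantics but none under full-match semantics; only FULL fires under both, and it still rejects the benign value.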

SK Ooi:

Thanks for pointing that out, Laszlo2 and mathell.

Just in case the attack string starts to mutate and starts using "/" or "\". Let's make a cryptic RegEx look even better :)


I did try out the above on a RegEx engine.

Hope this helps.