Checks whether the string value of the target field matches any pattern in the specified pattern group and outputs the result.
- Pattern group GUID
- Target field name. The value of the target field must be a string; a value of any other type is treated as a search failure.
- Option to invert the result of matching the value of the field given by the field option against the pattern group (default:
t: Returns the result only if the value of the target field does not match any pattern in the pattern group.
f: Returns the result if the string value of the target field matches at least one of the patterns in the specified pattern group.
- Option to enable validation of the pattern group at the query parsing stage (default:
t: Validates the pattern group at the query parsing stage.
f: Does not validate the pattern group at the query parsing stage. This option prevents the system from raising syntax errors at the policy synchronization stage.
The pattern group uses the Aho-Corasick algorithm to test thousands of keywords or more simultaneously, as network intrusion detection devices do. It first matches every keyword belonging to the pattern group against the input string in a single pass, then evaluates the filter expressions of only those patterns whose keywords were hit, one after another, and finally returns the name of the rule that matched.
Example of patterns
| expr (required) | expr2 (optional) | rule (required) |
| --- | --- | --- |
| Keyword pattern: primary high-speed detection | Boolean expression: secondary filtering | Pattern name |
For example, if you set the pattern to "REMOTE_ADDR" and ("fputs" or "fwrite"), the filter expression to path == "lib.php", and the rule to zb now connect, the command first checks whether the target field value contains the string REMOTE_ADDR together with either fputs or fwrite, and then checks whether the path field value matches the