matchsig

Checks whether the string value of the specified field matches any pattern in the specified pattern group and outputs the result.

Syntax

matchsig [invert=BOOL] [verify=BOOL] guid=SIG_GUID field=FIELD
Required Parameter
guid=SIG_GUID
Pattern group GUID
field=FIELD
Target field name. The value of the target field must be a string; a value of any other type is treated as a search failure (no match).
Optional Parameter
invert=BOOL
Option to invert the result of matching the value of the field specified by the field option against the pattern group (default: f).
  • t: Returns the result only if the value of the target field is not matched by any pattern in the pattern group.
  • f: Returns the result if the string value of the target field matches at least one of the patterns in the specified pattern group.
verify=BOOL
Option to validate the pattern group at the query parsing stage (default: t).
  • t: Validates the pattern group at the query parsing stage.
  • f: Does not validate the pattern group at the query parsing stage. This option prevents the system from issuing syntax errors at the policy synchronization stage, for example when the pattern group referenced by guid has not been synchronized yet.

Description

The pattern group uses the Aho-Corasick algorithm to test thousands of keywords or more against the input in a single pass, in the same way network intrusion detection systems do. All keywords belonging to the pattern group are first matched against the input string at once; the filter expressions of only those patterns whose keywords were hit are then evaluated in sequence, and the command outputs the name of the rule that matches.

Example of patterns

expr (required)                                | expr2 (optional)                        | rule (required)
Keyword pattern: primary high-speed detection  | Boolean expression: secondary filtering | Pattern name
-----------------------------------------------+-----------------------------------------+----------------
"addextendedproc" and "xp_cmdshell"            |                                         | xp_cmdshell
"REMOTE_ADDR" and ("fputs" or "fwrite")        | path == "lib.php"                       | zb now_connect

For example, with the pattern "REMOTE_ADDR" and ("fputs" or "fwrite"), the filter expression path == "lib.php" and the rule name zb now_connect, the command first checks whether the target field value contains the string REMOTE_ADDR together with either fputs or fwrite, and only then checks whether the path field value equals lib.php. If the keyword check fails, the filter expression is never evaluated.
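The two-stage matching described above, as an added Python example that is not part of the product's own matchsig implementation: a minimal Aho-Corasick automaton performs the single-pass keyword scan, and the two patterns from the table above are encoded by hand. The expr and expr2 columns are written as Python lambdas instead of being parsed from the query syntax, the records and the field name "line" are constructed sample data, and the invert handling follows the option description above. The example also goes slightly beyond the page by showing the non-string field case being treated as a non-match.

```python
from collections import deque


class AhoCorasick:
    """Minimal Aho-Corasick automaton: finds every keyword in one pass over the text."""

    def __init__(self, keywords):
        self.goto = [{}]        # per-node transitions: char -> node id
        self.out = [set()]      # per-node set of keywords ending here (incl. via fail links)
        self.fail = [0]         # per-node fail link
        for kw in keywords:     # build the trie
            node = 0
            for ch in kw:
                nxt = self.goto[node].get(ch)
                if nxt is None:
                    nxt = len(self.goto)
                    self.goto.append({}); self.out.append(set()); self.fail.append(0)
                    self.goto[node][ch] = nxt
                node = nxt
            self.out[node].add(kw)
        queue = deque(self.goto[0].values())   # depth-1 nodes keep fail = root
        while queue:                            # BFS to fill fail links
            cur = queue.popleft()
            for ch, nxt in self.goto[cur].items():
                queue.append(nxt)
                f = self.fail[cur]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(ch, 0)
                self.out[nxt] |= self.out[self.fail[nxt]]

    def search(self, text):
        """Return the set of keywords that occur anywhere in text (single pass)."""
        found, node = set(), 0
        for ch in text:
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            found |= self.out[node]
        return found


# The two patterns from the table above. expr is evaluated over the set of keywords
# that were hit; expr2 (optional) is evaluated over the whole record.
PATTERNS = [
    {"rule": "xp_cmdshell",
     "keywords": {"addextendedproc", "xp_cmdshell"},
     "expr": lambda hit: "addextendedproc" in hit and "xp_cmdshell" in hit,
     "expr2": None},
    {"rule": "zb now_connect",
     "keywords": {"REMOTE_ADDR", "fputs", "fwrite"},
     "expr": lambda hit: "REMOTE_ADDR" in hit and ("fputs" in hit or "fwrite" in hit),
     "expr2": lambda rec: rec.get("path") == "lib.php"},
]


class SignatureGroup:
    """A pattern group: one automaton over all keywords plus the per-pattern expressions."""

    def __init__(self, patterns):
        self.patterns = patterns
        self.ac = AhoCorasick({kw for p in patterns for kw in p["keywords"]})

    def match(self, record, field):
        """Return the rule name of the matching pattern, or None."""
        value = record.get(field)
        if not isinstance(value, str):       # non-string target value: search failure
            return None
        hits = self.ac.search(value)         # stage 1: all keywords, one pass
        for p in self.patterns:
            if not (p["keywords"] & hits):   # none of this pattern's keywords hit: skip it
                continue
            if p["expr"](hits) and (p["expr2"] is None or p["expr2"](record)):
                return p["rule"]             # stage 2: keyword expression, then filter
        return None


GROUP = SignatureGroup(PATTERNS)

# Constructed sample records (not real log data).
SAMPLE = [
    {"path": "lib.php",   "line": "$ip = $_SERVER['REMOTE_ADDR']; fwrite($fp, $ip);"},
    {"path": "index.php", "line": "$ip = $_SERVER['REMOTE_ADDR']; fputs($fp, $ip);"},  # expr2 fails
    {"path": "db.sql",    "line": "EXEC sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'"},
    {"path": "x",         "line": 42},                                                   # not a string
    {"path": "lib.php",   "line": "echo 'hello';"},
]


def matchsig(records, field, group=GROUP, invert=False):
    """Mimic the command: keep rows whose field matches a pattern (tagged with the rule
    name), or, with invert=True, keep only rows that match no pattern."""
    kept = []
    for rec in records:
        rule = group.match(rec, field)
        if (rule is not None) != invert:
            kept.append((rec, rule))
    return kept


if __name__ == "__main__":
    for rec, rule in matchsig(SAMPLE, "line"):
        print(rec["path"], "->", rule)
```

Only patterns with at least one keyword hit ever reach their boolean expression, which is what makes the keyword stage a cheap prefilter in front of the per-pattern filter expressions.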