matchsig()

The matchsig() function returns true if one or more patterns defined in a specified pattern group match the target string.

Syntax

matchsig(STR_GUID, STR_EXPR)

Parameters

STR_GUID
The GUID of the pattern group. Must be a valid pattern group identifier. If a non-existent GUID is specified, an error occurs at query parse time.
STR_EXPR
The target string expression to search. The evaluated value must be a string type. If the value is not a string type, false is returned.

Description

The matchsig() function returns true if one or more patterns in the specified pattern group match the value of STR_EXPR, or false if no patterns match.

If STR_EXPR is not a string type, false is returned.

Logpresso Sonar uses the Aho-Corasick algorithm to search thousands of patterns simultaneously at high speed. It first searches the input string for keywords (first pass), and if a verification expression is set on a pattern, that expression is additionally evaluated to determine the final match (second pass).

A pattern consists of a required keyword condition and an optional verification expression.

#  Pattern name     Pattern (required): first-pass fast detection   Verification expression (optional): second-pass filter
1  xp_cmdshell      sp_addextendedproc and xp_cmdshell              (none)
2  zb_now_connect   REMOTE_ADDR and (fputs or fwrite)               path == "lib.php"

Pattern groups are managed in the Sonar web console under Policies > Pattern Groups.
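The following is an added illustration of the two-pass scheme described above, written for this page; it is not Logpresso's implementation. The first pass is a from-scratch Aho-Corasick automaton that finds every keyword of the group in one scan of the target string; the second pass applies the optional verification expression. Two things are assumptions: the keyword condition is modeled as an AND of OR-clauses (enough to express both table rows), and the verification expression is modeled as a Python predicate over the whole record instead of a Sonar query expression. The pattern group reproduces the two rows of the table above under the GUID from the usage examples, and match() goes slightly beyond the boolean matchsig() by returning the names of the patterns that matched.

```python
"""Two-pass signature matching: Aho-Corasick keyword scan, then verification.
Illustrative reimplementation of the matchsig() description; pattern-group
structure is an assumption, not Logpresso's data model."""
from collections import deque


class AhoCorasick:
    """Trie automaton that finds every keyword occurrence in one pass over the text."""

    def __init__(self, keywords):
        self.goto = [{}]      # per state: char -> next state
        self.fail = [0]       # per state: state of the longest proper suffix
        self.out = [set()]    # per state: keywords that end in this state
        for kw in set(keywords):
            self._add(kw)
        self._build_failures()

    def _add(self, kw):
        state = 0
        for ch in kw:
            nxt = self.goto[state].get(ch)
            if nxt is None:
                self.goto.append({})
                self.fail.append(0)
                self.out.append(set())
                nxt = len(self.goto) - 1
                self.goto[state][ch] = nxt
            state = nxt
        self.out[state].add(kw)

    def _build_failures(self):
        queue = deque(self.goto[0].values())  # depth-1 states keep fail = 0
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] |= self.out[self.fail[s]]  # inherit suffix matches

    def search(self, text):
        """Return the set of keywords occurring anywhere in text."""
        found, state = set(), 0
        for ch in text:
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            found |= self.out[state]
        return found


class Pattern:
    """One signature: keyword clauses (assumed AND-of-OR form) plus an optional
    verification predicate evaluated on the whole record (assumption)."""

    def __init__(self, name, clauses, verify=None):
        self.name = name
        self.clauses = clauses   # e.g. [["REMOTE_ADDR"], ["fputs", "fwrite"]]
        self.verify = verify


class PatternGroup:
    def __init__(self, guid, patterns):
        self.guid = guid
        self.patterns = patterns
        self.automaton = AhoCorasick(
            kw for p in patterns for clause in p.clauses for kw in clause)

    def match(self, record, field="raw"):
        """Names of patterns passing both the keyword scan (pass 1) and the
        verification expression (pass 2); [] when the field is not a string."""
        text = record.get(field)
        if not isinstance(text, str):
            return []
        found = self.automaton.search(text)
        hits = []
        for p in self.patterns:
            if all(any(kw in found for kw in clause) for clause in p.clauses):
                if p.verify is None or p.verify(record):
                    hits.append(p.name)
        return hits


def matchsig(group, record, field="raw"):
    """Boolean form mirroring matchsig(STR_GUID, STR_EXPR)."""
    return bool(group.match(record, field))


# Constructed pattern group reproducing the two table rows on this page.
SAMPLE_GROUP = PatternGroup("550e8400-e29b-41d4-a716-446655440000", [
    Pattern("xp_cmdshell", [["sp_addextendedproc"], ["xp_cmdshell"]]),
    Pattern("zb_now_connect", [["REMOTE_ADDR"], ["fputs", "fwrite"]],
            verify=lambda rec: rec.get("path") == "lib.php"),
])

if __name__ == "__main__":
    # Constructed sample records; the first two mirror the usage examples.
    for rec in ({"raw": "GET /index.php HTTP/1.1"},
                {"raw": 12345},
                {"raw": "EXEC sp_addextendedproc 'xp_cmdshell'"},
                {"raw": "$_SERVER['REMOTE_ADDR']; fwrite($fp, $x);", "path": "lib.php"},
                {"raw": "$_SERVER['REMOTE_ADDR']; fwrite($fp, $x);", "path": "index.php"}):
        print(rec, "->", matchsig(SAMPLE_GROUP, rec), SAMPLE_GROUP.match(rec))
```

The last two records show why the second pass exists: both contain the keywords of zb_now_connect, but only the one whose path field equals "lib.php" survives the verification expression, so the cheap automaton scan filters thousands of patterns down to a handful before any per-pattern expression is evaluated.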

Error codes

N/A

Usage examples

  1. Check whether patterns in the specified pattern group match the value of the raw field

    json "{'raw': 'GET /index.php HTTP/1.1'}"
    | eval result = matchsig("550e8400-e29b-41d4-a716-446655440000", raw)
    | # result: false
    
  2. STR_EXPR value is not a string type

    json "{'raw': 12345}"
    | eval result = matchsig("550e8400-e29b-41d4-a716-446655440000", raw)
    | # result: false
    

Compatibility

matchsig() has been available since before Sonar 4.0.