mpsearch
Matches thousands or more keyword patterns simultaneously. When a pattern specified in the subquery is detected in the field being matched, the command assigns a list of all detected patterns to the _mp_result field.
Syntax
mpsearch FIELD [ SUBQUERY ]
Required Parameter
FIELD
- Name of field to match multi-patterns.
[ SUBQUERY ]
- Subquery that loads the list of keyword patterns to be searched, enclosed in a pair of square brackets ([ ]).
Description
The output of the subquery must contain the expr, expr2, and rule string fields.
- expr (required): A boolean expression built from quoted strings combined with boolean operators such as and and or. The command first detects which of those strings occur in the value of the field being scanned, then checks whether the detected strings satisfy the expression.
- expr2 (optional): If the boolean expression in the expr field is true, expr2 optionally applies a further condition using the values of other fields in the same record.
- rule (required): Provide the pattern identifier or name.
Examples of patterns are as follows:
| expr (required) | expr2 (optional) | rule (required) |
|---|---|---|
| "addextendedproc" and "xp_cmdshell" | | xp_cmdshell |
| "REMOTE_ADDR" and ("fputs" or "fwrite") | path == "lib.php" | zb now_connect |
If only the xp_cmdshell pattern is detected, the value of the _mp_result field is as follows:
[ { "expr": "\"addextendedproc\" and \"xp_cmdshell\"", "rule": "xp_cmdshell" } ]
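The two-phase behaviour described above (detect the quoted strings in the scanned field, then evaluate each rule's boolean expr, then expr2 against other fields) as an added Python model. This is example code written for this page, not the product's own implementation: the rule set is the page's table, the sample records are constructed, matching is case-sensitive substring detection, expr2 is limited to FIELD == "value" / FIELD != "value", and support for not in expr is an assumption beyond the and/or shown on the page. The result list has the same shape as the _mp_result value above.

```python
# Added example, not the product's own code: a minimal model of a multi-pattern
# search in the style of mpsearch. Rule shape follows the page's table
# (expr, optional expr2, rule). Function and constant names are assumptions.
import re
from typing import Optional

# Tokens of an expr: "literal", parentheses, and/or/not (not is an assumption), whitespace.
TOKEN = re.compile(r'"([^"]*)"|([()])|\b(and|or|not)\b|\s+')
# Subset of expr2 supported by this model: FIELD == "value" or FIELD != "value".
EXPR2 = re.compile(r'^\s*(\w+)\s*(==|!=)\s*"([^"]*)"\s*$')


def tokenize(expr: str) -> list:
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"bad token in expr at offset {pos}: {expr[pos:]!r}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("lit", m.group(1)))
        elif m.group(2):
            tokens.append(("paren", m.group(2)))
        elif m.group(3):
            tokens.append(("op", m.group(3)))
    return tokens  # whitespace produces no token


def literals(expr: str) -> set:
    return {val for kind, val in tokenize(expr) if kind == "lit"}


class ExprEvaluator:
    """Recursive-descent evaluation with precedence not > and > or.
    A literal is true when it is in `found`, the set of strings detected
    in the scanned field during phase 1. No Python eval() is used."""

    def __init__(self, tokens: list, found: set):
        self.toks, self.found, self.i = tokens, found, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        if tok == (None, None):
            raise ValueError("unexpected end of expr")
        self.i += 1
        return tok

    def evaluate(self) -> bool:
        result = self.parse_or()
        if self.i != len(self.toks):
            raise ValueError(f"trailing token {self.toks[self.i]!r}")
        return result

    def parse_or(self) -> bool:
        value = self.parse_and()
        while self.peek() == ("op", "or"):
            self.take()
            rhs = self.parse_and()  # always parsed so syntax errors are not masked
            value = value or rhs
        return value

    def parse_and(self) -> bool:
        value = self.parse_not()
        while self.peek() == ("op", "and"):
            self.take()
            rhs = self.parse_not()
            value = value and rhs
        return value

    def parse_not(self) -> bool:
        if self.peek() == ("op", "not"):
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self) -> bool:
        kind, val = self.take()
        if kind == "lit":
            return val in self.found
        if (kind, val) == ("paren", "("):
            inner = self.parse_or()
            if self.take() != ("paren", ")"):
                raise ValueError("expected ')'")
            return inner
        raise ValueError(f"unexpected token {val!r}")


def eval_expr2(expr2: Optional[str], record: dict) -> bool:
    if not expr2:
        return True  # no expr2: the expr match alone decides
    m = EXPR2.match(expr2)
    if m is None:
        raise ValueError(f"unsupported expr2 in this model: {expr2!r}")
    field, op, want = m.groups()
    have = record.get(field)
    return have == want if op == "==" else have != want


def mpsearch_result(field: str, rules: list, record: dict) -> list:
    """Return the list that would be assigned to _mp_result for `record`."""
    value = record.get(field)
    if not isinstance(value, str):
        return []
    # Phase 1: detect every literal of every rule in one pass over the field
    # (a real engine would use a keyword automaton; substring checks suffice here).
    all_lits = set().union(*(literals(r["expr"]) for r in rules))
    found = {lit for lit in all_lits if lit in value}
    # Phase 2: evaluate each rule's expr over the detected set, then its expr2.
    hits = []
    for r in rules:
        if ExprEvaluator(tokenize(r["expr"]), found).evaluate() and eval_expr2(r.get("expr2"), record):
            hits.append({"expr": r["expr"], "rule": r["rule"]})
    return hits


RULES = [  # the two patterns from the page's table
    {"expr": '"addextendedproc" and "xp_cmdshell"', "expr2": None, "rule": "xp_cmdshell"},
    {"expr": '"REMOTE_ADDR" and ("fputs" or "fwrite")', "expr2": 'path == "lib.php"', "rule": "zb now_connect"},
]
# Constructed sample records for this example (not real traffic).
REC_SQL = {"signature": "select 1; exec sp_addextendedproc xp_cmdshell", "path": "login.asp"}
REC_PHP = {"signature": "$ip = $_SERVER['REMOTE_ADDR']; fwrite($fp, $ip);", "path": "lib.php"}
REC_PHP_OTHER = dict(REC_PHP, path="index.php")  # expr true, expr2 false

if __name__ == "__main__":
    for rec in (REC_SQL, REC_PHP, REC_PHP_OTHER):
        print(rec["path"], "->", mpsearch_result("signature", RULES, rec))
```

The third record shows why expr2 exists: the keyword expression alone would flag any file containing REMOTE_ADDR and fwrite, while the path condition narrows the rule to the file it was written for, which keeps the match list free of that kind of false positive.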
Usage
Match multi-patterns against the signature field, loading the pattern list from an external DB.
mpsearch signature [
dbquery RULE_DB select rule, expr, expr2 from web_rules
]