mpsearch

Matches thousands or more keyword patterns simultaneously. When the pattern specified in the subquery is detected in the field subject to be matched, it assigns a list of all detected patterns to the _mp_result field.

Syntax

mpsearch FIELD [ SUBQUERY ]
Arguments
FIELD
Name of field to match multi-patterns.
[ SUBQUERY ]
Subquery to load the list of keyword patterns to be searched, enclosed in a pair of square brackets ([ ]).

Description

The output of the subquery must contain the expr, expr2, and rule string fields.

  • expr (required): Write it by combining strings into a boolean expression. The command quickly detects the corresponding string from the values of the strings of the field to be scanned and then checks whether it matches the expression.
  • expr2 (optional): If the boolean expression in the expr field is true, this selectively provides an opportunity to match further using the values in other fields.
  • rule (required): Provide the pattern identifier or name.

Examples of patterns are as follows:

Examples of pattern

expr (required)expr2 (optional)rule (required)
Keyword pattern: Primary high-speed detectionBoolean expression: Secondary filteringPattern name
"addextendedproc" and "xp_cmdshell" xp_cmdshell
"REMOTE_ADDR" and ("fputs" or "fwrite")path == "lib.php"zb now_connect

If only the xp_cmdshell pattern is detected, the value of the _mp_result field is as follows:

[ { "expr": "\"addextendedproc\" and \"xp_cmdshell\"", "rule": "xp_cmdshell" } ]

Usage

Match multi-patterns to the signature field by loading the pattern list from the external DB.

mpsearch signature [
    dbquery RULE_DB select rule, expr, expr2 from web_rules
]