Regular Expression Syntax

Currently OSSEC supports two regex syntaxes:

  • OS_Regex or regex
  • OS_Match or sregex

OS_Regex/regex Syntax

A fast and simple regular expression library written in C.

This library is designed to be simple, but support the most common regular expressions. It was designed with intrusion detection systems in mind, where having all options is not crucial, but speed is.

Supported expressions:

\w  ->  A-Z, a-z, 0-9, '-', '@' characters
\d  ->  0-9 characters
\s  ->  For spaces " "
\t  ->  For tabs.
\p  ->  ()*+,-.:;<=>?[]!"'#$%&|{} (punctuation characters)
\W  ->  For anything not \w
\D  ->  For anything not \d
\S  ->  For anything not \s
\.  ->  For any character

Modifiers:

+  ->  To match one or more times (eg \w+ or \d+)
*  ->  To match zero or more times (eg \w* or \p*)

Special Characters:

^ -> To specify the beginning of the text.
$ -> To specify the end of the text.
| -> To create an "OR" between multiple patterns.

Characters Escaping

To match the following characters literally, they must be escaped:

$ -> \$
( -> \(
) -> \)
\ -> \\
| -> \|

OS_Match/sregex Syntax

Faster than OS_Regex/regex, but it only supports plain substring matching plus the following special characters.

Special Characters:

^ -> To specify the beginning of the text.
$ -> To specify the end of the text.
| -> To create an "OR" between multiple patterns.
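The following Python is an added example, not OSSEC's own code and not derived from the C library's source. It models both dialects described above (the OS_Regex table and the OS_Match list) so a rule author can check what a pattern is likely to hit before deploying it. Everything about how the dialects behave is taken from the tables on this page, and the rest is an assumption: bare `(` and `)` are treated as grouping because the page says they must be escaped to be literal, an unanchored pattern matches anywhere in the line, `|` is alternation, and a bare `.` is a literal dot. The sample log lines are constructed, not real OSSEC output.

```python
"""Model of the two OSSEC pattern dialects described on this page.

Added example written from the tables above, not OSSEC's implementation.
The mapping onto Python's ``re`` is an assumption and is meant for
checking what a pattern is likely to match, not as a reference.
"""
import re

# Character classes exactly as the OS_Regex table lists them.
_WORD = r"A-Za-z0-9@\-"                       # \w
_PUNCT = r"""()*+,\-.:;<=>?\[\]!"'#$%&|{}"""  # \p
_CLASSES = {
    "w": f"[{_WORD}]",
    "d": r"[0-9]",
    "s": r" ",          # \s is a literal space only, not a tab or newline
    "t": r"\t",
    "p": f"[{_PUNCT}]",
    "W": f"[^{_WORD}]",
    "D": r"[^0-9]",
    "S": r"[^ ]",
    ".": r".",          # \. means "any character"
}
# Characters that must be escaped in OS_Regex to be matched literally.
_LITERALS = {"$": r"\$", "(": r"\(", ")": r"\)", "\\": r"\\", "|": r"\|"}


def os_regex_to_python(pattern: str) -> str:
    """Translate an OS_Regex pattern into an equivalent Python regex.

    Assumptions: ^ $ | + * keep their meaning; bare ( and ) are grouping
    (the page says they must be escaped to be literal); every other
    character, including a bare '.', is a literal.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("trailing backslash")
            nxt = pattern[i + 1]
            if nxt in _CLASSES:
                out.append(_CLASSES[nxt])
            elif nxt in _LITERALS:
                out.append(_LITERALS[nxt])
            else:
                raise ValueError(f"unsupported escape \\{nxt}")
            i += 2
            continue
        if c in "^$|+*()":
            out.append(c)
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def os_regex_match(pattern: str, text: str) -> bool:
    """True if the OS_Regex pattern matches anywhere in text."""
    return re.search(os_regex_to_python(pattern), text) is not None


def os_match(pattern: str, text: str) -> bool:
    """OS_Match / sregex: substring test where only ^, $ and | are special."""
    for alt in pattern.split("|"):
        if not alt:
            continue
        at_start = alt.startswith("^")
        at_end = alt.endswith("$") and len(alt) > 1
        body = alt[1 if at_start else 0 : len(alt) - 1 if at_end else len(alt)]
        if at_start and at_end:
            hit = text == body
        elif at_start:
            hit = text.startswith(body)
        elif at_end:
            hit = text.endswith(body)
        else:
            hit = body in text
        if hit:
            return True
    return False


# Constructed sample log lines (not real OSSEC output).
SAMPLE_LINES = [
    "sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 2222 ssh2",
    "sshd[1235]: Accepted password for alice from 192.168.1.10 port 41022 ssh2",
    "su: FAILED SU (to root) alice on /dev/pts/1",
]


def matching_lines(pattern: str, dialect: str = "regex") -> list:
    """Return the sample lines a pattern hits under the chosen dialect."""
    test = os_regex_match if dialect == "regex" else os_match
    return [line for line in SAMPLE_LINES if test(pattern, line)]


if __name__ == "__main__":
    for dialect, pat in [
        ("regex", r"^sshd\p\d+\p: Failed password for \.+ from \d+.\d+.\d+.\d+ port \d+"),
        ("regex", r"FAILED SU \(to \w+\)"),
        ("sregex", r"Failed password|FAILED SU"),
        ("sregex", r"\d+"),  # sregex has no classes: this is the literal text \d+
    ]:
        print(f"{dialect:6} {pat!r} -> {len(matching_lines(pat, dialect))} line(s)")
```

The last sregex case is the one worth remembering: `\d+` in OS_Match is the literal three characters `\`, `d`, `+`, so it matches nothing in the samples. In OSSEC rule files `<match>` takes sregex while `<regex>` takes OS_Regex, so a class-based pattern placed in `<match>` silently fails to fire.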
