REGEX – What a pain…

As I have embarked on my path towards the CCIE I have come across a lot that I am not familiar with.  One of those that has given me great pause has been regex.  At its surface it seems simple enough text matching.  As I have gone through my studies it has been anything but.  I am still learning all of the nuances of this and luckily I have had some projects at work that have helped strengthen that knowledge.  So here are some of the regex’s that I have been working on for work and why I did them.

We are whitelisting allowed websites on our Websense appliance initially I went with this webex:

(http://|https://) *.facebook.com

Yes we do allow Facebook from our registers, we are a hip social company and our stores need to be able to inform the kids as to what is going on.

However I ran into an issue when some did something like this and was able to bypass the whitelist or I guess I should say was able to use the whitelist to get out:

http://www.yahoo.com/?www.facebook.com

I then did some looking and realized what I needed to do was disallow special characters before the domain.  DNS doesn’t allow for certain special characters to be in the domain name and they should never show up between http:// or https:// and the domain name, so I then came up with this:

(http://|https://)[^/?//()]*.facebook.com

That managed to fix everything, the pen tester’s weren’t able to get past it and it managed to save us a fair bit of trouble.  However I ran into one additional problem, what happens if the website or the user didn’t put a subdomain in front of facebook.com?  Well then it would fail.  So I ended up going with this regex which has solved all of my problems and everything seems to be working fine now.

(http://|https://)[^/?//()]*facebook.com

Throughout all of this I was using the ASA as my primary vehicle for testing the regex expressions.  With the command:

Test regex (regex) (pattern to match)

caasa1(config)# test regex http://www.facebook.com “(http://|https://)[^///()]*facebook.com”
INFO: Regular expression match succeeded.

caasa1(config)# test regex http://www.yahoo.com/?www.facebook.com “(http://|https://)[^///()?]*facebook.com”
INFO: Regular expression match failed.

The only main gotcha with this is remember to hit ctrl+v before you put in the ? or the ASA will think you are querying for help and take you to the help menu.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.