regex pcre snort suricata

Regex PCRE matching on a URL with multiple parameters random values


Sample GET request I want to match on with regex PCRE:

random.php?blue=value1&green=value2&red=value3&orange=value4&grey=value5&black=value6

Facts:

random.php - The filename is random, only the ".php?" is fixed

I have about 10 colors defined as parameters

No specific order to the colors - .php?blue=[a-zA-Z0-9]{1,20}

Can be just 2 colors as parameters, or all the 10, but I want to match on all GET requests, multiple parameters are joined with &

Values are always between 1-20 characters and alphanumerical - .php?blue=[a-zA-Z0-9]{1,20}

How would you approach this?


Solution

  • Perhaps something like:

    [^\s/?]+\.php\?((?:blue|orange|red|black)=[a-zA-Z0-9]{1,20})(?:&(?1)){1,9}(?:$|#.*)
    

    (complete with the colours you want)

    (?1) is a reference to the first capture group subpattern.

    I added support for an eventual anchor part #.*. Feel free to remove it if you don't need or want it.
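
An added example, not part of the original answer: a Python harness for checking the pattern against sample URIs before it goes into a Snort/Suricata `pcre` option. Python's `re` has no `(?1)` subroutine call, so the parameter subpattern is repeated as text instead; the colour list holds only the four names from the answer, and the sample URIs and function names are constructed for illustration.

```python
import re

# Assumption: only these four names appear in the answer; extend with the full list.
COLOURS = ["blue", "orange", "red", "black"]

def build_pattern(colours, max_params=10):
    """Return the answer's pattern in a form Python's re accepts."""
    pair = "(?:%s)=[a-zA-Z0-9]{1,20}" % "|".join(re.escape(c) for c in colours)
    # PCRE's (?1) re-runs group 1; re lacks subroutine calls, so repeat the text.
    extra = "(?:&%s){1,%d}" % (pair, max_params - 1)
    return re.compile(r"[^\s/?]+\.php\?" + pair + extra + r"(?:$|#.*)")

PATTERN = build_pattern(COLOURS)

def matches(uri):
    # search() is unanchored on the left, like a pcre option applied to the URI.
    return PATTERN.search(uri) is not None

# Constructed sample URIs covering the constraints listed in the question.
SAMPLES = [
    "/random.php?blue=value1&red=value3",       # two known parameters
    "/x.php?red=abc&blue=1&black=Z9#frag",      # any order, with fragment
    "/x.php?blue=1&blue=2",                     # duplicates are not rejected
    "/x.php?blue=value1",                       # one parameter: {1,9} needs a second
    "/x.php?blue=value1&pink=value2",           # name outside the list
    "/x.php?blue=" + "a" * 21 + "&red=1",       # value longer than 20
    "/x.php?blue=a-b&red=1",                    # non-alphanumeric value
    "/x.php?blue=1&red=2&extra=3",              # unknown trailing parameter
    "/x.php?blue=1" + "&red=2" * 10,            # 11 parameters, above the cap
]

def run_samples():
    """Map each sample URI to whether the pattern matches it."""
    return {uri: matches(uri) for uri in SAMPLES}

if __name__ == "__main__":
    for uri, hit in run_samples().items():
        print("MATCH   " if hit else "no match", uri)
```

The single-parameter and unknown-trailing-parameter cases show where the pattern is stricter than "any request with these parameters", and the duplicate case shows it does not enforce that each colour appears once.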