Creating A Regular Expression - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI

Chapter 20
Using Modular Policy Framework
Where the application is the application you want to inspect. For a list of supported applications, see the CLI
help or see Chapter 22, "Applying Application Layer Protocol Inspection."
The class_map_name argument is the name of the class map up to 40 characters in length.
The match-all keyword is the default, and specifies that traffic must match all criteria to match the class
map.
The CLI enters class-map configuration mode, where you can enter one or more match commands.
Step 3
(Optional) To add a description to the class map, enter the following command:
hostname(config-cmap)# description string
Step 4
Define the traffic to include in the class by entering one or more match commands available for your
application.
To specify traffic that should not match the class map, use the match not command. For example, if the
match not command specifies the string "example.com," then any traffic that includes "example.com"
does not match the class map.
To see the match commands available for each application, see Chapter 22, "Applying Application
Layer Protocol Inspection."
The following example creates an HTTP class map that must match all criteria:
hostname(config-cmap)# class-map type inspect http match-all http-traffic
hostname(config-cmap)# match req-resp content-type mismatch
hostname(config-cmap)# match request body length gt 1000
hostname(config-cmap)# match not request uri regex class URLs

Creating a Regular Expression

A regular expression matches text strings either literally as an exact string, or by using metacharacters
so you can match multiple variants of a text string. You can use a regular expression to match the content
of certain application traffic; for example, you can match a URL string inside an HTTP packet.
Use Ctrl+V to escape all of the special characters in the CLI, such as question mark (?) or a tab. For
example, type d[Ctrl+V]?g to enter d?g in the configuration.
See the regex command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall
Services Module Command Reference for performance impact information when matching a regular
expression to packets.
Note
As an optimization, the FWSM searches on the deobfuscated URL. Deobfuscation compresses multiple
forward slashes (/) into a single slash. For strings that commonly use double slashes, like "http://", be
sure to search for "http:/" instead.
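
The Note above, combined with the match not request uri regex class URLs line from the earlier class map, modeled in Python as an added example that is not part of the Cisco manual: a pattern written with "http://" can never match the deobfuscated URL, so the match not exclusion silently does nothing. The sample request, the patterns placed in URLs, and the rule that any regex hit in the class counts are assumptions; Python's re module stands in for the FWSM regex engine.

```python
import re

def deobfuscate(uri):
    # Per the Note: runs of forward slashes are compressed into a single slash.
    return re.sub(r"/{2,}", "/", uri)

def uri_in_class(uri, patterns):
    # Search the deobfuscated URI; assumed here: any regex in the class is a hit.
    target = deobfuscate(uri)
    return any(re.search(p, target) for p in patterns)

def http_traffic_matches(req, url_patterns):
    # match-all: every criterion must hold for the class map to match.
    criteria = [
        req["content_type_mismatch"],                # match req-resp content-type mismatch
        req["body_length"] > 1000,                   # match request body length gt 1000
        not uri_in_class(req["uri"], url_patterns),  # match not request uri regex class URLs
    ]
    return all(criteria)

def unreachable_patterns(patterns):
    # A literal "//" cannot occur in a deobfuscated URI, so such a regex is dead.
    return [p for p in patterns if "//" in p]

# Constructed sample data (not from the manual).
REQUEST = {
    "uri": "http://intranet.example.com/upload",
    "content_type_mismatch": True,
    "body_length": 4096,
}
URLS_AS_TYPED = [r"http://intranet\.example\.com"]   # double slash: never matches
URLS_CORRECTED = [r"http:/intranet\.example\.com"]   # single slash, as the Note advises

if __name__ == "__main__":
    # Exclusion intended, but the dead regex lets the class map match anyway.
    print("as typed  ->", http_traffic_matches(REQUEST, URLS_AS_TYPED))
    # With the single-slash pattern the URI is excluded as intended.
    print("corrected ->", http_traffic_matches(REQUEST, URLS_CORRECTED))
    print("dead regexes:", unreachable_patterns(URLS_AS_TYPED + URLS_CORRECTED))
```

Running unreachable_patterns over the regexes in a configuration before deployment is a quick way to catch exclusions that will never fire.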
Table 20-1 lists the metacharacters that have special meanings.

Configuring Special Actions for Application Inspections (Inspection Policy Map)
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
