Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Custom IPS and Application Control Signature Syntax Guide

    Home IPS Engine 7.2.0 Custom IPS and Application Control Signature Syntax Guide
    7.2.0
    7.6.0
    7.4.0
    7.2.0
    7.1.0
    7.0.0
    6.4.0
    6.2.0
    5.2.0
    3.6.0

    pcre

    pcre

    Use the pcre keyword to specify the content to match using Perl Compatible Regular Expression (PCRE). For the PCRE syntax, please refer to http://perldoc.perl.org/perlre.html.

    The pattern to be matched must be enclosed in double quotation marks and followed by a semicolon. Certain special characters must be written as noted in the table below.

    Special character

    Expression

    "

    \x22

    ;

    \x3B or \x3b

    /

    \x2F or \x2f
    Note

    The IPS Engine handles PCRE a lot slower compared to normal pattern matching. PCRE should be used very carefully, especially for signatures that detect traffic from HTTP servers or traffic that does not specify a port.
    Syntax:
    --pcre [!]"/<regular expression>/[<op>]";

    The optional use of [!] indicates the content is matched if it does not appear.

    <op>

    Description

    i

    Case insensitive

    s

    Include new lines in the dot (.) meta character

    m

    By default, the string is treated as one big line of characters. ^ and $ match at the beginning and ending of the string. When you set m, ^ and $ match immediately following or immediately before any new line in the buffer, as well as the very start and very end of the buffer.

    x

    White space data characters in the pattern are ignored except when escaped or inside a character class.

    A

    The pattern must match only at the start of the buffer (same as ^).

    E

    Set $ to match only at the end of the subject string. Without E, $ also matches immediately before the final character if it is a newline, but not before any other newlines.

    G

    Inverts the greediness of the quantifiers so that they are not greedy by default, but become greedy if followed by "?".
    Example:
    --pcre "/\sLIST\s[^\n]*?\s\{/smi";
    Previous
    Next

    pcre

    pcre

    Use the pcre keyword to specify the content to match using Perl Compatible Regular Expression (PCRE). For the PCRE syntax, please refer to http://perldoc.perl.org/perlre.html.

    The pattern to be matched must be enclosed in double quotation marks and followed by a semicolon. Certain special characters must be written as noted in the table below.

    Special character

    Expression

    "

    \x22

    ;

    \x3B or \x3b

    /

    \x2F or \x2f
    Note

    The IPS Engine handles PCRE a lot slower compared to normal pattern matching. PCRE should be used very carefully, especially for signatures that detect traffic from HTTP servers or traffic that does not specify a port.
    Syntax:
    --pcre [!]"/<regular expression>/[<op>]";

    The optional use of [!] indicates the content is matched if it does not appear.

    <op>

    Description

    i

    Case insensitive

    s

    Include new lines in the dot (.) meta character

    m

    By default, the string is treated as one big line of characters. ^ and $ match at the beginning and ending of the string. When you set m, ^ and $ match immediately following or immediately before any new line in the buffer, as well as the very start and very end of the buffer.

    x

    White space data characters in the pattern are ignored except when escaped or inside a character class.

    A

    The pattern must match only at the start of the buffer (same as ^).

    E

    Set $ to match only at the end of the subject string. Without E, $ also matches immediately before the final character if it is a newline, but not before any other newlines.

    G

    Inverts the greediness of the quantifiers so that they are not greedy by default, but become greedy if followed by "?".
    Example:
    --pcre "/\sLIST\s[^\n]*?\s\{/smi";
    Previous
    Next