This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Albin_Petersson
Contributor
‎2021-01-28 08:53 AM

any guide available for checkpoint regexp?

helloes.

 

I've looked into creating some regexp rules, and they worked fine on R80.30 but not on R80.10. After some troubleshooting we gave up and have to do a different kind of syntax. But in the process i found sk165094 where a regexp is described, that at least i would say isn't a valid syntax. I'm not an expert on regexp though, so maybe it's a valid syntax?

 

are there any manual or documentation on "special" syntaxes that checkpoint has, or regexp in checkpoint in general?
That works on all R80 gateways independent of version?

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2021-01-28 01:06 PM

It's fairly standard regexp and should be the same across versions.
The main difference between R80.10 and R80.30 is the lack of SNI support.

0 Kudos
Albin_Petersson
Contributor
‎2021-01-29 04:22 AM
In response to PhoneBoy

well.. why does "\/" mean the same thing as ".*\." then? Or does it mean ".+\,"?
Is there anything internally that makes "\/" perform better?

I'm mostly confused. 😶

0 Kudos
PhoneBoy
Admin
Admin
‎2021-01-29 09:32 AM
In response to Albin_Petersson

Regular expressions are a double-edged sword: they are very powerful but can come with a significant performance impact if they are made too broad.
The more precise your regex is, the better.

I suspect your definition of “perform better” is “match what I want it to match.”
Precise examples would be helpful.

Note that any differences may also be related to bugs in the relevant release versus differences in regexp syntax.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-01-29 12:55 AM

RegEx has nothing to do with CheckPoint and is the same everwhere it is used. My best loved RegEx sites are these:

Online regex tester and debugger: PHP, PCRE, Python, Golang and JavaScript

RegExr: Learn, Build, & Test RegEx

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Bob_Zimmerman
Authority
Authority
‎2021-01-29 10:09 AM
In response to G_W_Albrecht

Part of the problem there is I haven't yet seen documentation saying which regular expression syntax Check Point uses. Basic? POSIX Extended? Linux Extended? PCRE? Java? This affects which characters are actually metacharacters (and therefore need to be escaped) and which character classes are available.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-01-29 10:58 AM
In response to Bob_Zimmerman

I know the answer to that from past internal discussions: PCRE.
More specifically, PCRE-DFA mode.
Some suggested sites for regex creation:

 

Bob_Zimmerman
Authority
Authority
‎2021-01-29 07:20 AM

I have been requesting information about Check Point's regular expression engine for a few years.

The match is definitely case-sensitive. There was an option to make it case-insensitive back in the R77 family, but it seems to have been removed in R80 and up. Plan for lots of [cC][hH][aA][rR][aA][cC][tT][eE][rR] [aA][lL][tT][eE][rR][nN][aA][tT][iI][oO][nN].

While I know it seems to construct an entire URL including scheme and path, I don't yet know if there is any normalization performed when constructing the URL. For example, is the name always lowercase? No idea. Domain names are case-insensitive, but paths are case-sensitive, so this kind of implementation detail determines how we can write expressions.

The match is definitely run against the whole URL including path, as when a coworker tried to use "\.[aA][rR]" to block access to Argentinian domains, it caught files such as "right.arrow.png" on otherwise allowed sites.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events