HP Host Intrusion Detection System (HIDS) manual Unix Regular Expressions, Examples, 126

NOTE

Examples

NOTE

UNIX Regular Expressions

UNIX regular expressions are supported to specify template directory and file properties.

Template properties that specify pathnames (e.g.: pathnames_to_watch,

pathnames_to_not_watch, pathnames_X, programs_X, etc.) are interpreted as UNIX regular expressions. See the regexp(5) man page for a description of regular expressions and pattern matching notations. To match a specific file, you must use the anchor characters ^ and $ (e.g.: ^/etc/passwd$). To match any file in a particular directory, you must use the ^ anchor character and a trailing backslash (e.g.: ^/stand/).

Care must be taken to correctly specify pathnames using regular expressions. For instance, if the regular expression /var/t/* is changed to /var/t*, then the new regular expression will match any pathname that contains the substring /var/ because the * operator matches 0 or more occurences of the t character. Likewise, if the regular expression ^/opt” is changed to /opt, the new regular expression will be significantly different and much more encompassing. The regular expression /opt will match any pathname that contains the /opt substring including those pathnames that do not start with /opt, such as /dir1/opt2/file1, and those pathnames that do not start with /opt.

The following examples illustrate the nuances of regular expressions:

•The regular expression /home matches any file that contains "/home" in its pathname, such as /dir1/home, /dir1/hometown, /dir1/home2 and /home2/file1.

•The regular expression ^/home matches any file whose pathname starts with "/home", such as /hometown, /home/file1, and /home2/file2.

•The regular expression ^/home/ matches any file under the "/home" directory, such as

/home/file1 and /home/dir1/file2.

•The regular expression ^/home$ exactly matches the /home directory or file.

•The regular expression /.rhosts matches any file on the system that contains a slash followed by rhosts, such as /dir1/arhosts, /1rhosts, /.rhosts and /home/<user>/.rhosts.

•The regular expression /\.rhosts$ matches any .rhosts file on the system, such as /.rhosts and /home/<user>/.rhosts. Notice the use of the backslash character to escape the special dot (.) character.

•The regular expression ^/\.rhosts$ exactly matches the .rhosts file in the root directory

•The regular expression ^/home/[^/]*/\.rhosts$ matches all /.rhosts files in home directories.

The special pattern matching scheme in previous versions of HIDS is no longer supported.