Using Regular Expressions
Overview
For various configuration options within Zeus Application Server you can use regular expressions to define criteria. Regular expressions provide powerful and complex pattern matching functions. This guide is intended to supplement the original configuration documentation; where differences appear, the original documentation should be assumed correct.
Regular Expressions in Zeus Applications
Extended regular expressions are a powerful means of matching textual patterns. They are used extensively in dynamic configuration files for matching DNS names, IP numbers, files and directories. Regular expressions can provide finer control than simple wildcards, but unless constructed correctly they can leave holes in your system. This document is not intended as a full tutorial on regular expressions, nor is it a regular expression reference. It is a simple guide to using regular expressions to safely match the typical patterns encountered in the dynamic configuration files, especially IP numbers and DNS names. For a full explanation of extended regular expressions users should consult a good tutorial such as Mastering Regular Expressions by Jeffrey E. F. Friedl, published by O'Reilly Associates, ISBN 1-56592-257-3.
Extended Regular Expression Syntax
Extended regular expressions are made up of a sequence of text characters, in which some characters have a special meaning. The special characters are outlined below.
Expression   Matches
ABC          Literal "ABC"
(ABC|DEF)    Literal "ABC" or literal "DEF"
[0-6]        Any single digit 0, 1, 2, 3, 4, 5 or 6
[a-z]        Any single lower case letter
[XYZ]        X or Y or Z
.            Any single character
x*           0 or more x's
x+           1 or more x's
^            Anchor to start of line
$            Anchor to end of line
\.           Escaped to give a "." character
\*           Escaped to give a "*" character
\+           Escaped to give a "+" character
\^           Escaped to give a "^" character
\$           Escaped to give a "$" character
\\           Escaped to give a "\" character
Escaped Characters
As the characters ".", "*", "+", "^", "$" and "\" have special meanings within an extended regular expression, they must be escaped when they are wanted as literal characters. This is done by prefixing them with a "\" character. This becomes important when specifying IP numbers and DNS names, which use the "." character as a separator. A common error is to use an unescaped ".", which will match any character.
Example
Using 192.123.2.[1-254] to match the local subnet 192.123.2.255 might appear reasonable, but it will also match the subnets 192.123.21.255, 192.123.22.255, 192.123.23.255, right up to 192.123.254.255. This occurs because the "." matches any character, including additional digits. Note also that an extended regular expression has no numeric ranges: [1-254] is a character class matching the single digits 1, 2, 4 or 5, so a last octet of 1 to 254 has to be written as an alternation. The correct extended regular expression should have been 192\.123\.2\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-4]).
Using Anchors
Anchors allow the regular expression to be tied to the start or end of the text to be searched. This is particularly significant for DNS names: without anchoring, your extended regular expression may match hosts outside of your specification.
Example
Using the extended regular expression \.smith\.com to protect documents within smith.com isn't sufficient. A malicious individual who controls their own domain could create a host called smith.com.mycompany.com, which would also match. Using the "$" anchor (\.smith\.com$) would insist that smith.com is the end of the line.
Using 10\.0\.0\.14$ isn't sufficient to match 10.0.0.14 either, as it allows 110.0.0.14 and 210.0.0.14. The start of the extended regular expression needs to be anchored using the "^" character to give ^10\.0\.0\.14$. Anchoring both the start and the end of the expression is good practice whenever possible.
Be Precise
When creating extended regular expressions, especially for access control and authentication, you should be as precise as possible. Any holes left in the extended regular expressions could allow unauthorised clients access to your information. It is better to be too precise and relax the expressions when needed than to be too relaxed and end up paying the price.
Simple Examples
To help you create your own access policies we'll list some examples which you can use as starting points.
IP Addresses
To restrict access to:            Extended regular expression
single host 10.0.0.14             ^10\.0\.0\.14$
hosts 10.0.0.14 and 10.0.0.15     ^10\.0\.0\.1[45]$
the 10.0.0.255 subnet             ^10\.0\.0\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-4])$
Note that "|" has no special meaning inside a character class, so [14|15] would match only a single "1", "4", "|" or "5", and [1-254] only a single "1", "2", "4" or "5"; the forms above spell the intended host numbers out.
DNS Names
To restrict access to:                     Extended regular expression
single host pc1.zeus.co.uk                 ^pc1\.zeus\.co\.uk$
hosts pc1 and pc2 at zeus.co.uk            ^pc[12]\.zeus\.co\.uk$
hosts pc1 to pc10 at zeus.co.uk            ^pc([1-9]|10)\.zeus\.co\.uk$
any host at zeus.co.uk                     .+\.zeus\.co\.uk$
any host at zeus.co.uk or partner.co.uk    .+\.(zeus|partner)\.co\.uk$
The last two examples are not anchored at the start of the expression because the "." will match any character. Although anchoring the expression would still result in a match, it is pointless and could lead to ambiguity or a false sense of security.
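The following script is an added example, not part of the original Zeus documentation, that runs the loose and corrected expressions from this guide against a constructed list of client names and addresses and reports what each form accepts. It uses Python's re module as a stand-in for the server's extended regular expression engine; for the constructs used here (anchors, escaped dots, character classes, alternation) the two behave the same. All host names and addresses in it are constructed sample data.

```python
import re

# Constructed sample input (not from the original page): client names and
# addresses of the kind an access-control expression is evaluated against.
DNS_CANDIDATES = [
    "pc1.zeus.co.uk", "pc2.zeus.co.uk", "pc10.zeus.co.uk", "pc19.zeus.co.uk",
    "www.smith.com", "www.smith.com.mycompany.com",
]
IP_CANDIDATES = [
    "10.0.0.1", "10.0.0.4", "10.0.0.14", "10.0.0.15", "10.0.0.100",
    "10.0.0.254", "10.0.0.255", "110.0.0.14", "192.123.21.255",
]

# An ERE has no numeric ranges: "[1-254]" is the character class {1, 2, 4, 5}.
# A last octet of 1 to 254 has to be spelled out as an alternation.
OCTET_1_TO_254 = r"([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-4])"


def accepted(pattern, candidates):
    """Candidates accepted by an unanchored search, which is how a regex-based
    access rule evaluates a client name or address; input order is preserved."""
    rx = re.compile(pattern)
    return [c for c in candidates if rx.search(c)]


def compare(loose, strict, candidates):
    """(accepted only by loose, accepted only by strict): the first list is the
    hole in the policy, the second is what the loose form silently drops."""
    a, b = accepted(loose, candidates), accepted(strict, candidates)
    return [c for c in a if c not in b], [c for c in b if c not in a]


# Each entry: (expression with a common mistake, corrected expression, candidates)
CHECKS = [
    (r"\.smith\.com", r"\.smith\.com$", DNS_CANDIDATES),               # no end anchor
    (r"10\.0\.0\.14$", r"^10\.0\.0\.14$", IP_CANDIDATES),              # no start anchor
    (r"^10\.0\.0\.[14|15]$", r"^10\.0\.0\.1[45]$", IP_CANDIDATES),     # "|" inside [ ]
    (r"^10\.0\.0\.[1-254]$", r"^10\.0\.0\." + OCTET_1_TO_254 + "$", IP_CANDIDATES),
    (r"^PC1[0-9]\.zeus\.co\.uk$", r"^pc([1-9]|10)\.zeus\.co\.uk$", DNS_CANDIDATES),
]

if __name__ == "__main__":
    for loose, strict, cands in CHECKS:
        only_loose, only_strict = compare(loose, strict, cands)
        print(f"{loose}\n  lets through: {only_loose}\n  misses:       {only_strict}")
```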