000035347 - Cannot use the semicolon character in regular expressions with RSA Web Threat Detection

Document created by RSA Customer Support Employee on Jan 13, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035347
Applies ToRSA Product Set: Web Threat Detection
RSA Product/Service Type: Mitigator
RSA Version/Condition: 5.x, 6.x
IssueRSA Web Threat Detection looks to have an issue when the semicolon (;) character is included in a regex for a register, as shown in the example below.

Register Type: IP Register Name: idevice Register Value: Txn('HEADERS')=~/((?:iphone|ipad)\;.{2,30})/ic

When entering a rule it will not accept the rule with the semicolon. RSA Web Threat Detection will accept the rule entry if the semicolon character is removed.  
ResolutionRSA Web Threat Detection only supports a certain flavor of regex syntax. 
If you look in the help sections you will see a reference to the boost.org syntax that is used with RSA Web Threat Detection, which is Perl-based regex.  See the references below.
You can search online for a website or tool that can evaluate Perl-based regex syntax. 
Look over the documents to see how you could express in the Perl syntax as defined by boost.org.  If you are having problems then contact RSA Customer Support and quote this article number for further assistance.