Product Documentation

Using Pattern Sets and Data Sets

Aug 31, 2016

Default syntax policy expressions that take pattern sets or data sets as an argument can be used to perform string matching operations.

The usage is as follows:
<text>.<operator>("<name>")

where,

  • <text> is the expression that identifies a string in a packet. Example: HTTP.REQ.HEADER("Host").
  • <operator> is one of the operators described in the following table.
    Table 1. Operators for pattern sets and data sets
    Operator Description
    <text>.CONTAINS_ANY(<name>) Returns true if the target text contains one or more of the patterns defined in the specified pattern set or data set.
    <text>.SUBSTR_ANY(<name>) Returns the first string that matches any pattern defined in the specified pattern set or data set.
    <text>.BEFORE_STR_ANY(<name>) Returns the text that is present before the first occurrence of any of the patterns defined in the specified pattern set or data set.
    <text>.AFTER_STR_ANY(<name>) Returns the text that is present after the first occurrence of any of the patterns defined in the specified pattern set or data set.
    <text>.EQUALS_ANY (<name>) Returns true if the target text exactly matches any of the patterns defined in the specified pattern set or data set.
    <text>.ENDSWITH_ANY(<name>) Returns true if the target text ends with any of the patterns that are defined in the specified pattern set or data set.
    <text>.STARTSWITH_ANY(<name>) Returns true if the target text starts with any of the patterns that are defined in the specified pattern set or data set.
    <text>.STARTSWITH_INDEX(<name>) Evaluates whether the target text starts with any of the patterns that are defined in the specified pattern set or data set. If a match is found, the index of the matching pattern is returned. Otherwise, 0 is returned.
    <text>.ENDSWITH_INDEX(<name>) Evaluates whether the target text ends with any of the patterns that are defined in the specified pattern set or data set. If a match is found, the index of the matching pattern is returned. Otherwise, 0 is returned.
    <text>.CONTAINS_INDEX(<name>) Evaluates whether the target text contains any of the patterns that are defined in the specified pattern set or data set. If a match is found, the index of the matching pattern is returned. Otherwise, 0 is returned.
    <text>.EQUALS_INDEX(<name>) Evaluates whether the target text exactly matches any of the patterns that are defined in the specified pattern set or data set. If an exact match is found, the index of the pattern is returned. Otherwise, 0 is returned.
  • <name> is the name of the pattern set or data set

For sample usage, see "Sample Usage."