
I am trying to build a signature-based intrusion detection system, but when matching regexes against payloads, I encountered an expression beginning with a caret ^, which means match at the beginning of a line in regular expressions.

What I wanted to be sure of is should this be at the beginning of the entire payload or simply anywhere in the payload after a newline \n.

Robin
ashish

1 Answer


By default, ^ stands for the beginning of the string.

So assuming you're treating your whole payload (newline included) as a single string, ^ will mean at the beginning of the payload.

If you want to change this behavior you need to turn on the multiline flag m by adding (?m) at the beginning of your regex (depending on the language you're using, there might be other ways of doing so).

This flag will make ^ and $ match the beginning and end of a line, the beginning and end of the string becoming available with \A and \Z.

Robin
  • Thanks for the reply. I am actually writing my own parser to match regular expressions so I needed to make sure I am doing it right. – ashish Mar 18 '14 at 15:32
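The anchoring behaviour described in the answer, shown on a payload with Python's `re` module; this is an added example, not part of the original question or answer. The `USER root` signature, the payloads and the function names are constructed for illustration, and the last check goes slightly beyond the answer by showing how `$` behaves on CRLF line endings.

```python
import re

# Constructed sample payloads (bytes, as they would come off the wire).
PAYLOAD_START = b"USER root\r\nPASS example\r\n"          # token is the first line
PAYLOAD_LATER = b"NOOP\r\nUSER root\r\nPASS example\r\n"  # token is on a later line

# Hypothetical signature: a line beginning with "USER root".
SIG = rb"^USER root"


def match_offsets(pattern: bytes, payload: bytes) -> list:
    """Return the start offset of every match of pattern in payload."""
    return [m.start() for m in re.finditer(pattern, payload)]


def evaluate(payload: bytes) -> dict:
    """Run the signature under the three anchoring modes from the answer."""
    return {
        # No flag: ^ matches only at offset 0 of the whole payload.
        "default": match_offsets(SIG, payload),
        # (?m): ^ also matches immediately after every \n.
        "multiline": match_offsets(rb"(?m)" + SIG, payload),
        # \A: start of the payload, even with (?m) switched on.
        "abs_start": match_offsets(rb"(?m)\AUSER root", payload),
    }


def crlf_end_anchor(payload: bytes) -> dict:
    """With (?m), $ matches just before \\n, so a \\r left by CRLF blocks it."""
    return {
        "strict": match_offsets(rb"(?m)^USER root$", payload),
        "crlf_aware": match_offsets(rb"(?m)^USER root\r?$", payload),
    }


if __name__ == "__main__":
    for name, payload in (("start", PAYLOAD_START), ("later", PAYLOAD_LATER)):
        print(name, evaluate(payload), crlf_end_anchor(payload))
```

A signature engine that treats the payload as one string will miss the second payload unless the rule carries the multiline flag, and a rule ending in `$` needs to account for `\r` when the protocol uses CRLF.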