Farsight Compatible Regular Expressions (FCRE)

DNSDB Farsight Compatible Regular Expressions (FCRE) provides regular expression (regexp) functionality for searching DNS hostnames and rdata values in DNSDB. The regexp searches are evaluated against the DNS master file form of the hostnames and rdata values, which by design contains only printable ASCII characters. All non-printable characters, including octets outside the ASCII range, are converted to “\DDD” escape sequences, where “DDD” is a three-digit decimal number per RFC 1035 (https://tools.ietf.org/html/rfc1035). This is only applicable to RData (RHS) queries.

For this limited use case, DNSDB FCRE provides a simplified subset of the POSIX Extended Regular Expression syntax, with the most notable restrictions being:

  1. Only printable characters are allowed in a regexp.
  2. Hexadecimal or octal escape sequences are not allowed in a regexp.
  3. Only special characters may be escaped with ‘\’. Note that ‘]’ and ‘}’ are not considered special characters, but ‘[’ and ‘{’ are.
  4. POSIX collating elements (e.g., [=ch=], [.a.]) in character classes are not supported. The sequences [= and [. are not allowed in character classes.
  5. As in POSIX regexps, the character ‘\’ has no special meaning within a character class, so the class [\w] matches the characters ‘\’ or ‘w’.
  6. Capturing groups and backreferences are not supported.

Note that restriction (3) means that PCRE extensions such as ‘\w’ and ‘\d’ are not allowed in FCRE regexps.

Regexp Syntax

A regular expression is a string of printable characters, with the following characters given special meaning:

Character Class Syntax

A character class is a set of characters enclosed between an opening ‘[’ and a closing ‘]’. Within the character class, the following characters are handled specially:

The sequences [. and [= are not allowed between the opening [ or [^ and the closing ], to prevent confusion with unsupported POSIX collation sequences and collation classes.

If the sequence [: appears in a character class, it must be the beginning of one of the following POSIX character classes:

The above named character classes must appear inside an enclosing [ and ], e.g. [[:digit:][:punct:]] to match a digit or punctuation character. Without the enclosing brackets, [:digit:] will match the characters :, d, i, g, or t.

Neither the above character classes nor a character range may begin or end a character range. For example, the character class expressions [0-[:alpha:]] and [a-n-z] are invalid.

All other characters between the opening [ or [^ and the closing ] are added to the character class, including the backslash \ character.

There is no way to express a character class containing a single ^ character: an escaped \^ should be used instead of a character class.
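
The restrictions and character class rules above can be checked before a regexp is submitted. The following Python lint is an added example, not Farsight's code. The set of special characters, the list of POSIX class names, the printable range and the treatment of a leading ‘]’ are assumptions, since this page does not show them.

```python
import re

# Assumption: specials are the POSIX ERE set. The page confirms only that
# '[' and '{' are special while ']' and '}' are not.
SPECIAL = set(".[\\()*+?{|^$")
# Assumption: standard POSIX class names (the page's own list is not shown).
POSIX_CLASSES = {"alnum", "alpha", "blank", "cntrl", "digit", "graph",
                 "lower", "print", "punct", "space", "upper", "xdigit"}
NAMED = re.compile(r"\[:([a-z]*):\]")

def fcre_lint(pattern):
    """Return a list of problems; range rules such as [a-n-z] are not checked."""
    problems = []
    if any(not 0x20 <= ord(c) <= 0x7E for c in pattern):  # assumed printable range
        problems.append("non-printable character in regexp")
    i = 0
    while i < len(pattern):
        if pattern[i] == "\\":  # outside a class, only specials may be escaped
            nxt = pattern[i + 1:i + 2]
            if nxt not in SPECIAL:
                problems.append(f"invalid escape '\\{nxt}' at offset {i}")
            i += 2
        elif pattern[i] == "[":
            i = lint_class(pattern, i, problems)
        else:
            i += 1
    return problems

def lint_class(pattern, start, problems):
    """Check the character class opening at start; return the offset after it."""
    i = start + 1
    if pattern.startswith("^", i):
        i += 1
    body_start = i
    if pattern.startswith("]", i):  # assumption: POSIX rule, a leading ']' is literal
        i += 1
    while i < len(pattern) and pattern[i] != "]":
        m = NAMED.match(pattern, i)
        named = bool(m) and m.group(1) in POSIX_CLASSES
        if pattern.startswith(("[=", "[."), i):
            problems.append(f"'{pattern[i:i + 2]}' in class at offset {i}")
        elif pattern.startswith("[:", i) and not named:
            problems.append(f"'[:' at offset {i} does not begin a named class")
        i = m.end() if named else i + 1
    if i >= len(pattern):
        problems.append(f"unterminated character class at offset {start}")
    elif re.fullmatch(r":[a-z]+:", pattern[body_start:i]):  # e.g. bare [:digit:]
        problems.append(f"'{pattern[start:i + 1]}' matches literal characters only")
    return i + 1
```
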

Important notes

Examples

Some example regular expressions and some of the matching values

Additional Information
