Character classes provide a way to specify that exactly one of a group of characters should be matched against. Character classes are denoted by square brackets—[]—that contain characters or ranges of characters to match against.
As an example, the character class [abc] will match either a, b, or c exactly once, so the first match when matching against the string Brothers in arms would be the a in arms.
Character classes can contain ranges of characters, specified by using a hyphen. One example is the common character class [a-z], which denotes any character between a and z. A similar class is [a-zA-Z] which means any character between a and z, or A and Z, matching characters regardless of their case. Note how the first range is a-z, and the second range A-Z is specified immediately following it without any space or other character in-between.
Ranges work equally well for digits, and [0-9] means any digit, whereas [0-3] means only the digits 0, 1, 2, and 3.
You can negate a character class by specifying a caret immediately following the opening bracket. This means that the character class should match only characters not present inside the brackets. For example, the character class [^a-z] matches anything that isn't a letter from a through z.
Another thing to keep in mind is that there is no regular expression construct to negate matching of anything more than a single character. So for example it's not possible to have a regex that specifies that any other color than red should match in the string Roses are red, unless you want to resort to the regex Roses are [^r][^e][^d].*. (There is something called negative lookahead which can be handy if you really do want to assert that something is not present at a particular position in a regex, but lookaheads are beyond the scope of this book. A simple Google search will enlighten you if you really need this sort of regex.)
ModSecurity does have inverted rule matching using the exclamation mark operator, and this allows you to specify that a rule should match when a regex isn't present in the variable being matched against. The following rule, for example, will match if the string Firefox isn't in the user-agent string:
There are a number of shorthand notations for common character classes, such as whitespace or digits. These consist of a backslash followed by a letter, and provide a simple way to use a character class without having to type it out in full each time. For example, the class shorthand \w means "part-of-word character" and is equivalent to [a-zA-Z0-9_], and will thus match a single letter, digit, or underscore character.
The following table lists the most common shorthand notations available.
|
Shorthand |
Description |
|---|---|
|
|
Matches any digit. Equivalent to |
|
|
Matches any character that is not a digit. Equivalent to |
|
|
Matches a word character. Equivalent to |
|
|
Matches anything that is not a word character. Equivalent to |
|
|
Matches whitespace (space, tab, newline, form feed, and so on.) |
|
|
Matches anything that is not whitespace. Equivalent to |
Note that the character class shorthands are case sensitive, and how the upper-case version usually means negation of the character class—for example \d means a digit whereas \D means any non-digit.