If you wanted to make sure that a regex matched only if a certain string was present at the start of a line, what would you do? The regex constructs we have seen so far do not provide any way of doing that. You could check for a newline followed by the string, but that would not work if the string was present in the first line of text, as it wouldn't be preceded by a newline. The solution is to use something called anchors, which are able to ascertain that the regex matches at a certain position in the string.
Two special characters are used in regexes to match "start of line or string" and "end of line or string". These are the caret (^) and dollar sign ($). The caret matches the start of any line or string, so the following regex makes a good example:
^Subject:
Since the regex starts with a caret, it will match only those instances of Subject: which are at the start of a line or string. Note how the caret does not actually match any character in a string—it only matches a position in a string. In essence, the caret means "make sure that at this position we are at the start of a line or string".
Similarly, the dollar sign matches "end of line or string". If we were to modify the regex so that it reads as follows, can you figure out what it will match?
^Subject:$
That's right, since there is now a dollar sign at the end of the regex, it will match only those lines or strings that consist of only the string Subject: and nothing else.
You may wonder why I keep saying "line or string". The reason is that the caret and dollar sign behave differently depending on how the regular expression library was compiled. In the case of PCRE, which is the library that ModSecurity uses, the way it works by default means that the caret and dollar sign only match at the beginning or end of the string being examined. So for example when examining a HTML response body by using the RESPONSE_BODY variable in a string, the dollar sign will only match at the very end of the string, and not at each linebreak within the HTML document.
Line anchors are often used in ModSecurity rules to ascertain that we are not matching against substrings. For example, if you wanted to have a rule trigger on the IP address 1.2.3.4 then you may be tempted to use the following:
SecRule REMOTE_ADDR 1\.2\.3\.4
However, this will also match the latter part of an IP address such as 121.2.3.4. Using the caret and dollar sign anchors solves the problem since it makes sure nothing else can come before or after the string we are matching against:
SecRule REMOTE_ADDR ^1\.2\.3\.4$
Make sure you get into the habit of using these anchors to avoid mishaps such as additional IP addresses matching.
Another anchor is the word boundary anchor, specified by using \b in a regex. Like the start-of-line and end-of-line anchors, it does not match a specific character in a string, but rather a position in a string. In this case the position is at a word boundary—just before or after a word.
Say you wanted to match against the word magic, but only if it appears as a stand-alone word. You could then use the regex \bmagic\b, which would match the last word in the sentence A lot like magic, but not against the magical in A magical thing.
As with \w (a word character) and its inverse \W, which means any non-word character, the non-word boundary \B is available, and means any position that is not a word boundary. So the regex A.?\Btest would match Atest, Attest,and others, but not A test, since in the latter, the position before the t in test is at a word boundary.