Just found something interesting out, have a ticket open for it already and I think I'll wait on their response also.
Making a rule to figure out whether "no mop enabled" is on all Ethernet interfaces on our routers for security compliance. I think the generic rule just looks for it in the config in general, not on each interface like it should be needed.
So, I create a rule to look in a config block for either "no mop enabled" or "shutdown" (since I don't need to have it on an interface that is shut down!). I have it look in config blocks that are started by the pattern
and ended by
The first pattern looks for all GigabitEthernet, FastEthernet or just plain Ethernet interfaces. They can be followed by any number of digits or '\''s, but not any '.' (periods). This is so it will match the main interface, like "GigabitEthernet0/0/1", but not a sub-interface like "Gigabit0/0/1.50". This is because "no mop enabled" isn't valid on sub-interfaces. I tested these regexps in an online regex tester and they worked like a champ. Furthermore, if I cut and pasted part or all of a configuration from a device into the "TEST" / "Paste a config to test against" in the rule creation part of Compliance manager, it also worked like a champ. However, if I instead selected a config using "Select a config to view violation results in the next step", it would fail. From the way the error message was structured, I was guessing it wasn't even finding the config blocks (i.e., no config blocks were mentioned in the error), but I was stumped as to why.
For some reason today I decided to change the above pattern and replace "$" with "\r", not sure why I decided to try this, but it actually worked when I loaded a config or ran the rule!! However, now it stopped working when I cut and pasted the config rather than load it...
So, at least for now, if you're testing via cut-n-paste, use "$" but if you're running the rule and you want to match the end of line, use "\r".
I'll try and get some clarification from SW tech support as to why this is and will also push to make it a bug that needs to be fixed. IMHO whether you choose to load a config or cut/paste it shouldn't matter when testing out a rule. Personally I prefer "$" vs "\r", but it might be best if both worked...
Ticket #794448 in case anyone from SW is listening!
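An added example, not part of the original post and not the product's rule engine: a Python sketch of the per-interface check, showing how a block-start pattern ending in "$" or "\r" behaves on LF versus CRLF text, and that "\r?$" matches both. It assumes the loaded configs carry CRLF line endings (the post does not say so); the patterns, the "!" block terminator and the sample config are constructed for illustration.

```python
import re

# Constructed sample config; "!" as the block terminator is an assumption.
SAMPLE = """interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
 no mop enabled
!
interface GigabitEthernet0/0/1
 ip address 192.0.2.129 255.255.255.128
!
interface GigabitEthernet0/0/1.50
 encapsulation dot1Q 50
!
interface FastEthernet0/1
 shutdown
!
"""
LF, CRLF = SAMPLE, SAMPLE.replace("\n", "\r\n")

# Hypothetical block-start pattern rebuilt from the post's description:
# main Ethernet interfaces only, digits and "/" allowed, no "." sub-interfaces.
NAME = r"^interface ((?:Gigabit|Fast)?Ethernet[\d/]+)"
START_DOLLAR = re.compile(NAME + r"$", re.M)     # finds blocks in LF text only
START_CR = re.compile(NAME + r"\r", re.M)        # finds blocks in CRLF text only
START_EITHER = re.compile(NAME + r"\r?$", re.M)  # tolerates both line endings

BLOCK_END = re.compile(r"^!\r?$", re.M)
OK_LINE = re.compile(r"^ (?:no mop enabled|shutdown)\r?$", re.M)

def audit(config, start):
    """Return (blocks found, blocks lacking 'no mop enabled' and 'shutdown')."""
    found, failing = [], []
    for m in start.finditer(config):
        end = BLOCK_END.search(config, m.end())
        body = config[m.end(): end.start() if end else len(config)]
        found.append(m.group(1))
        if not OK_LINE.search(body):
            failing.append(m.group(1))
    return found, failing

if __name__ == "__main__":
    for label, text in (("LF", LF), ("CRLF", CRLF)):
        for name, pat in (("$", START_DOLLAR), ("\\r", START_CR),
                          ("\\r?$", START_EITHER)):
            print(label, name, audit(text, pat))
```

When a start pattern matches no blocks at all, the audit returns two empty lists, so a checker built this way should report the block count alongside the violations.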