cnorborg
Level 16

Compliance rules - EOL or '\r' vs '$'

Just found something interesting out, have a ticket open for it already and I think I'll wait on their response also.

Making a rule to figure out whether "no mop enabled" is on all Ethernet interfaces on our routers for security compliance.  I think the generic rule just looks for it in the config in general, not on each interface like it should be needed.

So, I create a rule to look in a config block for either "no mop enabled" or "shutdown" (since I don't need to have it on an interface that is shut down!).   I have it look in config blocks that are started by the pattern

^interface (Gigabit|Fast|)Ethernet[\/0-9]+$

and ended by

^!$

The first pattern looks for all GigabitEthernet, FastEthernet or just plain Ethernet interfaces.   They can be followed by any number of digits or '/'s, but not any '.' (periods).   This is so it will match the main interface, like "GigabitEthernet0/0/1", but not a sub-interface like "Gigabit0/0/1.50".  This is because "no mop enabled" isn't valid on sub-interfaces.    I tested these regexps in an online regex tester and they worked like a champ.  Furthermore, if I cut and pasted part or all of a configuration from a device into the "TEST" / "Paste a config to test against" in the rule creation part of Compliance manager it also worked like a champ.  However, if I instead selected a config using "Select a config to view violation results in the next step", it would fail.  From the way the error message was structured, I was guessing it wasn't even finding the config blocks (i.e. no config blocks were mentioned in the error), but I was stumped as to why.

For some reason today I decided to change the above pattern and replace "$" with "\r", not sure why I decided to try this, but it actually worked when I loaded a config or ran the rule!!   However, now it stopped working when I cut and pasted the config rather than load it...

So, at least for now, if you're testing via cut-n-paste, use "$" but if you're running the rule and you want to match the end of line, use "\r".

I'll try and get some clarification from SW tech support as to why this is and will also push to make it a bug that needs to be fixed.  IMHO whether you choose to load a config or cut/paste it shouldn't matter when testing out a rule.  Personally I prefer "$" vs "\r", but it might be best if both worked...

Ticket #794448 in case anyone from SW is listening!

cvachovecj
Level 18

Re: Compliance rules - EOL or '\r' vs '$'

Yep, I'm looking. Let's see what the engineers tell you.

Jiri

greg.remer
Level 10

Re: Compliance rules - EOL or '\r' vs '$'

That's crazy as I picked this up today.

I have a regex that goes through each interface and looks for various snmp and logging commands.

When I copy and paste the configuration it works like a charm, but if I then try it from selecting the same configuration I get the wrong results. I'll try changing it like you described and report back.

Hopefully this may be fixed in npm v12 and ncm v7.5

jkrenzien
Level 12

Re: Compliance rules - EOL or '\r' vs '$'

I have never had much luck with using $ as an EOL. My favorite is (\n|\r)\s*

For those who are less familiar with regex, it is saying look for either a new line or a carriage return and then any amount of whitespace. I love to use this when doing ACL policy checks and anything else where command order affects the outcome.

greg.remer
Level 10

Re: Compliance rules - EOL or '\r' vs '$'

Hey all,

After further investigation I found that when you look at the config file in a HEX editor you can see it does an "\r\n"

I then modified config block and regex statements to include this.

Even though I did that it still didn't work, but caused it to fail when I "Cut & Pasted" the config.

I then persisted to make sure I had the correct statements in the correct order and BOOM! Finally got it sorted.

The screenshot basically looks for any interface without a description and has the top 3 fields, and needs to look for the below 3 commands.

[Screenshot: Access Ports logging.PNG]

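The whole thread comes down to one thing: a config loaded from NCM ends its lines with "\r\n" (as greg.remer's hex editor showed), while a pasted config ends them with "\n", and a block-start pattern anchored with "$" does not match before "\r". The script below is an added example written for this thread, not code from SolarWinds or from any poster. It builds a constructed IOS-style config in both line-ending styles, runs cnorborg's original "no mop enabled" block rule with three block-start patterns (the original "$", "\r?$", and jkrenzien's "(\n|\r)\s*" applied to the same interface pattern), and reports which interfaces violate the rule. The interface names and commands are sample data, and the regex behaviour shown is Python's; the page does not say which engine NCM uses.

```python
import re

# Constructed sample of an IOS-style config, stored the way NCM keeps it:
# CRLF line endings ("\r\n"). Sample data, not taken from a real device.
CONFIG_CRLF = (
    "interface GigabitEthernet0/0/1\r\n"
    " description uplink\r\n"
    " no mop enabled\r\n"
    "!\r\n"
    "interface GigabitEthernet0/0/1.50\r\n"   # sub-interface: must be skipped
    " encapsulation dot1Q 50\r\n"
    "!\r\n"
    "interface FastEthernet0/1\r\n"
    " shutdown\r\n"                           # shut down: acceptable
    "!\r\n"
    "interface Ethernet0/2\r\n"
    " description no mop setting here\r\n"    # the one real violation
    "!\r\n"
    "interface Loopback0\r\n"
    " ip address 10.0.0.1 255.255.255.255\r\n"
    "!\r\n"
)
# Pasting the same config into a text box normalises it to LF line endings.
CONFIG_LF = CONFIG_CRLF.replace("\r\n", "\n")

# Three block-start patterns, all in re.MULTILINE so ^ and $ apply per line:
# 1. the original "$"-anchored pattern from the first post;
# 2. the same pattern with an optional "\r" before the end of line;
# 3. jkrenzien's "(\n|\r)\s*" ending applied to the same interface pattern.
START_DOLLAR = re.compile(r"^interface (Gigabit|Fast|)Ethernet[\/0-9]+$", re.MULTILINE)
START_OPT_CR = re.compile(r"^interface (Gigabit|Fast|)Ethernet[\/0-9]+\r?$", re.MULTILINE)
START_NEWLINE = re.compile(r"^interface (Gigabit|Fast|)Ethernet[\/0-9]+(\n|\r)\s*", re.MULTILINE)
# Block end: a line containing only "!", with or without a trailing "\r".
BLOCK_END = re.compile(r"^!\r?$", re.MULTILINE)


def interface_blocks(config, start_re):
    """Map each interface name the start pattern matches to its config block text."""
    blocks = {}
    for m in start_re.finditer(config):
        name = m.group(0).split()[1]            # "interface X..." -> "X..."
        end = BLOCK_END.search(config, m.end())
        blocks[name] = config[m.end(): end.start() if end else len(config)]
    return blocks


def mop_violations(config, start_re):
    """Interfaces whose block has neither 'no mop enabled' nor 'shutdown'."""
    bad = []
    for name, body in interface_blocks(config, start_re).items():
        lines = {line.strip() for line in body.splitlines()}
        if "no mop enabled" not in lines and "shutdown" not in lines:
            bad.append(name)
    return bad


if __name__ == "__main__":
    patterns = (("$", START_DOLLAR), (r"\r?$", START_OPT_CR), (r"(\n|\r)\s*", START_NEWLINE))
    for label, pattern in patterns:
        for enc, cfg in (("LF", CONFIG_LF), ("CRLF", CONFIG_CRLF)):
            found = len(interface_blocks(cfg, pattern))
            print(f"{label:12} {enc:4} blocks={found} violations={mop_violations(cfg, pattern)}")
```

The failure mode worth noticing is that the "$" pattern on the CRLF file does not error: it finds zero blocks and therefore zero violations, so the rule would report the router as compliant while checking nothing. When validating a compliance rule, confirm that the number of blocks found matches the number of interfaces you expect before trusting an empty violation list. Both "\r?$" and "(\n|\r)\s*" give the same three blocks and the same single violation (Ethernet0/2) on either line-ending style, which is why they are the safer choice for a rule that runs against stored configs and pasted ones alike.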

Re: Compliance rules - EOL or '\r' vs '$'

I know this is an old post, but it solved my NCM compliance rules woes with end of line $. I even had a support case opened and they couldn't figure it out.

Thank you!!
