Wildcard Patterns
Pattern Matching
Pattern matching syntax for IPS rules using wildcards.
Wildcard Characters
| Character | Meaning | Example |
|---|---|---|
| * | Match zero or more characters | *.exe matches notepad.exe |
| ? | Match exactly one character | cmd?.exe matches cmd1.exe |
Pattern Examples
Process Names
| Pattern | Matches |
|---|---|
| powershell.exe | Exact match |
| power*.exe | powershell.exe, powerpoint.exe |
| *.exe | Any .exe file |
File Paths
| Pattern | Matches |
|---|---|
| *\Temp\* | Any file in any Temp folder |
| C:\Users\*\Downloads\*.exe | Any .exe in any user's Downloads |
| *\AppData\*\*.dll | Any DLL in AppData |
Registry Keys
| Pattern | Matches |
|---|---|
| *\Run\* | Any Run key |
| *\Services\* | Any service key |
DNS Domains
| Pattern | Matches |
|---|---|
| *.ru | Any .ru domain |
| *malware* | Domain containing "malware" |
| *.example.com | Any subdomain of example.com |
IP Addresses
| Pattern | Matches |
|---|---|
| 192.168.1.* | 192.168.1.0/24 subnet |
| 10.*.*.* | 10.0.0.0/8 subnet |
Case Sensitivity
Pattern matching is case-insensitive by default:
PowerShell.exe = powershell.exe = POWERSHELL.EXE
Tips
- Use * at the start to match any path prefix
- Use * at the end to match any suffix
- Combine multiple * for flexible matching
- Use ? when you need to match exactly one character
- Test patterns with the Preview feature before saving
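
To check what a pattern covers before saving it, the sketch below implements the semantics stated on this page (`*` is zero or more characters, `?` is exactly one, matching is case-insensitive) and runs constructed values against the page's example patterns. It is an added example, not the product's matching engine: the function names are hypothetical, and it assumes `*` also spans `\` and `.` and that a pattern must cover the whole value, so confirm results with the Preview feature.

```python
import re

def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a wildcard pattern into a compiled regex.

    Assumed semantics (from the table on this page): '*' is zero or more of
    any character, '?' is exactly one character, everything else is literal,
    and matching is case-insensitive.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # '.', '\' and ':' stay literal
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def matches(pattern: str, value: str) -> bool:
    # Assumption: the pattern must cover the whole value, not a substring.
    return wildcard_to_regex(pattern).fullmatch(value) is not None

# Constructed sample values paired with patterns from this page.
CASES = [
    ("power*.exe", "PowerShell.exe"),          # case-insensitive match
    ("cmd?.exe", "cmd.exe"),                   # '?' needs exactly one character
    ("*.example.com", "a.b.example.com"),      # '*' spans several labels
    ("*.example.com", "example.com"),          # apex lacks the leading dot
    (r"*\AppData\*\*.dll", r"C:\Users\bob\AppData\Local\x.dll"),
    (r"*\AppData\*\*.dll", r"C:\Users\bob\AppData\x.dll"),  # no subfolder
    (r"C:\Users\*\Downloads\*.exe", r"C:\Users\bob\Downloads\sub\a.exe"),
    ("192.168.1.*", "192.168.1.77"),
]

def run_cases():
    """Return (pattern, value, matched) for every constructed case."""
    return [(p, v, matches(p, v)) for p, v in CASES]

if __name__ == "__main__":
    for p, v, hit in run_cases():
        print(f"{'MATCH' if hit else 'no   '}  {p:30} {v}")
```

Under these assumptions `*.example.com` does not cover the bare `example.com`, and `*\AppData\*\*.dll` does not cover a DLL placed directly in `AppData`; a second pattern is needed for each if that coverage is intended.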