According to the POSIX spec, parentheses around a regexp defines a "capture group" which can be recalled later using "\n" notation (e.g., "\1", "\2" ..)
Do any layer7 IP rule matchers allow the captured pattern to be used elsewhere in the rule?

I have an HTTP transaction forwarded through the router with a custom header of the form -
X-Tarpit: <ip address>

For example,
X-Tarpit: 172.35.46.88

I would like to add a firewall rule to [1]detect this pattern, and [2]add the ip address to an IP address list.

TIA!