How to use a RegEx in an Exception

Created: 27 Apr 2012 • Updated: 06 Nov 2012 | 4 comments
This issue has been solved. See solution.

I am using the Credit Card Number data identifier, but it matches on some "repeating 4 digit numbers" like 4692469246924692.

I would like to add a regex exception like the following:  !(\d{4})\1{3}

Can anyone tell me where/how to add this?

Thanks in advance

Bob.

Comments

Keith Reynolds - ExchangeTek

Exception would be the wrong way to go about that.  You'd essentially except any message where that pattern was found (the entire message, not just the matched element), which could result in false negatives.  What you need is a script validator on the CCN policy.  That string you show looks like one of those Double-Click ID numbers, right?  I have a script validator to eliminate those.

$l1 = datalength($normalizedMatch);

if ($l1 == 17)
{
    $s1 = getIntegerAt($normalizedMatch, 0x0, 4);
    $s2 = getIntegerAt($normalizedMatch, 0x4, 4);
    $s3 = getIntegerAt($normalizedMatch, 0x8, 4);
    $s4 = getIntegerAt($normalizedMatch, 0xC, 4);

    if ($s1 == $s2)
    {
        if ($s2 == $s3)
        {
            if ($s3 == $s4)
            {
                assertTrue(0 != 0);
            }
        }
    }
}

~Keith

SOLUTION
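Added example, not part of the original thread and not Symantec DLP script syntax: a Python sketch of the difference described above between a message-level regex exception and a per-match validator. The function names and the sample message are constructed for illustration; the candidate regex and Luhn check stand in for the CCN data identifier.

```python
import re

# Candidate finder: 16 digits, optionally grouped in fours by spaces or dashes.
CANDIDATE = re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b")
# The pattern from the question: one 4-digit group repeated four times.
REPEATED = re.compile(r"(\d{4})\1{3}")


def luhn_ok(digits):
    """Standard Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def candidates(message):
    """Normalized (digits-only) 16-digit matches that pass the Luhn check."""
    found = (re.sub(r"\D", "", m.group()) for m in CANDIDATE.finditer(message))
    return [d for d in found if luhn_ok(d)]


def with_message_exception(message):
    """Exception semantics: the pattern anywhere excepts the whole message."""
    if REPEATED.search(message):
        return []
    return candidates(message)


def with_match_validator(message):
    """Validator semantics: only the repeated-group match itself is rejected."""
    return [d for d in candidates(message) if not REPEATED.fullmatch(d)]


# Constructed sample: the ID from the question plus a well-known test card number.
SAMPLE = "cookie id=4692469246924692; card on file: 4111 1111 1111 1111"

if __name__ == "__main__":
    print("identifier alone :", candidates(SAMPLE))
    print("message exception:", with_message_exception(SAMPLE))
    print("match validator  :", with_match_validator(SAMPLE))
```

The repeating number passes the Luhn check, which is why a checksum-validated identifier still flags it. The exception path returns nothing for the sample, so the card number in the same message goes unreported, while the validator path drops only the repeating ID.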
bob_b

Thanks! 

Yes Keith - you must be a prophet.  They are the Double Click numbers.   I am looking for more documentation on the scripting language... until then, I can probably figure it out from your example.  Why is the initial length 17 though?  We are seeing 16 digit numbers...

 

Are you ever in Minneapolis?

ShawnM

Keith's example above may work as expected. I just wanted to outline that the place you would do this is under the Data Identifier section. You could add in an "exception" to each of the data breadths for the CCN Data Identifier, which would ignore that number as opposed to ignore any incident where that pattern is found. Using a script as Keith outlined is generally a better way to do it as long as you understand what to do with the scripts.

Symantec Corporation | Sr Systems Engineer | CISSP, CCSK, VCP

If a post solves your problem, please flag it as solved.

If you like an item, please give it a thumbs up vote.

kishorilal1986

Hi Bob,

Try to use the inbuilt data identifier for your requirement and don't try script modification for each exception. Symantec DLP already has a predefined CCN, i.e. credit card number, data identifier, which will reduce the above error.

 

Regards

Kishorilal