Toronto Data Loss Prevention User Group

  • 1.  Not able to generate incidents based on the Email Regex through DLP

    Posted Jan 25, 2018 11:36 AM

    Hello

    I'm working on a policy that will generate an incident on capture of email addresses in an e-mail being sent outside the network. I have come up with a regex for that:

    ^((?!From)|(?!Sent)|(?!To)|(?!Cc)|(?!Subject)*)+(?:[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])

    This regex basically ignores the From, Sent, To, Cc headers and then checks only the body part for email addresses, which is my objective. The test of this regex was giving the desired results. On using the regex in the policy, I was not able to generate an incident. I don't know if there is an issue with the regex. I was using "Content Matches Regular Expression" as the detection method.

    Please help.



  • 2.  RE: Not able to generate incidents based on the Email Regex through DLP

    Trusted Advisor
    Posted Jan 26, 2018 04:52 PM

    Vishnu,

    This will NOT work at all.

    You are using a complicated REGEX with too many options. In addition, this version of REGEX is not supported by DLP. There are different forms of REGEX (Java, Perl, etc.); DLP uses a specific one, and you will need to test it out bit by bit.

    I am not sure the exclusion of To, From, etc. is supported logic in that section.

    Also keep in mind that the Regex and DI used on the endpoints are different as well: https://www.symantec.com/connect/forums/endpoint-protect-and-data-identifiers

     

    You may just want to look for @ and the .com or .org as the regex, and ONLY in the body. Make sure to test this out.

    \w+@\w+\.[a-zA-Z]{3}

    (?i)[-a-z0-9~!$%^&*_=+}{\'?]+(\.[-a-z0-9~!$%^&*_=+}{\'?]+)*@([a-z0-9_][-a-z0-9_]*(\.[-a-z0-9_]+[a-z][a-z])|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))(:[0-9]{1,5})?

    Also.. https://www.symantec.com/connect/forums/dlp-di-pattern-questionemail-address

     

    Good Luck,

    Ronak

    PLEASE MARK SOLVED WHEN POSSIBLE



  • 3.  RE: Not able to generate incidents based on the Email Regex through DLP
    Best Answer

    Trusted Advisor
    Posted Jan 26, 2018 04:56 PM

    Also..

    https://www.symantec.com/connect/forums/exclude-all-email-com

    (?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])

     

    https://www.symantec.com/connect/forums/help-regular-expressions

    (?i)\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,6}\b 

     

    Good Luck,

    Ronak

    PLEASE MARK SOLVED WHEN POSSIBLE



  • 4.  RE: Not able to generate incidents based on the Email Regex through DLP

    Trusted Advisor
    Posted Jan 27, 2018 12:36 AM

    Hello,

    If you want to look only at the body part of the email, select it as the component which will be analyzed by DLP; this will allow you to have a lighter regex in the end.

    When it comes to regex, as it is never so easy to know which engines are supported and how they work, testing is really important.

    If you are looking for email addresses in the email body part, take care about the user signature, which may contain an email address.

    Try to keep your regex as simple as possible.

     

     regards
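
    The replies above recommend testing candidate patterns bit by bit and warn that a sender's signature will also match. The harness below is an added example, not code from the thread or from the DLP product: it runs the two simple patterns quoted in replies 2 and 3 over a constructed message body and then applies a hypothetical post-filter that drops addresses in the organisation's own domain (the domain name and the filter are assumptions). Python's re engine is used only as an approximation; the DLP engine differs, as the replies stress, so the final test must be done in the product itself.

```python
import re

# Candidate patterns quoted in replies 2 and 3 of the thread (copied verbatim).
SIMPLE = re.compile(r"\w+@\w+\.[a-zA-Z]{3}")
BOUNDED = re.compile(r"(?i)\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,6}\b")

# Constructed sample body (not from the original thread). The last line is a
# signature containing the sender's own address, the case reply 4 warns about.
SAMPLE_BODY = """\
Hi team,

Please forward the contract to first.last@partner-example.com
and cc legal@example.co.uk before Friday.

Thanks,
Jane Doe | Analyst
jane.doe@mail.example.com
"""

# Assumption: the sending organisation's own domain; anything at or under it is
# treated as internal and not reported as an outbound disclosure.
INTERNAL_DOMAIN = "example.com"


def find_addresses(pattern, text):
    """Return every substring the pattern matches, in order of appearance."""
    return [m.group(0) for m in pattern.finditer(text)]


def is_internal(address, internal_domain=INTERNAL_DOMAIN):
    """True if the address' domain is the internal domain or a subdomain of it."""
    domain = address.rsplit("@", 1)[1].lower()
    return domain == internal_domain or domain.endswith("." + internal_domain)


def external_addresses(text, pattern=BOUNDED, internal_domain=INTERNAL_DOMAIN):
    """Addresses found by the pattern, minus those belonging to the internal domain."""
    return [a for a in find_addresses(pattern, text)
            if not is_internal(a, internal_domain)]


if __name__ == "__main__":
    # The three-letter-TLD pattern misses the hyphenated domain and the .co.uk
    # address, and truncates the one address it does find.
    print("SIMPLE :", find_addresses(SIMPLE, SAMPLE_BODY))
    # The bounded pattern finds all three, including the signature address.
    print("BOUNDED:", find_addresses(BOUNDED, SAMPLE_BODY))
    # The post-filter keeps only the two genuinely external addresses.
    print("EXTERNAL:", external_addresses(SAMPLE_BODY))
```

    Running it shows why reply 2's \w+@\w+\.[a-zA-Z]{3} is too narrow for real mail (hyphens in domains, two-letter country TLDs) and why reply 4's signature caveat matters: the bounded pattern correctly reports the sender's own address, so a rule that fires on "any address in the body" needs either a body-only component selection with an exclusion for the internal domain, or a tolerance for that expected match.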



  • 5.  RE: Not able to generate incidents based on the Email Regex through DLP

    Posted Feb 15, 2018 02:27 PM

    Thank you DLP Solution 2.