Expression to set up DLP for a specified number of digits

Hi all, please, I need help on setting up a DLP policy that blocks plain texts or mails in form of attachment for 16 digits only. The following expression worked: [[:digit:]0-9 ]; however, it blocks numbers with 8 digits upward. Kindly assist in this regard.



  • Hi  

    I have checked this with our team; this will require in-depth investigation along with certain logs and the policy configured. I would request you to open a support case and PM me the case details.

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Hello Kayode Odeyinka,

    it's basically a Perl5 regex question but in the context of DLP there's more to it.
    If I'm not mistaken this is an Advanced Content Control List. The documentation is IMO not very clear. Before examining the expression some details. The CCL has a Trigger score and the individual expressions have both their Score and Maximum count. The Trigger Score is missing from the example in the doc (I assume it should be 8). Thus whether your rule triggers or not not only depends on the expression but also on its Score and Max count. Just for completeness, if there are other CCLs or content rules in addition to your CCL all must match (the latter in the specified quantity).

    Now to your expression: Wonder why it apparently matches from 8 digits upward? What Score, Max count and Trigger Score do you use?
    [[:digit:]0-9 ] is redundant and the same as [0-9 ] or [0-9 0-9]. It seems you have set a Trigger Score because your expression matches any single digit or blank; if your numbers are surrounded by blanks they add to the count as well and thus already 8 digits trigger DLP. What's more, this expression simply counts digits and blanks and you get 16 matches on Th15 s7r1ng m47ch35 51x733n. While (simple) regular expressions aren't rocket science you have to make yourself familiar with the basics.

    Must say I'm not sure what you mean by in form of attachment. Assuming it is plain text and that you are interested in (i.e. want to block) texts that contain strings of exactly 16 digits, the basic expression would be [0-9]{16} - that is 16 consecutive digits. The string could be immediately preceded or followed by some character though - this might or might not be ok - but it would also give two matches in a string of 32 digits. If it's delimited by blanks you could use [ ][0-9]{16}[ ] but the explicit blank is not the best choice. There might be other white space, particularly tab, and the match will also fail if the string is followed by just a new line. \s is better than [ ] but falls short on lines that have the string at the start and on the last line when it ends with the string. To cover these an expression like (\s|^)[0-9]{16}(\s|$) could be used (the expressions in parentheses meaning either a white space or the start/end of the line respectively).

    Sorry for the lengthy post, I hope it helps (and hope I didn't make a mistake, very long since I used regexes). BTW: If you want to test your expressions there are free online tools like regex101.com.  

    Christian
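
The three expressions discussed in the reply above, counted over constructed sample texts. This is an added example, not part of the original posts or Sophos documentation. It uses Python's re module rather than the DLP engine, and it assumes ^ and $ anchor at every line (multi-line mode); the sample strings and the names count_matches and report are made up for illustration.

```python
import re

# Expressions quoted in the thread. Python's re has no POSIX [[:digit:]],
# so the original is written as [0-9 ], which the reply states is equivalent.
PER_CHAR = r"[0-9 ]"
SIXTEEN = r"[0-9]{16}"
DELIMITED = r"(\s|^)[0-9]{16}(\s|$)"

PAN = "4111111111111111"  # constructed 16-digit sample, not real data


def count_matches(pattern, text):
    """Count non-overlapping matches, the figure a per-match Score would use."""
    # Assumption: multi-line mode, so ^ and $ match at each line start/end.
    return sum(1 for _ in re.finditer(pattern, text, re.MULTILINE))


# Constructed sample texts, one per case raised in the thread.
SAMPLES = {
    "leetspeak": "Th15 s7r1ng m47ch35 51x733n",  # no 16-digit run at all
    "eight_digits": "ref 12345678 ok",           # blanks add to the count
    "glued": "id" + PAN + "x",                   # no delimiter either side
    "thirty_two": PAN + PAN,                     # 32 consecutive digits
    "own_line": "card:\n" + PAN + "\n",          # delimited by newlines
    "tabbed": "card\t" + PAN + "\tend",          # delimited by tabs
    # The first match consumes the separating blank, so the second
    # number has no leading delimiter left and is not counted.
    "two_adjacent": PAN + " " + PAN,
}


def report():
    """Match counts per sample for each of the three expressions."""
    return {
        name: {p: count_matches(p, text) for p in (PER_CHAR, SIXTEEN, DELIMITED)}
        for name, text in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, counts in report().items():
        print(f"{name:13}", counts)
```

The two_adjacent row matters when a Maximum count above 1 is configured: two numbers separated by a single blank count once with the delimited expression.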