How do I Create a dlp policy to detect private IPs using Regular Expressions or what Regular expression should I used for data pattern

opco-dm — Sat, 18 Jan 2014 00:23:15 GMT

Re: How do I Create a dlp policy to detect private IPs using Regular Expressions or what Regular expression should I used for data pattern

cchristiansen — Thu, 23 Jan 2014 03:00:20 GMT

I am not sure what your goal is, so there may be a much better way to accomplish what your are trying to accomplish.. That being said, here is a link to the admin guide for 5.0:

https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/4118-102-7-19329/PA-5.0_Administrators_Guide.pdf

On pages 235 and 236 the "regex" rules are described. This is not full blown regex as you are likely used to. It is a very cut down version.

Here are some "regex(s)" that I have come up with as an example. The rules state that your data pattern "regex" must be at least 7bytes long. This is constrained to the string you are searching for and not anything between brackets (so no tricking the system with logic (and, or, etc.). In these examples I am keying on HTML form post data - so, uploading a file via a web form. As you can see, the "string" here is "form-data":

Any IP:

.*(form\-data).*((([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))).*

RFC 1918 (10/8) IP:

.*(form\-data).*(([10])\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))).*

RFC 1918 (172.16/12) IP:

.*(form\-data).*(([172])\.((1[6-9])|(2[0-9])|(3[0-1]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))).*

RFC 1918 (192.168/16) IP:

.*(form\-data).*(([192])\.([168])\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))).*

NOTE:

For looking in email, you might use the string "subject" as a key word. The "regex" would then look like this:

Any IP:

.*(subject).*((([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))).*

!!!WARNING!!!:

This will slow down your commit times, and if you use all of these at the same time, your commit may fail. This is because there is a limited memory space for compiling custom signatures. The more complex the signature, the more memory the compile takes. I tested these on a PA-200 and the commits failed for the most part. I was able to get the smaller ones to commit and work, but again, this is not recommended.

I hope this helps.

-chadd.

topic How do I Create a dlp policy to detect private IPs using Regular Expressions or what Regular expression should I used for data pattern in Automation/API Discussions

How do I Create a dlp policy to detect private IPs using Regular Expressions or what Regular expression should I used for data pattern

Re: How do I Create a dlp policy to detect private IPs using Regular Expressions or what Regular expression should I used for data pattern