06-14-2013 09:11 AM
Using the built-in non-delimited SSN data pattern generates too many false positives to be useful for us. I therefore want to build a regex that will accomplish the same thing. It appears that the regex engine in the Palo Alto is very limited in what it can handle. For example, it does not recognize "\b", any "(?" construct, or "{n}" pattern counts. How can I create a regex that will look for valid SSNs that are word-boundary delimited? Note that due to the nature of my business, I cannot count on any specific text string appearing in a file that contains SSNs. There are various characteristics I can likely count on, but they all require variable and optional pattern matching.
Also, what is the actual overhead associated with checking outbound documents using a regex? Will I see a significant performance hit?
06-17-2013 01:54 AM
Hi,
Making test on my side and for your request it seem that regex which are today implemented in the PA will be not enough for your need.
Maybe you can make a feature request to your local Pa SE.
In https://live.paloaltonetworks.com/docs/DOC-4118 you will be able to find info concerning data pattern limitation.
v.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
