03-28-2016 12:00 PM
How do you create a working custom data pattern file?
04-01-2016 09:35 AM
Has to be a document upload not a url and in some cases dycryption has to be used
03-29-2016 12:03 AM
Here's one example :
RegEx-Pattern-for-Danish-SSN-in-Data-Filtering-Profile
Hope it helps,
-Kim.
03-29-2016 06:03 AM
Thanks I already found that one, it didn't help
03-29-2016 06:28 AM
Maybe if you provide what you're actually trying to match on?
03-29-2016 06:58 AM
It's a customer pattern - testregex weight 1, alert threshold 1, block threshold 0
03-29-2016 12:11 PM
Does it have to be credit card and SS info? Does it have to be in a document? Can it be just a word for it to look for?
03-30-2016 12:09 AM
Hi,
No it does not have to be CC or SSN info.
The admin guide provides another example where it matches on custom pattern 'confidential' :
In the profile you can select the file type. By selecting 'any' it will NOT block all possible file types ... just the ones listed :
|
Cheers,
-Kim.
03-30-2016 05:58 AM
I believe I have it all set up as recommended in the article and its still not working. It even shows the rule as being hit but not showing up in in the data filtering logs or the traffic logs
03-31-2016 11:02 PM - edited 03-31-2016 11:03 PM
What protocol? Is the session encrypted maybe?
04-01-2016 05:47 AM
I have it set for any service, any application and to filter on the word testregex and regextest. My boss wanted me to see if it would key on this url http://servername/testregex and it does not. But the rule that I created and applied the filter is seeing ssh traffic when I connect to the server. My first thought is that I need to upload some kind of file that I cannot use a url. Anyone currently doing data filtering if you can let me know how you are testing that would be helpful. TAC has also tested the data pattern I created and they said it worked.
04-01-2016 06:04 AM
imho that should work
a bit weird you're seeing ssh as that is a completely different protocol
have you set up a server to actually respond to your request ? you will need to have a live server set up so you're able to reach the stage where the string is passed: you first need to have the 3 way handshake establish a connection before the client requests the url/path
C S
SYN ->
<-SYN/ACK
ACK->
GET servername/testregex->
<-webpage
04-01-2016 06:50 AM
Reaper old buddy, I am seeing the ssh traffic on the rule I created with the data filtering profile on it Yes trying it with a live server using a url with the regex in it to that live server and its not alerting on the rule. But it is returning a page cannot be found. I was thinking maybe the data filtering portion wasn't working because I was using a url not a file with the text in the bocy
04-01-2016 09:35 AM
Has to be a document upload not a url and in some cases dycryption has to be used
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
