Custom data pattern



L4 Transporter

How do you create a working custom data pattern file?

1 accepted solution

Accepted Solutions

Has to be a document upload, not a URL, and in some cases decryption has to be used


12 Replies

Community Team Member

Here's one example:

 

RegEx-Pattern-for-Danish-SSN-in-Data-Filtering-Profile

 

Hope it helps,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Thanks, I already found that one; it didn't help.

Maybe if you provide what you're actually trying to match on?

It's a customer pattern - testregex weight 1, alert threshold 1, block threshold 0

Does it have to be credit card and SS info? Does it have to be in a document? Can it be just a word for it to look for?

Community Team Member

Hi,

 

No, it does not have to be CC or SSN info.

The admin guide provides another example where it matches on the custom pattern 'confidential':

 

set-up-data-filtering

 

In the profile you can select the file type. By selecting 'any' it will NOT block all possible file types ... just the ones listed:

 

File Types
Specify the file types to include in the filtering rule:
Choose any to apply the filter to all of the listed file types. This selection does not block all possible file types, just the listed ones.
Click Add to specify individual file types.

 

Cheers,

-Kim.


I believe I have it all set up as recommended in the article and it's still not working. It even shows the rule as being hit, but it's not showing up in the data filtering logs or the traffic logs.

What protocol? Is the session encrypted maybe? 

I have it set for any service, any application, and to filter on the words testregex and regextest. My boss wanted me to see if it would key on this URL, http://servername/testregex, and it does not. But the rule that I created and applied the filter to is seeing ssh traffic when I connect to the server. My first thought is that I need to upload some kind of file, that I cannot use a URL. Anyone currently doing data filtering, if you can let me know how you are testing, that would be helpful. TAC has also tested the data pattern I created and they said it worked.

imho that should work

a bit weird you're seeing ssh as that is a completely different protocol

 

have you set up a server to actually respond to your request? you will need to have a live server set up so you're able to reach the stage where the string is passed: you first need to have the 3 way handshake establish a connection before the client requests the url/path

 

C                            S

   SYN ->

   <-SYN/ACK

   ACK->

   GET servername/testregex->

   <-webpage

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Reaper old buddy, I am seeing the ssh traffic on the rule I created with the data filtering profile on it. Yes, trying it with a live server, using a URL with the regex in it to that live server, and it's not alerting on the rule. But it is returning a page cannot be found. I was thinking maybe the data filtering portion wasn't working because I was using a URL, not a file with the text in the body.

Has to be a document upload, not a URL, and in some cases decryption has to be used
