01-22-2019 06:03 PM
Hello community,
I'm having trouble with the following regular expressions in PaloAlto version 7.1.21.
It works on different platforms, but not on the FW.
I have managed to make it work in part, in the following way:
. * ((SensitiveData) | (518497) | (518472) | (518536))
But I do not know how to unite the parameters that follow.
Can someone give me a hand please?
{6}) ([0-9] {10}
I've spent almost 5 hours on mistakes, I'm frustrated.
Help me please....
According to the page https://regex101.com/ I'm fine, but the FW Palo Alto only gives me errors.
01-23-2019 06:54 AM
Maybe I'm missing something, I'm not the most savvy on writing reg ex, but what are you actually trying to accomplish?
Are you trying to use this in data filtering, in user-agent or somewhere else within the product?
01-23-2019 07:50 AM
I need to block sensitive information through data filtering.
The requirement that I have is:
Block all documents that contain the following regular expression:
• ([503441] {6}) ([0-9] {16})
Credit card.
All documents that contain the following regular expression:
• ([518497 | 518472 | 518536] {6}) ([0-9] {10})
01-23-2019 09:58 AM
Looking at the "context sensitive help menu" for Data Filtering and regex this is how things should be formatted (sorry the copy paste doesn't format well):
Syntax for Regular Expression Data Patterns
When creating a regular expression data pattern, the following general requirements apply:
• The pattern must have string of at least seven bytes to match. It can contain more than seven bytes but not fewer.
• The string match may or may not be case-sensitive, depending on which decoder you use. When you need case-sensitivity, define patterns for all possible strings to match all variations of a term. For example, to match any documents designated as confidential, you must create a pattern that includes “confidential”, “Confidential”, and “CONFIDENTIAL”.
The regular expression syntax in PAN-OS® is similar to traditional regular expression engines but every engine is unique. The following table describes the syntax supported in PAN-OS.
Pattern Rules Syntax Description
. Match any single character.
? Match the preceding character or expression 0 or 1 time. The general expression MUST be inside a pair of parentheses. Example: (abc)?
* Match the preceding character or expression 0 or more times. The general expression MUST be inside a pair of parentheses. Example: (abc)*
+ Match the preceding character or regular expression one or more times. The general expression MUST be inside a pair of parentheses. Example: (abc)+
| Equivalent to “or”. Example: ((bif)|(scr)|(exe)) matches “bif”, “scr” or “exe”. The alternative substrings must be in parentheses.
- Used to create range expressions. Example: [c-z] matches any character between c and z, inclusive.
[ ] Match any. Example: [abz]: matches any of the characters a, b, or z.
^ Match any except. Example: [^abz] matches any character except a, b, or z.
{ } Min/Max number of bytes. Example: {10-20} matches any string that is between 10 and 20 bytes. This must be directly in front of a fixed string, and only supports “-”.
\ To perform a literal match on any one of the special characters above, it MUST be escaped by preceding them with a ‘\’ (backslash).
&amp; & is a special character, so to look for the “&” in a string you must use “&amp;” instead.
01-23-2019 11:49 AM
The expression you've listed doesn't work the way you're intending.
([518497|518472|518536]{6})([0-9]{10})
The way a regex works when it comes to square brackets is a list, not a string. Every digit 1-9 is included in the three values you provided (highlighted in red below):
[518497|518472|518536]
So the regex as it's written above is essentially the same as:
[1-9]{6}[0-9]{10}
Which is to say that it matches any of the following:
1112221234567890
9999999999999999
5371627591995601
The regex to match what you want may be:
518497|518472|518536[0-9]{16}
That won't work on the firewall though, it needs 7 non-token characters to start the match, and the values you provided are only six characters. Additionally, you added "503441" to your first reply to @Brandon_Wertz so there may be more you're trying to match against.
If you can put some of the actual strings you want to match it may help.
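The difference between a bracketed character set and a grouped alternation, as an added example using Python's `re` module (it is not from the thread and does not emulate the PAN-OS engine, whose syntax and seven-byte requirement differ). The sample strings are constructed, and the `{10}` suffix is an assumption taken from the poster's stated requirement.

```python
import re

# Constructed samples (not real card numbers). UNINTENDED holds the strings the
# answer lists as accidental matches; INTENDED starts with the wanted prefixes.
UNINTENDED = ["1112221234567890", "9999999999999999", "5371627591995601"]
INTENDED = ["5184970123456789", "5184720123456789", "5185360123456789"]

# Square brackets define a SET of characters, so this class is only the
# digits 1-9 plus a literal '|', repeated six times.
BRACKETED = re.compile(r"[518497|518472|518536]{6}[0-9]{10}")
# Alternation without a group: '|' binds loosest, so the ten-digit suffix
# attaches to the last alternative only.
UNGROUPED = re.compile(r"518497|518472|518536[0-9]{10}")
# Grouped alternation: one of the three prefixes, then exactly ten digits.
GROUPED = re.compile(r"(518497|518472|518536)[0-9]{10}")


def class_members(char_class):
    """Distinct characters inside a simple [...] class, sorted."""
    return "".join(sorted(set(char_class.strip("[]"))))


def full_matches(pattern, samples):
    """Samples that the pattern matches from first to last character."""
    return [s for s in samples if pattern.fullmatch(s)]


def first_hit(pattern, text):
    """Substring found by an unanchored search, or None."""
    m = pattern.search(text)
    return m.group(0) if m else None


if __name__ == "__main__":
    print("class contains:", class_members("[518497|518472|518536]"))
    for name, pat in (("bracketed", BRACKETED), ("ungrouped", UNGROUPED),
                      ("grouped", GROUPED)):
        print(name, "unintended:", full_matches(pat, UNINTENDED))
        print(name, "intended:  ", full_matches(pat, INTENDED))
    # The ungrouped form fires on a bare six-digit prefix with no suffix at all.
    print("ungrouped on bare prefix:", first_hit(UNGROUPED, "id 518497 end"))
```

For a data filtering pattern, the bracketed form means false positives on nearly any 16-digit number, while the ungrouped form triggers on two of the prefixes with no digits following.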