Data Pattern Regex


L0 Member

Hello community,

 

I'm having trouble with the following regular expressions in Palo Alto version 7.1.21.

 

  • (518497 | 518472 | 518536] {6}) ([0-9] {10})
  • ([503441] {6}) ([0-9] {16})

It works on different platforms, but not on the FW.

I have managed to make it work in part, in the following way:

 

. * ((SensitiveData) | (518497) | (518472) | (518536))

 

But I do not know how to combine the parameters that follow.

Can someone give me a hand please?

 

{6}) ([0-9] {10}

 

I've spent almost 5 hours on mistakes, and I'm frustrated.

Help me please....

According to the page https://regex101.com/ I'm fine, but the FW Palo Alto only gives me errors.

 

4 REPLIES

L6 Presenter

Maybe I'm missing something, I'm not the most savvy on writing reg ex, but what are you actually trying to accomplish?

 

Are you trying to use this in data filtering, in user-agent or somewhere else within the product?

I need to block sensitive information through data filtering.

 

The requirement that I have is:

 

Block all documents that contain the following regular expression:
• ([503441] {6}) ([0-9] {16})

 

Credit card.
All documents that contain the following regular expression:
• ([518497 | 518472 | 518536] {6}) ([0-9] {10})

Looking at the "context sensitive help menu" for Data Filtering and regex, this is how things should be formatted (sorry, the copy paste doesn't format well):

 

 

Syntax for Regular Expression Data Patterns

When creating a regular expression data pattern, the following general requirements apply:
  • The pattern must have string of at least seven bytes to match. It can contain more than seven bytes but not fewer.
  • The string match may or may not be case-sensitive, depending on which decoder you use. When you need case-sensitivity, define patterns for all possible strings to match all variations of a term. For example, to match any documents designated as confidential, you must create a pattern that includes “confidential”, “Confidential”, and “CONFIDENTIAL”.

The regular expression syntax in PAN-OS® is similar to traditional regular expression engines but every engine is unique. The following table describes the syntax supported in PAN-OS.

Pattern Rules Syntax    Description

.       Match any single character.

?       Match the preceding character or expression 0 or 1 time. The general expression MUST be inside a pair of parentheses. Example: (abc)?

*       Match the preceding character or expression 0 or more times. The general expression MUST be inside a pair of parentheses. Example: (abc)*

+       Match the preceding character or regular expression one or more times. The general expression MUST be inside a pair of parentheses. Example: (abc)+

|       Equivalent to “or”. Example: ((bif)|(scr)|(exe)) matches “bif”, “scr” or “exe”. The alternative substrings must be in parentheses.

-       Used to create range expressions. Example: [c-z] matches any character between c and z, inclusive.

[ ]     Match any. Example: [abz]: matches any of the characters a, b, or z.

^       Match any except. Example: [^abz] matches any character except a, b, or z.

{ }     Min/Max number of bytes. Example: {10-20} matches any string that is between 10 and 20 bytes. This must be directly in front of a fixed string, and only supports “-”.

\       To perform a literal match on any one of the special characters above, it MUST be escaped by preceding them with a ‘\’ (backslash).

&amp    & is a special character, so to look for the “&” in a string you must use “&amp” instead.

L7 Applicator

The expression you've listed doesn't work the way you're intending.

 

([518497|518472|518536]{6})([0-9]{10})

 

The way a regex works when it comes to square brackets is a list, not a string. Every digit 1-9 is included in the three values you provided (highlighted in red below): 

[518497|518472|518536]

 

So the regex as it's written above is essentially the same as:

[1-9]{6}[0-9]{10}

 

Which is to say that it matches any of the following:

1112221234567890

9999999999999999

5371627591995601

 

The regex to match what you want may be:

518497|518472|518536[0-9]{16}

 

 

That won't work on the firewall though, it needs 7 non-token characters to start the match, and the values you provided are only six characters. Additionally, you added "503441" to your first reply to @Brandon_Wertz so there may be more you're trying to match against.

 

If you can put some of the actual strings you want to match it may help. 

  • 5495 Views
  • 4 replies
  • 0 Likes