3 Replies Latest reply on Jul 16, 2012 8:45 AM by Regis

    Network DLP regular expressions

      Hello, anyone has experience with creating custom concepts in NDLP (9.2) using regex?

       

      The only info I have is in Product guide dlp_920_pg_linux_en-us.pdf, Revision A, page 102 and it is not very clear. For example:

       

      \K enables Perl/POSIX set range restrictions – what does it mean?

       

      \ literal backslash (transforms metacharacters into ordinary characters). Examples: \\ \.\& \[ \] \<space> \* \+  – from that it seems for example characters * and + have special meaning. But when I try to use them as quantifiers (attempt to match the preceding token zero/one or more times), it does not work. They act as ordinary characters.

       

      Is it possible to use quantifiers in NDLP regular expressions at all? Without them to match some patterns is very difficult or even not possible at all.

       

      For example I need to monitor if someone is sending national bank account numbers. In POSIX syntax I would write simply \d{0,6}-\d{2,10}/\d{4}. How can I do that in NDLP?

       

      Or I need to know if someone is sending vast amount of email contacts. In POSIX regex I would write for example \b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b. How can I do that in NDLP?

       

      Another question is related to “Algorithm” field used in concept definition. If I understand it correctly for example the algorithm for IBAN checks whether the number is a valid (modulo 97 check).

       

      Is it possible to create own custom check algorithms? From release notes for DLP 9.0 it seems it is:

       

      Concept checks added

      Algorithms that correspond to specific user-defined concepts can be implemented to detect and correct  transcription errors at runtime, decreasing reports of false positives.

       

      https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/ 22000/PD22647/en_US/Release_Notes_for_Data_Loss_Prevention_90.pdf, page 2

       

      Any help (even confirming it is simply not possible) will be appreciated!

        • 1. Re: Network DLP regular expressions
          Regis

          I haven't gotten that far down this route with my client, however, when support dropped the bombshell on me about unified network and host DLP going away before it makes some sort of triumphant return in who knows how many months or years, I recall some mention about some regex differences and limitations being brought up.  I don't recall the details, however, I have found support to be useful.  A case may get you where you want to go faster than trying to rely on the rather non-specific documentation that's provided.  

           

          Good luck!  Be sure to let us know how it resolves.

          • 2. Re: Network DLP regular expressions

            Well, when I raised a service request trough standard support I was told they can help me only with the default concepts, if I want to help with creating custom ones I should pay for consulting.

             

            I am already in contact with local McAfee consultant and he told me he could not find anything regarding NDLP regex but will ask his collegues. One week and still nothing.

             

            I am afraid there is no documentation and even if it is the NDLP is not capable to match some more complex patterns like HDLP does.

             

            Thanks anyway and I will pin here a post if I find out something.

            • 3. Re: Network DLP regular expressions
              Regis

              Delightful.  LOL.      Sherman42, I feel your pain.

               

              So apparently it's too much to ask support for a working example of a single custom concept?   I'd raise hell with sales contacts and make sure the product manager for this steaming delight of NDLP knows what a crock of loveliness that puts customers in when support plays this card.   What support probably doesn't even know is that there's a black hole in consulting too... because those guys and gals are winging it and teaching themselves this stuff as well it seems.   The mcafee consultant we ended up with onsite wasn't nearly as sharp at this as he should've been and seemed to lean on support a lot.   Wonder if they'd have told him the same thing.  "But... I AM the McAfee consultant!"    Sales loves to sell us on how flexible and customizeable the product is to meet our needs, but that doesn't do us much good when the documentation fails to give you sufficient clues on how to do it.    In twitter parlance:

               

              @McAfeeNDLP If your support folks have to say the word "consulting" too often, your documentation and their training needs help.  #proTip 

               

              Maybe if you and I took the NDLP course they'd cover this piece of functionality in the tool?  Oh wait--that doesn't exist.  

               

              Mcafee:  I hope someone is lurking and escalating these concerns to someone empowered to do something about it.   Your DLP customer experience is currently rather broken I'm afraid.