3 Replies Latest reply on Dec 30, 2016 3:56 PM by ahawke

    Ignore pattern match if preceded or trailed by a special character with DLP 10.

    nicholas.klebs

      I want to match a 9 digit number - but not if there is a special character in front of or behind it.

      I am using \b\d{9}\b, and trying to figure out how to ignore matching the 9 digit number for strings like:

      -456123568

      321548795.

      *546123587

      $123456789

      123456789#

       

      In DLPe 9.3 I used (?!) to get the job done.

      DLP 9.4/10 uses Google RE2 regex engine; which doesn't support "before text not matching" (?!), and "after text not matching" (?<!).

       

      The suggestion is to use "Ignored Expressions".

      https://kc.mcafee.com/agent/index?page=content&id=KB88260

      This doesn't work, as the ignored pattern has a larger number of characters than the matched pattern.

       

      Anyone have thoughts or suggestions?  End of the day I want to match on 9 digit numbers, but only if they are not preceded by a special character.

        • 1. Re: Ignore pattern match if preceded or trailed by a special character with DLP 10.
          ahawke

          Have you tried adding special character proximity condition?

          That's probably your best bet.

           

          Out of curiosity, why are you using such a general pattern?

          • 2. Re: Ignore pattern match if preceded or trailed by a special character with DLP 10.
            nicholas.klebs

            Is the proximity condition set in the Classification Rule ?

            Is there the ability to do a negative condition, "not next to special character"?

             

            General pattern is being used primarily as an example.

            • 3. Re: Ignore pattern match if preceded or trailed by a special character with DLP 10.
              ahawke

              Prefacing my response by noting that I have not tested the following, but I think it's the most efficient way to accomplish your use case.

               

              1. Create a new Dictionary Definition:

              - Create a separate line item for each special char and click Starts With for each char and Score = 1 for each

               

              2. Create a new Classification > Add Classification Criteria > Select: Proximity > Click the button [...]

              Once you are in the Proximity Operator set the following (pop-up box after clicking button mentioned above):

               

              Proximity between: Dictionary > Select the Dictionary Definition created in # 1

              and: Adv Pattern > Select your adv pattern with the 9 digit regex string

              Closeness: is less than 1 characters

              Match count: and found at least 1 times

              Click OK

               

              Save Classification Criteria

               

              3. Create a Data Protection Rule

              - Condition: Use your initial Adv Pattern classification that contains the regex only

              - Exception: Add Exception Rule - Select the newly created Classification with Proximity

                           Configure the other parameters of the rule as desired

               

              Sorry, my instructions aren't formatted very neatly, but these steps should be able to get you to where you want to be. Give it a test and let me know, may need to tweak a bit.

               

              As a side-note: I am not a huge fan of using built-ins on rules in production, but they are extremely helpful references when building your own rules. They also make it easy to create POC/demo rules to show functionality and decrease lead time in configuring.

               

              Finally, I totally understand using general as an example, no reason to go over the top. That said, save yourself a migraine or 2 and never deploy a rule like that across the environment, especially if you are collecting evidence. You will instantly drown incident manager (and yourself) in a bazillion false positives.

               

              LMK if the above solution works for you, it will be good to know definitively!

              Alex
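
The following is an added example, not code from this thread or from McAfee. It uses Go because Go's regexp package implements the same RE2 syntax that DLP 9.4/10 uses, so it reproduces the problem in the original question (RE2 rejects the (?<!) / (?!) lookaround that worked in DLPe 9.3) and then shows two ways to get the same result without lookaround: a post-filter that mirrors Alex's dictionary + proximity exception (drop any \b\d{9}\b hit that has a dictionary character within one character of its boundary), and a single RE2 pattern that consumes one context character on each side and captures only the digits. The special-character list and the sample inputs are constructed for the example; the function names are assumptions, not DLP API names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode/utf8"
)

// nineDigits is the question's own pattern; RE2 (Go's regexp) accepts it.
var nineDigits = regexp.MustCompile(`\b\d{9}\b`)

// specialChars stands in for the "dictionary" of special characters from
// the answer. Constructed list for this example; add whatever your
// environment treats as special.
const specialChars = "-.*$#"

// LookaroundSupported tries to compile a lookbehind/lookahead pattern.
// RE2 has no lookaround, so this returns false; that is the limitation
// the question runs into on DLP 9.4/10.
func LookaroundSupported() bool {
	_, err := regexp.Compile(`(?<![-.*$#])\d{9}(?![-.*$#])`)
	return err == nil
}

// FindClean emulates the dictionary + proximity exception from the answer:
// every \b\d{9}\b hit is kept unless a dictionary character sits
// immediately before or after it (closeness less than 1 character).
func FindClean(s string) []string {
	var out []string
	for _, loc := range nineDigits.FindAllStringIndex(s, -1) {
		start, end := loc[0], loc[1]
		if start > 0 {
			prev, _ := utf8.DecodeLastRuneInString(s[:start])
			if strings.ContainsRune(specialChars, prev) {
				continue // preceded by a special character: drop
			}
		}
		if end < len(s) {
			next, _ := utf8.DecodeRuneInString(s[end:])
			if strings.ContainsRune(specialChars, next) {
				continue // followed by a special character: drop
			}
		}
		out = append(out, s[start:end])
	}
	return out
}

// withContext is a single RE2 pattern that folds the neighbour check into
// the regex itself by consuming one context character on each side and
// capturing only the digits. It needs no lookaround, but see the caveat
// on FindCleanOnePattern.
var withContext = regexp.MustCompile(`(?:^|[^-.*$#\d])(\d{9})(?:[^-.*$#\d]|$)`)

// FindCleanOnePattern returns the captured digit groups. Because the
// context characters are consumed, two valid numbers separated by a
// single character ("123456789 987654321") yield only the first one;
// the post-filter in FindClean does not have this problem.
func FindCleanOnePattern(s string) []string {
	var out []string
	for _, m := range withContext.FindAllStringSubmatch(s, -1) {
		out = append(out, m[1])
	}
	return out
}

func main() {
	fmt.Println("lookaround supported by RE2:", LookaroundSupported())
	samples := []string{ // constructed inputs, taken from the question
		"-456123568", "321548795.", "*546123587", "$123456789", "123456789#",
		"id 123456789 ok", "123456789 987654321",
	}
	for _, s := range samples {
		fmt.Printf("%-22q post-filter=%v single-pattern=%v\n",
			s, FindClean(s), FindCleanOnePattern(s))
	}
}
```

The post-filter is the closer analogue of the proximity exception: the rule fires on the plain regex classification and the exception removes hits that are adjacent to a dictionary entry, so neighbouring numbers are evaluated independently. The single-pattern variant is worth knowing when you can only change the regex, but because it consumes its context characters it can silently miss the second of two back-to-back numbers, which is a detection gap rather than a false positive.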