cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1080
Views
0
Helpful
4
Replies
Highlighted
Beginner

IronPort ESA DLP regular expression

Since the built in SSN classifiers on the ESAs have a lot of false positives, Cisco support suggested creating regular expressions when creating DLP policies. I am trying to develop a custom DLP policy using a regular expression in a custom classifier using the following rules rules:

A Social Security number CANNOT :

  • Contain all zeroes in any specific group (e.g 000-##-####, ###-00-####, or ###-##-0000)
  • Begin with ‘666’.
  • Begin with any value from ‘773-999′
  • Be ‘078-05-1120′ 
  • Be ‘219-09-9999′ 
  • Be ‘123-45-6789′

 Her is my regex:

^(?!000|666|77[3-9]|8[0-9]{2})[0-9]{3}\-(?!00)[0-9]{2}\-(?!0000)[0-9]{4}$

It works with regex testers, but my ESA does not catch valid test data. Any suggestions?

4 REPLIES 4
Highlighted
Cisco Employee

Your formula does not work with my regex tester. I tested using 435-11-2356, testing with ^(?!000)(?!666)(?!9)\d{3}([- ]?)(?!00)\d{2}\1(?!0000)\d{4}$ does work. Now I haven't added any of your other variables but you can work around it.

 

http://regexlib.com/Search.aspx?k=ssn

Highlighted

Thanks for the reply Tommy!

I put your regex to the test and it does work with a tester. However, when I test it with the ESA, it doesn't work. Thoughts?

Highlighted

Are you testing with an inbound or outbound content filter applied to the policy?

Highlighted

No. I am testing a custom DLP policy with a custom identifier. Then the DLP policy is applied to Outgoing Mail Policies

Content for Community-Ad