IronPort ESA DLP regular expression

Khaim_Helms1 · ‎05-05-2015

Since the built in SSN classifiers on the ESAs have a lot of false positives, Cisco support suggested creating regular expressions when creating DLP policies. I am trying to develop a custom DLP policy using a regular expression in a custom classifier using the following rules rules:

A Social Security number CANNOT :

Contain all zeroes in any specific group (e.g 000-##-####, ###-00-####, or ###-##-0000)
Begin with ‘666’.
Begin with any value from ‘773-999′
Be ‘078-05-1120′
Be ‘219-09-9999′
Be ‘123-45-6789′

Her is my regex:

^(?!000|666|77[3-9]|8[0-9]{2})[0-9]{3}\-(?!00)[0-9]{2}\-(?!0000)[0-9]{4}$

It works with regex testers, but my ESA does not catch valid test data. Any suggestions?

Tom Foucha · ‎05-07-2015

Your formula does not work with my regex tester. I tested using 435-11-2356, testing with ^(?!000)(?!666)(?!9)\d{3}([- ]?)(?!00)\d{2}\1(?!0000)\d{4}$ does work. Now I haven't added any of your other variables but you can work around it.

http://regexlib.com/Search.aspx?k=ssn

Khaim_Helms1 · ‎05-08-2015

Thanks for the reply Tommy!

I put your regex to the test and it does work with a tester. However, when I test it with the ESA, it doesn't work. Thoughts?

Tom Foucha · ‎05-08-2015

Are you testing with an inbound or outbound content filter applied to the policy?

Khaim_Helms1 · ‎05-08-2015

No. I am testing a custom DLP policy with a custom identifier. Then the DLP policy is applied to Outgoing Mail Policies

ESA Product Support \| ESA Guided Setup \| SMA Product Support \| Encryption Product Support Email Submission and Tracking Portal \| Cisco Talos Reputation Center Support \| CRES \| Talos Cisco: Open a Support Case \| Support & Downloads \| Worldwide Contacts \| Bug Search \| Notification Service	ESA:	13.5.1-277
	SMA:	13.6.2-023
	Email Plug-in (Reporting):	1.1.0.133
	Email Plug-in (Encryption):	1.2.1.151