Multi-line matching in filter

edwin-alexander
Level 1

Hi Experts

Currently tasked with seeing if our Ironports (C360 - v 7.5.1-028) can perform some of our PCI compliance criteria.

The request was as follows:

1. Any inbound email with credit card number present must have a notification sent to security group - done

2. The email must not go to the recipient(s) and also bounce back to the sender with a message stating we do not accept CC numbers through email - done

3. At no point should the CC number be included in any of the above emails - partially working

Using the advanced configuration guide I successfully created a filter in the CLI to perform these actions including changing the CC number to XXXX-XXXX-XXXX-XXXX BUT it only works on a single line. So if the CC number is not in the first line it ignores it.

I am using the "body-contains" rule and the guide does state "The body-contains() rule does not perform multi-line matching." However, it also says "When AsyncOS performs body scanning, it scans the body text and attachments for the regular expression".

So my question is basically: how is it scanning the body text and at the same time cannot do multi-line matching? I am confused.

If there is a way to find a match on more than just the first line in the message body then please let me know.

Thanks in advance!

Ed

1 Reply

exMSW4319
Level 3

Must you send the original e-mail back to the sender at all?

I'd do it the other way around; plonk the original message into a very limited-access quarantine and send a simple rejection back to the sender: "Dear colleague, your message $subject of $date appears to contain a credit card number contrary to [policy] and so cannot be delivered. Please see [intranet page URL] for advice." If you have reason to believe the sender's trying to be naughty with CC data, your quarantined message is your evidence for HR. If it's a false positive, you can release it. Your PCI rules may however dictate otherwise; you may want to double-check how much flexibility you really have here.

Having just read http://docs.python.org/dev/howto/regex.html#matching-characters I'd say that multiline matching means achieving a match from a phrase that extends over more than one line. However, that's an untested guess on my part.
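Editor's note: the two posts above describe two different situations that are easy to conflate: a card number that sits on a later line of the body (the original poster's symptom) and a single card number that is wrapped across a line break (the reply's reading of "multi-line matching"). The Python below is an added example written for this page; it is not AsyncOS message-filter syntax and not code from either poster, and it makes no claim about which of the two behaviours body-contains() actually has. The message bodies are constructed, the card numbers are well-known Luhn-valid test numbers rather than real accounts, and the regex, the Luhn check and the XXXX-XXXX-XXXX-XXXX masking are my own choices.

```python
import re

# Constructed sample bodies (not taken from the thread). The card numbers are
# publicly known test numbers that pass the Luhn check, not real accounts.
BODY_LATER_LINE = """Hi,
please process the payment with the details below.

Card: 4111 1111 1111 1111
Exp: 12/29

Also try 5500-0000-0000-0004 if the first one fails.
Thanks"""

# A single number wrapped onto the next line by the sender's mail client.
BODY_SPLIT_NUMBER = "Card number is 4111 1111\n1111 1111, thanks"

# 13 to 19 digits with an optional space or dash between digits. The separator
# class excludes newline, so a candidate must sit entirely on one line.
CARD_RE_ONE_LINE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Same shape, but \s includes newline, so a number wrapped across a line
# break is still one match. This is the "multi-line" case.
CARD_RE_ACROSS_LINES = re.compile(r"\b(?:\d[\s-]?){12,18}\d\b")

MASK = "XXXX-XXXX-XXXX-XXXX"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; drops false positives such as phone or order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[\s-]", "", candidate)


def find_cards(text: str, pattern: re.Pattern = CARD_RE_ONE_LINE) -> list[str]:
    """Return every Luhn-valid candidate in text as a plain digit string."""
    return [
        _digits_only(m.group(0))
        for m in pattern.finditer(text)
        if luhn_valid(_digits_only(m.group(0)))
    ]


def find_cards_first_line_only(text: str) -> list[str]:
    """What a rule that inspects only the first line of the body would see."""
    first_line = text.splitlines()[0] if text else ""
    return find_cards(first_line)


def mask_cards(text: str, pattern: re.Pattern = CARD_RE_ACROSS_LINES) -> str:
    """Replace each Luhn-valid card number with XXXX-XXXX-XXXX-XXXX before the
    body is copied into a notification or bounce, so the PAN never travels on."""
    def repl(m: re.Match) -> str:
        return MASK if luhn_valid(_digits_only(m.group(0))) else m.group(0)
    return pattern.sub(repl, text)


if __name__ == "__main__":
    print("first line only:", find_cards_first_line_only(BODY_LATER_LINE))
    print("whole body, per-line regex:", find_cards(BODY_LATER_LINE))
    print("wrapped number, per-line regex:", find_cards(BODY_SPLIT_NUMBER))
    print("wrapped number, across-lines regex:",
          find_cards(BODY_SPLIT_NUMBER, CARD_RE_ACROSS_LINES))
    print(mask_cards(BODY_LATER_LINE))
```

Running it shows the distinction: the first-line check finds nothing in the first body even though two card numbers are present further down, the one-line pattern finds both once it is applied to the whole body, and only the pattern whose separator class admits a newline catches the number in the second body. When testing a filter on the appliance, send both kinds of body and check the quarantine and the generated notification separately; a filter that fails on the second kind may still be acceptable under your PCI scope, but you want to know which kind it is failing on.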