Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 28      Detecting Specific Threats
  Detecting Sensitive Data
The preprocessor treats characters entered directly, instead of as part of a regular expression, as literal 
characters. For example, the data pattern 1234 matches 1234.
The following data pattern example, which is used in predefined sensitive data rule 138:4, uses the 
escaped digits character class, the multiplier and option-specifier metacharacters, and the literal dash (-) 
and left and right parentheses () characters to detect U.S. phone numbers:
(\d{3}) ?\d{3}-\d{4}
Exercise caution when creating custom data patterns. Consider the following alternative data pattern for 
detecting phone numbers which, although using valid syntax, could cause many false positives:
(?\d{3})? ?\d{3}-?\d{4}
Because the second example combines optional parentheses, optional spaces, and optional dashes, it 
would detect, among others, phone numbers in the following desirable patterns:
  • (555)123-4567
  • 555123-4567
  • 5551234567
However, the second example pattern would also detect, among others, the following potentially invalid 
patterns, resulting in false positives:
  • (555 1234567
  • 555)123-4567
  • 555) 123-4567
Consider finally, for illustration purposes only, an extreme example in which you create a data pattern 
that detects the lowercase letter a using a low event threshold in all destination traffic on a small 
company network. Such a data pattern could overwhelm your system with literally millions of events in 
only a few minutes.
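The difference between the two phone-number patterns above can be checked offline before a custom data type is deployed. The following is an added example, not taken from the Cisco guide or the preprocessor itself: it translates the part of the data pattern syntax shown on this page into a Python regular expression and reports which of the guide's sample strings each pattern accepts. The names `sd_to_regex` and `matching`, the whole-string comparison, and the treatment of unknown escapes as literals are assumptions of the example.

```python
import re

# Classes shown on this page: \d, and \w / \W from Table 28-13.
# Unlike PCRE, \w here does not include the underscore.
CLASSES = {"d": "[0-9]", "w": "[a-zA-Z0-9]", "W": "[^a-zA-Z0-9]"}
MULTIPLIER = re.compile(r"\{([0-9]+)\}")

def sd_to_regex(pattern):
    """Translate a sensitive data pattern into a compiled Python regex."""
    atoms = []          # one regex fragment per pattern element
    quantified = False  # True once the last atom already carries {N} or ?
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        mult = MULTIPLIER.match(pattern, i) if ch == "{" else None
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # Assumption: an escape that is not a known class is a literal.
            atoms.append(CLASSES.get(nxt, re.escape(nxt)))
            quantified, i = False, i + 2
        elif (mult or ch == "?") and atoms and not quantified:
            # Multiplier or option-specifier applies to the previous element.
            atoms[-1] += mult.group(0) if mult else "?"
            quantified, i = True, (mult.end() if mult else i + 1)
        elif ch in "\\{}?":
            raise ValueError(f"unsupported use of {ch!r} at offset {i}")
        else:
            # Everything else, including ( ) and -, is a literal character.
            atoms.append(re.escape(ch))
            quantified, i = False, i + 1
    return re.compile("".join(atoms))

def matching(pattern, samples):
    """Return the samples that the data pattern matches as whole strings."""
    rx = sd_to_regex(pattern)
    return [s for s in samples if rx.fullmatch(s)]

STRICT = r"(\d{3}) ?\d{3}-\d{4}"      # pattern from predefined rule 138:4
LOOSE = r"(?\d{3})? ?\d{3}-?\d{4}"    # the guide's over-permissive alternative
DESIRED = ["(555)123-4567", "555123-4567", "5551234567"]   # from the guide
INVALID = ["(555 1234567", "555)123-4567", "555) 123-4567"]  # from the guide

if __name__ == "__main__":
    for name, pat in (("strict", STRICT), ("loose", LOOSE)):
        print(name, "desired:", matching(pat, DESIRED),
              "invalid:", matching(pat, INVALID))
```

Running candidate patterns against a list of strings that must not match, as done here with the guide's invalid samples, exposes over-permissive combinations of optional characters before the rule is enabled in a policy.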
Configuring Custom Data Types
License: Protection
You configure essentially the same data type options for custom data types that you configure for 
predefined data types. See 
 for information on 
setting options that are common to all data types. In addition, you must also specify the name and data 
pattern for custom data types.
Note that creating a custom data type also creates an associated custom sensitive data preprocessing rule, 
which you must enable in each policy where you want to use that data type. See 
 for information on enabling rules in your intrusion policy.
To create or modify a custom data type:
Access: Admin/Intrusion Admin
Table 28-13  Sensitive Data Pattern Character Classes (continued)

Character Class | Description | Character Class Definition
\w | Matches any ASCII alphanumeric character. Note that, unlike PCRE regular expressions, this does not include an underscore (_). | a-zA-Z0-9
\W | Matches any byte that is not an ASCII alphanumeric character | not a-zA-Z0-9