Cisco FirePOWER Appliance 8250
28-29
FireSIGHT System User Guide
Chapter 28 Detecting Specific Threats
Detecting Sensitive Data
The preprocessor treats characters entered directly, instead of as part of a regular expression, as literal characters. For example, the data pattern 1234 matches 1234.
The following data pattern example, which is used in predefined sensitive data rule 138:4, uses the escaped digits character class, the multiplier and option-specifier metacharacters, and the literal dash (-) and left and right parentheses () characters to detect U.S. phone numbers:
(\d{3}) ?\d{3}-\d{4}
Exercise caution when creating custom data patterns. Consider the following alternative data pattern for detecting phone numbers which, although using valid syntax, could cause many false positives:
(?\d{3})? ?\d{3}-?\d{4}
Because the second example combines optional parentheses, optional spaces, and optional dashes, it would detect, among others, phone numbers in the following desirable patterns:
• (555)123-4567
• 555123-4567
• 5551234567
However, the second example pattern would also detect, among others, the following potentially invalid patterns, resulting in false positives:
• (555 1234567
• 555)123-4567
• 555) 123-4567
Consider finally, for illustration purposes only, an extreme example in which you create a data pattern that detects the lowercase letter a using a low event threshold in all destination traffic on a small company network. Such a data pattern could overwhelm your system with literally millions of events in only a few minutes.
Configuring Custom Data Types
License: Protection
You configure essentially the same data type options for custom data types that you configure for predefined data types. See for information on setting options that are common to all data types. In addition, you must specify the name and data pattern for custom data types.
Note that creating a custom data type also creates an associated custom sensitive data preprocessing rule, which you must enable in each policy where you want to use that data type. See for information on enabling rules in your intrusion policy.
To create or modify a custom data type:
Access: Admin/Intrusion Admin
Table 28-13    Sensitive Data Pattern Character Classes (continued)

Character Class    Description                                                          Definition
\w                 Matches any ASCII alphanumeric character. Note that, unlike PCRE     a-zA-Z0-9
                   regular expressions, this does not include an underscore (_).
\W                 Matches any byte that is not an ASCII alphanumeric character         not a-zA-Z0-9
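To make the false-positive discussion of the two phone-number patterns concrete, and to show the \w difference noted in Table 28-13, here is an added example that is not part of the FireSIGHT guide or of Cisco's code. It translates the sensitive data pattern syntax described on this page (\d, \w, \W, the {n} multiplier, the ? option specifier, everything else literal) into an equivalent Python regular expression, runs both patterns over the guide's sample strings, and checks that a data pattern \w stops at an underscore where PCRE's \w does not. Only the escapes this page documents are supported; any other escape is rejected rather than guessed at, and the sample payloads are constructed for the example.

```python
import re

# Character classes from Table 28-13 as shown on this page (\w and \W), plus
# \d, which the guide's phone-number pattern relies on. Unlike PCRE, the
# sensitive data \w does not include the underscore.
SD_CLASSES = {
    "d": "[0-9]",
    "w": "[a-zA-Z0-9]",
    "W": "[^a-zA-Z0-9]",
}


def sd_to_regex(pattern: str) -> str:
    """Translate a sensitive data pattern into an equivalent Python regex.

    Syntax implemented as the guide describes it: a backslash selects a
    character class, {n} is a multiplier, ? makes the preceding item optional,
    and every other character, including space, '-', '(' and ')', is literal.
    Escapes not in SD_CLASSES are rejected rather than guessed at.
    """
    atoms = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            cls = pattern[i + 1:i + 2]
            if cls not in SD_CLASSES:
                raise ValueError(f"unsupported escape at offset {i}: \\{cls}")
            atoms.append(SD_CLASSES[cls])
            i += 2
        elif ch == "{":
            end = pattern.find("}", i)
            count = pattern[i + 1:end] if end != -1 else ""
            if not atoms or not count.isdigit():
                raise ValueError(f"bad multiplier at offset {i}")
            atoms[-1] += "{" + count + "}"
            i = end + 1
        elif ch == "?":
            if not atoms:
                raise ValueError("? with nothing before it")
            # A repeated class followed by ? must become an optional group;
            # emitting '{3}?' unchanged would make Python's quantifier lazy.
            last = atoms[-1]
            atoms[-1] = f"(?:{last})?" if last.endswith("}") else last + "?"
            i += 1
        else:
            atoms.append(re.escape(ch))  # literal, e.g. '(' becomes '\('
            i += 1
    return "".join(atoms)


def sd_search(pattern: str, data: str) -> bool:
    """True if the pattern occurs anywhere in data. The preprocessor inspects
    session payload, so this is a substring search, not a whole-string match."""
    return re.search(sd_to_regex(pattern), data) is not None


def matches_per_pattern(patterns, samples):
    """Return {pattern: [samples it hits]} so candidate patterns can be compared."""
    return {p: [s for s in samples if sd_search(p, s)] for p in patterns}


# The guide's two phone-number patterns: rule 138:4 and the cautionary variant.
STRICT_PHONE = r"(\d{3}) ?\d{3}-\d{4}"
LOOSE_PHONE = r"(?\d{3})? ?\d{3}-?\d{4}"

# Constructed sample payloads: the guide's desirable and potentially invalid forms.
DESIRABLE = ["(555)123-4567", "555123-4567", "5551234567"]
INVALID = ["(555 1234567", "555)123-4567", "555) 123-4567"]

if __name__ == "__main__":
    report = matches_per_pattern([STRICT_PHONE, LOOSE_PHONE], DESIRABLE + INVALID)
    for pat, hits in report.items():
        print(f"{pat:28} -> {hits}")
    # A data pattern \w stops at an underscore; PCRE's \w does not.
    print(sd_search(r"\w{4}", "ab_cd"), bool(re.search(r"\w{4}", "ab_cd")))
```

Running the comparison shows the trade-off the guide describes: the strict pattern hits only "(555)123-4567" among the six samples, while the loose pattern hits all three desirable forms and all three invalid ones. When you write a custom pattern, run it over a list of strings you do and do not want flagged before enabling the rule, since each extra optional metacharacter widens the match set.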