Cisco Cisco Email Security Appliance X1050 Guía Del Usuario
9-20
AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide
Chapter 9 Using Message Filters to Enforce Email Policies
Message Filter Rules
In this instance, AsyncOS will have to start the regular expression engine 30 times, once for each
attachment type and the recv-listener.
attachment type and the recv-listener.
Instead, write the filter to look like this:
The regular expression engine only has to start twice and the filter is arguably easier to maintain as you
do not have to worry about adding “()”, spelling errors. In contrast to the above, this should show a
decrease in CPU overhead.
do not have to worry about adding “()”, spelling errors. In contrast to the above, this should show a
decrease in CPU overhead.
PDFs and Regular Expressions
Depending on how a PDF is generated, it may contain no spaces or line breaks. When this occurs, the
scanning engine attempts to insert logical spaces and line breaks based on the location of the words on
the page. For example, when a word is constructed using multiple fonts or font sizes, the PDF code is
rendered in a way that makes it difficult for the scanning engine to determine word and line breaks. When
you attempt to match a regular expression against a PDF file constructed in this way, the scanning engine
may return unexpected results.
scanning engine attempts to insert logical spaces and line breaks based on the location of the words on
the page. For example, when a word is constructed using multiple fonts or font sizes, the PDF code is
rendered in a way that makes it difficult for the scanning engine to determine word and line breaks. When
you attempt to match a regular expression against a PDF file constructed in this way, the scanning engine
may return unexpected results.
For example, you enter a word in a PowerPoint document that uses different fonts and different font
sizes for each letter in the word. When a scanning engine reads a PDF generated from this application,
it inserts logical spaces and line breaks. Because of the construction of the PDF, it may interpret the word
“callout” as “call out” or “c a l lout.” Attempting to match either of these renderings against the regular
expression, “callout,” would result in no matches.
sizes for each letter in the word. When a scanning engine reads a PDF generated from this application,
it inserts logical spaces and line breaks. Because of the construction of the PDF, it may interpret the word
“callout” as “call out” or “c a l lout.” Attempting to match either of these renderings against the regular
expression, “callout,” would result in no matches.
Smart Identifiers
When you use message rules that scan message content, you can use smart identifiers to detect certain
patterns in the data.
patterns in the data.
Smart identifiers can detect the following patterns in data:
•
Credit card numbers
•
U.S. Social Security numbers
•
Committee on Uniform Security Identification Procedures (CUSIP) numbers
•
American Banking Association (ABA) routing numbers
attachment-filter: if (recv-listener == "Inbound") AND (attachment-filename ==
"\\.(386|exe|ad|ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|jse|l
nk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shb|shs|url|vb|vbe|vbs|vss|vst|vsw|ws|wsc
|wsf|wsh)$") {
bounce();
}