Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1101
Views
0
Helpful
3
Replies

National Insurance Content Filter Help

Wargot_ironport
Level 1
Level 1

‎11-17-2009 11:22 AM

I am after some help.

We are using the RegEx provided by IronPort to do some testing and are scanning all outbound messages using this RegEx.

However we have got forms that go out to customers that by the Natioanl Insurance number request field there is a NI Number to show an example (AB123435C). This of course then triggers the content filter and the message is incorrectly stopped.

We want to try and stop this from happening as it is going to casue major issues with false positives. We have thought about adding a rule that if AB123435C "is Not" contained within the message body or attachment, but this would mean that if someone were to email out a completed form that had both the sample NI number and the customers correct NI number then it would be ignored, which of course is unacceptable.

The only way I can see to do this, is to add to the dictionary (or create a new one) that contains AB123435C with a Minus score that equals the score that the RegEx gives it.

So if the RegEx give a score of 1, then the AB123435C entry would have to give a score of -1. This would mean that the example NI would be ignored, but any real NI numbers would still be picked up.

The problem is that I don't think there is the feature to give minus scores to dictionary terms. Has anyone else either requested this or have a better idea?

Thanks in advance.

Labels:
0 Helpful
3 Replies 3

mychrislo_ironport
Level 1
Level 1

‎11-17-2009 04:17 PM

Just an idea, cos I haven't played with threshold scoring.

You dont need negative score. According to the manual, you can set "weight" to keywords in dictionary.

All you need is a very big weight difference between the "example-NI" score and the normal NI score.

E.g

example-ni score is 1.
other regex matched NI is score 9999 (I assume this can be done).

Then your minimum score of the filter rule set to 100 is sufficient to catch any email try to get through by passing the example form. (unless they attached it 100 times).

Once an email is attached with a normal form, they _should_ be caught because 9999 is assigned and > 100.

0 Helpful

lrosenstein
Level 1
Level 1

‎11-18-2009 02:59 PM 

We have thought about adding a rule that if AB123435C "is Not" contained within the message body or attachment,


You can probably do this with a negative assertion. For example if you add the following to the beginning of your existing regex:

(?!AB123435C)

Then the regex will match all numbers except "AB123435C".

0 Helpful

bettygdurand
Level 1
Level 1
In response to lrosenstein

‎05-18-2023 12:21 PM - edited ‎05-26-2023 11:46 AM

Here's an example to illustrate how it works:
^(?!AB123435C)\d+$

In this regex pattern:

^ asserts the start of the string.

(?!AB123435C) is the negative lookahead that excludes the specific pattern ""AB123435C".

\d+ matches one or more digits.

$ asserts the end of the string.

Using this pattern, the regex will match any sequence of digits except the exact pattern "AB123435C".

Top of Form

 



0 Helpful
Customers Also Viewed These Support Documents