Cisco Support Community

New Member

Social Security rule Help

Hello all,

Not sure if this is every company, but we have pretty strict rules for SSN's. We use the C150. We have the following rule to catch the main SSN offensives and this works very well.

ssn: if (recv-listener == 'OutboundMail') AND body-contains("\\b[0-9]{9}\\b|\\b[0-9]{3}[-]+[0-9]{2}[-]+[0-9]{4}\\b|\\b[0-9]{3}[\\t]*[0-9]{2}[ \\t]*[0-9]{4}\\b|\\b[0-9]{3}[,]+[0-9]{2}[,]+[0-9]{4}\\b|\\b[0-9]{3}[;]+[0-9]{2}[;]+[0-9]{4}\\b|\\b[0-9]{3}[:]+[0-9]{2}[:]+[0-9]{4}\\b|\\b[0-9]{3}[.]+[0-9]{2}[.]+[0-9]{4}\\b|\\b[0-9]{8}\\b", 1)

But, we actually need to catch 9 digit numbers also such as 555555555. We are having a lot of problems with this rule and making it work well. So far, we have caught ticket numbers, HTML font classes, Outlook meetings, etc. I know this is going to be a tough rule, but wondering if anyone else had luck making one work. This one seems to catch 9 digit numbers if there is a letter on either side or more than a 9 digit number, but not if it has a hyphen, period, comma, etc on either side.


ssn_8_or_9_digit: if (recv-listener == "OutboundMail") AND (body-contains("([^\\w=-@:]|^)\\b[0-9]{9}\\b([^\\w=-@:]|$)", 1))

Please let me know if anyone has luck.

3 REPLIES

Re: Social Security rule Help

In version 6.1 (or above?)

Smart Identifiers
When you use message rules that scan message content, you can use smart identifiers to detect certain patterns in the data.

Smart identifiers can detect the following patterns in data:
• Credit card numbers
• U.S. Social Security numbers
• CUSIP (Committee on Uniform Security Identification Procedures) numbers
• ABA (American Banking Association) routing numbers
To use smart identifiers in a filter, enter the following keywords in a filter rule that scans body or attachment content:


Syntax
When you use a smart identifier in a filter rule, enter the smart-identifier keyword in quotes within a filter rule that scans the body or attachment file, as in the example below:


You can also use smart identifiers in content filters and as a part of content dictionaries.

Note — You cannot combine a smart identifier key word with a normal regular expression or another key word. For example the pattern *credit|*ssn would not be valid.

Note — To minimize on false positives using the *SSN smart identifier, it may be helpful to use the *ssn smart identifier along with other filter criteria. One example filter that can be used is the “only-body-contains” filter condition. This will only evaluate the expression to be true if the search string is present in all of the message body mime parts.

For example, you could create the following filter:

SSN-nohtml: if only-body-contains("*ssn") { duplicate-quarantine("Policy");}

New Member

Smart Identifiers

They don't block 9 straight digits and other formats.

Cisco Employee

Re: Social Security rule Help

Consecutive nine digit strings are going to be quite problematic for the exact reasons you mentioned in your original post. They'll match on everything from HTML to invoice numbers.

IronPort actually removed the match for consecutive nine digit strings from its SSN smart identifier for this exact reason. Trapping on it generates too many false positives.

I guess you could add the string in a filter that quarantines messages, but you need to be prepared to constantly monitor for false positives, which are going to be the majority of what gets caught :(
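
One way to measure the false-positive load described in this reply before a nine-digit rule goes into a quarantine filter, as an added example that is not part of the thread and not Cisco code. It assumes Python's `re` as a stand-in for the filter's regex engine, uses constructed sample bodies, and goes beyond the thread's rules by adding `plausible_ssn`, a hypothetical helper that drops digit strings in ranges the SSA never issues.

```python
import re

# Bare nine-digit run, the core of the thread's ssn_8_or_9_digit rule.
NINE_DIGITS = re.compile(r"\b[0-9]{9}\b")
# 3-2-4 grouping with one repeated separator, a simplified form of the first rule.
DELIMITED = re.compile(r"\b([0-9]{3})([-.,;: ])([0-9]{2})\2([0-9]{4})\b")

def plausible_ssn(digits):
    """True unless the nine digits fall in a range the SSA never issues:
    area 000, 666 or 900-999, group 00, serial 0000."""
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def scan(body):
    """Return (matched text, rule name, plausible?) for every hit in body."""
    hits = [(m.group(0), "delimited",
             plausible_ssn(m.group(1) + m.group(3) + m.group(4)))
            for m in DELIMITED.finditer(body)]
    hits += [(m.group(0), "bare", plausible_ssn(m.group(0)))
             for m in NINE_DIGITS.finditer(body)]
    return hits

# Constructed sample bodies (not real mail): two intended hits, the rest benign.
SAMPLES = {
    "real format": "Employee SSN is 555-55-5555, please update payroll.",
    "bare ssn": "SSN 555555555 attached.",
    "ticket": "Your ticket 900123456 has been closed.",
    "invoice": "Invoice 000481516 is overdue.",
    "html": '<img width="100" id="123456789">',
    "meeting": "Dial-in conference ID: 314159265",
}

def report(samples):
    """Map each sample name to the hits that survive the structural check."""
    return {name: [h for h in scan(body) if h[2]]
            for name, body in samples.items()}

if __name__ == "__main__":
    for name, hits in report(SAMPLES).items():
        print(f"{name:12} {hits}")
```

The ticket and invoice numbers are dropped by the structural check, but the HTML id and the conference ID still pass it, which is the residual false-positive load the reply warns about.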
