
Hello, 

I have a file containing records in this format: 
2022.03.18 11:46:45 DEBUG web[XXXXXXXX][auth.event] login success [method|BASIC][provider|REALM|ldap][IP|10.10.10.10|10.10.10.10:55637][login|XXXXXX]

I used this regular expression to detect private IP addresses: 
(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})|(172\.1[6-9]{1}[0-9]{0,1}\.[0-9]{1,3}\.[0-9]{1,3})|(172\.2[0-9]{1}[0-9]{0,1}\.[0-9]{1,3}\.[0-9]{1,3})|(172\.3[0-1]{1}[0-9]{0,1}\.[0-9]{1,3}\.[0-9]{1,3})|(192\.168\.[0-9]{1,3}\.[0-9]{1,3})

Using this regular expression, I can't detect any IP addresses in the file sent through Netskope. What can I do, and where is the problem?

Hello @Arij


I grabbed your snippet and was able to trigger using the predefined identifier for IP addresses:


Without getting into the weeds, it’s almost always better to use predefined identifiers instead of regexes when possible due to how the Netskope engine handles word boundaries.  My rule just leverages the predefined identifier. 

Additionally, searching for just an IP address is likely to create a lot of noise and false positives so I would suggest adding additional identifiers or thresholds to ensure you’re capturing just the log files and data you’re looking for. 


@sshiflett  Thank you for your reply.

I tried the predefined identifiers, but they didn't work for me. When I add a space before the IP address, it works. But I need to detect IP addresses in the previous format, i.e. |IP address.

Using the predefined identifier, the IP addresses are:
✅ Detected in this case: 2022.03.18 11:46:45 DEBUG web[XXXXXXXX][auth.event] login success [method|BASIC][provider|REALM|ldap][IP| 10.10.10.10| 10.10.10.10:55637][login|XXXXXX]

❌ Not Detected in this case: 2022.03.18 11:46:45 DEBUG web[XXXXXXXX][auth.event] login success [method|BASIC][provider|REALM|ldap][IP|10.10.10.10|10.10.10.10:55637][login|XXXXXX]
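To separate "the regex is wrong" from "the DLP engine tokenizes differently", here is an added example (not from the thread or from Netskope) that runs the posted regex and a tightened RFC 1918 pattern over a constructed copy of the log line in Python's re. It shows that the posted pattern does match the |-delimited address in a standard engine, and that its loose octet ranges also accept near-misses such as 172.160.1.1 or the tail of 110.10.10.10; whether Netskope's regex dialect supports the lookarounds used here is an assumption to check in its documentation.

```python
import re

# Constructed sample line in the format from the thread (IPs and IDs are placeholders).
LOG_LINE = ("2022.03.18 11:46:45 DEBUG web[XXXXXXXX][auth.event] login success "
            "[method|BASIC][provider|REALM|ldap][IP|10.10.10.10|10.10.10.10:55637]"
            "[login|XXXXXX]")

# The regex from the question, exactly as posted.
POSTED_RE = re.compile(
    r"(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"
    r"|(172\.1[6-9]{1}[0-9]{0,1}\.[0-9]{1,3}\.[0-9]{1,3})"
    r"|(172\.2[0-9]{1}[0-9]{0,1}\.[0-9]{1,3}\.[0-9]{1,3})"
    r"|(172\.3[0-1]{1}[0-9]{0,1}\.[0-9]{1,3}\.[0-9]{1,3})"
    r"|(192\.168\.[0-9]{1,3}\.[0-9]{1,3})"
)

# Tightened RFC 1918 matcher: exact octet ranges (0-255, 172.16-172.31 only), and
# lookarounds that reject an adjacent digit or dot but accept any other delimiter
# (space, '|', ':', '['), so "|10.10.10.10|" is found without needing a space.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
RFC1918_RE = re.compile(
    rf"(?<![\d.])(?:10\.{OCTET}\.{OCTET}\.{OCTET}"
    rf"|172\.(?:1[6-9]|2\d|3[01])\.{OCTET}\.{OCTET}"
    rf"|192\.168\.{OCTET}\.{OCTET})(?![\d.])"
)


def posted_matches(text):
    """Private IPs found by the regex as posted in the question."""
    return [m.group(0) for m in POSTED_RE.finditer(text)]


def rfc1918_matches(text):
    """Private IPs found by the tightened, delimiter-agnostic pattern."""
    return RFC1918_RE.findall(text)


if __name__ == "__main__":
    print(posted_matches(LOG_LINE))
    print(rfc1918_matches(LOG_LINE))
    # Near-misses that are not private addresses (constructed):
    print(posted_matches("172.160.1.1 110.10.10.10 10.999.1.1"))
    print(rfc1918_matches("172.160.1.1 110.10.10.10 10.999.1.1"))
```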


@Arij I just tested with your sample with no spaces and the predefined identifier in both txt and docx documents.  Both were blocked:

What format is the document you’re testing with in?  Both of my test documents have no spaces, as they are copied from your sample above:

Can you also post a screenshot of your DLP rule and profile? 




Hello,
DLP rule “IP Addresses”:

DLP Profile: 

I tested this rule with .docx, .log and .txt files and it didn’t work.


Hello @Arij

If you’d like to DM me the sanitized copy of the file you’re testing with I can take a look.  Alternatively, we can look at a support ticket.  What site/application are you testing with? 

