Hello,
I have a file containing records in this format:
2022.03.18 11:46:45 DEBUG web[XXXXXXXX][auth.event] login success [method|BASIC][provider|REALM|ldap][IP|10.10.10.10|10.10.10.10:55637][login|XXXXXX]
I used this regular expression to detect private IP addresses:
(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})|(172\.1[6-9]{1}[0-9]{0,1}\.[0-9]{1,3}\.[0-9]{1,3})|(172\.2[0-9]{1}[0-9]{0,1}\.[0-9]{1,3}\.[0-9]{1,3})|(172\.3[0-1]{1}[0-9]{0,1}\.[0-9]{1,3}\.[0-9]{1,3})|(192\.168\.[0-9]{1,3}\.[0-9]{1,3})
Using this regular expression, I can't detect any IP addresses in the file sent through netskope. What can I do and where is the problem?
Solved
DLP - Detect IP addresses in a log file
Best answer by sshiflett
Hello
I grabbed your snippet and was able to trigger using the predefined identifier for IP addresses:
Without getting into the weeds, it’s almost always better to use predefined identifiers instead of regexes when possible due to how the Netskope engine handles word boundaries. My rule just leverages the predefined identifier.
Additionally, searching for just an IP address is likely to create a lot of noise and false positives so I would suggest adding additional identifiers or thresholds to ensure you’re capturing just the log files and data you’re looking for.
This topic has been closed for replies.
Hello
I grabbed your snippet and was able to trigger using the predefined identifier for IP addresses:
Without getting into the weeds, it’s almost always better to use predefined identifiers instead of regexes when possible due to how the Netskope engine handles word boundaries. My rule just leverages the predefined identifier.
Additionally, searching for just an IP address is likely to create a lot of noise and false positives so I would suggest adding additional identifiers or thresholds to ensure you’re capturing just the log files and data you’re looking for.
I tried the predefined identifiers but it didn't work for me. When I add a space before the IP address, it works. But I need to detect IP addresses with the previous format where , i.e. |IP address.
Using the predefined identifier the ip addresses are:
✅ Detected in this case: 2022.03.18 11:46:45 DEBUG web[XXXXXXXX][auth.event] login success [method|BASIC][provider|REALM|ldap][IP| 10.10.10.10| 10.10.10.10:55637][login|XXXXXX]
❌ Not Detected in this case: 2022.03.18 11:46:45 DEBUG web[XXXXXXXX][auth.event] login success [method|BASIC][provider|REALM|ldap][IP|10.10.10.10|10.10.10.10:55637][login|XXXXXX]
What format is the document you’re testing with in? Both of my test documents have no spaces as they are copied form your sample above:
Can you also post a screenshot of your DLP rule and profile?
Sam Shiflett | Netskope Solution Architect - North America
hello,
DLP rule “IP Addresses”:
DLP Profile:
I tested this rule with .docx, .log, .txt file and it didn’t work.
Hello
If you’d like to DM me the sanitized copy of the file you’re testing with I can take a look. Alternatively, we can look at a support ticket. What site/application are you testing with?
Sign up
Already have an account? Login
Sign in or register securely using Single Sign-On (SSO)
Employee Continue as Customer / Partner (Login or Create Account)Login to the community
Sign in or register securely using Single Sign-On (SSO)
Employee Continue as Customer / Partner (Login or Create Account)Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.