DLP Regex Advanced Filter regex limitations

  • 24 October 2022
  • 3 replies
  • 48 views

Badge +12
  • Netskope Partner
  • 21 replies

Hi all, thanks for reading.

 

The regex [a-z0-9]{64} is allowed to be used as the main regex, but the UI return an error when trying to use that same regex as a regex filter in entity advanced settings. I validated that decreasing the length from 64 to 40 makes the regex to be accepted instead.

 

Why is that? I cannot find any documentation differentiating between limitations for the main regex and the advanced filter ones.

 

How does netskope evaluate if a regexx is supported or not

 

Thanks in advance,

Òscar


3 replies

Badge +11

@oscar that's a really vague RegEx to begin with. Can you expand on the use case of what you are trying to accomplish? In general, a Regex is the last resort because of the high rate of FPs. I'd like to understand why a Regex is needed in the first place.

I'm looking into the regex limit, but don't have an answer yet.

Badge +12

Hi @jason , thanks for responding.

 

I try to simplify the scenarios to just focus on the issue or unexpected behaviour.

I give you some context about how I get here:

We are using regex to detect base64 encoded data being sent outside. We are matching sha265 hashes as false positives, so we wanted to ignore these. sha265 are 64 hexadecimal characters.

 

We finally used the regex [a-f0-9]{64} as filter, and it was admitted by the UI as filter, but before this we tried to use the regex [a-z0-9]{64}, which was not allowed by the UI.

Then I checked if the same regex was admited as the main regex, and it was admited.

 

This is why I guessed there are limitations with regex and there are different limitations between the main regex and the filter regex.

 

I would like to understand why the UI refuses a regex and there is no syntax error in it.

The error pop up says: Exception: Regex Dictionary compilation error

 

Thanks in advance,

Òscar

Badge +12

Hello @jason , I hope you are doing well.

 

were you able to check my latest update? I provided more details regarding the issue I'm facing.

 

Thanks in advance,

Òscar

Reply