Error creating Data Identifier


Article ID: 184742


Products

Data Loss Prevention Enforce

Issue/Introduction

The following error is seen when creating a new Data Identifier:

The pattern "<pattern>" is not valid because the cumulative range 10 is too long. The maximum cumulative range is 8.

For example, when creating a Data Identifier to match an IP address followed by a port, such as 10.10.10.10/2552, the following pattern produces the error:

10\.\d{1,3}\.\d{1,3}\.\d{1,3}[\\\/]\d{1,5}


The <pattern> above would be replaced with whatever pattern was attempted.

Cause

The error is caused by the spread between the shortest and longest strings the identifier can match. Using the IP address example above, a match can be as short as 10 characters (10.1.1.1/1) or as long as 20 characters (10.123.123.123/12345), a difference of 10, which is the cumulative range reported in the error. A large spread in possible match length has a drastic effect on detection, so DLP does not allow a difference of more than 8 characters.

Environment

Symantec Data Loss Prevention (DLP) 15 and higher

Resolution

Option 1:

If a difference of 10 or more characters is needed, the pattern must be split across several Data Identifiers. Using the same IP address example, this could be done as follows:

10\.\d{1,3}\.\d{1,3}\.\d{1,3}[\\\/]\d{1,2}
10\.\d{1,3}\.\d{1,3}\.\d{1,3}[\\\/]\d{3,5}

Together these match the same values as the original (an IP address followed by a port of 1 to 5 digits), but each pattern covers a smaller range of lengths.

Option 2:

For better results, make the identifier as specific as possible. In the IP address example, if the second octet is also known it can be written into the pattern, which reduces the range of lengths the identifier has to cover:

10\.10\.\d{1,3}\.\d{1,3}[\\\/]\d{1,5}

Alternatively, if only ports of 3 to 5 digits are of interest, the following could be used:

10\.\d{1,3}\.\d{1,3}\.\d{1,3}[\\\/]\d{3,5}

Either of the above options will simplify the identifier without affecting detection.
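As an added example (not from the article or from Symantec), the following Python script models the cumulative-range check as the sum of (max - min) over the bounded quantifiers in a pattern, which reproduces the figures above (10 for the rejected pattern, 7 and 8 for the Option 1 pair, 8 for the narrowed Option 2 pattern), and confirms on constructed samples that the two split identifiers together match exactly what the original did. The `cumulative_range` model and the sample values are assumptions, not Enforce's own implementation.

```python
import re

MAX_CUMULATIVE_RANGE = 8  # limit quoted in the DLP error message

ORIGINAL = r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}[\\\/]\d{1,5}"   # rejected: range 10
SPLIT = [
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}[\\\/]\d{1,2}",          # range 7
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}[\\\/]\d{3,5}",          # range 8
]
NARROWED = r"10\.10\.\d{1,3}\.\d{1,3}[\\\/]\d{1,5}"         # range 8

# Bounded quantifiers: {n} contributes 0, {n,m} contributes m - n.
_QUANT = re.compile(r"\{(\d+)(?:,(\d+))?\}")


def cumulative_range(pattern: str) -> int:
    """Sum of (max - min) over every bounded quantifier in the pattern.
    Assumed model of the Enforce check; it reproduces the article's figures."""
    return sum(int(m.group(2) or m.group(1)) - int(m.group(1))
               for m in _QUANT.finditer(pattern))


def check(pattern: str) -> bool:
    """True if the pattern compiles and its cumulative range is within the limit."""
    re.compile(pattern)  # a typo such as a missing '}' raises re.error here
    return cumulative_range(pattern) <= MAX_CUMULATIVE_RANGE


def matches_any(patterns, text: str) -> bool:
    return any(re.fullmatch(p, text) for p in patterns)


# Constructed sample values covering the shortest and longest forms,
# a backslash separator, a non-matching prefix and an over-long port.
SAMPLES = ["10.1.1.1/1", "10.123.123.123/12345", "10.10.5.5/443",
           "10.0.0.1\\80", "192.168.1.1/80", "10.1.1.1/123456"]


def split_is_equivalent(samples=SAMPLES) -> bool:
    """The two split identifiers together match exactly what ORIGINAL matches."""
    return all(matches_any([ORIGINAL], s) == matches_any(SPLIT, s) for s in samples)


if __name__ == "__main__":
    for p in [ORIGINAL, *SPLIT, NARROWED]:
        print(f"range {cumulative_range(p):2d}  accepted={check(p)}  {p}")
    print("split pair covers original:", split_is_equivalent())
```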