Data Loss Prevention: Custom CCL with a specific expression

Hi guys,

Sophos Support cannot help me in that case; they always send me a manual without really good content on this topic. Maybe you can answer my question!

We are using DLP by Sophos and want to check if specific content is inside a file. We have some policy numbers like ABC123456 or XYZ987654 and many, many other combinations. It is always 3 characters and 6 numbers. We want to check if somebody copied a file containing this value/expression to a removable device. How do I configure this here?

  • Hi,

    you could try the following expression: \b[A-Z]{3}\d{6}\b

    this would look for:

    • \b - a word boundary (space, comma, period, etc)
    • [A-Z]{3} - 3 uppercase characters from A to Z
    • \d{6} - 6 digits
    • \b - a word boundary (space, comma, period, etc)

    Furthermore, the "trigger score" combined with the "score" and "Max count" will determine when the rule triggers, for example:

    • score = 1, max count = 3, trigger score 3 --> Every time the above pattern is found we count 1 (score) for a maximum of 3 occurrences (max count). If you now have a file containing 3 or more occurrences of the pattern the rule will match (trigger score); if the file only contains 1 or 2 occurrences it will not match.
    • score = 1, max count = 1, trigger score 1 --> Only one occurrence of the pattern is needed for the rule to trigger
    • score = 1, max count = 3, trigger score 4 --> This rule will never trigger because max count (3) * score (1) is less than the trigger score (4)
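    The following script is an added example, not part of the answer above or of any Sophos product: it applies the suggested expression to a few constructed sample files and models the score / max count / trigger score arithmetic exactly as the answer describes it, so you can check which files would trip each of the three configurations before rolling the CCL out. The scoring model is an assumption based on that description; the real Sophos engine's regex flavour and matching details may differ (for example case sensitivity or what counts as a word character), so treat the results as a sanity check of your expression and thresholds, not as a simulation of the product.

```python
import re

# Expression from the answer: exactly 3 uppercase letters followed by
# exactly 6 digits, bounded on both sides by a word boundary.
POLICY_NUMBER_RE = re.compile(r"\b[A-Z]{3}\d{6}\b")

# Constructed sample file contents (made up for this example, not real data).
SAMPLE_FILES = {
    "one_hit.txt": "Claim ref ABC123456 was closed on 2023-05-01.",
    "two_hits.txt": "Policies ABC123456 and XYZ987654 were renewed.",
    "three_hits.txt": "ABC123456, XYZ987654, QRS111222 - batch export",
    # Near misses: 4 letters, lowercase letters, only 5 digits. None should match.
    "no_hits.txt": "Reference ABCD123456 and abc123456 and ABC12345 do not match.",
}


def find_policy_numbers(text):
    """Return every policy-number-shaped token found in the text."""
    return POLICY_NUMBER_RE.findall(text)


def rule_score(text, score=1, max_count=3):
    """Score a file the way the answer describes: each occurrence adds
    `score`, but only the first `max_count` occurrences are counted."""
    occurrences = min(len(find_policy_numbers(text)), max_count)
    return occurrences * score


def max_possible_score(score, max_count):
    """Highest score a single file can ever reach with these settings."""
    return score * max_count


def rule_triggers(text, score, max_count, trigger_score):
    """True if the file reaches the trigger score under these settings."""
    return rule_score(text, score, max_count) >= trigger_score


def evaluate(score, max_count, trigger_score, files=SAMPLE_FILES):
    """Map each sample file name to whether the rule would trigger on it."""
    return {
        name: rule_triggers(text, score, max_count, trigger_score)
        for name, text in files.items()
    }


if __name__ == "__main__":
    configs = [
        ("needs 3 occurrences", 1, 3, 3),
        ("needs 1 occurrence", 1, 1, 1),
        ("unreachable threshold", 1, 3, 4),
    ]
    for label, score, max_count, trigger in configs:
        print(f"{label}: score={score} max_count={max_count} trigger={trigger}")
        if max_possible_score(score, max_count) < trigger:
            print("  warning: score * max count is below the trigger score,"
                  " this rule can never fire")
        for name, fired in evaluate(score, max_count, trigger).items():
            hits = find_policy_numbers(SAMPLE_FILES[name])
            print(f"  {name}: matches={hits} triggers={fired}")
```

    The `max_possible_score` check is the one worth keeping around: it catches the third configuration from the answer (score 1, max count 3, trigger score 4), which silently can never fire. Also note what the near-miss file shows about `\b`: it is a boundary between a word character and a non-word character, so `ABCD123456` is rejected (the fourth letter is still a word character), while a policy number glued to punctuation such as a comma or dash is still found.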