20 January 2011

Sophos Data Control Rules - Adding South African ID numbers

One of the best new features  that came out with Sophos 9 is the data control component.  It allows you to set policies that controls or prevents certain types of information to be copied / sent out of your corporate environment.

For this example I am going to add a custom rule for preventing South African ID numbers form being transfered.  This would be a typical example of something you don't want to leak, especially since these number will most often be included in a file with other sensitive information.

To set up your policy do the following:

  • Open the Sophos Enterprose Console
  • Expand the policies window - Data Control - Your Policy Name
  • Edit the policy
  • Click Manage Rules
  • Click add content rule
  • Specify a name and Rule description
  • Select the desired action from section 4.
  • In section 6. Click "contains"
  • In the Content Control List Manager window click Add
  • Specify a name and description
  • Click on advanced
  • Click create

The Perl5 regular expression is (((\d{2}((0[13578]|1[02])(0[1-9]|[12]\d|3[01])|(0[13456789]|1[012])(0[1-9]|[12]\d|30)|02(0[1-9]|1\d|2[0-8])))|([02468][048]|[13579][26])0229))(( |-)(\d{4})( |-)(\d{3})|(\d{7}))

  • Set the score and maximum count - for testing I have it set to 1
  • Close the windows till you get back to the Content Control List Manager window
  • Check your new definition
  • Click OK
  • Back in the Create Content Rule page in section 6 click "Select Destination"
  • Choose your desired options - click ok
  • Click ok

You can now deploy the policy to your test machine.

On the test machine create a text file with 2 valid SA ID numbers in it.
Attempt to copy it to a removable drive.
Your action should now apply.

The section in red identifies the filter that matched the file content.
The section in green is the custom message you specifies in the Data control policy under the Messages tab.

You can specify alternate message for the confirmation and block actions.

For more South African regular expression and others check out http://regexlib.com/Search.aspx?k=south+africa  Just remember to test and not just blindly trust the expression.

Thanks to Ryane Cane (Sophos South Africa) for his contribution to this article.

No comments:

Post a Comment