Source Code DLP
Because Zscaler does not support nested repeats, the regex currently in use needs to be
changed and divided into two dictionaries (so that AND logic can be applied between them). The
tables below show the suggested configuration on the Zscaler portal to match Java source code.
2.1.1 Dictionary 1
Pattern
import\s\w[\w.]*[\w\*];
The “number of violation threshold” value should be set to 0 and all patterns should use the
“trigger” action.
Because it is not possible to use a nested repeat (such as “(\w+\.)+”), the regex has been slightly
changed: the repeated group is replaced by the character class “[\w.]*”. The configuration on the
portal should look as on the screenshot below.
2.1.2 Dictionary 2
Pattern
public\s*(class|static|boolean|interface)\s\w+(\s(implements|extends))?\s?\w*(,\s)?\w*(\s\{)?\{?
protected\s*(class|static|boolean|interface)\s\w+(\s(implements|extends))?\s?\w*(,\s)?\w*(\s\{)?\{?
private\s*(class|static|boolean|interface)\s\w+(\s(implements|extends))?\s?\w*(,\s)?\w*(\s\{)?\{?
The “number of violation threshold” value should be set to 0 and all patterns should use the
“trigger” action.
Because a pattern cannot start with a subexpression (the original regex began with the alternation
“(public|protected|private)”), it needs to be split into three sub-patterns, one per access
modifier. The example configuration on the portal is shown below.
The regex used for VB source code is relatively simple and can be copied to the Zscaler
portal without any changes. It requires a single dictionary with one pattern and a single engine.
Pattern
Attribute\sVB_Name
The action should be configured as “trigger” and the threshold should be set to 0.
The screenshots below present the sample dictionary and engine configuration.
Pattern
include\s+"[\w.]+"
include\s+<[\w.]+>
Both patterns should have the action configured as “trigger” and should be part of the same
DLP engine, as shown on the screenshots below.
Two separate dictionaries are required, each containing three patterns (one per starting
keyword). Both dictionaries are described in the table below.
Dictionary          Pattern
Perl Source Code    usr(usr|bin|local|\/)*\/perl\W
                    bin(usr|bin|local|\/)*\/perl\W
                    local(usr|bin|local|\/)*\/perl\W
not-perl            usr(usr|bin|local|\/)*\/perl\S
                    bin(usr|bin|local|\/)*\/perl\S
                    local(usr|bin|local|\/)*\/perl\S
The dictionaries above do not check whether “#!” is present at the beginning of the stream, as
this is currently not a supported configuration on the Zscaler side (such a feature will most
probably be available in summer 2020). However, in most cases the path to the “perl” binary uses
the common keywords “usr”, “bin” or “local”, and “perl” is the last path component of the line.
The following examples of this line in Perl source code are matched by the dictionaries above:
#!/bin/perl
#!/usr/local/bin/perl
#!/usr/perl
#!/usr/local/perl
#!/usr/bin/perl
Note that a bare “#!/perl” contains none of the three keywords and is therefore not matched, and
that every pattern requires one character after “perl” (the “\W” / “\S” class), so a shebang that
is the very last byte of the stream, with no trailing newline, is not matched either.
In order to avoid false positives, the two dictionaries configured above should be combined with
specific Boolean logic inside the engine. The line of Perl source code which the dictionaries
should match is usually the first line of the file (or one of the first lines), and there is
nothing else on that line after the interpreter path except the “new line” character (interpreter
switches such as “-w” are still accepted, because the space after “perl” is a non-word character).
The “not-perl” dictionary fires when “perl” is followed by a character that is neither a word
character nor whitespace (for example “/”, “.” or “-”), as in a directory path like
“/usr/local/perl/lib”; excluding it keeps only lines where “perl” really is the end of the path.
Because the exclusion is evaluated on the whole stream, a file that contains both a valid shebang
and such a path elsewhere will not trigger the engine. The following logic should be configured:
((perl source code > 0) AND ( NOT ( (not-perl > 0) ) ) ).
The screenshot below shows how this configuration should look on the portal.
In order to configure a DLP engine in this way, add the “perl source code” dictionary at the
beginning of the expression, then add a subexpression containing the “not-perl” dictionary and
change its logic to “exclude”.
2.4.3 Possible change once Zscaler supports special characters as a base token
The suggested Perl source code DLP configuration should match most Perl source files; however,
it will not work in exactly the same way as the currently configured DLP. This is due to the
current lack of support for special characters configured as a base token. Once that becomes
possible, a new dictionary can reuse the currently configured pattern, which starts with the
dollar sign:
\$[a-zA-Z_]\w+
It should then be added to the engine with “AND” logic, as presented on the screenshot below.
Adding the dictionary makes the engine more specific and helps to avoid false positives. Note that
the pattern requires at least two characters after the dollar sign (“$count” matches, “$x” does
not), so a script that only uses single-letter variables would no longer trigger the engine.
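The following Python script is an added example, not Zscaler code, that emulates how the
dictionaries and engines from sections 2.1 to 2.4 evaluate a stream: every pattern has the
“trigger” action, a dictionary counts as violated when its hit count exceeds the threshold of 0,
and the engine expressions (AND for the two Java dictionaries, AND NOT for “not-perl”, and the
2.4.3 variant with the dollar-sign dictionary) are applied on top. The dictionary and engine names
in the script, as well as the sample files, are assumptions constructed for the example; the
patterns are copied from the sections above.

```python
import re

# Dictionaries as configured in the portal. Names are assumptions made for readability;
# the patterns are the ones listed in the sections above.
DICTIONARIES = {
    "java-imports": [r"import\s\w[\w.]*[\w\*];"],
    "java-declarations": [
        r"public\s*(class|static|boolean|interface)\s\w+(\s(implements|extends))?\s?\w*(,\s)?\w*(\s\{)?\{?",
        r"protected\s*(class|static|boolean|interface)\s\w+(\s(implements|extends))?\s?\w*(,\s)?\w*(\s\{)?\{?",
        r"private\s*(class|static|boolean|interface)\s\w+(\s(implements|extends))?\s?\w*(,\s)?\w*(\s\{)?\{?",
    ],
    "vb-source-code": [r"Attribute\sVB_Name"],
    "include-directives": [r'include\s+"[\w.]+"', r"include\s+<[\w.]+>"],
    "perl-source-code": [
        r"usr(usr|bin|local|\/)*\/perl\W",
        r"bin(usr|bin|local|\/)*\/perl\W",
        r"local(usr|bin|local|\/)*\/perl\W",
    ],
    "not-perl": [
        r"usr(usr|bin|local|\/)*\/perl\S",
        r"bin(usr|bin|local|\/)*\/perl\S",
        r"local(usr|bin|local|\/)*\/perl\S",
    ],
    # Section 2.4.3: only usable once "$" is accepted as a base token.
    "perl-variables": [r"\$[a-zA-Z_]\w+"],
}

THRESHOLD = 0  # "number of violation threshold" = 0: a single hit is enough


def violations(dictionary, content):
    """Count the hits of every pattern in a dictionary (each pattern has the 'trigger' action)."""
    return sum(len(list(re.finditer(p, content))) for p in DICTIONARIES[dictionary])


def fires(dictionary, content):
    """A dictionary is violated when its hit count exceeds the configured threshold."""
    return violations(dictionary, content) > THRESHOLD


# Engine expressions, one per section above.
ENGINES = {
    "java": lambda c: fires("java-imports", c) and fires("java-declarations", c),
    "vb": lambda c: fires("vb-source-code", c),
    "include": lambda c: fires("include-directives", c),
    # ((perl source code > 0) AND (NOT (not-perl > 0)))
    "perl": lambda c: fires("perl-source-code", c) and not fires("not-perl", c),
    # 2.4.3 variant: the variable dictionary added with AND logic
    "perl-strict": lambda c: fires("perl-source-code", c)
    and not fires("not-perl", c)
    and fires("perl-variables", c),
}


def matching_engines(content):
    """Names of all engines that would trigger on the given stream, sorted for stable output."""
    return sorted(name for name, rule in ENGINES.items() if rule(content))


# Constructed sample streams (not real files from the page).
SAMPLES = {
    "java": "import java.util.List;\n\npublic class Exporter implements Runnable {\n",
    "java-import-only": "import java.util.List;\n",  # no declaration: AND logic fails
    "vb": 'Attribute VB_Name = "Module1"\n',
    "c": '#include <stdio.h>\n#include "config.h"\n',
    "perl": '#!/usr/bin/perl -w\nuse strict;\nmy $count = 0;\nprint "$count\\n";\n',
    "perl-no-vars": "#!/usr/bin/perl\n",  # 2.4.3 engine needs a variable
    "readme": "Perl modules are installed under /usr/local/perl/lib on that host.\n",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(f"{name:18} -> {matching_engines(content)}")
```

The “readme” sample shows what “not-perl” is for: “/usr/local/perl/lib” satisfies the “perl source code” dictionary (the “/” after “perl” is a non-word character) but also the “not-perl” dictionary (the same “/” is non-whitespace), so the engine does not trigger, whereas the real shebang followed by “ -w” passes because a space is whitespace.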