IBM Security Guardium

 View Only
  • 1.  Extrusion rule without replacement char

    Posted Thu July 02, 2020 05:50 AM
    Hi,

    I have a Extrusion rule with some Regex to find a digit pattern.
    The rule is working properly and a alert is generated when this digit combination is extruded from the database.

    In the rule Replacement character = * is used but the extuded digits are not masked in the result for the DBA.
    So right now it works as I want it to but that might be caused by some error since nothing is masked but the rule is triggerd when the return value is true with the Regex.

    What is the purpose of Replacement character? Is it to show *** instead of the digit combination?

    My goal is to a have a Extrusion Rule that alert according to the Regex but not replace/mask any characters. With other words a Extrusion Rule without Replacement Characters.

    The reasons that I want this Extrusion rule is to alert on SQLs that return a certain digit combination without masking the value for the DBA.


  • 2.  RE: Extrusion rule without replacement char

    Posted Mon July 13, 2020 12:53 AM
    Hi,

    In your regex, do you include "[" and "]" to hide the digits?

    I do have the same problem with Extrusion rules and there is no resolution so far from IBM support.

    ------------------------------
    TS Teh
    ------------------------------



  • 3.  RE: Extrusion rule without replacement char

    Posted Tue July 14, 2020 09:20 AM
    The regex that I use, snippet from it looks like this: (1[0-2]))(([0-2][0-9])|3[0-1])) <== does not replace any char with  ***.

    I dont want to replace any chars is the reponse/return value, I just want an alert when the DBA made a query where the response matches my regex. When creating a extrusion rule a replacement text box i mandatory which i do not want, since I just want the alert.

    It quite a hassle to get the Replace char correct, I think it would be better if you use https://www.ibm.com/support/knowledgecenter/SSMPHH_10.6.0/com.ibm.guardium.doc/protect/policy_rule_actions_blocking.html