Regular Expression-Based Policy
Note
Fudo Enterprise supports POSIX extended regular expressions.
Follow these steps to configure a regular expression-based policy:
Select > .
Select the Regular expressions tab.
Click .
Enter the pattern name.
Define the pattern itself.
Note
Patterns can be defined as regular expressions.
Fudo Enterprise does not recognize expressions that use the backslash character, e.g. \d, \D, \w, \W.
Repeat steps 3-5 to define additional patterns.
Click .
Note
Regular expression examples:
Command rm
(^|[^a-zA-Z])rm[[:space:]]
Command rm -rf (also -fr; -Rf; -fR)
(^|[^a-zA-Z])rm[[:space:]]+-([rR]f|f[rR])
Command rm file
(^|[^a-zA-Z])rm[[:space:]]+([^[:space:]]+[[:space:]]*)?/full/path/to/a/file([[:space:]]|\;|$)
(^|[^a-zA-Z])rm[[:space:]]+.*justafilename
Go back to the Policies tab.
Click .
Enter the policy name.
Select the policy severity.
Note
The severity parameter value is included in the email notification message.
Click the Regular expression button in the Policy type section.
In the Regular expressions field, select the previously created monitoring pattern.
Select the Match input only option to process the input stream only.
Note
For the RDP, VNC and MySQL protocols, only input data is processed.
In the Policy Behaviour field, select the desired actions to be taken:
Send email: send an email notification to the system administrator.
SNMP Trap: send an SNMP TRAP notification to the receiver.
- pause connection.
- terminate session.
- block user.
Note
Sending email notifications requires configuring and enabling the notification service, as well as enabling the Session policy match notification in the safe configuration.
Sending SNMP TRAP notifications requires configuring the SNMPv3 TRAP in the System tab. Check the SNMP page for more information.
Note that blocking the user automatically terminates the connection.
Click .
After defining a policy, assign it to a safe that is used to establish connections to servers.
Select > .
Edit the selected safe by clicking on its name.
Go to the tab and select the policy created in the previous step.
Click .
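Before saving a pattern, it helps to check it against sample input. The script below is an added example, not part of the Fudo Enterprise documentation: it runs two of the patterns listed above over constructed command lines and flags patterns that use the backslash shorthands the note says are not recognized. It assumes `grep -E` as a stand-in for POSIX extended regular expression matching (Fudo Enterprise's own matching may differ in details); the function names and sample lines are hypothetical.

```shell
#!/bin/sh
# Patterns copied from the "Regular expression examples" note above.
PAT_RM='(^|[^a-zA-Z])rm[[:space:]]'
PAT_RM_RF='(^|[^a-zA-Z])rm[[:space:]]+-([rR]f|f[rR])'

# Constructed sample session input: commands that should raise a match
# and look-alike words that should not.
SAMPLE='rm -rf /tmp/build
sudo rm -fr /var/cache/app
rm -Rf old; ls
ls; rm -fR old
rm notes.txt
confirm -rf
systemctl restart firmware -fr
echo done'

# Succeeds when the pattern avoids \d, \D, \w and \W, the backslash
# shorthands the page lists as not recognized.
pattern_is_portable() {
    case "$1" in
        *\\[dDwW]*) return 1 ;;
        *) return 0 ;;
    esac
}

# matches PATTERN LINE: succeeds when LINE matches PATTERN as a POSIX ERE.
matches() {
    printf '%s\n' "$2" | LC_ALL=C grep -Eq -e "$1"
}

# count_matches PATTERN: prints how many SAMPLE lines the pattern matches.
count_matches() {
    printf '%s\n' "$SAMPLE" | LC_ALL=C grep -Ec -e "$1" || :
}

# Report coverage for each pattern when the script is run directly.
for pat in "$PAT_RM" "$PAT_RM_RF"; do
    if pattern_is_portable "$pat"; then status=ok; else status=uses-backslash; fi
    printf '%s\t%s\t%s of 8 sample lines\n' "$status" "$pat" "$(count_matches "$pat")"
done
```

Extending SAMPLE with commands taken from your own environment shows how often a pattern would fire on routine administrator input before it is bound to a pause, terminate or block action.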