See “A Regular Expression Search Primer for Analysts” [pdf] by Timothy Cook. Test with REGex TESTER.
It looks like the examples below have been corrupted.
When watching outbound files for sensitive information, some specific strings to grep for would be:
| IP address in dotted decimal notation | b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/ |
| Email address | /^([a-z0-9_\.-]+)@([\da-z\.-]+)\.([a-z\.]{2,6})$/ |
| Visa Credit Card Number | ^4[0-9]{12}(?:[0-9]{3})?$
All Visa card numbers start with a 4. New cards have 16 digits. Old cards have 13. |
| MasterCard Credit Card Number | ^5[1-5][0-9]{14}$
All MasterCard numbers start with the numbers 51 through 55. All have 16 digits. |
| American Express Credit Card Number | ^3[47][0-9]{13}$American Express card numbers start with 34 or 37 and have 15 digits. |
| Diners Club Credit Card Number | ^3(?:0[0-5]|[68][0-9])[0-9]{11}$Diners Club card numbers begin with 300 through 305, 36 or 38. All have 14 digits. There are Diners Club cards that begin with 5 and have 16 digits. These are a joint venture between Diners Club and MasterCard, and should be processed like a MasterCard. |
| Discover Credit Card Number | ^6(?:011|5[0-9]{2})[0-9]{12}$Discover card numbers begin with 6011 or 65. All have 16 digits. |
| JCB Credit Card Number | ^(?:2131|1800|35\d{3})\d{11}$JCB cards beginning with 2131 or 1800 have 15 digits. JCB cards beginning with 35 have 16 digits. |
| Social Security Number | ^(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$ |
| Archive file extension | \.(?:z(?:ip|[0-9]{2})|r(?:ar|[0-9]{2})|jar|bz2|gz|tar|rpm)$ |
| Audio file extension | \.(?:mp3|wav|og(?:g|a)|flac|midi?|rm|aac|wma|mka|ape)$ |
| Software file extension | \.(?:exe|msi|dmg|bin|xpi|iso)$ |
| Image file extension | \.(?:jp(?:e?g|e|2)|gif|png|tiff?|bmp|ico)$ |
| Video file extension | \.(?:mpeg|ra?m|avi|mp(?:g|e|4)|mov|divx|asf|qt|wmv|m\dv|rv|vob|asx|ogm)$ |
Use Regex Coach, Expresso or kiki to assist when writing regular expressions.
Learn more at regular-expressions.info, RegexPlanet, or Lars Vogel’s Java Regex Tutorial.
See article on credit card numbers at RegexBuddy Library and RegularExpressions.info. General credit card information at Credit Card Numbers Are Not Random: How To Read & Understand Them Yourself.
Acknowledgment to Perl-Fu: Regexp log file processing should be inserted here.
Aggressive Virus Defense 