
Data Rules

The following rules can be used to detect data-related activities, such as exposure of sensitive data or data exfiltration.

Detect File Transfers via Chat Programs

Rule

Flow_ChatFileTransfer.lrl

Description

This rule detects chat program sessions (Lync, AIM, Facebook, IRC, Jabber, PalTalk, QQ, ymsg) where data transfer sizes indicate a file transfer.

Detect Clear Text Passwords in HTTP Content

Rule

Flow_DetectClearTextPasswords.lrl

Description

This rule detects unintentional exposure of password credentials in clear text via insecure HTTP protocols. Use this rule to verify that all systems are using secure credential transmission.

Detect Credit Card Numbers in HTTP, FTP, and SMTP Content

Rule

Flow_DetectCreditCard.lrl

Description

This rule detects both intentional and accidental exposure of standard credit card numbers in clear text via HTTP GET and POST commands. This rule was updated in 3.2.1 with an improved algorithm for detecting credit card numbers and limiting false positives. It also now scans FTP and SMTP content.

Detect Social Security Numbers in HTTP, FTP, and SMTP Content

Rule

Flow_DetectSSN.lrl

Description

This rule detects both intentional and accidental exposure of social security numbers in clear text via HTTP, FTP, and SMTP. This rule was updated in 3.2.1 to search additional protocols.

Detect Sensitive File Extensions

Rule

Flow_PrivateKeyExtension.lrl

Description

This rule detects potential exposure of private keys (.skr) or initiation of private/public key sharing by an employee outside the corporate network.

Detect Canadian Social Identification Numbers in HTTP, FTP, and SMTP Content

Rule

Flow_DetectCanadianSIN.lrl

Description

This rule detects both intentional and accidental exposure of Canadian Social Identification Numbers in clear text via HTTP, FTP, and SMTP. This rule was added in version 3.2.1.

Detect Bank Routing Numbers in HTTP, SMTP and FTP Content

Rule

Flow_DetectRoutingNumbers.lrl

Description

This rule detects both intentional and accidental exposure of bank routing numbers in clear text via HTTP, FTP, and SMTP. This rule was added in version 3.2.1.
