Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
OL-25136-01
Chapter 14 Text Resources
headers, and message attachments for terms included in the dictionary in order to
take appropriate action in accordance with your corporate policies. For example,
you could create a list of confidential or profane words, and, using a filter rule to
scan messages that contain words in the list, drop, archive, or quarantine the
message.
The AsyncOS operating system includes the ability to define a total of 100 content
dictionaries using the GUI (Mail Policies > Dictionaries) or the CLI’s
dictionaryconfig command. You can create, delete, and view dictionaries; add
and delete entries from a dictionary; and import and export entire dictionaries.
Dictionary Content
Words in dictionaries are created with one text string per line, and entries can be
in plain text or in the form of regular expressions. Dictionaries can also contain
non-ASCII characters. Defining dictionaries of regular expressions can provide
more flexibility in matching terms, but doing so requires you to understand how
to delimit words properly. For a more detailed discussion of Python-style regular
expressions, consult the Python Regular Expression HOWTO, accessible from
http://www.python.org/doc/howto/
Note
To use the special character # at the beginning of a dictionary entry, you can use
a character class [#] to prevent it being treated as a comment.
For each term, you specify a “weight,” so that certain terms can trigger filter
conditions more easily. When AsyncOS scans messages for the content dictionary
terms, it “scores” the message by multiplying the number of term instances by the
weight of the term. Two instances of a term with a weight of three would result in a
score of six. AsyncOS then compares this score with a threshold value associated
with the content or message filter to determine if the message should trigger the
filter action.
You can also add smart identifiers to a content dictionary. Smart identifiers are
algorithms that search for patterns in data that correspond to common numeric
patterns, such as social security numbers and ABA routing numbers. These
identifiers can be useful for policy enforcement. For more information about regular
expressions, see “Regular Expressions in Rules” in the “Using Message Filters to
Enforce Email Policies” chapter of the Cisco IronPort AsyncOS for Email
Advanced Configuration Guide. For more information about smart identifiers, see
“Smart Identifiers” in the “Using Message Filters to Enforce Email Policies”
chapter of the Cisco IronPort AsyncOS for Email Advanced Configuration Guide.
Note
Dictionaries containing non-ASCII characters may or may not display properly in
the CLI on your terminal. The best way to view and change dictionaries that
contain non-ASCII characters is to export the dictionary to a text file, edit that text
file, and then import the new file back into the appliance. For more information,
see Importing and Exporting Dictionaries as Text Files, page 14-4.
Word Boundaries and Double-byte Character Sets
In some languages (double-byte character sets), the concepts of a word, a word
boundary, or case do not exist. Complex regular expressions that depend on what
is or is not a word character (represented as “\w” in regex syntax) cause
problems when the locale is unknown or the encoding is not known for certain.
For that reason, you may want to disable word-boundary enforcement.
Importing and Exporting Dictionaries as Text Files
The content dictionary feature also includes, by default, the following text files
located in the configuration directory of the appliance:
• config.dtd
• profanity.txt
• proprietary_content.txt
• sexual_content.txt
These text files are intended to be used in conjunction with the content
dictionaries feature to aid you in creating new dictionaries. These content
dictionaries are weighted and use smart identifiers to better detect patterns in data
and trigger filters when the patterns indicate compliance issues.
Note
Importing and exporting dictionaries does not preserve the Match Whole Words
and Case Sensitive settings. These settings are only preserved in the configuration
file.
See Appendix A, “Accessing the Appliance” for more information on accessing
the configuration directory.
You can also create your own dictionary files and import them onto the appliance.
The best way to add non-ASCII characters to dictionaries is to add the terms into
the dictionary in a text file off the appliance, move that file onto the appliance,
and then import that file as a new dictionary. For more information about
importing dictionaries, see Importing Dictionaries, page 14-8. For information
about exporting dictionaries, see Exporting Dictionaries, page 14-9.
You can also import and export custom DLP dictionaries. For more information,
see Importing and Exporting DLP Dictionaries, page 14-15.
Warning
These text files contain terms that some persons may consider obscene,
indecent or offensive. If you import terms from these files into your content
dictionaries, the terms will be displayed when you later view the content
dictionaries you have configured on the appliance.
Managing Content Dictionaries (GUI)
Log in to the GUI and click the Mail Policies tab. Click the Dictionaries link in
the left menu.
Figure 14-1 The Dictionaries Page
Adding Dictionaries
To create a new dictionary:
Step 1 Click Add Dictionary on the Dictionaries page. The Add Dictionary page is
displayed:
Figure 14-2 The Dictionaries Page
Step 2 Type a name for the dictionary.
Step 3 Specify whether to match whole words only by marking the checkbox next to
Match Whole Words Only. See Matching Whole Words Only, page 14-7 for more
information.
Step 4 Specify whether to perform case-sensitive searches. See Matching Case-Sensitive
Words, page 14-7 for more information.
Note
AsyncOS preserves the Match Whole Words and Case Sensitive settings
when they are saved in the configuration file. These settings are not
preserved when importing and exporting dictionaries.
Step 5 Optionally, add a smart identifier to the dictionary. Smart identifiers are
algorithms that search for patterns in data that correspond to common numeric
patterns, such as social security numbers and ABA routing numbers. For more
information about smart identifiers, see the “Using Message Filters to Enforce
Email Policies” chapter in Cisco IronPort AsyncOS for Email Advanced
Configuration Guide.
Step 6 Enter new dictionary entries into the list of terms. For more information about the
kinds of entries that are supported, see Dictionary Content, page 14-3.
Step 7 Specify a weight for the term. You can “weight” a dictionary term so that it is
more likely than other terms to trigger a filter action. For more information about
how this weight is used to determine filter actions, see “Threshold Scoring for
Content Dictionaries” in the “Using Message Filters to Enforce Email Policies”
chapter of the Cisco IronPort AsyncOS for Email Advanced Configuration Guide.
Step 8 Click Add.
Step 9 Submit and commit your changes.
The Dictionaries page now lists the new dictionary, along with the terms included
and the setting configured for the dictionary.
Note
Content dictionary entries with the regular expression “.*” at the beginning or
end will cause the system to lock if a match for the “word” MIME part is found.
Cisco Systems recommends you do not use “.*” at the beginning or end of a
content dictionary entry.
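A pre-import check for the pattern this note warns about, written here as an added example and not taken from the Cisco guide. It assumes a dictionary text file with one entry per line and no weights; lint_dictionary, its helper and the sample entries are hypothetical.

```python
import re

def _ends_with_unescaped_dot_star(entry):
    """True when the entry ends in '.*' and that dot is not backslash-escaped."""
    if not entry.endswith(".*"):
        return False
    head = entry[:-2]
    backslashes = len(head) - len(head.rstrip("\\"))
    return backslashes % 2 == 0

def lint_dictionary(lines):
    """Return (line_number, entry, problem) for entries to review before import."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        entry = raw.strip()
        if not entry:
            continue
        if entry.startswith("#"):
            # A leading # makes the whole line a comment, so the term is never matched.
            findings.append((number, entry, "comment line; use [#] for a literal leading #"))
            continue
        if entry.startswith(".*") or _ends_with_unescaped_dot_star(entry):
            findings.append((number, entry, "leading or trailing .*"))
        try:
            re.compile(entry)  # entries are Python-style regular expressions
        except re.error as exc:
            findings.append((number, entry, "invalid regular expression: %s" % exc))
    return findings

# Constructed sample entries (hypothetical, not from any shipped dictionary file).
SAMPLE = [
    ".*secret",
    "codename",
    "#hashtag",
    "[#]hashtag",
    "budget.*",
    r"v1\.*",
    "(unclosed",
]

if __name__ == "__main__":
    for number, entry, problem in lint_dictionary(SAMPLE):
        print("line %d: %r: %s" % (number, entry, problem))
```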
Matching Case-Sensitive Words
Checking this box will cause AsyncOS to consider the case of the word when
matching. For example, the word “codename” would match a dictionary entry of
“codename”, but the word “CodeName” would not match.
Matching Whole Words Only
Checking this box will cause words to match only if they match the whole entry.
For example, the word “codename” would match a dictionary entry of
“codename,” while “code” and “codenam” would not.
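The scoring rule from Dictionary Content and the two checkboxes above, modelled in Python as an added example (not AsyncOS code). The \b wrapping for whole-word matching and the >= threshold comparison are assumptions; score_message, triggers and the sample text are hypothetical. The CJK case shows why whole-word enforcement can miss a term in text that has no word separators.

```python
import re

def score_message(text, entries, whole_words=False, case_sensitive=False):
    """Score = sum over entries of (number of matches) x (entry weight)."""
    flags = 0 if case_sensitive else re.IGNORECASE
    score = 0
    for pattern, weight in entries:
        if whole_words:
            # Assumption: Match Whole Words Only behaves like a \b word boundary.
            pattern = r"\b(?:%s)\b" % pattern
        # Zero-length matches (for example from "a*") are not counted as instances.
        hits = sum(1 for m in re.finditer(pattern, text, flags) if m.group())
        score += hits * weight
    return score

def triggers(text, entries, threshold, **settings):
    """Assumption: the filter fires when the score reaches the threshold."""
    return score_message(text, entries, **settings) >= threshold

# Constructed dictionaries: (entry, weight) pairs.
SECRET_WORDS = [("codename", 3)]
CJK_WORDS = [("機密", 2)]

# Constructed message bodies.
BODY = "codename Alpha ships before codename Beta"
CJK_BODY = "これは機密情報です"

if __name__ == "__main__":
    # Two instances of a weight-3 term.
    print(score_message(BODY, SECRET_WORDS))
    # Case-sensitive matching ignores "CodeName".
    print(score_message("Project CodeName", SECRET_WORDS, case_sensitive=True))
    # Whole-word matching ignores "codenames".
    print(score_message("two codenames", SECRET_WORDS, whole_words=True))
    # No \b boundary exists inside a run of CJK text, so the term is missed
    # with whole-word matching on and found with it off.
    print(score_message(CJK_BODY, CJK_WORDS, whole_words=True))
    print(score_message(CJK_BODY, CJK_WORDS, whole_words=False))
```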
Sorting Terms
You can click the column heading to sort by term or weight. If you click the
column heading a second time, it reverses the sort order.
Editing Dictionaries
To edit an existing dictionary:
Step 1 Click the name of the dictionary in the listing on the Dictionaries page. The Edit
Dictionary page is displayed.
Step 2 Make changes to the entries or the settings for the dictionary, and click Submit.
Step 3 Commit your changes.
Deleting Dictionaries
To delete a dictionary:
Step 1 Click the trash can icon next to the dictionary to delete in the dictionary listing.
A confirmation message is displayed.
Step 2 The confirmation message lists any filters that are currently referencing the
dictionary.
Step 3 Click Delete to delete the dictionary.
Step 4 Commit your changes.
Step 5 Any message filters that reference the deleted dictionary are marked as invalid.
Step 6 Any content filters that reference the deleted dictionary are left enabled, but will
evaluate to false.
Importing Dictionaries
To import a dictionary via the GUI:
Step 1 Click Import Dictionary on the Dictionaries page. The Import Dictionary dialog
is displayed:
Figure 14-3 The Import Dictionary Page
Step 2 Select the location to import from.
Step 3 Select a file to import.
Note
The file to import must be in the configuration directory on the appliance.
Step 4 Select the default weight to use for dictionary terms. AsyncOS will assign a
default weight to any terms with unspecified weights. You can edit the weights
after importing the file.
Step 5 Select an encoding.
Step 6 Click Next.
Step 7 The imported dictionary is displayed in the Add Dictionary page.
Step 8 You can now name and edit the dictionary before adding it.
Step 9 Submit and commit your changes.
Exporting Dictionaries
To export a dictionary via the GUI:
Step 1 Click Export Dictionary on the Dictionaries page. The Export Dictionary dialog
is displayed:
Figure 14-4 The Export Dictionary Page
Step 2 Select a dictionary to export.
Step 3 Enter a file name for the dictionary. This is the name of the file that will be created
in the configuration directory on the appliance.
Step 4 Select the location to export to.
Step 5 Select an encoding for the text file.
Step 6 Submit and commit your changes.
Using and Testing Content Dictionaries
Dictionaries can be used along with the various dictionary-match() message
filter rules and with content filters.
Dictionary Match Filter Rule
The message filter rule named dictionary-match(<dictionary_name>) (and its
counterparts) evaluates to true if the message body contains any of the regular
expressions in the content dictionary named dictionary_name. If that dictionary
does not exist, the rule evaluates to false.
Note that the dictionary-match() rule functions similarly to the body-contains()
body scanning rule: it only scans the body and attachments of messages, and not
the headers.
For scanning headers, you can use the appropriate *-dictionary-match()-type
rule (there are rules for specific headers, such as subject-dictionary-match()
and a more generic rule, header-dictionary-match(), in which you can specify
any header including custom headers). See “Dictionary Rules” in the “Using
Message Filters to Enforce Email Policies” chapter of the Cisco IronPort
AsyncOS for Email Advanced Configuration Guide for more information about
dictionary matching.
Table 14-1 Message Filter Rules for Content Dictionaries
Rule | Syntax | Description
-----|--------|------------
Dictionary Match | dictionary-match(<dictionary_name>) | Does the message contain a word that matches all the regular expressions listed in the named dictionary?
In the following example, a new message filter using the dictionary-match()
rule is created to blind carbon copy the administrator when the Cisco IronPort
appliance scans a message that contains any words within the dictionary named
“secret_words” (created in the previous example). Note that because of the
settings, only messages that contain the whole word “codename” matching the
case exactly will evaluate to true for this filter.
bcc_codenames:
if (dictionary-match ('secret_words'))
{
    bcc('administrator@example.com');
}
In this example, we send the message to the Policy quarantine:
quarantine_codenames:
if (dictionary-match ('secret_words'))
{
    quarantine('Policy');
}
Example Dictionary Entries
Table 14-2 Example Dictionary Entries
Description | Example
------------|--------
Wildcard | *
Anchors | Ends with: foo$; Begins with: ^foo
Email address (Do not escape the period) | foo@example.com, @example.com; example.com$ (ends with); @example.*
Subject | An email subject (keep in mind when using the ^ anchor in email subjects that subjects are often prepended with “RE:” or “FW:” and the like)
Testing Content Dictionaries
The trace function can provide quick feedback on message filters that use the
dictionary-match() rule. See Debugging Mail Flow Using Test Messages:
Trace, page -446 for more information. You can also use the quarantine() action
to test filters, as in the quarantine_codenames filter example above.
DLP Dictionaries
DLP dictionaries are groups of words or phrases that work in conjunction with the
RSA DLP scanning feature on the appliance and are available to custom DLP
policies. Use the DLP dictionaries to scan messages and message attachments for
the words and phrases included in the dictionary in order to take appropriate