Solved: Regular Expression to match credit cards

oscargarcia · ‎03-08-2011

Hi,

I am trying to write a search to look for credit card numbers in logs (for the PCI requirement 3.1, of course 🙂

I came across this:

^((67\d{2})|(4\d{3})|(5[1-5]\d{2})|(6011))(-\s\d{4}){3}|(3[4,7])\d{2}-\s\d{6}-\s\d{5}$

Which is said to match most credit card data, but I am struggling to find a way to translate this into an splunk search.

Can anybody help?

Many thanks

dwaddle · ‎03-08-2011

You can define this as a search-time extracted field and do searches for events where that field has a value.

Taking your regex above, and plugging it into transforms.conf like so:

[possible_credit_card_no]
REGEX=^((67\d{2})|(4\d{3})|(5[1-5]\d{2})|(6011))(-\s\d{4}){3}|(3[4,7])\d{2}-\s\d{6}-\s\d{5}$
FORMAT=possible_cardno::$1

Then referencing it in props.conf:

[mysourcetype]
REPORT-cardno=possible_credit_card_no

dwaddle · ‎03-08-2011

You can define this as a search-time extracted field and do searches for events where that field has a value.

Taking your regex above, and plugging it into transforms.conf like so:

[possible_credit_card_no]
REGEX=^((67\d{2})|(4\d{3})|(5[1-5]\d{2})|(6011))(-\s\d{4}){3}|(3[4,7])\d{2}-\s\d{6}-\s\d{5}$
FORMAT=possible_cardno::$1

Then referencing it in props.conf:

[mysourcetype]
REPORT-cardno=possible_credit_card_no