Regex Library
Regular expressions for unique situations
Nightfall provides detectors for the most common data protection use cases. For unique situations, you can build custom detectors using regular expressions.
Secrets Detection
Please double-check our Nightfall Detector Glossary before creating your own, including the API and cryptographic key detectors listed below, as regex detectors can introduce noise.
Nightfall's API key supports specific detection and validation of API keys for the top 50 vendors and use cases, as shown below.
• AWS
• Azure
• Confluence
• Confluent
• Datadog
• ElasticSearch
• Facebook • GCP
• Google API
• GitHub
• GitLab
• Hugging Face
• JIRA
• Nightfall
• Notion
• Okta
• OpenAI
• PagerDuty
• Paypal
• Plaid
• Postmark
• Postman
• Salesforce
• Sendgrid
• Slack
• Snyk
• Square
• Stripe
• Twilio
• Zapier
• Authentication Token
• CSRF Token
• OAuth Token
• Generic API Key
• Generic Token
• JWT
• Private Key
• Refresh Token
• Session Token
Nightfall's Cryptographic Key Detector
Nightfall's identifies popular keys for locking or unlocking cryptographic functions, including authentication, authorization, and encryption.
• DSA Private Key
• RSA Private Key
• EC Private Key
• OpenSSH Private Key
• Private Key
• Encrypted Private Key
• PGP Private Key Block
You can send us a request for new ML detectors directly in Nightfall.
REGEX Library
Here is a list of regex detectors used by other Nightfall customers.
google_two_factor_backup
^(?:BACKUP VERIFICATION CODES|SAVE YOUR BACKUP CODES)[\s\S]{0,300}@$
Credentials
heroku_key
^(heroku_api_key|HEROKU_API_KEY|heroku_secret|HEROKU_SECRET)[a-z_ =\s"'\:]{0,10}[^a-zA-Z0-9-]\w{8}(?:-\w{4}){3}-\w{12}[^a-zA-Z0-9\-]$
Credentials
MailGun API Key
^key-[0-9a-zA-Z]{32}$
Credentials
microsoft_office_365_oauth_context
^https://login.microsoftonline.com/common/oauth2/v2.0/token|https://login.windows.net/common/oauth2/token$
Credentials
PayPal Braintree Access Token
^access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}$
Credentials
Picatic API Key
^sk_live_[0-9a-z]{32}$
Credentials
ECDSA Private Key
^-----BEGIN ECDSA PRIVATE KEY-----\s.*,ENCRYPTED(?:.|\s)+?-----END ECDSA PRIVATE KEY-----$
Credentials
KeePass 1.x CSV Passwords
^"Account","Login Name","Password","Web Site","Comments"$
Credentials
KeePass 1.x XML Passwords
^<pwlist>\s*?<pwentry>[\S\s]*?<password>[\S\s]*?<\/pwentry>\s*?<\/pwlist>$
Credentials
Password etc passwd
^[a-zA-Z0-9\-]+:[x|\*]:\d+:\d+:[a-zA-Z0-9/\- "]*:/[a-zA-Z0-9/\-]*:/[a-zA-Z0-9/\-]+$
Credentials
Password etc shadow
^[a-zA-Z0-9\-]+:(?:(?:!!?)|(?:\*LOCK\*?)|\*|(?:\*LCK\*?)|(?:\$.*\$.*\$.*?)?):\d*:\d*:\d*:\d*:\d*:\d*:$
Credentials
MailChimp API Key
^[0-9a-f]{32}-us[0-9]{1,2}$
Credentials
PGP Header
^-{5}(?:BEGIN|END)\ PGP\ MESSAGE-{5}$
Credentials
PKCS7 Encrypted Data
^(?:Signer|Recipient)Info(?:s)?\ ::=\ \w+|[D|d]igest(?:Encryption)?Algorithm|EncryptedKey\ ::= \w+$
Credentials
PuTTY SSH DSA Key
^PuTTY-User-Key-File-2: ssh-dss\s*Encryption: none(?:.|\s?)*?Private-MAC:$
Credentials
PuTTY SSH RSA Key
^PuTTY-User-Key-File-2: ssh-rsa\s*Encryption: none(?:.|\s?)*?Private-MAC:$
Credentials
Samba Password config file
^[a-z]*:\d{3}:[0-9a-zA-Z]*:[0-9a-zA-Z]*:\[U\ \]:.*$
Credentials
SSH DDS Public
^ssh-dss [0-9A-Za-z+/]+[=]{2}$
Credentials
SSH RSA Public
^ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3} [^@]+@[^@]+$
Credentials
SSL Certificate
^-----BEGIN CERTIFICATE-----(?:.|\n)+?\s-----END CERTIFICATE-----$
Credentials
Lightweight Directory Access Protocol
^(?:dn|cn|dc|sn):\s*[a-zA-Z0-9=, ]*$
Credentials
Arista network configuration
^via\ \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3},\ \d{2}:\d{2}:\d{2}$
Network
John the Ripper
^[J,j]ohn\ [T,t]he\ [R,r]ipper|john-[1-9].[1-9].[1-9]|Many\ salts:|Only\ one\ salt:|openwall.com/john/|List.External:[0-9a-zA-Z]*|Loaded\ [0-9]*\ password hash|guesses:\ \d*\ \ time:\ \d*:\d{2}:\d{2}:\d{2}|john\.pot$
Network
Huawei config file
^sysname\ HUAWEI|set\ authentication\ password\ simple\ huawei$
Network
Metasploit Module
^require\ 'msf/core'|class\ Metasploit|include\ Msf::Exploit::\w+::\w+$
Network
Network Proxy Auto-Config
^proxy\.pac|function\ FindProxyForURL\(\w+,\ \w+\)$
Network
Nmap Scan Report
^Nmap\ scan\ report\ for\ [a-zA-Z0-9.]+$
Network
Cisco Router Config
^service\ timestamps\ [a-z]{3,5}\ datetime\ msec|boot-[a-z]{3,5}-marker|interface\ [A-Za-z0-9]{0,10}[E,e]thernet$
Network
Simple Network Management Protocol Object Identifier
^(?:\d\.\d\.\d\.\d\.\d\.\d{3}\.\d\.\d\.\d\.\d\.\d\.\d\.\d\.\d\.\d{4}\.\d)|[a-zA-Z]+[)(0-9]+\.[a-zA-Z]+[)(0-9]+\.[a-zA-Z]+[)(0-9]+\.[a-zA-Z]+[)(0-9]+\.[a-zA-Z]+[)(0-9]+\.[a-zA-Z]+[)(0-9]+\.[a-zA-Z0-9)(]+\.[a-zA-Z0-9)(]+\.[a-zA-Z0-9)(]+\.[a-zA-Z0-9)(]+$
Network
Bank of America Routing Numbers - California
^(?:121|026)00(?:0|9)(?:358|593)$
Finance
BBVA Compass Routing Number - California
^321170538$
Finance
Chase Routing Numbers - California
^322271627$
Finance
Citibank Routing Numbers - California
^32(?:11|22)71(?:18|72)4$
Finance
USBank Routing Numbers - California
^12(?:1122676|2235821)$
Finance
United Bank Routing Number - California
^122243350$
Finance
Wells Fargo Routing Numbers - California
^121042882$
Finance
SWIFT Codes
^[A-Za-z]{4}(?:GB|US|DE|RU|CA|JP|CN)[0-9a-zA-Z]{2,5}$
Finance
CVE Number
^CVE-\d{4}-\d{4,7}$
General
Dropbox Links
^https://www.dropbox.com/(?:s|l)/\S+$
General
Box Links
^https://app.box.com/[s|l]/\S+$
General
Large number of US Zip Codes
^(\d{5}-\d{4}|\d{5})$
General
MySQL database dump
^DROP DATABASE IF EXISTS(?:.|\n){5,200}CREATE DATABASE(?:.|\n){5,200}DROP TABLE IF EXISTS(?:.|\n){5,200}CREATE TABLE$
Database
MySQLite database dump
^DROP\ TABLE\ IF\ EXISTS\ \[[a-zA-Z]*\];|CREATE\ TABLE\ \[[a-zA-Z]*\];$
Database
If you need help with regexes or have regexes you'd like to share, please reach out to support@nightfall.ai.
Last updated