Regex Library
Regular expressions for unique situations
Nightfall provides detectors for the most common data protection use cases. For unique situations, you can build custom detectors using regular expressions. Please double-check our Nightfall Detector Glossary before creating your own, including the API and cryptographic key detectors listed below, as regex detectors can introduce noise.
Nightfall's API key detector supports specific detection and validation of API keys for the top 30 services shown below.
• AWS • Azure • Confluence • Confluent • Datadog • ElasticSearch • Facebook • GCP (New) • Google API • GitHub | • GitLab • JIRA • JWT (New) • Nightfall • Notion (New) • Okta • Paypal • Plaid • Postmark (New) • Postman (New) | • Salesforce • Sendgrid (New) • Slack • Snyk (New) • Square • Stripe • Twilio • Zapier |
Nightfall's Cryptographic Key detector identifies popular keys to lock or unlock cryptographic functions, including authentication, authorization, and encryption.
• DSA Private Key • RSA Private Key | • EC Private Key • OpenSSH Private Key • Private Key | • Encrypted Private Key • PGP Private Key Block |
You can send us a request for new ML detectors directly in Nightfall.
REGEX Library
Here is a list of regex detectors used by other Nightfall customers.
| Name | Detector | Category |
|---|---|---|
google_two_factor_backup | ^(?:BACKUP VERIFICATION CODES|SAVE YOUR BACKUP CODES)[\s\S]{0,300}@$ | Credentials |
heroku_key | ^(heroku_api_key|HEROKU_API_KEY|heroku_secret|HEROKU_SECRET)[a-z_ =\s"'\:]{0,10}[^a-zA-Z0-9-]\w{8}(?:-\w{4}){3}-\w{12}[^a-zA-Z0-9\-]$ | Credentials |
MailGun API Key | ^key-[0-9a-zA-Z]{32}$ | Credentials |
microsoft_office_365_oauth_context | ^https://login.microsoftonline.com/common/oauth2/v2.0/token|https://login.windows.net/common/oauth2/token$ | Credentials |
PayPal Braintree Access Token | ^access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}$ | Credentials |
Picatic API Key | ^sk_live_[0-9a-z]{32}$ | Credentials |
ECDSA Private Key | ^-----BEGIN ECDSA PRIVATE KEY-----\s.*,ENCRYPTED(?:.|\s)+?-----END ECDSA PRIVATE KEY-----$ | Credentials |
KeePass 1.x CSV Passwords | ^"Account","Login Name","Password","Web Site","Comments"$ | Credentials |
KeePass 1.x XML Passwords | ^<pwlist>\s*?<pwentry>[\S\s]*?<password>[\S\s]*?<\/pwentry>\s*?<\/pwlist>$ | Credentials |
Password etc passwd | ^[a-zA-Z0-9\-]+:[x|\*]:\d+:\d+:[a-zA-Z0-9/\- "]*:/[a-zA-Z0-9/\-]*:/[a-zA-Z0-9/\-]+$ | Credentials |
Password etc shadow | ^[a-zA-Z0-9\-]+:(?:(?:!!?)|(?:\*LOCK\*?)|\*|(?:\*LCK\*?)|(?:\$.*\$.*\$.*?)?):\d*:\d*:\d*:\d*:\d*:\d*:$ | Credentials |
MailChimp API Key | ^[0-9a-f]{32}-us[0-9]{1,2}$ | Credentials |
PGP Header | ^-{5}(?:BEGIN|END)\ PGP\ MESSAGE-{5}$ | Credentials |
PKCS7 Encrypted Data | ^(?:Signer|Recipient)Info(?:s)?\ ::=\ \w+|[D|d]igest(?:Encryption)?Algorithm|EncryptedKey\ ::= \w+$ | Credentials |
PuTTY SSH DSA Key | ^PuTTY-User-Key-File-2: ssh-dss\s*Encryption: none(?:.|\s?)*?Private-MAC:$ | Credentials |
PuTTY SSH RSA Key | ^PuTTY-User-Key-File-2: ssh-rsa\s*Encryption: none(?:.|\s?)*?Private-MAC:$ | Credentials |
Samba Password config file | ^[a-z]*:\d{3}:[0-9a-zA-Z]*:[0-9a-zA-Z]*:\[U\ \]:.*$ | Credentials |
SSH DDS Public | ^ssh-dss [0-9A-Za-z+/]+[=]{2}$ | Credentials |
SSH RSA Public | ^ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3} [^@]+@[^@]+$ | Credentials |
SSL Certificate | ^-----BEGIN CERTIFICATE-----(?:.|\n)+?\s-----END CERTIFICATE-----$ | Credentials |
Lightweight Directory Access Protocol | ^(?:dn|cn|dc|sn):\s*[a-zA-Z0-9=, ]*$ | Credentials |
Arista network configuration | ^via\ \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3},\ \d{2}:\d{2}:\d{2}$ | Network |
John the Ripper | ^[J,j]ohn\ [T,t]he\ [R,r]ipper|john-[1-9].[1-9].[1-9]|Many\ salts:|Only\ one\ salt:|openwall.com/john/|List.External:[0-9a-zA-Z]*|Loaded\ [0-9]*\ password hash|guesses:\ \d*\ \ time:\ \d*:\d{2}:\d{2}:\d{2}|john\.pot$ | Network |
Huawei config file | ^sysname\ HUAWEI|set\ authentication\ password\ simple\ huawei$ | Network |
Metasploit Module | ^require\ 'msf/core'|class\ Metasploit|include\ Msf::Exploit::\w+::\w+$ | Network |
Network Proxy Auto-Config | ^proxy\.pac|function\ FindProxyForURL\(\w+,\ \w+\)$ | Network |
Nmap Scan Report | ^Nmap\ scan\ report\ for\ [a-zA-Z0-9.]+$ | Network |
Cisco Router Config | ^service\ timestamps\ [a-z]{3,5}\ datetime\ msec|boot-[a-z]{3,5}-marker|interface\ [A-Za-z0-9]{0,10}[E,e]thernet$ | Network |
Simple Network Management Protocol Object Identifier | ^(?:\d\.\d\.\d\.\d\.\d\.\d{3}\.\d\.\d\.\d\.\d\.\d\.\d\.\d\.\d\.\d{4}\.\d)|[a-zA-Z]+[)(0-9]+\.[a-zA-Z]+[)(0-9]+\.[a-zA-Z]+[)(0-9]+\.[a-zA-Z]+[)(0-9]+\.[a-zA-Z]+[)(0-9]+\.[a-zA-Z]+[)(0-9]+\.[a-zA-Z0-9)(]+\.[a-zA-Z0-9)(]+\.[a-zA-Z0-9)(]+\.[a-zA-Z0-9)(]+$ | Network |
Bank of America Routing Numbers - California | ^(?:121|026)00(?:0|9)(?:358|593)$ | Finance |
BBVA Compass Routing Number - California | ^321170538$ | Finance |
Chase Routing Numbers - California | ^322271627$ | Finance |
Citibank Routing Numbers - California | ^32(?:11|22)71(?:18|72)4$ | Finance |
USBank Routing Numbers - California | ^12(?:1122676|2235821)$ | Finance |
United Bank Routing Number - California | ^122243350$ | Finance |
Wells Fargo Routing Numbers - California | ^121042882$ | Finance |
SWIFT Codes | ^[A-Za-z]{4}(?:GB|US|DE|RU|CA|JP|CN)[0-9a-zA-Z]{2,5}$ | Finance |
CVE Number | ^CVE-\d{4}-\d{4,7}$ | General |
Dropbox Links | ^https://www.dropbox.com/(?:s|l)/\S+$ | General |
Box Links | ^https://app.box.com/[s|l]/\S+$ | General |
Large number of US Zip Codes | ^(\d{5}-\d{4}|\d{5})$ | General |
MySQL database dump | ^DROP DATABASE IF EXISTS(?:.|\n){5,200}CREATE DATABASE(?:.|\n){5,200}DROP TABLE IF EXISTS(?:.|\n){5,200}CREATE TABLE$ | Database |
MySQLite database dump | ^DROP\ TABLE\ IF\ EXISTS\ \[[a-zA-Z]*\];|CREATE\ TABLE\ \[[a-zA-Z]*\];$ | Database |
If you need help with regexes or have regexes you'd like to share, please reach out to support@nightfall.ai.
Last updated
