
DLP (Vontu) Custom Script to lookup Network incident hostnames

Created: 15 Nov 2010 • Updated: 16 Nov 2010 | 6 comments
Joe Bagnulo

Since implementing DLP in our environment, I've had a blind spot: not knowing the hostname of a client system that triggered a Network Monitor incident (FTP/HTTP/HTTPS), which I find a significant hole in the product. Why does Vontu not consider this just as pertinent as, if not more so than, the IP address? (We have to assume the agent isn't always going to be on every system!)

After reading through the Custom Plugin section of the Lookup Plugin Guide, I've managed to get a fairly simple Python script to handle the lookup (with room for some nice-to-have features, for when I get more time).

My environment: Vontu Enforce 10.5 running on Windows Server 2003 Enterprise R2
Additional software required: Python 2.7 (the script below uses str.format and Python 2 syntax, and the ScriptLookup.properties entries further down point at c:\python27) - www.python.org/download

Create a new folder in your Vontu install folder: d:\vontu\protect\plugins\scripts (the same path the ScriptLookup.properties entry below points at). Enforce runs whatever is in that folder as the protect user, so make sure only administrators can write to it.
Copy & paste the Python code below into a new file in that folder named: hostlookup.py

Please note I am not a programmer, and I'm sure there are dozens of better ways to do this.  Here is only one way that I was successful with that took relatively little effort.

#hostlookup.py
## This is a simple Python script to convert an incoming argument into a fully-qualified hostname
## Modified for specific Vontu-DLP use: Enforce passes incident attributes as name=value
## arguments, and we only want the one that starts with sender-ip=

import socket
import sys

PREFIX = 'sender-ip='

for arg in sys.argv[1:]:
    # Skip every argument that is not the sender-ip attribute
    if not arg.startswith(PREFIX):
        continue
    # Slice the prefix off. (str.strip('sender-ip=') strips a *set* of characters from
    # both ends rather than the literal prefix, and would also mangle other arguments.)
    sender_ip = arg[len(PREFIX):]
    # IP -> FQDN reverse lookup. If there is no PTR record, getfqdn() hands back the
    # IP address unchanged, so the attribute is still populated.
    fullhostname_dc = socket.getfqdn(sender_ip)
    # If you prefer/need the short name over the FQDN, comment out the next line and
    # uncomment the last two lines
    print('host-name={0}'.format(fullhostname_dc))

    # Now we take the full hostname and keep only the first label as the short hostname
    #hostname_dc = fullhostname_dc.split('.', 1)[0]
    #print('host-name={0}'.format(hostname_dc))

# Enforce treats any exit code other than 0 as a script failure
sys.exit(0)

Next enable the custom lookup in your properties files: (d:\vontu\protect\config)

Plugins.properties - Here we enable the custom script lookup. Note that I chain my LDAP lookup first and the custom hostname lookup second.
com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Script Lookup
com.vontu.plugins.execution.chain=com.vontu.lookup.liveldap.LiveLdapLookup.properties, com.vontu.lookup.script.ScriptLookup
com.vontu.lookup.script.ScriptLookup.properties = ScriptLookup.properties

ScriptLookup.properties - Here we actually configure how Vontu calls Python and the script. Add these entries to the section titled # Script Execution Params. (With protocol.filtering.enabled=false the protocols.allow list is not applied and the script runs for every incident the plug-in sees, as the property names indicate; set it to true and list the protocols if you only want network incidents looked up.)
protocol.filtering.enabled=false
protocols.allow=FTP,HTTP,NNTP
script.1.command=c:/python27/python.exe
script.1.custom.args=-u,d:/vontu/protect/plugins/scripts/hostlookup.py

My file also had example script params, which I had to comment out by adding a # to the beginning of each line:
# Example Script Params
#script.1.command=c:/python27/python.exe
#List of optional args delimited by a comma
#script.1.custom.args=-u,c:/ip-lookup.py
#script.2.command=c:/data/simpleScript.bat

In the Vontu web interface, create a new custom attribute named host-name (it can be renamed, as long as you also change the value printed by hostlookup.py!):
Under the System menu -> Incident Data -> Attributes -> Custom Attributes.
Add new name: host-name
When done, click Reload Lookup Plug-ins.

Open an FTP/HTTP/HTTPS network incident and click Lookup. If it works, you should now have the full hostname of the remote system.

Note that this does NOT change how the incident is displayed in the list view. It gives you both the IP address and the hostname of the system that triggered the network incident. Keep in mind that the hostname is whatever your reverse DNS zone returns for that IP at lookup time, not what the endpoint calls itself, so with DHCP a stale PTR record can point you at the wrong machine.

Hopefully someone out there will find this useful...
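As an added example that is not part of the original post, here is a more defensive version of the same Script Lookup plug-in, written so it can be tested offline. It keeps the post's contract (name=value arguments in, name=value lines out, exit code 0) but only acts on the sender-ip attribute, validates the reverse-DNS answer before echoing it back (the reverse zone is data you did not write, and the output format is line based, so a PTR containing a newline or '=' must not be able to become a second attribute line), and still exits 0 when the lookup fails so the plug-in chain is not terminated. The short-host-name attribute, demo_resolver and the _DEMO_PTR table are assumptions and constructed sample data for this example; to use short-host-name you would create it as a custom attribute exactly like host-name.

```python
# Added example, not the original post's hostlookup.py. Same contract as the post:
# Enforce passes incident attributes as name=value arguments (e.g. sender-ip=10.20.30.40)
# and reads name=value lines back from stdout; any non-zero exit code aborts the lookup.
# The short-host-name attribute, demo_resolver and _DEMO_PTR are assumptions/constructed
# sample data for this example only.
import re
import socket
import sys

# RFC 1123 style host name: dot-separated labels of letters, digits and hyphens,
# at most 253 characters. \Z (not $) so a trailing newline cannot sneak through.
_HOSTNAME_RE = re.compile(
    r'(?=.{1,253}\Z)'
    r'[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    r'(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?\Z')

# Constructed sample reverse zone so the example runs offline (not real hosts).
_DEMO_PTR = {
    '10.20.30.40': 'laptop-jdoe.corp.example.com',
    '10.20.30.41': 'evil.example.com\nhost-name=spoofed',   # hostile PTR answer
}


def demo_resolver(ip):
    """Stand-in for socket.gethostbyaddr() with the same return shape."""
    if ip not in _DEMO_PTR:
        raise socket.herror(1, 'Unknown host')
    return (_DEMO_PTR[ip], [], [ip])


def parse_incident_args(argv):
    """Turn ['sender-ip=10.0.0.5', 'protocol=HTTP'] into a dict.
    Splits on the first '=' only so values containing '=' survive;
    arguments without '=' are ignored."""
    attrs = {}
    for arg in argv:
        if '=' not in arg:
            continue
        name, value = arg.split('=', 1)
        attrs[name.strip()] = value.strip()
    return attrs


def is_valid_hostname(name):
    """True only for a well-formed host name, so reverse-zone data cannot
    inject a second attribute line or a stray '=' into our output."""
    return _HOSTNAME_RE.match(name) is not None


def resolve_hostname(ip, resolver=socket.gethostbyaddr):
    """Reverse-resolve ip to an FQDN, or None if there is no PTR record,
    the resolver fails, or the answer is not a well-formed host name."""
    try:
        fqdn = resolver(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None
    if not is_valid_hostname(fqdn):
        return None
    return fqdn.rstrip('.')


def short_hostname(fqdn):
    """First DNS label: 'laptop-jdoe' from 'laptop-jdoe.corp.example.com'."""
    return fqdn.split('.', 1)[0]


def build_output(attrs, resolver=socket.gethostbyaddr):
    """The name=value lines handed back to Enforce. Only sender-ip is looked up;
    if it is absent or unresolvable nothing is emitted, so the lookup simply
    adds no attributes instead of failing the whole plug-in chain."""
    ip = attrs.get('sender-ip')
    if not ip:
        return []
    fqdn = resolve_hostname(ip, resolver)
    if fqdn is None:
        return []
    return ['host-name=%s' % fqdn, 'short-host-name=%s' % short_hostname(fqdn)]


def main(argv=None, resolver=socket.gethostbyaddr):
    argv = sys.argv[1:] if argv is None else argv
    for line in build_output(parse_incident_args(argv), resolver):
        sys.stdout.write(line + '\n')
    return 0  # always 0: Enforce treats anything else as a script error


if __name__ == '__main__':
    sys.exit(main())
```

Run it the way Enforce would, for example `python hostlookup.py sender-ip=10.20.30.40 protocol=HTTP`, and it prints the host-name and short-host-name lines for a resolvable address and nothing at all for an address with no valid PTR record. Rejecting an ill-formed answer rather than trimming it keeps the script from ever writing something it did not intend into the incident's attributes.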

Comments

Amol S:

Hi all,

I have purchased a Network Monitor detection server and configured LDAP lookup. I checked all the incidents and observed that HTTP/S incidents do not have user information, except SMTP. So I searched for this article and followed it, but I am not getting the ip-lookup.py or hostlookup.py file, and the parameters configuration is very difficult.

Please help me.

Regards,

Amol
kishorilal1986:

Hi Joe,

Please refer to the Symantec KB articles below:

https://kb1-vontu.altiris.com/display/1/kb/article.asp?aid=42806&n=2&s=

https://kb1-vontu.altiris.com/display/1/kb/article.asp?aid=46476&n=1&s=

Also read the Symantec references below.

About writing and preparing scripts for the Script Lookup Plug-In

To function with the Script Lookup Plug-In, script output must be in the required format. The script must reside in a directory on the Enforce Server host such as the \Protect\plugins\scripts directory. Or it can reside on a file share that is accessible with the appropriate permissions.

Note that scripts must exit with an exit code of '0'. If scripts exit with any other code, the Enforce Server assumes that an error has occurred in script execution and terminates the attribute lookup.

To prepare a script for use with the Script Lookup Plug-In:

On the Enforce Server host, navigate to the \Protect\plugins directory and create a scripts subdirectory. For example, create \Protect\plugins\scripts.

Copy your script file to the scripts subdirectory.

Make sure that permissions are set correctly on the directory and the file. The directory and the file must be readable by the protect user. Depending on the scripting language, the script may also need to be executable by the protect user.

Download and install (on the Enforce Server host) any applications necessary for executing the script. For example, if you plan to run a Python script on a Windows system, download and install the latest version of Python. For scripts that require language libraries, you must install the required files on the Enforce Server host.

Regards,

Kishorilal
DLP Solutions:

Thanks for this info, but I am trying to parse out some more information from the hostname that is retrieved from this script.

When I run the script, I am able to get the FQDN of the endpoint "username-laptop.company.com".

I have tried to get this script to just give me the username from the string, but I cannot get it to understand the separator '-'. When I do this the output is just 'file'.

I have changed the following line to use a dash and not a '.'; I have also tried using the hex version of a dash, to no avail.

 hostname_dc = fullhostname_dc.split('-', 1)[0]
 print 'host-name={}'.format(hostname_dc)

Any idea on why this is happening?

Please make sure to mark this as a solution to your problem, when possible.
ANaybor:

Had to do some tweaking, but this script worked well.

Thanks!
DLP Solutions:

All,

I actually rewrote the script using VB, which is a lot more efficient, and got mine working beautifully. The Python version is way too slow, so this works so much faster.

Please make sure to mark this as a solution to your problem, when possible.
Luis A.:

Would you mind posting the updated script?