DLP (Vontu) Custom Script to lookup Network incident hostnames
Since implementing DLP in our environment, I've had a black hole by not knowing the hostname of a client system that has triggered a network monitor event (ftp/http/https), which I find a significant hole in the system. Why does Vontu not think this is just as pertinent, if not more so than an IP Address? (we have to assume the agent isn't always going to be on every system!)
After reading thoroughly through the Custom plugin section of the Lookup Plugin Guide, I've managed to get a fairly simple Python script to handle doing the lookup (and some future nice-to-have features, for when I get more time....)
My environment: Vontu Enforce 10.5 running on Windows Server 2003 Enterprise R2
Additional software required: Python (2.5 or higher) www.python.org/download
Create a new folder in your Vontu install folder (d:\vontu\protect\plugins\script)
Copy & paste the python code below into a new file named: hostlookup.py
Please note I am not a programmer, and I'm sure there are dozens of better ways to do this. Here is only one way that I was successful with that took relatively little effort.
import sys, socket
for ip in [a[len('sender-ip='):] for a in sys.argv[1:] if a.startswith('sender-ip=')]:  # only the sender-ip=... argument Enforce passes in
    try: print('host-name=%s' % socket.gethostbyaddr(ip)[0])  # reverse DNS; Enforce reads attribute=value lines from stdout
    except socket.herror: print('host-name=')  # no PTR record: leave the custom attribute empty
Next enable the custom lookup in your properties files: (d:\vontu\protect\config)
Plugins.properties - Here we're enabling the custom script tool - note, I'm chaining my LDAP lookup first, then custom hostname second.
com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Script Lookup
com.vontu.lookup.script.ScriptLookup.properties = ScriptLookup.properties
ScriptLookup.properties - Here we're actually configuring how Vontu calls python and the script. Add these entries to the section titled # Script Execution Params.
My file also had Example script Params, that I had to comment out by adding a # to the beginning of each line:
# Example Script Params
#List of optional args delimited by a comma
In the Vontu Web interface - Create a new custom attribute: host-name (can be renamed as long as you also change the value in the hostlookup.py file!)
Under the system-menu -> Incident Data -> Attributes -> Custom Attribute.
Add new name: host-name
When done, click Reload Lookup Plug-ins
Open an FTP/HTTP/HTTPS network incident and click Lookup. If it works correctly, you should now have the full hostname of the remote system.
Note, this does NOT change how it is displayed in the list view. This will give you the ability to know both the IP Address and the hostname of the system that triggered the network incident.
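As an added example (not the original poster's script), here is a fuller hostlookup.py for the same plugin setup. It assumes Python 3.3 or later (for the ipaddress module), that Enforce passes incident fields as key=value arguments and reads attribute=value lines from stdout as described above, and it forward-confirms the reverse lookup because a PTR record is set by whoever controls the reverse zone, not by you. The resolver functions are parameters so the logic can be exercised without DNS.

```python
import sys
import socket
import ipaddress

ATTR = 'host-name'       # must match the custom attribute created in Enforce
INPUT_KEY = 'sender-ip'  # Enforce passes incident fields to the script as key=value arguments


def parse_args(argv):
    """Turn Enforce's key=value arguments into a dict; arguments without '=' are ignored."""
    fields = {}
    for arg in argv:
        key, sep, value = arg.partition('=')
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def confirmed_hostname(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Reverse-resolve ip, then forward-confirm the name (FCrDNS).

    The PTR answer is only trusted when the name resolves back to the same
    address; otherwise it is still shown, but marked as unconfirmed."""
    try:
        ipaddress.ip_address(ip)  # refuse to look up anything that is not an IP literal
    except ValueError:
        return ''
    try:
        name = reverse(ip)[0]
    except OSError:               # socket.herror / socket.gaierror: no PTR record or resolver down
        return ''
    try:
        forward_ips = forward(name)[2]
    except OSError:
        forward_ips = []
    return name if ip in forward_ips else name + ' (unconfirmed)'


def build_output(fields, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Produce the single attribute=value line Enforce reads from the script's stdout."""
    ip = fields.get(INPUT_KEY, '')
    return '%s=%s' % (ATTR, confirmed_hostname(ip, reverse, forward) if ip else '')


if __name__ == '__main__':
    socket.setdefaulttimeout(3)   # a hung resolver must not stall the Lookup click indefinitely
    print(build_output(parse_args(sys.argv[1:])))
```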
Hopefully someone out there will find this useful...