DLP (Vontu) Custom Script to lookup Network incident hostnames
Since implementing DLP in our environment, I've had a black hole: not knowing the hostname of the client system that triggered a network monitor event (FTP/HTTP/HTTPS), which I find a significant hole in the system. Why does Vontu not consider this just as pertinent as, if not more so than, an IP address? (We have to assume the agent isn't always going to be on every system!)
After reading thoroughly through the Custom Plugin section of the Lookup Plugin Guide, I've managed to put together a fairly simple Python script that handles the lookup (plus some future nice-to-have features, for when I get more time...).
My environment: Vontu Enforce 10.5 running on Windows Server 2003 Enterprise R2
Additional software required: Python (2.5 or higher) www.python.org/download
Create a new folder in your Vontu install folder (d:\vontu\protect\plugins\script)
Copy and paste the Python code below into a new file named hostlookup.py
Please note I am not a programmer, and I'm sure there are dozens of better ways to do this. This is just the one way I got working with relatively little effort.
#hostlookup.py
import sys, socket
# Enforce passes incident attributes as key=value arguments, e.g. sender-ip=10.1.2.3
for sender_ip in [item.split('=', 1)[1] for item in sys.argv[1:] if item.startswith('sender-ip=')]:
    fullhostname_dc = socket.gethostbyaddr(sender_ip)[0]   # reverse DNS lookup of the sender IP
    print 'host-name={}'.format(fullhostname_dc)          # key must match the custom attribute name
Next enable the custom lookup in your properties files: (d:\vontu\protect\config)
Plugins.properties - Here we're enabling the custom script tool - note, I'm chaining my LDAP lookup first, then custom hostname second.
com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Script Lookup
com.vontu.plugins.execution.chain=com.vontu.lookup.liveldap.LiveLdapLookup.properties, com.vontu.lookup.script.ScriptLookup
com.vontu.lookup.script.ScriptLookup.properties = ScriptLookup.properties
ScriptLookup.properties - Here we're actually configuring how Vontu calls Python and the script. Add these entries to the section titled # Script Execution Params.
protocol.filtering.enabled=false
protocols.allow=FTP,HTTP,NNTP
script.1.command=c:/python27/python.exe
script.1.custom.args=-u,d:/Vontu/Protect/plugins/Scripts/HostLookup.py
My file also had Example Script Params that I had to comment out by adding a # to the beginning of each line:
# Example Script Params
#script.1.command=c:/python27/python.exe
#List of optional args delimited by a comma
#script.1.custom.args=-u,c:/ip-lookup.py
#script.2.command=c:/data/simpleScript.bat
In the Vontu web interface, create a new custom attribute: host-name (it can be renamed, as long as you also change the value in the hostlookup.py file!)
Under the system-menu -> Incident Data -> Attributes -> Custom Attribute.
Add new name: host-name
When done, click Reload Lookup Plug-ins
Open an FTP/HTTP/HTTPS network incident and click Lookup. If it works correctly, you should now have the full hostname of the remote system.
Note, this does NOT change how it is displayed in the list view. It gives you both the IP address and the hostname of the system that triggered the network incident.
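A fuller version of the lookup script, added here as an example and not the script from the original post: it parses the key=value arguments the plug-in passes, does the reverse lookup, and always exits 0 so a failed lookup yields an empty attribute instead of aborting the whole lookup. The host-name attribute and the sender-ip argument are the ones used above; the resolver parameter is an assumption added only so the lookup can be exercised offline.

```python
#!/usr/bin/env python
# hostlookup_example.py - added example, not the script from the original post.
# Assumptions: the Script Lookup Plug-In passes incident attributes as key=value
# arguments (the post shows "sender-ip=<addr>") and reads key=value lines from
# stdout; "host-name" must match the custom attribute created in Enforce.
from __future__ import print_function   # runs under Python 2.7 and 3
import socket
import sys

ATTRIBUTE = 'host-name'   # custom attribute created under Incident Data -> Attributes


def parse_args(argv):
    """Turn ['sender-ip=10.1.2.3', 'protocol=HTTP'] into a dict.
    Splits on the first '=' rather than using str.strip('sender-ip='),
    which strips a set of characters and would mangle hex digits in IPv6."""
    attrs = {}
    for item in argv:
        if '=' in item:
            key, value = item.split('=', 1)
            attrs[key.strip()] = value.strip()
    return attrs


def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """Return the PTR name for ip, or '' if ip is not an IPv4 address or has
    no reverse record. Never raises: a non-zero exit makes Enforce abort the
    whole attribute lookup, so failures degrade to an empty attribute."""
    try:
        socket.inet_aton(ip)          # reject junk before touching DNS
        return resolver(ip)[0]
    except (socket.error, socket.herror, socket.gaierror, ValueError, OSError):
        return ''


def build_output(argv, resolver=socket.gethostbyaddr):
    """One 'host-name=<fqdn>' line for the plug-in to read back."""
    attrs = parse_args(argv)
    ip = attrs.get('sender-ip', '')
    name = reverse_lookup(ip, resolver) if ip else ''
    return '{0}={1}'.format(ATTRIBUTE, name)


if __name__ == '__main__':
    print(build_output(sys.argv[1:]))
    sys.exit(0)   # always 0: any other code makes Enforce treat the lookup as failed
```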
Hopefully someone out there will find this useful...
Hi all,
I have purchased a network monitor detection server and configured LDAP lookup. I checked all the incidents and observed that the HTTP/S incidents have no user information, only the SMTP ones do. So I searched for this article and followed it, but I am not getting the ip-lookup.py or hostlookup.py file, and the parameter configuration is very difficult.
Please help me.
Regards,
Amol
Hi Joe,
Please refer to the Symantec KB articles below:
https://kb1-vontu.altiris.com/display/1/kb/article.asp?aid=42806&n=2&s=
https://kb1-vontu.altiris.com/display/1/kb/article.asp?aid=46476&n=1&s=
Also read the Symantec references below:
About writing and preparing scripts for the Script Lookup Plug-In
To function with the Script Lookup Plug-In, script output must be in the required format. The script must reside in a directory on the Enforce Server host such as the \Protect\plugins\scripts directory. Or it can reside on a file share that is accessible with the appropriate permissions.
Note that scripts must exit with an exit code of '0.' If scripts exit with any other code, the Enforce Server assumes that an error has occurred in script execution and terminates the attribute lookup.
To prepare a script for use with the Script Lookup Plug-In
On the Enforce Server host, navigate to the \Protect\plugins directory and create a scripts subdirectory.
For example, create \Protect\plugins\scripts.
Copy your script file to the scripts subdirectory.
Make sure that permissions are set correctly on the directory and the file. The directory and the file must be readable by the protect user. Depending on the scripting language, the script may also need to be executable by the protect user.
Download and install (on the Enforce Server host) any applications necessary for executing the script. For example, if you plan to run a Python script on a Windows system, download and install the latest version of Python. For the scripts that require language libraries, you must install the required files on the Enforce Server host.
regards
Kishorilal
Thanks for this info, but I am trying to parse out some more information from the Hostname that is retrieved from this script.
When I run the script, I am able to get the FQDN of the endpoint "username-laptop.company.com"
I have tried to get this script to just give me the username from the string, but I cannot get it to understand the separator '-'. When I do this the output is just 'file'.
I have changed the following line to use a dash and not a '.', and I have also tried using the hex version of a dash, to no avail.
hostname_dc = fullhostname_dc.split('-', 1)[0]
print 'host-name={}'.format(hostname_dc)
Any idea on why this is happening?
Please make sure to mark this comment as a solution to your problem, when possible.
Had to do some tweaking, but this script worked well.
Thanks!
All,
I actually rewrote the script using VB, which is a lot more efficient, and got mine working beautifully. The Python version is way too slow, so this works so much faster.
Please make sure to mark this comment as a solution to your problem, when possible.
Would you mind posting the updated script?