Data Loss Prevention

  • 1.  Create Ip filter list to exclude monitoring an internal IP address

    Posted Dec 31, 2012 02:08 PM

    Dears,

    Hi

    There is a HTTP server in the network.

    Users upload files to that HTTP server, but they claim that it is very slow, and after stopping the DLP agent on the machines the issue is resolved!

    -I have attached an example of incident which is being detected while users are uploading to that IP address.

    -I have added a screenshot which shows the IP filter which I have created for that server.

    -Please let me know if I have to add another type of exclusion in addition to the IP filter list.

    -I am using DLP endpoint standard.

     

    Best Regards



  • 2.  RE: Create Ip filter list to exclude monitoring an internal IP address

    Broadcom Employee
    Posted Jan 02, 2013 01:28 AM

    Your IP filter :

    -,10.132.58.92/32,*;+,*,*

    is correct.

    So, you mean: after you created this IP filter, your DLP Agent still triggers an incident when you upload a file to your server?



  • 3.  RE: Create Ip filter list to exclude monitoring an internal IP address

    Broadcom Employee
    Posted Jan 02, 2013 02:41 AM
    If you have a domain name, add it under domain name for HTTP and check.


  • 4.  RE: Create Ip filter list to exclude monitoring an internal IP address

    Posted Mar 29, 2013 12:02 PM

    Dear Yang_Zhung,

    That IP Filter worked.

    Would you please let me know whether this is correct for adding the second IP to be excluded?

    -,10.132.58.92/32,10.132.58.93/32,*;+,*,*



  • 5.  RE: Create Ip filter list to exclude monitoring an internal IP address

    Posted Mar 30, 2013 10:17 AM

    Dear Yang_Zhung,

    That IP Filter worked.

    Would you please let me know whether this is correct for adding the second IP to be excluded?

    -,10.132.58.92/32,10.132.58.93/32,*;+,*,*

     



  • 6.  RE: Create Ip filter list to exclude monitoring an internal IP address

    Posted Mar 30, 2013 10:18 AM

    Dear Pete,

    That IP Filter worked.

    Would you please let me know whether this is correct for adding the second IP to be excluded?

    -,10.132.58.92/32,10.132.58.93/32,*;+,*,*

     



  • 7.  RE: Create Ip filter list to exclude monitoring an internal IP address

    Posted Mar 31, 2013 08:24 AM
    Hi Shahram, I think what you mentioned above is the correct one, but I think you should add "-" before adding the second IP filtering rule.


  • 8.  RE: Create Ip filter list to exclude monitoring an internal IP address

    Trusted Advisor
    Posted Apr 02, 2013 01:39 AM

    You have it close...

    -,10.132.58.92/32,*;-,10.132.58.93/32,*;+,*,*

    The way the nomenclature works is

    (+ or -), destination IP, source IP;(+ or -), destination IP, source IP

    so in your case it would be like the following

    -,10.132.58.92/32,*;-,10.132.58.0/24,*;+,*,*

    Also, when on that page, click on the online help; it outlines this as well.

    If this answers your question please mark this as solved

     

    Ronak



  • 9.  RE: Create Ip filter list to exclude monitoring an internal IP address

    Posted Apr 12, 2013 12:29 AM

    Hi Shahram,

    Just put the exclusion rule in the IP filtering config. You can do this by inserting it in the agent configuration.

    To setup IP filters for the Vontu Monitor Server:

    1. From Vontu Enforce, in the left pane, go to Administration > Settings > Protocols (if you want to apply to ALL Monitor servers); or go to Administration > System > Overview > Network Monitor server > Configure > Protocol (if you want to apply ONLY to a specific Monitor server).
    2. Add the filter by selecting the protocol you want.
    3. Use the following general syntax for IP filtering:

      -, <destination> , <source> drops all streams sent to <destination> from <source>
      +, <destination> , <source> includes all streams sent to <destination> from <source>

      All filters are processed from top to bottom. Make sure that there is no extra linefeed at the end. Otherwise you will get errors.
      For example, if you want to exclude only IPs 1.1.1.1 and 2.2.2.2 and keep everything else, you could do the following:

      -,*,1.1.1.1;-,*,2.2.2.2;+,*,*

      You can also use Classless Inter Domain Routing (CIDR) notation (http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing). A filter of +,10.67.0.0/16,*;-,*,* matches all streams going to network 10.67.x.x but does not match any other traffic.

      For more information on filtering and protocols, open the online help from Administration > Settings -> Protocols.

    Just refer to the important threads below; I hope this will resolve your concern.

    https://www-secure.symantec.com/connect/forums/internal-ips-exclusion-http-protocol#comment-6470691

    https://www-secure.symantec.com/connect/forums/dlp-agent-configuration-0#comment-7075821

    https://www-secure.symantec.com/connect/forums/need-assistance-ip-filtering-vontu-network-monitor#comment-5239231
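
Added example, not part of any post in this thread and not Symantec's own parser: a small Python checker for the `(+ or -),<destination>,<source>;...` syntax described above, which rejects the four-field filter asked about in post 4 and counts how many destination addresses each suggested filter removes from monitoring. It assumes the first matching rule wins (taken from "processed from top to bottom"); all function names are hypothetical.

```python
import ipaddress

def _net(field):
    # "*" is the wildcard; anything else must parse as an IP or CIDR block.
    return None if field == "*" else ipaddress.ip_network(field)

def parse_filter(text):
    """Parse '(+|-),<destination>,<source>;...' into (action, dst, src) rules."""
    if text.endswith(("\n", "\r")):
        raise ValueError("extra linefeed at the end of the filter")
    rules = []
    for pos, entry in enumerate(text.split(";"), 1):
        fields = [f.strip() for f in entry.split(",")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"rule {pos} {entry!r}: want (+|-),<destination>,<source>")
        rules.append((fields[0], _net(fields[1]), _net(fields[2])))
    return rules

def _hit(net, addr):
    return net is None or ipaddress.ip_address(addr) in net

def monitored(rules, dst, src):
    """True = inspected, False = dropped, None = no rule matched.
    Assumption: the first matching rule decides."""
    for action, dst_net, src_net in rules:
        if _hit(dst_net, dst) and _hit(src_net, src):
            return action == "+"
    return None

def excluded_destinations(rules):
    """Count destination addresses dropped for every source (the blind spot)."""
    nets = []
    for action, dst_net, src_net in rules:
        if dst_net is None and src_net is None:
            break  # catch-all reached: later rules can never match
        if action == "-" and src_net is None and dst_net is not None:
            nets.append(dst_net)
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))

# Filter strings quoted in the thread.
PROPOSED = "-,10.132.58.92/32,10.132.58.93/32,*;+,*,*"
TWO_HOSTS = "-,10.132.58.92/32,*;-,10.132.58.93/32,*;+,*,*"
SUBNET = "-,10.132.58.92/32,*;-,10.132.58.0/24,*;+,*,*"

if __name__ == "__main__":
    for f in (PROPOSED, TWO_HOSTS, SUBNET):
        try:
            print(excluded_destinations(parse_filter(f)), "excluded:", f)
        except ValueError as err:
            print("rejected:", err)
```

The two-host filter leaves 2 destination addresses uninspected, while the /24 variant leaves 256, so the narrower form keeps the DLP exclusion limited to the servers that were actually reported.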