Data Loss Prevention

  • 1.  DLP - LDAP Lookup issue

    Posted Dec 18, 2014 03:47 AM

    Dear All,

    Background:

    • Single Tier deployment (with Network Monitor, Network Prevent for Web - squid enabled)
    • Confirmed Directory Connection is okay
    • Create LDAP lookup plugins and switch to "on" status

    attr.Name=:(|(givenName=$sender-email$)(mail=$sender-email$)):cn
    attr.Title=:(|(givenName=$sender-email$)(mail=$sender-email$)):title
    attr.Department=:(|(givenName=$sender-email$)(mail=$sender-email$)):department
    attr.Employee\ Email=:(|(givenName=$sender-email$)(mail=$sender-email$)):mail

    However, when we try to trigger an incident, only the IP is shown in the sender field, and nothing changes even after pressing the "Lookup" button.

    Q1) In this situation, is there any log file I should be looking at?

    Q2) Is there any HTTP link that can be used for testing (file uploading), since Squid supports the HTTP protocol only?

    Thanks



  • 2.  RE: DLP - LDAP Lookup issue

    Posted Dec 18, 2014 09:13 AM

    This is always a frustrating Network Monitor shortcoming and an area where Symantec really needs to build in some resolution functionality. Without adding a script as a lookup plug-in, you won't know who that IP belongs (or belonged) to when the incident was generated.

    Here is a forum post about getting a logged-on username from an HTTP incident.

    https://www-secure.symantec.com/connect/forums/lookup-get-user-information-http-incidents

    Here is a forum post about a site to test HTTP posts with test data. I used it recently to troubleshoot Network Monitor.

    https://www-secure.symantec.com/connect/forums/site-test-http-posts-fake-phi-pii-pci-data



  • 3.  RE: DLP - LDAP Lookup issue

    Posted Dec 19, 2014 03:33 AM

    The other solution is to ensure that the ICAP connection between Squid and the NPW knows the user, e.g. using an authenticated session. Then it works without the script. However, I am not a Squid specialist, so I can't tell you how ;-(



  • 4.  RE: DLP - LDAP Lookup issue

    Posted Dec 19, 2014 04:36 AM

    Don't worry, I am just looking for a solution to test the LDAP lookup plugin. Because file upload (e.g. sendspace) is HTTPS encrypted and Squid cannot inspect HTTPS, I am looking for an HTTP file upload. I tried to use HFS; however, I still cannot identify the username successfully.



  • 5.  RE: DLP - LDAP Lookup issue
    Best Answer

    Trusted Advisor
    Posted Dec 29, 2014 07:51 AM

    Hello,

    If you performed your test using an HTTP incident, the sender-email attribute value won't be set, so your plugin will never retrieve any information from LDAP. You have to use sender-ip as the key in your LDAP request (so this means your AD needs to know users' IP addresses).

    If the plugin failed, you will have a red banner when you click on the "lookup" button and some error message in the tomcat log file.

    Regards
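
Added example, not part of any post in this thread and not Symantec code: a small offline check that parses the mapping lines from the first post and reports which `$variable$` placeholders stay unresolved for an HTTP incident, as the accepted answer describes. The sample incident, the `ipHostNumber` attribute in the sender-ip mapping, and all function names are assumptions made for illustration.

```python
import re

# Mapping lines copied from the first post in this thread.
MAPPINGS = r"""
attr.Name=:(|(givenName=$sender-email$)(mail=$sender-email$)):cn
attr.Title=:(|(givenName=$sender-email$)(mail=$sender-email$)):title
attr.Department=:(|(givenName=$sender-email$)(mail=$sender-email$)):department
attr.Employee\ Email=:(|(givenName=$sender-email$)(mail=$sender-email$)):mail
""".strip().splitlines()

# Constructed sample: per post 5, an HTTP incident carries sender-ip but no sender-email.
HTTP_INCIDENT = {"sender-ip": "192.0.2.15"}
# Hypothetical mapping keyed on sender-ip; ipHostNumber stands in for whatever
# directory attribute holds the workstation address in your environment.
IP_MAPPING = "attr.Name=:(ipHostNumber=$sender-ip$):cn"

VAR = re.compile(r"\$([A-Za-z0-9_-]+)\$")

def parse_mapping(line):
    """Split 'attr.<Name>=<base>:<filter>:<ldap attribute>' into its parts."""
    key, _, value = line.partition("=")
    base, _, rest = value.partition(":")
    ldap_filter, _, ldap_attr = rest.rpartition(":")
    name = key.strip()[len("attr."):].replace("\\ ", " ")
    return {"name": name, "base": base, "filter": ldap_filter, "ldap_attr": ldap_attr.strip()}

def escape_filter_value(value):
    """Escape LDAP filter metacharacters (RFC 4515) in a substituted value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def render(line, incident):
    """Return (filter, []) when every $variable$ is populated, else (None, missing)."""
    ldap_filter = parse_mapping(line)["filter"]
    missing = sorted({v for v in VAR.findall(ldap_filter) if not incident.get(v)})
    if missing:
        return None, missing
    return VAR.sub(lambda m: escape_filter_value(incident[m.group(1)]), ldap_filter), []

if __name__ == "__main__":
    for line in MAPPINGS + [IP_MAPPING]:
        rendered, missing = render(line, HTTP_INCIDENT)
        status = rendered if rendered else "unresolved variables: " + ", ".join(missing)
        print(f"{parse_mapping(line)['name']:15} -> {status}")
```

Run against the four original mappings, every line reports `sender-email` as unresolved, which matches the empty lookup result described in the thread; only the sender-ip keyed mapping produces a filter the directory could be queried with.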