
How to monitor http traffic on network monitor on a different http tcp port

Created: 23 Jul 2013 • Updated: 25 Jul 2013 | 3 comments
This issue has been solved. See solution.

Hello all,

I am having an issue with a customer. This customer is using a proxy (Squid) for HTTP, HTTPS, FTP, etc. We configured Network Monitor to inspect HTTP and FTP traffic. The customer is using TCP port 3128 to redirect traffic through the proxy. The problem is that there are no incidents reported on the DLP console. I added a custom protocol, named it HTTP2 and chose 3128 as the TCP port, then activated this protocol to be monitored, but the problem persists. We used a SPAN port for Network Monitor. This SPAN port is monitoring the "inside" interface of the Squid proxy.

Any suggestion?

Best regards,



DLP Solutions2:

Blackjet,

First of all, it is better to integrate the proxy using ICAP and a DLP Web Prevent server, not a Network Monitor.

Have you connected 2 NICs of the Network Monitor to the network? One of them is for communication with the Enforce console (it needs an IP address). The 2nd NIC is the one to be connected to the SPAN port; this DOES NOT need an IP address.

Once you have done this, have you configured the Network Monitor in the DLP console to inspect traffic on the right NIC? Make sure it is not the one with an IP address.

An easy way to check is to look at the System Overview or the Traffic page in the DLP console and see whether messages or packets are being counted.

As far as configuring the SPAN port on the switch:

You should configure the SPAN port to replicate all of the traffic going outbound, not a specific TCP port on the network. Keep in mind that there is some other routing happening on the switch that is sending traffic to the proxy.

I would re-examine the SPAN port configuration to make sure you are seeing all OUTBOUND traffic and not inbound.

Hope this helps.

If this solves your question, please mark it as solved.

Ronak

Please make sure to mark this as a solution to your problem, when possible.

SOLUTION
stephane.fichet:

Hi Roberto,

First check with Wireshark (for example) whether this traffic is being routed to your monitor server. If it is not, ask your network admin to correct the SPAN configuration.

If it is, did you restart your monitor after adding the new protocol? Did you configure your policy to monitor this protocol (especially if you have set some exclusion/detection on specific protocols)? Be sure to generate some traffic that must generate an incident (because usually no incident in DLP is quite good news :) ), for example by defining a specific policy used to functionally monitor that DLP is working (very specific keywords not used by anyone else than you, posted on a web site). You can also check that your custom protocol is well defined, because apart from the port there are also some parameters on the way to analyse message content. So I hope this will help you investigate your issue, and let us know when you solve it.

Regards.

SOLUTION
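The two checks recommended above (Ronak's "make sure the SPAN delivers the outbound traffic to the sniffing NIC" and stephane.fichet's "confirm with a packet capture, then generate a canary incident") combined into one script. This is an added example and not code from the thread or from Symantec; it assumes a proxy at 10.0.0.5:3128, a sniffing NIC named eth1, a canary keyword matched by a test policy, and a POST target of example.com, all of which are placeholders. The tcpdump lines in SAMPLE_CAPTURE are constructed so the parsing runs offline; pass --live to capture from the real NIC instead.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumed placeholders: proxy 10.0.0.5:3128, sniffing NIC eth1, canary keyword.
PROXY_HOST="${PROXY_HOST:-10.0.0.5}"
PROXY_PORT="${PROXY_PORT:-3128}"
SNIFF_IF="${SNIFF_IF:-eth1}"                 # NIC on the SPAN port, no IP address
CANARY="${CANARY:-DLPCANARY-4f9c21e7}"       # keyword only a test policy matches

# Count packets whose destination is the proxy port (client -> proxy). This is
# the outbound request stream that Network Monitor must see to detect uploads.
# Reads "tcpdump -nn -q" output on stdin; argument 1 is the proxy port.
count_to_proxy() {
    grep -cE " > [0-9.]+\.$1: " || true
}

# Count packets whose source is the proxy port (proxy -> client replies).
count_from_proxy() {
    grep -cE "^[^ ]+ IP [0-9.]+\.$1 > " || true
}

# Verdict on the SPAN: DLP needs the request direction, so a capture that only
# shows replies (or nothing) means the SPAN or NIC assignment is wrong.
# Arguments: client->proxy count, proxy->client count. Prints none|inbound-only|ok
span_verdict() {
    if [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then
        echo none
    elif [ "$1" -eq 0 ]; then
        echo inbound-only
    else
        echo ok
    fi
}

# Live check: up to 200 packets on the sniffing NIC within 10 seconds.
capture_proxy_traffic() {
    timeout 10 tcpdump -nn -q -i "$SNIFF_IF" -c 200 "tcp port $PROXY_PORT" 2>/dev/null
}

# Canary: POST the keyword through the proxy so a test policy can fire.
# Prints the HTTP status; the DLP console should then show a new incident.
send_canary() {
    curl -s -o /dev/null -w '%{http_code}\n' \
        -x "http://$PROXY_HOST:$PROXY_PORT" \
        -X POST --data "note=$CANARY" "http://example.com/upload"
}

# Constructed sample of tcpdump -nn -q output (not a real capture): two client
# requests to the proxy, two proxy replies, and one unrelated flow.
SAMPLE_CAPTURE='12:00:01.000001 IP 10.1.1.20.51234 > 10.0.0.5.3128: tcp 512
12:00:01.000201 IP 10.0.0.5.3128 > 10.1.1.20.51234: tcp 0
12:00:01.000400 IP 10.1.1.21.40001 > 10.0.0.5.3128: tcp 1460
12:00:01.000500 IP 10.0.0.5.3128 > 10.1.1.21.40001: tcp 1460
12:00:01.000600 IP 10.1.1.22.40002 > 93.184.216.34.443: tcp 100'

main() {
    if [ "${1:-}" = "--live" ]; then
        cap=$(capture_proxy_traffic)
    else
        cap="$SAMPLE_CAPTURE"
    fi
    to=$(printf '%s\n' "$cap" | count_to_proxy "$PROXY_PORT")
    from=$(printf '%s\n' "$cap" | count_from_proxy "$PROXY_PORT")
    verdict=$(span_verdict "$to" "$from")
    echo "client->proxy:$to proxy->client:$from span:$verdict"
    # Only worth sending the canary once the SPAN is known to deliver requests.
    if [ "${1:-}" = "--live" ] && [ "$verdict" = ok ]; then
        send_canary
    fi
}

main "$@"
```

Run it first without arguments to see the parsing on the constructed sample, then with --live on the Network Monitor host; if the verdict is none or inbound-only, fix the SPAN or the NIC selection before touching the custom protocol, since no policy can fire on traffic the sensor never receives.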
Roberto_Ortiz:

Thank you all.

I reviewed the configuration and the services. There was a problem with an Oracle service. There were some incidents, but they were unable to register on the console due to the Oracle database service.

Best regards,