Data Loss Prevention

Hello,

We are trying to pull the username from the IP Address (for HTTP/HTTPS Incidents) using custom scripts that basically use WMI Calls. We have a Perl script that does this job and works perfect.

In order to integrate the Perl script with DLP (11.6.2) we are using Python. The Python script looks like this:

#!/usr/bin/python

import sys, socket, subprocess, re

args = sys.argv[1:]

ip = re.findall("(?:[0-9]{1,3}\.){3}[0-9]{1,3}", str(args))

pipe = subprocess.Popen(["perl", "/home/protect/MyScript.pl", ip[0]], stdout=subprocess.PIPE)

result = pipe.stdout.read()

sys.stdout.write ('IPUsername='); print result

Basically, the Python script uses the input from DLP, looks for IP Address, passes that information to Perl script, Perl returns the required information to Python via pipe.stdout.read() and then it should write that information to IPUsername DLP field.

Running the Python script manually with all the input from DLP works as it should. See below:

/usr/bin/python /home/protect/MyScript.py discover-repository-location=null, Employee Notified=null, Manager Title=null, date-detected=Tue Jul 07 03:43:53 PDT 2015, endpoint-machine-name=null, incident-id=1728, sender-ip=10.245.4.217, Machine Name=MyPC, sender-email=10.245.4.217, Assigned To=null, Business Unit=null, sender-port=-2147483648, endpoint-domain-name=null, endpoint-dos-volume-name=null, file-access-date=null, date-sent=Tue Jul 07 03:43:53 PDT 2015, Comment=null, Review=null, Email Blocked=null, endpoint-file-name=null, Manager Notified=null, file-modified-by=null, Manager Email=null, Comment 2=null, plugin-chain-id=4, discover-server=null, data-owner-name=null, Last Name=null, First Name=null, Phone=null, Business Event Reviewer Email=null, subject=HTTP incident, Risk Steward Email=null, Policy Owner Email=null, Manager Location=null, endpoint-user-name=null, endpoint-volume-name=null, discover-name=null, discover-content-root-path=null, data-owner-email=null, file-create-date=null, endpoint-application-name=null, Manager First Name=null, path=null, Event Date=Tue Jul 07 03:43:53 PDT 2015, Manager Last Name=null, endpoint-application-path=null, discover-location=null, Policy Name=TempTestPolicy, protocol=HTTP, Resolution=null, Risk Steward=null, Email Released=null, file-owner=null, Employee Type=null, Location=null, Email Quarantined=null, endpoint-file-path=null, discover-extraction-date=null, Title=null, Manager Business Unit=null, Manager Phone=null, policy-name=TempTestPolicy, Policy Owner=null, file-created-by=null, Functional Area=null, Email Address=null, Web Hostname=null, Office Name=null, Manager Functional Area=null, file-owner-domain=null
IPUsername=Domain\scanteie

I have edited parts of the text, but you get the idea.

Using this script in DLP, it does not work. The field is blank and the log files read: Failed to process IPUsername= as it does not conform to standard key/value pair format.

And, now I am out of ideas. Any help or input is appreciated! :)

Thanks, Stefan

Stefan,

What is the command that you are running in the Perl Script to get the Username associated to the IP address?

If it is a WMI call, it will need to be run as a user that has Admin privelages to run the WMI call and pull this info from the remote machine. If you installed DLP as the typical way, you will notice that the DLP services are running as a LOCAL user account (protect) and NOT a Domain Account.

So when this process is run it is within the JAVA engine that is run under a local account (protect). This account cannot run the WMI call.

The way around this is to Change the Vontu Manager Service to Run under a DOMAIN Admin account that can run the WMI call.

Keep in mind that the Domain Account should have Admin rights to the Enforce server so it can run the Vontu Manager service and has write capabilites to all of the directories.

An easy test run the perl script as the 'protect' account and you will see the errors.

Hope this helps..

Ronak

Please marked as solved when possible.

Hey Ronak,

The Perl script uses a different account to run the WMI Calls and it also works.

Example: perl MyScript.pl 10.245.4.217 it returns the correct output.

Calling this Perl script from Python, it also works.

Example python Machine_Lookup.py sender-ip=10.245.4.217 it returns the correct output but only when I execute it from Linux shell. Otherwise, from DLP, it does not work.

So you think that the script is executed from a different account when DLP executes the script?

Thanks,

Stefan

Stefan,

I have dealt with issue many times, I am also one of the people who helped troublshoot the lookups when I was working at VontuSymantec.

What program or procedure are you running in the script tp get the username? Pslogedon or another WMIC call?

For example.. here is a portion of my VBS script that calls psloggedon. In order for this to work the Vontu Manager Service needs to be run by a domain Administrator level account.

' *******************************************************************************************************
' *********** Use this section if we DO NOT HAVE Web Authentication turned on the Web Proxy *************
' *********** This will run the psloggedon command (PSTOOLS). In order for this to run, you *************
' *********** The VontuManager Service will need to be run as a Domain Admin Level Account  *************
' *********** This section can also be used to check if the incidnet is HTTP, HTTPS, or FTP *************
' *************** You can use the protocol filter in the UI instead or this one too. ********************
' *******************************************************************************************************

'If attributeValues(1) = "HTTP" OR attributeValues(1) = "HTTPS/SSL" OR attributeValues(1) = "FTP" then
' If attributeValues(3)=nullVal Then
'   set objShell = createobject("wscript.shell")
'   strParams = "%comspec% /c D:\SymantecDLP\Protect\plugins\psloggedon.exe -l -x \\"&attributeValues(2)
'   set objExecObj = objShell.exec(strParams)
'   Do While Not objExecObj.StdOut.AtEndOfStream
'     strText = objExecObj.StdOut.Readline()
'     findMe = "M-01\"
'     If instr(strText,findMe) Then
'    strText = trim(strText)
'    stdOut.WriteLine "Test7="&strText
'    strhost = strText
'    stdOut.WriteLine "Test8="&strhost
'    strhost = right(strText,Len(strText)-4)
'    stdOut.WriteLine "HTTPUserName="&strhost
'     End if
'   Loop
' End if
'End if

Without seeing the actual logs, I think this is the issue. As I mentioned your best bet to test this out is to run the script as the protect user and see what happens.

If on linux, it should be easy to do. If on Windows, you will need to logon to the server as the protect user (this will require changing the user account to logon access to the server). Either that or do a RUN as for the command prompt and then play with the script.

Once you run it you will be able to see what the real error is with the script. Keep in mind that the protect user is NOT a domian accoutn so it does not have all of the privelges to run things.

I would run the script as the Protect user and also run the command that you are calling as the protect user.

That is where I would start.

Last option is to run the Vontu Manager Service as Domain Adminstrator Account LEVEL account (service account or something) and see how that works.

It all comes down to permissions.

Hope this helps..

Ronak

Please marked as solved when possible.

Hello,

It might be related to permissions, but:

- Both scripts (Perl and Python) are saved on the Enforce Server under /opt/SymantecDLP/Protect/plugins and under protect account. I even gave rwx permissions to all:

-rwxrwxrwx  1 protect protect 7.4K Jul 10 02:25 IP_Lookup.pl
-rwxrwxrwx  1 protect protect  758 Jul 10 02:25 IP_Lookup.py

- Vontu services are executed under this account.

- Manually executing the script under the "protect" user works: IP to Username=Domain\scanteie

But, when DLP executes the Python script it returns the following error (this is from the DLP logs):

13 Jul 2015 03:15:03,998- Thread: 522 FINE [com.vontu.lookup.script.ExecLauncher] Return [IP to Username=]
13 Jul 2015 03:15:03,998- Thread: 522 WARNING [com.vontu.lookup.script.ScriptUtility] Failed to process IP to Username= as it does not conform to standard key/value pair format.

Thanks,

Stefan

PS: I have other Python scripts in the same location (/opt/SymantecDLP/Protect/plugins) and those scripts are working fine. So it has something to do with this specific script.

Stefan,

Please attach the script to this post so I can look at it. 

Also what boxes do you have checked in the Script Lookup configuration?

Do you have the Enable stdin and Enable stdout boxes checked?? You may want to UNCHECK these, it might fix the issue right away.

Lastly what is the expected format of the outputted username supposed to be?

"domian\username" or just "username"

If its the first one, then that might be your issue to. the "\" is considered an escape character and is NOT liked by the system. Hence you are getting the as it does not conform to standard key/value pair format.

I would change your OUTPUT name to just be the username and not include the domain.

Use the strip function to remove the Domain name and ONLY output the useraname. You can then Daisy chain this to be part of an LDAP lookup as well.

username=username.strip("Domain\")

You will notice I do this in the VBS script I posted before.. I stripped the Domain "M-01" from the output that I got.

I then used the variable "HTTPUserName" to be part of the LDAP lookup process..

attr.First\ Name =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):givenName

Hope this helps..

Ronak

Please marked as solved when possible.

Unfortunately, it didn't work and the strip fails miserably. It also strips the last letter from my username.

Right now, I am out of ideas. I can share both scripts (Python and Perl) with you, but I do not want to publish them. Can you PM me with an email address?

Thanks,

Stefan

I have been able to confirm by looking at the security logs on the endpoint system that the credentials being passed are the Vontu Manager credentials which are local account creds. This is despite the checkbox being checked to use alternate credentials and pointing it to the encrypted credentials text file in the plugins directory. boo... I want my python script to run please. I am doing exactly what is discussed above.

Attachment(s)

iplookup2.py_.txt   1 KB 1 version

Were you ever able to get this sorted out? I am having the exact same issues after 2 days of working on this script. Thanks! Carly

Just to make sure.. when you are using the Enable Credentials setting.. have you actually encrypted the credentials?? This will not work with a TXT file that is in the clear.

Enabling and encrypting credentials

1 Create a text file that contains the credentials that are needed by the script to access the appropriate external systems.
The format of this file is key=value, where key is the name of the credential. 

For example: username=msantos password=esperanza9

You may need to play with these settings to make sure you have the domain right too!

username=msantos@domain password=esperanza

or Username=domain\msantos or Username=domain/msantos
 
2 Save this credential file to the file system local to the Enforce Server.
 The file needs to be saved to the Enforce Server temporarily.

For example: C:\temp\MyCredentials.txt.
 
3 On the Enforce Server, open a shell or command prompt and change directories to \SymantecDLP_home\Protect\bin. 
 This directory on the Enforce Server contains the Credential Generator Utility.
 
4 Issue a command to generate an encrypted credential file.
 The command syntax is as follows:

CredentialGenerator.bat
 in-cleartext-filepath out-encrypted-filepath

For example on Windows you would issue the following:

CredentialGenerator.bat C:\temp\MyCredentials.txt  
    C:\temp\MyCredentialsEncrypted.txt

You can open this file in a text editor to verify that it is encrypted.
 
5 Select Enable Credentials.
 At the System > Lookup Plugins > Edit Script Lookup Plugin page, select (check) the Enable Credentials option.
 
6 Enter the Credentials File Path.
 Enter the fully qualified path to the encrypted credentials file. For example:

C:\SymantecDLP\Protect\plugins\MyCredentialsEncrypted.txt
 
7 Save the plug-in.
 You can now use the encrypted credentials to authenticate to an external system.
 
8 Secure the clear-text credentials file.
 If you want to save the clear-text credentials file, move it to a secure location. It can be useful to save the file if you plan to update and re-encrypt it later. If you do not want to save the file, delete it now.
 
9 Reload the lookup plug-in.

Yes the steps above have been followed already. We are using an encrypted credentials file using the Credential Generator Utility described above. I can see the credentials "supposedly" being passed as the log shows the credentials i entered (in plain text thank you.) but when i check the node itself that the script was doing the WMI lookup for the logged on user the security event log shows a denied access event and the credentials being passed are the enforce "vontu manager" local account credentials (protect). Obviously this account has no permissions and hence the script fails.