
Network Prevent Incident Details (IP address-Username)

Created: 05 Aug 2013 • Updated: 23 Sep 2013 | 17 comments
Laszlo2:

Hi,

We installed a DLP pilot which contains a Network Prevent for Web server. The NP server successfully integrated with a Websense web gateway via ICAP, and we can see HTTP/HTTPS messages. The problem is that in the incident details tab, at the sender we only have the IP address instead of the username. Some incidents contain the username; not sure, but maybe the IDM/EDM detection doesn't get this information? The customer uses DHCP, so the IP address does not give any information for further investigation of the incidents.

I think we must use some lookup plugin, but we don't know exactly how to start it and where we can find the required information for the lookups (IP - User pairs).

Is there any solution to get this information from the IP address?

Thanks,

Laszlo


stephane.fichet:

Hi Laszlo,

Not easy to answer your question, as it will depend on your infrastructure. DLP will be able to provide you the IP address, but after that it is your custom plugin script which has to find a way to get the username from this address. You could do an LDAP request to your AD (in this case use the standard LDAP plugin), you could do a reverse DNS, you could call a web service which manages workstations... It really depends what is available on your infra.

But yes, after that you will have to use a lookup plugin and populate a custom attribute with this value. Another solution is to ask your first response team to find the information manually in a system available on your infrastructure for non-false-positive incidents (of course it is not the best one, but a possible workaround until you have a good solution).

Regards

DLP Solutions2:

Laszlo,

There are many ways to skin a cat in order to get the information you require.

In either case when it comes to Network Prevent for Web you will need to do some scripting, even if you can use the LDAP lookup feature. There are a couple of things you will need to decide upon:

  1. Does the Websense Proxy require authentication in order to get to the Web? If this feature is turned on, then DLP incidents will have a username, but probably with the Domain in the field (Domain\username). So the only way to make sure this happens is to configure Websense to require Authentication. This way EVERY incident will have a username that can be used to do a further lookup. You would need to script a process to remove the Domain information and then do an LDAP lookup with the username information. Otherwise you will have some that have a username and some that don't, which I believe is what you have now.

https://www-secure.symantec.com/connect/forums/icap-and-winntdomainname

  2. If you want to look up based on IP address, you will need to have some things as a requirement for a username lookup to happen. First is that there is some sort of system or way that you can decipher a username from an IP address or from the machine name. This could be through DNS or another system that you can query and get a username. For example, I had a customer where EVERY laptop name also had the username in it (jdoe_laptop_win7). What I needed to do was then do a reverse lookup via DNS and then parse the output of the laptop name (remove everything after the first _) and then pass that to the LDAP lookup. This then populated the attributes in the UI. *** This would be done via a daisy-chained lookup (script then LDAP). You can then have the script run ONLY if it was a Web-based incident. ****

As far as a way to get more information via the IP, there are a few different ways outlined here.

https://www-secure.symantec.com/connect/downloads/dlp-vontu-custom-script-lookup-network-incident-hostnames

Overall you need to be able to script a process that you can pass some good information and then call some other process and get the information you need.

Hope this makes sense.

If this solves your questions please mark as solved.

Ronak

Please make sure to mark this as a solution to your problem, when possible.
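The "daisy-chained" first step described above (strip the Domain\ prefix when the proxy authenticated the user, otherwise reverse-resolve the client IP and cut the hostname at the first underscore) as an added, self-contained example; this is not code from the thread or from the DLP product, the resolver is injected so it runs offline, and the "cut at first `_`" rule is the one naming convention the post mentions, which will not hold for every site.

```python
import re
from typing import Callable, Optional

# Hypothetical resolver signature: client IP -> PTR hostname (or None).
# Injected so the example runs offline; a real script would call socket.gethostbyaddr().
Resolver = Callable[[str], Optional[str]]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def strip_domain(sender: str) -> str:
    """'CORP\\jdoe' -> 'jdoe'; 'jdoe@corp.example' -> 'jdoe'; a bare name is returned unchanged."""
    if "\\" in sender:
        sender = sender.rsplit("\\", 1)[1]
    if "@" in sender:
        sender = sender.split("@", 1)[0]
    return sender.strip()


def username_from_hostname(hostname: str) -> Optional[str]:
    """Apply the naming convention from the post: the part before the first '_'.
    A hostname with no '_' does not follow the convention, so return None
    rather than guess (a conservative choice made in this example)."""
    short = hostname.split(".", 1)[0]  # drop the DNS suffix
    if "_" not in short:
        return None
    user = short.split("_", 1)[0]
    return user or None


def derive_username(sender: str, resolve: Resolver) -> Optional[str]:
    """Turn the incident Sender value into a bare account name for the LDAP step,
    or None when nothing usable is available (the incident then keeps only the IP)."""
    sender = sender.strip()
    if not sender:
        return None
    if not IPV4.match(sender):
        return strip_domain(sender)  # proxy already authenticated the user
    host = resolve(sender)  # reverse DNS on the client IP
    if not host:
        return None
    return username_from_hostname(host)


# Constructed reverse-DNS table standing in for the customer's DNS (not real data).
FAKE_PTR = {"10.0.0.5": "jdoe_laptop_win7.corp.example", "10.0.0.7": "printer01.corp.example"}


def fake_resolver(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)
```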

Laszlo2:

Thanks Stephane and DLP Solution :) I will walk through the articles and try to solve it with a script.

Regards

Laszlo

Laszlo2:

Hi,

I walked through the articles but did not find the solution yet.

1. The lookup script doesn't work because we don't have the source information to look up. In the environment all users are using a terminal server, so user lookup based on the IP address is not possible.

2. We've checked the Websense settings and configured it to require authentication to access the web. In the WebPrevent_Access log we've found the Base64-encoded usernames, but on the DLP web interface the incident snapshot still does not contain this information.

Does anybody have experience with Websense - Symantec DLP integration? Why doesn't the DLP show the username although it is in the ICAP log?

Sample from the log (without IP, encoded username and the URL):

XXX.XXX.XXX.XXX "wefiwebflibjlikjblijde" 14/aug./2013:13:23:52:414+0200 "POST http://google.com HTTP/1.1" 204 1350 "http://google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" 218 26 172.16.1.212 52903 5 1 2 77527BAB-B0D8-483B-A4B6-FC1C3828172B

Regards

Laszlo

Laszlo2:

Any idea? I'll open a technical case and update the thread asap.

Regards,

Laszlo

stephane.fichet:

Did you have a look at the HTTP headers available in the message processed by DLP?

Laszlo2:

No I didn't, but in the ICAP log file there is a username in every record. I'll check the header.

DLP Solutions2:

Laszlo...

I do not think you have it configured properly. It does NOT matter what is in the ICAP log on the Websense server. It only depends on what is on the Web Prevent server, nothing else.

What version of DLP are you running?

Also, what version of Websense are you integrated with?

Here is how to see if you are getting any information.

  1. Go to System > Logs and on the configuration tab you will need to configure the Enforce Server to start collecting the "Custom Attribute Lookup Logging". Enable that.
  2. Also enable the "ICAP Prevent Message Processing"
  3. You will then need to go to System > Lookup Plugins > Plugin Parameters. Enable "Sender" and "Incident".
  4. Then create an incident on the Web Prevent server and then start looking at the logs.
  5. See what comes in the logs as far as the ICAP data. You will need to see if Websense is sending you any type of information in the ICAP packet.
  6. You may need to configure Websense to send you the User information. Make sure that you have enabled NTLM proxy authentication and pass that via ICAP.

Overall if the Sender field in the Incident Data is not populated with some user information and ONLY an IP address, then DLP is not getting it from Websense.

Hope this makes sense.

If this solves your questions please mark as solved.

Ronak


SOLUTION
Laszlo2:

Hi,

It looks like point 3 solved the problem. I don't really understand how, because there isn't any lookup script now. Does the DLP use these parameters for the native lookups too?

I'll check the other incident types and after that I'll mark this as a solution.

Thanks,

Laszlo

stephane.fichet:

If you have no plugin at all (neither a standard one like CSV, LDAP, ... nor custom ones) it looks strange that point 3 solves your problem. But whatever, if you solved it, it is nice.

Did you get the username in a custom attribute or in the incident details section?

Laszlo2:

There isn't any lookup, so it's really strange, but now the username appears in the incident details section.

DLP Solutions2:

Laszlo...

Glad I can help with fixing the situation.

If this solves your questions please mark as solved.

Ronak


Keith Reynolds - ExchangeTek:

It "worked" because you told DLP to return the "sender" attribute, which is the authenticated user that you are receiving from within the ICAP request. Based on what you're saying, you are not actually doing any subsequent lookup on that data. All you did was enable DLP to return that data to the standard incident metadata.

Now that you're returning that data within the incident by enabling that attribute, you COULD, if desired, perform subsequent lookups (i.e. via LDAP) to get additional information about the user, like their email address, department, etc., and add that to Custom Attributes.

kishorilal1986:

In a Network incident, you can see only user details but not IP details. IP details can be seen in the incident in the Endpoint incidents tab.

Laszlo2:

Keith,

I understood what you said, but I didn't know that I had to enable any attribute for native/standard incident metadata.

I'm waiting for the detailed test results but the customer already signed that some incidents (Network - HTTP) still don't contain the username...

Laszlo

DLP Solutions2:

Laszlo.

If this solves your questions please mark as solved.

Ronak


Laszlo2:

Hi,

It seems that the reason was that Firefox did not send auth information in all packages. When I checked the logs I saw the username in the first event, but after that it disappeared.

With IE it works like a charm, and every packet contains the username (In Base64).

With IE, and with DLP Solution's comment everything works now.

Regards,

Laszlo
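The WebPrevent_Access log sample quoted earlier in the thread, and the final finding that one browser stopped sending credentials after the first request, together suggest a simple check: parse the access log, decode the Base64 username field, and list the requests that arrived without one. This is an added example, not code from the thread or from the DLP product; the field order is taken from the sample line above, and the assumption that a missing username is logged as `"-"` or an empty quoted field is mine, as is the constructed sample data.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Field layout assumed from the sample line in the thread: client IP, a quoted
# Base64 username, timestamp, quoted request line, then the remaining fields.
LINE_RE = re.compile(
    r'^(?P<ip>\S+)\s+"(?P<user_b64>[^"]*)"\s+(?P<ts>\S+)\s+"(?P<request>[^"]*)"'
)


def decode_user(b64: str) -> Optional[str]:
    """Decode the Base64 username field. '-' or an empty field (assumed to mean the
    proxy sent no credentials) and undecodable values both yield None."""
    if b64 in ("", "-"):
        return None
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields this check needs, or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "user": decode_user(m["user_b64"]),
            "ts": m["ts"], "request": m["request"]}


def unauthenticated_requests(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Records whose username is missing: these are the requests for which the
    DLP incident can only ever show the client IP in the Sender field."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["user"] is None:
            out.append(rec)
    return out


# Constructed sample lines (not real traffic). The first carries base64("CORP\\jdoe"),
# the second, from the same client a second later, carries no username at all.
SAMPLE = [
    '172.16.1.212 "Q09SUFxqZG9l" 14/aug./2013:13:23:52:414+0200 "POST http://example.test/upload HTTP/1.1" 204 1350 "http://example.test" "Mozilla/5.0" 218 26 172.16.1.212 52903 5 1 2 00000000-0000-0000-0000-000000000000',
    '172.16.1.212 "-" 14/aug./2013:13:23:53:001+0200 "POST http://example.test/upload HTTP/1.1" 204 1350 "http://example.test" "Mozilla/5.0" 218 26 172.16.1.212 52904 5 1 2 00000000-0000-0000-0000-000000000001',
]
```

Grouping the output by client IP and User-Agent is the quickest way to see whether the gaps cluster on one browser, as they did here.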