Data Loss Prevention

  • 1.  Python Script - Hostname Lookups

    Posted Aug 13, 2013 12:26 PM

    Team,

     

    I have been tasked with creating a Python script to perform an IP > hostname lookup and then query AD for additional attributes. Currently, I have LDAP working to where I receive all attributes, but our proxies cannot pass user authentication to DLP, so we're hit with the IP address only. I saw an article that Joe Bagnulo created a few years ago and I've been able to use his design to get a basic script in place. At this point, I have a Python script that does output a hostname on the incidents, but I'd like to figure out how to take that information and tie it back into AD (if possible). I'm running Python 2.4, so I had to change Joe's script around a little, but for the most part it's pretty identical. Also, it would be nice to not have to chain my lookups, and if Python could do everything in one script, I would prefer that route. I'll keep doing research and provide updates, but I appreciate everyone's help ahead of time!

    Any ideas?

     

    Thanks!



  • 2.  RE: Python Script - Hostname Lookups

    Trusted Advisor
    Posted Aug 14, 2013 01:54 AM

    Hi Tim,

    The plugin chain is working fine (and you can use all the variables already computed), but if you want to do it all in your Python script, there is no issue.

    If you don't have it, you can download the Python LDAP module and then use it to make your LDAP request to your AD (there are also some others which add some specific AD functionality to this LDAP module), as if you did it with the LDAP plugin. Then you will have to parse your result and output all your custom attributes in order to have this information available in your incident.

    Regards.
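The single-script approach described in the reply above, as an added example that is not part of the thread and is not either poster's script: reverse DNS, then one AD query for the computer object, with the PTR name escaped before it enters the LDAP filter and line breaks stripped from values before output. Assumptions: Python 3 with the python-ldap module (not the Python 2.4 mentioned in the question); the server URL, base DN and service account are placeholders; the AD attribute list, the `hostname` key and the one `key=value` pair per line output are illustrative choices, not taken from the thread.

```python
import socket

# Assumed AD attributes to return; adjust to the custom attributes in your deployment.
AD_ATTRS = ["description", "location", "managedBy"]

def escape_filter(value):
    # RFC 4515 escaping: the PTR record is untrusted input to the LDAP filter.
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def resolve_hostname(ip, resolver=socket.gethostbyaddr):
    # Reverse lookup; returns None when the address has no PTR record.
    try:
        return resolver(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def ad_search(filt, attrs, url="ldaps://dc.example.com", base="DC=example,DC=com",
              user="svc-dlp@example.com", password="CHANGE-ME"):
    # Placeholder connection details. Requires the python-ldap module.
    import ldap
    conn = ldap.initialize(url)
    conn.set_option(ldap.OPT_REFERRALS, 0)  # do not chase AD referrals
    conn.simple_bind_s(user, password)
    try:
        return conn.search_s(base, ldap.SCOPE_SUBTREE, filt, attrs)
    finally:
        conn.unbind_s()

def lookup(ip, resolver=socket.gethostbyaddr, search=ad_search):
    # Returns a dict of attribute name -> value for one incident IP.
    host = resolve_hostname(ip, resolver)
    if host is None:
        return {}
    result = {"hostname": host}  # hypothetical output key
    filt = "(&(objectClass=computer)(dNSHostName=%s))" % escape_filter(host)
    for dn, entry in search(filt, AD_ATTRS):
        if dn is None:          # referral entry, not a computer object
            continue
        for name in AD_ATTRS:
            values = entry.get(name)
            if values:
                result[name] = values[0].decode("utf-8", "replace")
        break                   # first matching computer object only
    return result

def format_output(attrs):
    # Assumed output format: one key=value per line; line breaks in values are collapsed.
    return "\n".join("%s=%s" % (k, " ".join(v.split())) for k, v in sorted(attrs.items()))
```

`lookup` takes the resolver and the search function as parameters, so the parsing and escaping can be exercised without a domain controller.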