
Syntax for URL L7 Recipient Filter

Created: 10 Sep 2012 | 5 comments
Joe Saland

Can someone please share the syntax for excluding URLs from the Network Monitor using the L7 Recipient Filter?  I see plenty of examples for SMTP in there but it supposedly supports URLs as well.  Would it be something like this?

-http://facebook.com/cgi-bin/*,-http://disqus.com

 

Thanks,

Joe


ShawnM

Joe,

I'm not an expert on syntax as there are many areas that have specifics. I do recall finding the syntax though in 1 of 2 places:

  • If you click on the help link in the top right section of the interface on the page with the filters shown, it should bring up the context that covers the filter syntax.
  • Consult the Admin Guide which should definitely have the L7 filter syntax outlined if not in the system help for DLP.

Symantec Corporation | Sr Systems Engineer | CISSP, CCSK, VCP

If a post solves your problem, please flag it as solved.

If you like an item, please give it a thumbs up vote.

Joe Saland

Actually those filters are only described in the online help (at least I've never seen them in the admin guide despite much searching).  My problem is the online help only gives SMTP examples but not for URLs.

ShawnM

Joe,

I believe the examples should follow suit for URLs. Just replace the domains from SMTP or the email address from SMTP examples. You should be able to use root domains, or fill it out to fuller subdomains as well. It won't necessarily work though if trying to use a full URL (including things like an actual page: domain/directory/page.html).

And to touch on your original question, I believe the syntax just needs to remove the HTTP piece of it. It should just rely on the domain essentially and using the +/- as well as wildcard as needed.


stumunro

Joe,

 

This would do a certain users domain

-trustedpartner@partnercompany.com

-ceo@acme.com,-cfo@acme.com

 

Also do not forget wildcard statements

-*@acme.com, -*.acme.com

 

So for your example, http://facebook.com/* may work, as anything behind that should fit in the *

kishorilal1986

Hi Joe,

Please refer,

 

  • Any email address mask that starts with a plus sign (+) keeps matching messages for inspection. If you add the sender filter +*@abc.com, all messages that are sent from anyone in the abc.com domain are inspected.

  • Any email address mask that starts with a minus sign (-) excludes matching messages from inspection. If you add the recipient filter -*@xyz.com, all messages that are sent to anyone in the xyz.com domain are not inspected.

If you add an asterisk (*) to the end of the filter expression, any message not explicitly matching any of the filter masks is ignored. For example, if you add the sender filter +*@abc.com,*, all messages from anyone in the abc.com domain are inspected, but all other messages are ignored.

You can also include asterisk wildcards elsewhere in the address strings. The specific filter syntax depends on the protocol. For example, for email addresses you can use wildcards anywhere in the filter string as follows:

  • +*@symantec.com inspects all email to/from symantec.com.

  • +*.symantec.com inspects all email to/from any subdomains of symantec.com.

  • -*symantec.com excludes all email to/from any email address ending in symantec.com.
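
Added example, not part of the thread and not Symantec's code: a small Python model of the +/- mask rules quoted above, for checking which recipients an exclusion would drop from inspection before it is deployed. Inspect-by-default, first-match-wins ordering and case-insensitive matching are assumptions, and the function names and sample addresses are hypothetical.

```python
import re

def parse_filter(expr):
    """Split a comma-separated filter into (action, regex) rules and a default."""
    rules, default = [], "inspect"  # assumption: unmatched traffic is inspected
    for raw in expr.split(","):
        mask = raw.strip()
        if not mask:
            continue
        if mask == "*":  # trailing bare asterisk: ignore whatever matched no mask
            default = "ignore"
            continue
        if mask[0] not in "+-":
            raise ValueError(f"mask needs a + or - prefix: {mask!r}")
        # Only '*' is a wildcard; every other character is matched literally.
        pattern = ".*".join(re.escape(part) for part in mask[1:].split("*"))
        action = "inspect" if mask[0] == "+" else "ignore"
        rules.append((action, re.compile(pattern, re.IGNORECASE)))
    return rules, default

def decide(expr, address):
    """Return 'inspect' or 'ignore' for one address (assumed: first match wins)."""
    rules, default = parse_filter(expr)
    for action, regex in rules:
        if regex.fullmatch(address):
            return action
    return default

def excluded(expr, addresses):
    """List the addresses a filter would drop from inspection."""
    return [a for a in addresses if decide(expr, a) == "ignore"]

# Constructed sample recipients, not taken from any real traffic.
SAMPLE = ["cfo@acme.com", "ops@mail.acme.com", "user@notacme.com", "bob@abc.com"]

if __name__ == "__main__":
    for expr in ("-*acme.com", "-*@acme.com, -*.acme.com", "+*@abc.com,*"):
        print(f"{expr!r} skips {excluded(expr, SAMPLE)}")
```

The first filter shows the monitoring gap in a bare `-*acme.com` mask: it also skips the look-alike domain `notacme.com`, while the `-*@acme.com, -*.acme.com` pair does not.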