Data Loss Prevention

  • 1.  Syntax for URL L7 Recipient Filter

    Posted Sep 10, 2012 09:43 AM

    Can someone please share the syntax for excluding URLs from the Network Monitor using the L7 Recipient Filter?  I see plenty of examples for SMTP in there but it supposedly supports URLs as well.  Would it be something like this?

    -http://facebook.com/cgi-bin/*,-http://disqus.com

     

    Thanks,

    Joe



  • 2.  RE: Syntax for URL L7 Recipient Filter

    Posted Sep 10, 2012 03:12 PM

    Joe,

    I'm not an expert on syntax as there are many areas that have specifics. I do recall finding the syntax though in 1 of 2 places:

    • If you click on the help link in the top right section of the interface on the page with the filters shown, it should bring up the context that covers the filter syntax.
    • Consult the Admin Guide which should definitely have the L7 filter syntax outlined if not in the system help for DLP.


  • 3.  RE: Syntax for URL L7 Recipient Filter

    Posted Sep 11, 2012 11:50 AM

    Actually those filters are only described in the online help (at least I've never seen them in the admin guide despite much searching).  My problem is the online help only gives SMTP examples but not for URLs.



  • 4.  RE: Syntax for URL L7 Recipient Filter

    Posted Sep 12, 2012 11:24 AM

    Joe,

    I believe the examples should follow the same suit for URLs. Just replace the domains from SMTP or the email address from SMTP examples. You should be able to use root domains, or fill it out to fuller subdomains as well. It won't necessarily work though if trying to use a full URL (including things like an actual page: domain/directory/page.html).

    And to touch on your original question, I believe the syntax just needs to remove the HTTP piece of it. It should just rely on the domain essentially and using the +/- as well as wildcard as needed.



  • 5.  RE: Syntax for URL L7 Recipient Filter

    Posted Sep 13, 2012 08:56 AM

    Joe,

    This would do a certain users domain

    -trustedpartner@partnercompany.com

    -ceo@acme.com,-cfo@acme.com

    Also do not forget wildcard statements

    -*@acme.com, -*.acme.com

    So for your example, http://facebook.com/* may work, as anything behind that should fit in the *



  • 6.  RE: Syntax for URL L7 Recipient Filter

    Posted Sep 21, 2012 01:41 AM

    Hi Joe,

    Please refer,

     

    • Any email address mask that starts with a plus sign (+) keeps matching messages for inspection. If you add the sender filter +*@abc.com, all messages that are sent from anyone in the abc.com domain are inspected.

    • Any email address mask that starts with a minus sign (-) excludes matching messages from inspection. If you add the recipient filter -*@xyz.com, all messages that are sent to anyone in the xyz.com domain are not inspected.

    If you add an asterisk (*) to the end of the filter expression, any message not explicitly matching any of the filter masks is ignored. For example, if you add the sender filter +*@abc.com,*, all messages from anyone in the abc.com domain are inspected, but all other messages are ignored.

    You can also include asterisk wildcards elsewhere in the address strings. The specific filter syntax depends on the protocol. For example, for email addresses you can use wildcards anywhere in the filter string as follows:

    • +*@symantec.com inspects all email to/from symantec.com.

    • +*.symantec.com inspects all email to/from any subdomains of symantec.com.

    • -*symantec.com excludes all email to/from any email address ending in symantec.com.
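
The +/- mask rules quoted in the last reply, modelled as an added example that is not part of the original thread and is not the product's own code. It covers the email address masks only and says nothing about URL syntax. It assumes masks are evaluated left to right with the first match winning, that matching is case-insensitive, and that unmatched traffic is inspected unless the filter ends in a bare `*`. The sample addresses are constructed.

```python
import re

def mask_to_regex(mask):
    """Turn a mask such as *@acme.com into a regex; only * is a wildcard."""
    return re.compile(".*".join(re.escape(p) for p in mask.split("*")), re.IGNORECASE)

def parse_filter(expr):
    """Split a comma-separated filter into ordered (action, regex) rules."""
    rules = []
    for token in (t.strip() for t in expr.split(",")):
        if not token:
            continue
        if token == "*":
            # Bare trailing asterisk: anything not matched earlier is ignored.
            rules.append(("exclude", mask_to_regex("*")))
        elif token[0] in "+-" and len(token) > 1:
            action = "inspect" if token[0] == "+" else "exclude"
            rules.append((action, mask_to_regex(token[1:])))
        else:
            raise ValueError(f"mask needs a leading + or -: {token!r}")
    return rules

def decide(expr, address):
    """Return 'inspect' or 'exclude' for one address (assumed: first match wins)."""
    for action, regex in parse_filter(expr):
        if regex.fullmatch(address):
            return action
    return "inspect"  # assumed default when no mask matches

def excluded(expr, addresses):
    """List the addresses a filter would remove from inspection."""
    return [a for a in addresses if decide(expr, a) == "exclude"]

# Constructed sample recipients; notacme.com stands for an unrelated domain.
SAMPLES = ["ceo@acme.com", "bob@mail.acme.com", "bob@notacme.com", "amy@abc.com"]

if __name__ == "__main__":
    for expr in ("-*acme.com", "-*@acme.com, -*.acme.com", "+*@abc.com,*"):
        print(f"{expr!r:30} excludes {excluded(expr, SAMPLES)}")
```

Under these assumptions a mask of the `-*acme.com` form also removes the unrelated `notacme.com` address from inspection, while the `-*@acme.com, -*.acme.com` pair from the thread does not, which is worth checking before an exclusion is put on a monitor.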