
Unusually high amount of traffic between a client and Endpoint server

Created: 22 Mar 2013 | 4 comments

Hello,

My network guys detected 50GB of traffic being transmitted between a host with the DLP endpoint client and the Endpoint server over port 8000. There is no policy incident that shows up. Anyone have a suggestion for troubleshooting this, so I can identify why this happened? Or does anyone have a suggestion why this could happen?

Thanks in advance,

Bob
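The first troubleshooting step the thread circles around is establishing which client sent the volume, over what period, and at what rate, before touching any policy. The script below is an added example, not something posted in this thread or shipped with the DLP product: it aggregates flow records (exported by the "network guys") per client for the Endpoint server port and flags clients whose total stands out. The flow line format, the 10.1.x.x addresses, port 8000 as the server port and the 1 GB threshold are all assumptions chosen for the illustration.

```python
"""Triage helper: aggregate per-client traffic to a DLP Endpoint server port and
flag clients whose volume stands out, over constructed sample flow records."""
from collections import defaultdict
from datetime import datetime

GB = 1_000_000_000

# Constructed sample flow records (not from the original thread): flow start time,
# source host, destination host (assumed Endpoint server), destination port, bytes.
# 10.1.5.23 is the "50 GB in a few hours" client; 10.1.5.41 is a normal client;
# 10.1.5.77 is a single-flow burst, to show the zero-span edge case.
SAMPLE_FLOWS = """\
2013-03-22T08:00:00 10.1.5.23 10.1.1.10 8000 2500000000
2013-03-22T09:00:00 10.1.5.23 10.1.1.10 8000 12000000000
2013-03-22T10:00:00 10.1.5.23 10.1.1.10 8000 15000000000
2013-03-22T11:00:00 10.1.5.23 10.1.1.10 8000 11000000000
2013-03-22T12:00:00 10.1.5.23 10.1.1.10 8000 9500000000
2013-03-22T08:00:00 10.1.5.41 10.1.1.10 8000 1500000
2013-03-22T10:00:00 10.1.5.41 10.1.1.10 8000 2200000
2013-03-22T09:15:00 10.1.5.77 10.1.1.10 8000 1200000000
2013-03-22T08:30:00 10.1.5.23 10.1.1.20 443 40000000
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blank and '#' lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def summarize_by_client(flows, server_port=8000):
    """Total bytes, flow count and first/last flow time per source host that
    talked to server_port. Flows to other ports are ignored."""
    summary = defaultdict(lambda: {"bytes": 0, "flows": 0, "first": None, "last": None})
    for f in flows:
        if f["dport"] != server_port:
            continue
        s = summary[f["src"]]
        s["bytes"] += f["bytes"]
        s["flows"] += 1
        s["first"] = f["ts"] if s["first"] is None else min(s["first"], f["ts"])
        s["last"] = f["ts"] if s["last"] is None else max(s["last"], f["ts"])
    return dict(summary)


def flag_outliers(summary, threshold_bytes=1 * GB):
    """Return clients at or above threshold_bytes, largest first, with the span
    between their first and last flow and the resulting GB/hour rate.
    A client seen in a single flow has a zero span, so its rate is None."""
    flagged = []
    for client, s in summary.items():
        if s["bytes"] < threshold_bytes:
            continue
        hours = (s["last"] - s["first"]).total_seconds() / 3600
        flagged.append({
            "client": client,
            "gb": s["bytes"] / GB,
            "flows": s["flows"],
            "hours": hours,
            "gb_per_hour": (s["bytes"] / GB) / hours if hours > 0 else None,
        })
    flagged.sort(key=lambda o: o["gb"], reverse=True)
    return flagged


if __name__ == "__main__":
    report = flag_outliers(summarize_by_client(parse_flows(SAMPLE_FLOWS)))
    for o in report:
        rate = "n/a (single flow)" if o["gb_per_hour"] is None else f"{o['gb_per_hour']:.2f} GB/h"
        print(f"{o['client']}: {o['gb']:.2f} GB over {o['flows']} flows, "
              f"{o['hours']:.1f} h span, {rate}")
```

Running it prints the 50 GB client first with its hourly rate; the per-client span is what lets you line the transfer up with user activity (such as the USB copy mentioned later in the thread) and with the Endpoint server log level you raise during that window. Point it at a real flow export by replacing SAMPLE_FLOWS with the file contents, and adjust server_port and threshold_bytes to your environment.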


DLP Solutions

Bob,

Over what period was there 50GB of traffic? Also, what Endpoint policies do you have configured? You might have a policy that is misconfigured for an Endpoint server.

For instance, do you have an EDM or IDM policy configured that applies to the endpoint server? If the EDM/IDM policy DOES NOT have a REGEX rule associated to the EDM policy, then the endpoint will send EVERY file to the endpoint server for a policy scan on the ENDPOINT SERVER.

Remember that EDM/IDM policies exist only on the servers, for the EDM/IDM indexes cannot sit on the endpoints themselves (too large).

If this answers your question, please mark as solved.

Ronak

Please make sure to mark this as a solution to your problem, when possible.

BzlBob

Hi Ronak,

This occurred over 5 hours. The user told me he was copying files from a USB drive at the time. I have four policies enabled. Screen prints are attached of the rules which were enabled at the time. One is a test policy I made to look for unallowed web sites. The others are privacy based (HIPAA and SSN mostly). There are no exact data, indexed data or vector machine learning profiles enabled. Do any of the policies look like the reason all of the data was transferred?

Also, all of the enabled rules are configured with Group rules which only apply to a specific OU, yet this user is in a different OU. DLP is loaded by IT on all of our Windows 7 machines, but I would like DLP to do nothing except for users in a specific OU. Is this possible? If I disable all rules, will the clients stop sending traffic altogether?

Also, is it possible to throttle how much traffic is sent to Endpoint servers?


Thanks,

Bob

Attachments: snagit2.png, snagit1.png, snagit3.png, snagit4.png

stumunro

Bob,

Any reason for multiple SSN policies? Also, are you trying to protect HIPAA HITECH? The keywords on drug codes are used for that. I would look at refining these policies. Did you use a template for these rules?

DLP Solutions

Bob,

With just those 3 policies, I do not see what would cause the amount of traffic. I would turn off one or more of these policies to see what is causing the large amount of data to be sent between the endpoint and server.

I would start with the Forbidden Websites one; it may not be written correctly.

You can also look at the Endpoint server logs to see what kind of transmissions are happening. Turn the logging level up on the Endpoint Server to see more on the communication. The only thing I can think of is if the Endpoint Agent is constantly renegotiating the connection with the Endpoint Server. That aspect does have a large amount of data in comparison to just an incident. I doubt it, but it is a good place to start.

Also check the Endpoint Agent Events to see if there is a large amount of communication happening with the Endpoint server or even some errors.

Is this happening on just one Endpoint? If so, what kind of actions or transmissions are they doing?

If this answers your question, please mark as solved.

Ronak
