Data Loss Prevention

  • 1.  DLP Enforce Script Lookup Plugin

    Posted May 08, 2014 01:07 PM

    I wrote a Python script to find the userId based on sender-ip. This script must run with elevated credentials.

     

    Our DLP Enforce Server is on Windows 2008 R2 Server

    Path of python.exe is D:\Python27\python.exe

    Path of script is D:\SymantecDLP\Protect\lookup.py

    Below is the script 

    from __future__ import print_function

    # import statements
    import sys, subprocess
    import wmi, win32api, win32con

    # get the arguments and extract user's IP address
    argument = sys.argv[1]
    # split on the first '=' only, so a value that contains '=' does not break dict()
    attr_map = dict(item.strip().split('=', 1) for item in argument.split(','))
    userIP =  attr_map['sender-ip']

    # subprocess
    ping = subprocess.Popen(
        ["ping", "-n", "1", userIP],
        stdout = subprocess.PIPE,
        stderr = subprocess.PIPE
    )

    # can we ping the user's IP address?
    out, error = ping.communicate()

    # if we cannot ping user's IP address then print error message and exit program
    if out.find("Reply from") == -1:
        print (userIP, "is NOT pingable.")
        sys.exit()

    # try to access wmi
    try:
        c = wmi.WMI(userIP)
    except Exception:
        print ("Cannot access WMI for", userIP)
        sys.exit()
        
        
    # perform system lookup of IP address
    user_list = []
    for us in c.Win32_LogonSession():
        try:
            for user in us.references("Win32_LoggedOnUser"):
                user_logins = user.Antecedent.Domain + "\\" + user.Antecedent.Name
                user_list.append(user_logins)
                
        except Exception:
            pass


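    # exit with a message if no logged-on user was found
    if not user_list:
        print ("No logged-on user found for", userIP)
        sys.exit()

    userId = user_list[0]
    print(userId)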

     

    When I run the terminal command prompt with elevated credentials and execute the script as

    python lookup.py "sender-ip=10.10.10.10"

    It outputs the userId

     

    Here is a screenshot of the Script Lookup Plugin

    script_lookup.png 

     

    And these are the Lookup Parameter Keys

     

    lookup_parameter_keys.png

     

    When I click on Lookup of 10.10.10.10, I get an error in red: "Custom Attribute lookup failed"

     

     

    1. How do I enter the attributes so that I don't get this error?

    2. How do I set up the credentials file so that script runs with elevated credentials?

     



  • 2.  RE: DLP Enforce Script Lookup Plugin
    Best Answer

    Trusted Advisor
    Posted May 12, 2014 02:15 AM

    Hi,

    - Try to move your script to the "plugin" directory (and update the config, of course); I am not sure the Tomcat server is allowed to run anything in the Protect directory.

    - Try a simple Python script such as "hello world" just to check that everything is running fine.

    - You must send the result to stdout in the following format: "<attribute name> = <attribute value>", and not only the attribute value.

    Did you get any error messages in your Tomcat log files?

     regards.
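
Input and output handling for such a lookup script, as an added example that is not code from the thread or from the product: it validates `sender-ip` as a strict IPv4 address before the value would reach `ping` or WMI, and builds the result in the `<attribute name> = <attribute value>` form given in the reply above. The attribute name `userId`, the `resolve_user` callback standing in for the WMI query, and the sample mapping are assumptions.

```python
from __future__ import print_function
import re
import sys

# Strict dotted-quad IPv4: four decimal octets (0-255) and nothing else.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
_IPV4 = re.compile(r"\A" + _OCTET + r"(?:\." + _OCTET + r"){3}\Z")


def parse_attributes(argument):
    """Split 'k1=v1,k2=v2' into a dict; a value may itself contain '='."""
    attrs = {}
    for item in argument.split(","):
        key, sep, value = item.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def format_result(name, value):
    """Build one 'name = value' line; reject text that would add lines or pairs."""
    if re.search(r"[\r\n=,]", name) or re.search(r"[\r\n]", value):
        raise ValueError("unsafe character in lookup result")
    return "%s = %s" % (name, value)


def run(argument, resolve_user, attribute_name="userId"):
    """Return the stdout line for one lookup, or None if nothing is emitted."""
    try:
        ip = parse_attributes(argument).get("sender-ip", "")
        if not _IPV4.match(ip):
            raise ValueError("sender-ip is not a dotted-quad IPv4 address")
        user = resolve_user(ip)  # only reached with a validated address
        return format_result(attribute_name, user) if user else None
    except Exception as exc:
        # Diagnostics go to stderr so stdout carries only attribute lines.
        print("lookup failed:", exc, file=sys.stderr)
        return None


if __name__ == "__main__":
    # Constructed stand-in for the WMI query (hypothetical); address -> DOMAIN\user.
    sample = {"10.10.10.10": "EXAMPLE\\jdoe"}
    argument = sys.argv[1] if len(sys.argv) > 1 else "sender-ip=10.10.10.10"
    line = run(argument, sample.get)
    if line:
        print(line)
```

The account name returned by the remote host is treated as untrusted too, which is why `format_result` refuses line breaks before the value is written to stdout.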



  • 3.  RE: DLP Enforce Script Lookup Plugin

    Trusted Advisor
    Posted May 12, 2014 10:42 PM

    RSAKSA,

    You need to modify the script and also move the script to the plugins directory. The script will not run if it is not in the plugins directory. It is a Java control that cannot be changed.

    D:/python26/python.exe

    -u,D:/Vontu/Protect/plugins/XXX.py

    Hope this makes sense.

    If this solves your questions, please mark as solved.

    Ronak



  • 4.  RE: DLP Enforce Script Lookup Plugin

    Posted May 13, 2014 02:44 PM

    I made the changes and it is still not working. Created a new thread:

     

    https://www-secure.symantec.com/connect/forums/dlp-enforce-server-not-reading-encrypted-credentials-file

     

     



  • 5.  RE: DLP Enforce Script Lookup Plugin

    Trusted Advisor
    Posted May 13, 2014 06:21 PM

    Please close this case if it fixed the first issue of running the script!

    We will work on your password issue as a separate thread.

    Hope this makes sense.

    If this solves your questions, please mark as solved.

    Ronak