Data Loss Prevention


Integration with an external product using ICAP


    Posted Feb 19, 2015 07:01 AM

    Hi,

    I am working on a product that requires integration with DLP to scan remote files for possible violations. Following suggestions of several tutorials, I manually build an HTTP response packet and send it to the detection server using ICAP. Everything works, but there are two features I don't know how to implement:

    1. Can I get the list of violations in the ICAP response? Other products return them in a special ICAP header. If not, is there an API that I can use to get them from the server?
    2. Can I send the file name in the packet so it will appear in the incident report? Currently they are always marked as coming from "http://unknownurl.com" and there is no clear distinction between incidents.

     

    Here is a sample request ICAP packet:

    RESPMOD icap://192.168.1.10:1344/RESPMOD ICAP/1.0
    Host: 192.168.1.10
    Allow: 204
    Encapsulated: res-hdr=0, res-body=65

    HTTP/1.1 200 OK
    Content-Type: text/plain
    Content-Length: 70

    46
    ------------------------------
     test
    ------------------------------
    0

     

     

    And a sample ICAP response:

    ICAP/1.0 200 OK
    Cache-Control: no-cache
    ISTag: "Vontu11.6"
    Encapsulated: res-hdr=0, res-body=141

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Date: Fri, 12 Sep 2014 10:33:56 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 39

    27
    Content blocked due to policy violation
    0

     

     

    Thank you!
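Added example (not part of the original post, and not Symantec code): a Python sketch that builds a RESPMOD request like the one above with the Encapsulated offsets and chunk size computed rather than hand-counted, and parses the reply. The function names and the optional `req_url` parameter are assumptions; RFC 3507 allows a `req-hdr` section in RESPMOD, but this page does not confirm that the detection server uses it for the incident report.

```python
import re
from urllib.parse import urlsplit

def build_respmod(host, body, port=1344, service="RESPMOD",
                  content_type="text/plain", req_url=None):
    """Build an ICAP RESPMOD request, computing the Encapsulated offsets."""
    if not body:
        raise ValueError("empty body needs null-body, not handled here")
    req_hdr = b""
    if req_url:  # assumption: original URL passed as an encapsulated request header
        req_hdr = (f"GET {req_url} HTTP/1.1\r\n"
                   f"Host: {urlsplit(req_url).netloc}\r\n\r\n").encode()
    res_hdr = (f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\n"
               f"Content-Length: {len(body)}\r\n\r\n").encode()
    # Offsets are byte positions from the start of the encapsulated payload.
    parts = (["req-hdr=0"] if req_hdr else []) + [
        f"res-hdr={len(req_hdr)}", f"res-body={len(req_hdr) + len(res_hdr)}"]
    icap_hdr = (f"RESPMOD icap://{host}:{port}/{service} ICAP/1.0\r\n"
                f"Host: {host}\r\nAllow: 204\r\n"
                f"Encapsulated: {', '.join(parts)}\r\n\r\n").encode()
    # One chunk (hex size line), then the zero-length terminating chunk.
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    return icap_hdr + req_hdr + res_hdr + chunked

def parse_icap_response(raw):
    """Return (status, icap_headers, http_body) from a complete ICAP response."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:])}
    if status == 204:  # 204: server returned the content unmodified, no body
        return status, headers, b""
    m = re.search(r"res-body=(\d+)", headers.get("encapsulated", ""))
    if not m:          # null-body or no Encapsulated header
        return status, headers, b""
    data, body = rest[int(m.group(1)):], b""
    while True:        # de-chunk the encapsulated HTTP body
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            return status, headers, body
        body, data = body + data[:size], data[size + 2:]
```

The parser returns the ICAP headers as a lower-cased dict, so any extra header a server adds to its reply is visible in the second return value.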