Hello everybody.
I have some issues with Network DLP and still no clear answer from local technical support; maybe someone here could help.
Here is the data from the two network cards, which collect network traffic from SPAN ports (from a Cisco router).
eth3 Link encap:Ethernet HWaddr 00:26:55:DE:1C:78
inet6 addr: fe80::226:55ff:fede:1c78/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:331857313419 errors:0 dropped:34617 overruns:0 frame:0
TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:218048540846375 (198.3 TiB) TX bytes:3800 (3.7 KiB)
Interrupt:178 Memory:fbce0000-fbd00000
eth4 Link encap:Ethernet HWaddr 00:26:55:DE:1C:7B
inet6 addr: fe80::226:55ff:fede:1c7b/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:331857513770 errors:0 dropped:43222 overruns:0 frame:0
TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:218048618676882 (198.3 TiB) TX bytes:4085 (3.9 KiB)
Interrupt:194 Memory:fbfe0000-fc000000
RX/TX checksum offloading is off, but there are dropped packets, which I suppose cause several overall problems for the whole Symantec DLP system.
Daily traffic:
Data: 288.90 GB
Messages: 41,744,406
Incidents: 1,998
Encrypted Attachments: 0
Unprocessable Components: 3,839
Discarded Packets: 0
Damaged incidents are created in Enforce: without attachments, with incomplete body and header information (sometimes they are totally empty, but the original e-mail messages have been checked and contain full data). See dlp_cc.PNG for details.
In addition, there are *.vpcap files generated by the PacketCapture process in /opt/Vontu/Protect/var/spool/pcap/ that are not moved to /opt/Vontu/Protect/var/Vontu/drop_pcap/, are not unpacked there automatically and are not analyzed by the FileReader process.
For example:
13341370464349.vpcap
1334137175225.vpcap
1334137363593.vpcap
133413742665.vpcap
133413743979.vpcap
1334137522242.vpcap
If they are not deleted manually within several days, the filesystem slice (/opt) fills up and the system stops.
If these files are moved by cron to some directory under /opt/Vontu/Protect/var/Vontu/drop_pcap/somedirectory, these vpcap files are processed, but the incidents are generated in Enforce with the date 01.01.1970 (see dlp_date.PNG for details; sorry for the Russian interface, but the fields correspond to the English ones), though the body of these incidents contains correct information. I suppose these dates (1970) are generated from incorrect data in those vpcap files that are not automatically processed, but it may not be only these files.
Some incidents that are processed correctly (those that get automatically into drop_pcap) are corrupted: they don't have full information, for example they have headers but no body text (rare cases).
The whole installation was done according to the documentation.
OS: Red Hat Enterprise Linux (RHEL) 5.6 Tikanga, 64-bit.
Hardware:
HP DL360G7 E5540 Base EU Svr:
2 X Intel Xeon E5540 Processor
6 X HP 2GB 2Rx8 PC3-10600R-9 Kit
3 X HP 146GB 6G SAS 15K 2.5in DP ENT HDD
HP 460W HE 12V Hotplg AC Pwr Supply Kit
Please, can anyone tell me what can be done to correct the issues with the corrupted incidents and with the *.vpcap files left in /opt/Vontu/Protect/var/spool/pcap/?
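Two things a responder would want to quantify before going back to support are the RX drop ratio on the two SPAN-fed interfaces and whether the stranded *.vpcap file names are well formed. The script below is an added triage example, not part of the post above and not Symantec DLP code. It parses the ifconfig output quoted in the post and works through the six file names listed there. It assumes (this is not documented anywhere on the page) that the numeric stem of a vpcap file name is a millisecond Unix timestamp; under that reading the 13-digit names decode to 11 April 2012, while the 12- and 14-digit names do not decode to a plausible date and are the ones to inspect first.

```python
"""Triage helpers for the two symptoms in the post: RX drops on the SPAN-fed
interfaces and *.vpcap files stranded in the PacketCapture spool directory.

Added example, not Symantec DLP code.  Assumption: the numeric stem of a
*.vpcap file name is epoch milliseconds.  A name flagged here is a hint to
look at that file, not proof that it is corrupt.
"""
import re
from datetime import datetime, timezone

# ifconfig output as quoted in the post (RHEL 5 net-tools format), trimmed
IFCONFIG_SAMPLE = """\
eth3 Link encap:Ethernet HWaddr 00:26:55:DE:1C:78
RX packets:331857313419 errors:0 dropped:34617 overruns:0 frame:0
TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
eth4 Link encap:Ethernet HWaddr 00:26:55:DE:1C:7B
RX packets:331857513770 errors:0 dropped:43222 overruns:0 frame:0
TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
"""

# file names as listed in the post
VPCAP_LISTING = [
    "13341370464349.vpcap", "1334137175225.vpcap", "1334137363593.vpcap",
    "133413742665.vpcap", "133413743979.vpcap", "1334137522242.vpcap",
]

_IFACE_RE = re.compile(r"^(\S+)\s+Link encap:")
_RX_RE = re.compile(
    r"RX packets:(\d+) errors:(\d+) dropped:(\d+) overruns:(\d+) frame:(\d+)")


def rx_drop_stats(ifconfig_text):
    """Return {iface: {"rx", "dropped", "overruns", "drop_ratio"}} per NIC.

    What the kernel counts under 'dropped' is driver- and kernel-dependent,
    so the ratio is a first cut: a value around 1e-7, as in the post, is far
    below what would explain thousands of broken incidents per day, and
    points the investigation at the capture/processing stage instead.
    """
    stats, iface = {}, None
    for line in ifconfig_text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = _RX_RE.search(line)
        if m and iface:
            rx, _errors, dropped, overruns, _frame = map(int, m.groups())
            stats[iface] = {
                "rx": rx,
                "dropped": dropped,
                "overruns": overruns,
                "drop_ratio": dropped / rx if rx else 0.0,
            }
    return stats


def decode_vpcap_name(name, year_window=(2000, 2100)):
    """Decode a vpcap file name read as epoch milliseconds (assumption).

    'ok' is False when the stem is not a 13-digit number or the decoded year
    falls outside year_window (an arbitrary sanity window), which is how a
    name that looks truncated or padded stands out in a listing.
    """
    stem = name[:-len(".vpcap")] if name.endswith(".vpcap") else name
    if not stem.isdigit():
        return {"name": name, "utc": None, "digits": 0, "ok": False}
    ms = int(stem)
    try:
        when = datetime.fromtimestamp(ms / 1000.0, tz=timezone.utc)
        utc = when.strftime("%Y-%m-%dT%H:%M:%SZ")
        in_window = year_window[0] <= when.year <= year_window[1]
    except (OverflowError, OSError, ValueError):
        utc, in_window = None, False
    return {"name": name, "utc": utc, "digits": len(stem),
            "ok": len(stem) == 13 and in_window}


def suspicious_vpcaps(names):
    """Names whose stem does not decode to a plausible millisecond timestamp."""
    return [d["name"] for d in map(decode_vpcap_name, names) if not d["ok"]]


if __name__ == "__main__":
    for iface, s in rx_drop_stats(IFCONFIG_SAMPLE).items():
        print(f"{iface}: dropped {s['dropped']} of {s['rx']} "
              f"(ratio {s['drop_ratio']:.2e}, overruns {s['overruns']})")
    for d in map(decode_vpcap_name, VPCAP_LISTING):
        print(f"{d['name']:>22}  digits={d['digits']:>2}  utc={d['utc']}  ok={d['ok']}")
    print("inspect first:", suspicious_vpcaps(VPCAP_LISTING))
```

Run against a live box, feed it the real `ifconfig` output and `ls /opt/Vontu/Protect/var/spool/pcap/` instead of the constants; comparing the decoded name timestamps with each file's mtime (and with the 01.01.1970 incident dates) is the natural next check, but it needs the host and is left out here.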