Data Loss Prevention

Expand all | Collapse all

Network Prevent Incident Details (IP address-Username)

Jump to Best Answer
  • 1.  Network Prevent Incident Details (IP address-Username)

    Posted 08-05-2013 04:54 AM

    Hi,

    We installed a DLP pilot which contains a Network Prevent for Web server. The NP server successfully integrated to a Websense web gateway via ICAP, and we can see HTTP/HTTPS messages.The problem is that in the incident details tab, at the sender we only have IP address instead of the Username. Some incident contains the username, not sure but maybe the IDM/EDM detection dont get this information? The customer use DHCP so the IP address does not give any information for further investigation of the incidents.

    I think we must use some lookup plugin but we dont know exatly how to start it and where we can find the required information for the lookups (IP - User pairs).

    Is there any solution to get this information from the IP address?

    Thanks,

    Laszlo

     



  • 2.  RE: Network Prevent Incident Details (IP address-Username)

    Trusted Advisor
    Posted 08-07-2013 02:29 AM

    hi laszlo,

     not easy to answer your question as it will depend on your infrastructure. DLP will be able to provide you the IP address, but after that it is your custom plugin script which has to find a way to get username from this address. You could do a LDAP request to your AD (in this case use std LDAP plugin) , you could do a reverse DNS, you could call a webservice which manage workstation.....It relally depends what is available on your infra.

     But yes after that you will have to use lookup plugin and populate a custom attribute with this value. Or an other solution is to ask your first response team to find the information manually in a system available on your infrastructure for non false positive incident (of course it is not the best one but a possible workaround until you have a good solution).

     Regards



  • 3.  RE: Network Prevent Incident Details (IP address-Username)
    Best Answer

    Trusted Advisor
    Posted 08-07-2013 04:08 PM

    Laslo,

    There are many ways to skin a cat in order to get the information you require.

    In either case when it comes to Network Prevent for Web you will need to do some scripting, even if you can use the LDAP lookup feature. There are a couple of things you will need to decide upon:

    1. Does the Websense Proxy require authentication in order to get to the Web? If this feature is turned on, then then DLP incidents will have a username, but probably has the Domain in the field (Domian\username). So the only way to make sure this happens to configure Websens to require Authentication. This way EVERY incident will have a username that can be used to do a further lookup. You would need to script a process to remove the Domain information and then do an LDAP lookup with the username information. Otherwise you will have some that have a username and some that don't, which I believe is what you have now.

    https://www-secure.symantec.com/connect/forums/icap-and-winntdomainname

    1. If you want to lookup based on IP address, you will need to have some things as a requirement for a username lookup to happen. First is that there is some sort of system or way that you can decipher a username from an IP address or from the machine name. This could be through DNS or another system that you can query and get a username. For example, I had a customer who had EVERY laptop name also had the username in it. (jdoe_laptop_win7). What I needed to do was then do a reverse lookup via DNS and then parse the output of the laptop nam (remove everything after the first _) and then pass that to the LDAP lookup. This then populated the atttributes in the UI. *** This would be done via a daisy chained lookup (script then LDAP). you can then ONLY have the script run ONLY if it was a Web based incident) ****

    As far as a way to get more information via the IP, there are a few different ways outlined here.

    https://www-secure.symantec.com/connect/downloads/dlp-vontu-custom-script-lookup-network-incident-hostnames

     

    Overall you need to be able to script a process that you can pass some good information and then call some other process and get the information you need.

     

    Hope this makes sense.

    If this solves your questions please marked as solved.

    Ronak



  • 4.  RE: Network Prevent Incident Details (IP address-Username)

    Posted 08-08-2013 03:16 AM

    Thanks Stephane and DLP Solution :) I will walk trough the articles and try to solve it with a script.

    Regards

    Laszlo



  • 5.  RE: Network Prevent Incident Details (IP address-Username)

    Posted 08-14-2013 08:42 AM

    Hi,

    I walked trough the articles but did not find the solution yet. 

    1. The lookup script doesn't work because we don't have the source information to lookup. In the environment all user are using a terminal server so user lookup based on the IP address is not possible.

    2. We've checked the Websense settings and configured it to require authentication to access the web. In the WebPrevent_Access log we've found the Base64 encoded usernames, but on the DLP web interface the incident snapshot still not contains this information.

    Anybody has some experience with Websense - Symantec DLP integration? Why the DLP doesn't show the username altough they are in the ICAP log?

    Sample from the log (without IP, encoded username and the URL):

    XXX.XXX.XXX.XXX "wefiwebflibjlikjblijde" 14/aug./2013:13:23:52:414+0200 "POST http://google.com HTTP/1.1" 204 1350 "http://google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" 218 26 172.16.1.212 52903 5 1 2 77527BAB-B0D8-483B-A4B6-FC1C3828172B

    Regards

    Laszlo



  • 6.  RE: Network Prevent Incident Details (IP address-Username)

    Posted 09-02-2013 03:04 AM

    Any idea? I'll open a techinal case and update the thread asap.

    Regards,

    Laszlo



  • 7.  RE: Network Prevent Incident Details (IP address-Username)

    Trusted Advisor
    Posted 09-02-2013 03:22 AM

    did you have a look at HTTP headers available in message processed by DLP ?



  • 8.  RE: Network Prevent Incident Details (IP address-Username)

    Posted 09-02-2013 03:29 AM

    No I didn't but in the ICAP log file there is a username in every record. I check the header.



  • 9.  RE: Network Prevent Incident Details (IP address-Username)
    Best Answer

    Trusted Advisor
    Posted 09-03-2013 02:46 PM

    Laszlo...

    I do not think you have it configured properly. It does NOT matter what is in the ICAP log on the Websense server. It only depends on what is on the Web Prevent server, nothing else.

    What version of DLP are you running.

    Also what verion of Websense are you integrated with.

    Here is how to see if you are getting any information.

    1. Go to System > Logs and on the configuration tab you will need to configure the Enforce Server to start collecting the "Custom Attribute Lookup Logging". Enable that.
    2. Also enable the "ICAP Prevent Message Processing"
    3. You will then need to go to System > Lookup Plugins > PLugin Parameters. Enable "Sender" and "Incident".
    4. Then create an incident on the Web Prevent server and then start looking at the logs.
    5. See what comes in the logs as far as the ICAP data.. you will need to see if Websense is sending you any type of information in the ICAP packet.
    6. You may need to configure Websense to send you the User information. Make sure that you have enabled NTLM proxy authentication and pass that via ICAP.

    Overall if the Sender field in the Incident Data is not populated with some user information and ONLY an IP address, then DLP is not getting it from Websense.

     

    Hope this makes sense.

    If this solves your questions please marked as solved.

    Ronak



  • 10.  RE: Network Prevent Incident Details (IP address-Username)

    Posted 09-04-2013 07:23 AM

    Hi,

    It looks like point 3 solved the problem. I don't really understand how because there aren't any lookup script now. The DLP use theese parameters for the native lookups too?

    I check the other incident types and after that I mark this as a solution.

    Thanks,

    Laszlo



  • 11.  RE: Network Prevent Incident Details (IP address-Username)

    Trusted Advisor
    Posted 09-05-2013 01:44 AM

    if you have no plugin at all (nor standard one like csv, ldap,... nor custom ones) it looks strange that point 3 solves you rproblem. but whatever if you solved it, it is nice.

    did you get username in a custom attribute or in incident details section ?  



  • 12.  RE: Network Prevent Incident Details (IP address-Username)

    Posted 09-05-2013 08:36 AM

    There aren't any lookup so it's really strange, but now the username appears in the incident details section.



  • 13.  RE: Network Prevent Incident Details (IP address-Username)

    Trusted Advisor
    Posted 09-05-2013 12:29 PM

    Laszlo...

    Glad I can help with fixing the situation.

    If this solves your questions please marked as solved.

    Ronak



  • 14.  RE: Network Prevent Incident Details (IP address-Username)

    Broadcom Employee
    Posted 09-09-2013 12:19 PM

    It "worked" because you told DLP to return the "sender" attribute, which is the authenticated user that you are receiving from within the ICAP request.  Based on what you're saying, you are not actually doing any subsequent lookup on that data.  All you did was enable DLP to return that data to the standard incident meta-data. 

    Now that you're returning that data within the incdient by enabling that attribute, you COULD, if desired, perform subsequent lookups (i.e. via LDAP), to get additional information about the user, like their email address, department, etc, and add that to Custom Attributes.



  • 15.  RE: Network Prevent Incident Details (IP address-Username)

    Posted 09-11-2013 04:11 AM

    In Network incident, you can see only user details but not IP details. IP detailes can be seen in incident in Endpoint incidents tab



  • 16.  RE: Network Prevent Incident Details (IP address-Username)

    Posted 09-11-2013 04:49 AM

    Keith,

    I understood what you said but i didn't know that i have to enable any attribute for native/standard incident meta-data.

    I'm waiting for the detailed test results but the customer already signed that some incidents (Network - HTTP) still don't contain the username...

    Laszlo

     



  • 17.  RE: Network Prevent Incident Details (IP address-Username)

    Trusted Advisor
    Posted 09-24-2013 02:15 AM

    Laszlo.

    If this solves your questions please marked as solved.

    Ronak



  • 18.  RE: Network Prevent Incident Details (IP address-Username)

    Posted 09-24-2013 02:54 AM

    Hi,

    It seems that the reason was, Firefox did not sent auth information in all packages. When I checked the logs I saw username in the first event but after that it disappear.

    With IE it works like a charm, and every packet contains the username (In Base64).

    With IE, and with DLP Solution's comment everything works now.

    Regards,

    Laszlo



  • 19.  RE: Network Prevent Incident Details (IP address-Username)

    Posted 06-10-2021 10:36 AM
    This article is what I was looking for. However, my aim is not to associate the incident with a username, but rather be able to apply DLP policies based on this username and her/his AD group. For example for the IT group, don't apply any DLP policy.

    Something similar to user groups in Enforce DLP policies, which I don't think work with the Network Prevent for Web.

    Kindly
    Wasfi


  • 20.  RE: Network Prevent Incident Details (IP address-Username)

    Posted 06-10-2021 10:44 AM

    Hi Wasfi

    You can apply a policy on specific username or AD group or apply a spcific group or username exception for specific policy . 

    if you want to apply for all the policies you have to do that in each policy.

    So by default a DLP policy will be applied to everyone that has the agent or anytraffic passed to the other detection servers.

    you have to mention which user or group to apply that policy or which you want to exclude from the policy

    Thanks



    ------------------------------
    Fady Azab
    Senior Consultant
    CCIT GMBH
    ------------------------------



  • 21.  RE: Network Prevent Incident Details (IP address-Username)

    Posted 06-10-2021 07:51 PM
    Thank you Fady. In my case, I don't have the DLP agents installed on end-user devices. I only have Network Prevent for Web detection servers that are integrated with Proxy SG devices over ICAP.

    I guess based on what you said, the Network Prevent for Web will read the username from the Proxy SG "after the Proxy SG has authenticated the user", then it will apply the policy or not apply it based on the user groups defined for that policy on the Enforce server, correct?

    In this case, the script mentioned originally in this article is only needed to associate incidents with usernames, but not needed if you want to only apply policies based on user groups?