We installed a DLP pilot which contains a Network Prevent for Web server. The NP server successfully integrated with a Websense web gateway via ICAP, and we can see HTTP/HTTPS messages. The problem is that in the incident details tab, at the sender, we only have the IP address instead of the username. Some incidents contain the username; not sure, but maybe the IDM/EDM detection doesn't get this information? The customer uses DHCP, so the IP address does not give any information for further investigation of the incidents.
I think we must use some lookup plugin, but we don't know exactly how to start it and where we can find the required information for the lookups (IP - user pairs).
Is there any solution to get this information from the IP address?
Not easy to answer your question, as it will depend on your infrastructure. DLP will be able to provide you the IP address, but after that it is your custom plugin script which has to find a way to get the username from this address. You could do an LDAP request to your AD (in this case use the standard LDAP plugin), you could do a reverse DNS, you could call a web service which manages workstations... It really depends what is available on your infrastructure.
But yes, after that you will have to use a lookup plugin and populate a custom attribute with this value. Or another solution is to ask your first response team to find the information manually in a system available on your infrastructure for non-false-positive incidents (of course it is not the best one, but a possible workaround until you have a good solution).
There are many ways to skin a cat in order to get the information you require.
In either case when it comes to Network Prevent for Web you will need to do some scripting, even if you can use the LDAP lookup feature. There are a couple of things you will need to decide upon:
As far as a way to get more information via the IP, there are a few different ways outlined here.
Overall you need to be able to script a process that you can pass some good information and then call some other process and get the information you need.
Hope this makes sense.
If this solves your question, please mark it as solved.
Thanks Stephane and DLP Solution :) I will walk through the articles and try to solve it with a script.
I walked through the articles but did not find the solution yet.
1. The lookup script doesn't work because we don't have the source information to look up. In the environment all users are using a terminal server, so user lookup based on the IP address is not possible.
2. We've checked the Websense settings and configured it to require authentication to access the web. In the WebPrevent_Access log we've found the Base64-encoded usernames, but on the DLP web interface the incident snapshot still does not contain this information.
Does anybody have experience with Websense - Symantec DLP integration? Why doesn't the DLP show the username although it is in the ICAP log?
Sample from the log (without the IP, the encoded username and the URL):
XXX.XXX.XXX.XXX "wefiwebflibjlikjblijde" 14/aug./2013:13:23:52:414+0200 "POST http://google.com HTTP/1.1" 204 1350 "http://google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" 218 26 172.16.1.212 52903 5 1 2 77527BAB-B0D8-483B-A4B6-FC1C3828172B
Any idea? I'll open a technical case and update the thread asap.
Did you have a look at the HTTP headers available in the message processed by DLP?
No I didn't, but in the ICAP log file there is a username in every record. I'll check the header.
I do not think you have it configured properly. It does NOT matter what is in the ICAP log on the Websense server. It only depends on what is on the Web Prevent server, nothing else.
What version of DLP are you running?
Also, what version of Websense are you integrated with?
Here is how to see if you are getting any information.
Overall, if the Sender field in the Incident Data is not populated with some user information and contains ONLY an IP address, then DLP is not getting it from Websense.
It looks like point 3 solved the problem. I don't really understand how, because there isn't any lookup script now. Does the DLP use these parameters for the native lookups too?
I'll check the other incident types and after that I'll mark this as the solution.
If you have no plugin at all (neither a standard one like CSV, LDAP, ... nor custom ones) it looks strange that point 3 solves your problem. But whatever, if you solved it, it is nice.
Did you get the username in a custom attribute or in the incident details section?
There isn't any lookup, so it's really strange, but now the username appears in the incident details section.
Glad I can help with fixing the situation.
It "worked" because you told DLP to return the "sender" attribute, which is the authenticated user that you are receiving from within the ICAP request. Based on what you're saying, you are not actually doing any subsequent lookup on that data. All you did was enable DLP to return that data to the standard incident meta-data.
Now that you're returning that data within the incident by enabling that attribute, you COULD, if desired, perform subsequent lookups (i.e. via LDAP) to get additional information about the user, like their email address, department, etc., and add that to Custom Attributes.
In Network incidents, you can see only user details but not IP details. IP details can be seen in incidents in the Endpoint incidents tab.
I understood what you said, but I didn't know that I have to enable any attribute for the native/standard incident metadata.
I'm waiting for the detailed test results, but the customer already signalled that some incidents (Network - HTTP) still don't contain the username...
It seems that the reason was that Firefox did not send auth information in all packets. When I checked the logs I saw the username in the first event, but after that it disappeared.
With IE it works like a charm, and every packet contains the username (in Base64).
With IE, and with DLP Solution's comment everything works now.
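The log record quoted earlier in the thread carries the username as a Base64 string in the second (quoted) field, and the last posts show that some browsers only include credentials on some requests. The script below is an added example, not code from Symantec, Websense or any poster: it splits records of that shape, decodes the user field, and reports which requests (and which clients) lack an authenticated user, which is the check you would run on the WebPrevent_Access log before blaming the DLP side. The field names are assumptions based on the sample's field order, and the three log lines are constructed for the demo.

```python
"""Decode the Base64 user field in Websense/ICAP-style access-log records and
flag requests that carry no authenticated user.

Added example for this thread, not vendor or poster code. The field order
follows the sample record quoted in the thread (client IP, quoted user,
timestamp, quoted request line, status, size, quoted referer, quoted
user-agent, then unnamed trailing fields); the field names are assumptions,
and the log lines below are constructed (users CORP\\jdoe and CORP\\asmith).
"""
import base64
import binascii
import shlex
from collections import defaultdict

# Constructed sample records, not from a real gateway. The second field is a
# Base64-encoded DOMAIN\user; "-" in the third record means no credentials.
SAMPLE_LOG = """\
10.0.0.5 "Q09SUFxqZG9l" 14/aug./2013:13:23:52:414+0200 "POST http://example.com/upload HTTP/1.1" 204 1350 "http://example.com/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0)" 218 26 172.16.1.212 52903 5 1 2 77527BAB-B0D8-483B-A4B6-FC1C3828172B
10.0.0.5 "Q09SUFxhc21pdGg=" 14/aug./2013:13:24:01:002+0200 "POST http://example.com/upload HTTP/1.1" 200 512 "http://example.com/" "Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0" 300 40 172.16.1.212 52904 5 1 2 0C1E3F6A-8D0B-4E1F-9C11-2A7B8D9E0F12
10.0.0.5 "-" 14/aug./2013:13:24:03:551+0200 "POST http://example.com/upload HTTP/1.1" 200 480 "http://example.com/" "Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0" 295 40 172.16.1.212 52905 5 1 2 3B4C5D6E-7F80-4912-A3B4-C5D6E7F80912
"""

# Assumed names for the leading positional fields of each record.
FIELDS = ("client_ip", "user_b64", "timestamp", "request", "status",
          "bytes", "referer", "user_agent")


def decode_user(field):
    """Return the decoded username, None when the gateway logged no user
    ("-" or empty), or the raw field when it is not valid Base64."""
    if field in ("", "-"):
        return None
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return field  # not Base64: hand back exactly what the gateway wrote


def parse_record(line):
    """Split one record on whitespace while honouring the double-quoted
    fields, then attach the decoded user. Unnamed trailing fields go to
    'extra' so nothing from the record is lost."""
    parts = shlex.split(line)
    rec = dict(zip(FIELDS, parts))
    rec["extra"] = parts[len(FIELDS):]
    rec["user"] = decode_user(rec.get("user_b64", "-"))
    return rec


def parse_log(text):
    """Parse every non-empty line of an access log into a record dict."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def unauthenticated(records):
    """Records that the DLP server could only attribute to an IP address."""
    return [r for r in records if r["user"] is None]


def intermittent_auth_clients(records):
    """Client IPs that sent both authenticated and unauthenticated requests,
    i.e. the browser did not include credentials on every request."""
    seen = defaultdict(set)
    for r in records:
        seen[r["client_ip"]].add(r["user"] is not None)
    return sorted(ip for ip, flags in seen.items() if flags == {True, False})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f'{r["client_ip"]:<10} user={str(r["user"]):<14} {r["request"]}')
    print("unauthenticated requests:", len(unauthenticated(recs)))
    print("clients with intermittent auth:", intermittent_auth_clients(recs))
```

Run against the real WebPrevent_Access log, a non-empty result from `intermittent_auth_clients` points at the browser or proxy authentication scheme rather than at the DLP incident configuration; a record whose user field does not decode is printed as-is so it can be compared with what the gateway actually sent.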
Hi Wasfi,
You can apply a policy to a specific username or AD group, or apply a specific group or username exception for a specific policy.
If you want to apply it to all the policies, you have to do that in each policy.
So by default a DLP policy will be applied to everyone that has the agent or any traffic passed to the other detection servers. You have to mention which user or group to apply that policy to, or which you want to exclude from the policy.
Thanks