Since implementing DLP in our environment, I've had a black hole from not knowing the hostname of a client system that has triggered a Network Monitor event (FTP/HTTP/HTTPS), which I find a significant hole in the system. Why does Vontu not think this is just as pertinent, if not more so, than an IP address? (We have to assume the agent isn't always going to be on every system!)
After reading thoroughly through the Custom plugin section of the Lookup Plugin Guide, I've managed to get a fairly simple Python script to handle doing the lookup (and some future nice-to-have features, for when I get more time....)
My environment: Vontu Enforce 10.5 running on Windows Server 2003 Enterprise R2
Additional software required: Python (2.5 or higher) www.python.org/download
Create a new folder in your Vontu install folder (d:\vontu\protect\plugins\script)
Copy & paste the Python code below into a new file named: hostlookup.py
Please note I am not a programmer, and I'm sure there are dozens of better ways to do this. Here is only one way that I was successful with that took relatively little effort.
#hostlookup.py
## This is a simple Python script to convert an incoming argument into a Fully-qualified hostname
## Modified for specific Vontu-DLP use to strip out the incoming sender-ip= argument

import sys, socket

# Only look at the sender-ip= argument and drop the "sender-ip=" prefix.
# (str.strip('sender-ip=') would remove characters, not the prefix, so it is not used here.)
for args in [item.split('=', 1)[1] for item in sys.argv[1:] if item.startswith('sender-ip=')]:
    # this takes the passed argument and performs the IP -> FQDN lookup
    fullhostname_dc = socket.getfqdn(args)
    # If you prefer/need Shortname over FQDN, comment out the next line and uncomment the last two lines
    print 'host-name={0}'.format(fullhostname_dc)
    # Now we take the Full hostname and break it down into segments for shortname and output the short hostname
    #hostname_dc = fullhostname_dc.split('.', 1)[0]
    #print 'host-name={0}'.format(hostname_dc)
Next enable the custom lookup in your properties files (d:\vontu\protect\config):

Plugins.properties - Here we're enabling the custom script tool. Note, I'm chaining my LDAP lookup first, then the custom hostname lookup second.

com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Script Lookup
com.vontu.plugins.execution.chain=com.vontu.lookup.liveldap.LiveLdapLookup.properties, com.vontu.lookup.script.ScriptLookup
com.vontu.lookup.script.ScriptLookup.properties = ScriptLookup.properties

ScriptLookup.properties - Here we're actually configuring how Vontu calls Python and the script. Add these entries to the section titled # Script Execution Params.

protocol.filtering.enabled=false
protocols.allow=FTP,HTTP,NNTP
script.1.command=c:/python27/python.exe
script.1.custom.args=-u,d:/Vontu/Protect/plugins/Scripts/HostLookup.py
My file also had Example Script Params, which I had to comment out by adding a # to the beginning of each line:

# Example Script Params
#script.1.command=c:/python27/python.exe
#List of optional args delimited by a comma
#script.1.custom.args=-u,c:/ip-lookup.py
#script.2.command=c:/data/simpleScript.bat

In the Vontu Web interface, create a new custom attribute: host-name (it can be renamed as long as you also change the value in the hostlookup.py file!). Under the System menu -> Incident Data -> Attributes -> Custom Attribute, add new name: host-name. When done, click Reload Lookup Plug-ins.

Open an FTP/HTTP/HTTPS network incident and click Lookup. If it works correctly, you should now have the full hostname of the remote system. Note, this does NOT change how it is displayed in the list view. This will give you the ability to know both the IP address and the hostname of the system that triggered the network incident.
Hopefully someone out there will find this useful...
Is this script posted somewhere? We are having a really difficult time getting any Python scripts to work correctly within DLP. Running them manually seems fine. Any assistance would be greatly appreciated.
carly
Would you mind posting the updated script?
All,
I actually rewrote the script using VB, which is a lot more efficient, and got mine working beautifully. The Python version is way too slow, so this works so much faster.
Had to do some tweaking, but this script worked well.
Thanks!
Thanks for this info, but I am trying to parse out some more information from the Hostname that is retrieved from this script.
When I run the script, I am able to get the FQDN of the endpoint "username-laptop.company.com"
I have tried to get this script to just give me the username from the string, but I cannot get it to understand the separator '-'. When I do this the output is just 'file'.
I have changed the following line to use a dash and not a '.'; I have also tried using the hex version of a dash, to no avail.
hostname_dc = fullhostname_dc.split('-', 1)[0]
print 'host-name={}'.format(hostname_dc)
Any idea on why this is happening?
Hi Joe,
Please refer to the Symantec KB articles below:
https://kb1-vontu.altiris.com/display/1/kb/article.asp?aid=42806&n=2&s=
https://kb1-vontu.altiris.com/display/1/kb/article.asp?aid=46476&n=1&s=
Also read the Symantec references below:
About writing and preparing scripts for the Script Lookup Plug-In
To function with the Script Lookup Plug-In, script output must be in the required format. The script must reside in a directory on the Enforce Server host such as the \Protect\plugins\scripts directory. Or it can reside on a file share that is accessible with the appropriate permissions.
Note that scripts must exit with an exit code of '0.' If scripts exit with any other code, the Enforce Server assumes that an error has occurred in script execution and terminates the attribute lookup.
To prepare a script for use with the Script Lookup Plug-In
On the Enforce Server host, navigate to the \Protect\plugins directory and create a scripts subdirectory.
For example, create \Protect\plugins\scripts.
Copy your script file to the scripts subdirectory.
Make sure that permissions are set correctly on the directory and the file. The directory and the file must be readable by the protect user. Depending on the scripting language, the script may also need to be executable by the protect user.
Download and install (on the Enforce Server host) any applications necessary for executing the script. For example, if you plan to run a Python script on a Windows system, download and install the latest version of Python. For the scripts that require language libraries, you must install the required files on the Enforce Server host.
regards
Kishorilal
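Putting the script from the first post together with the plug-in requirements quoted above (key=value output, exit code 0, script readable by the protect user), here is a rewritten hostlookup.py as an added example. It is not the original poster's script and not Symantec code. It assumes, as the thread does, that Enforce passes the sender address as a sender-ip=<addr> argument and reads a host-name=<value> line back from stdout; the --short flag, the resolver parameter (so the logic can be exercised without DNS) and the constructed PTR table are my additions. It runs under Python 2.7 or 3.

```python
#!/usr/bin/env python
# hostlookup.py -- added example for the DLP Script Lookup Plug-In (Python 2.7 or 3).
# Not the original poster's script or Symantec code.  Assumed, not confirmed by
# the thread: Enforce passes attributes as key=value arguments (the thread shows
# sender-ip=<addr>) and reads key=value lines back from the script's stdout.
from __future__ import print_function
import socket
import sys

SENDER_KEY = "sender-ip"   # argument the thread's script strips from argv
OUTPUT_KEY = "host-name"   # custom attribute created under Incident Data -> Attributes

# Constructed sample data for offline use; not real hosts.
FAKE_PTR = {"10.1.2.3": "Username-Laptop.company.com."}


def offline_resolver(ip):
    """Stand-in for socket.gethostbyaddr backed by FAKE_PTR (same return shape)."""
    if ip in FAKE_PTR:
        return (FAKE_PTR[ip], [], [ip])
    raise ValueError("unknown host: %s" % ip)


def parse_args(argv):
    """Turn ['sender-ip=10.1.2.3', 'x=y=z'] into {'sender-ip': '10.1.2.3', 'x': 'y=z'}.

    str.strip('sender-ip=') removes *characters* from both ends of a string, not
    the prefix; splitting on the first '=' keeps values intact and lets any
    attribute Enforce passes that we do not use be ignored safely.
    """
    attrs = {}
    for item in argv:
        if "=" not in item:
            continue                      # e.g. a bare flag such as --short
        key, value = item.split("=", 1)
        attrs[key.strip()] = value.strip()
    return attrs


def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """Return the FQDN for ip, or '' when it cannot be resolved.

    Never raises: a lookup script that crashes or exits non-zero aborts the whole
    attribute lookup on the Enforce Server.  gethostbyaddr is used instead of
    getfqdn because getfqdn silently hands back the IP when there is no PTR
    record, which would store an address in the host-name attribute.
    """
    try:
        name = resolver(ip)[0]
    except (socket.error, ValueError, IndexError):
        return ""
    return name.rstrip(".").lower()       # normalise: no trailing dot, one case


def short_name(fqdn):
    """'username-laptop.company.com' -> 'username-laptop'."""
    return fqdn.split(".", 1)[0]


def build_output(attrs, resolver=socket.gethostbyaddr, short=False):
    """Return the key=value lines the plug-in expects.

    A host-name= line is always emitted, empty on failure, so the attribute is
    set deterministically and a failed lookup is not reported as a script error.
    """
    ip = attrs.get(SENDER_KEY, "")
    fqdn = reverse_lookup(ip, resolver) if ip else ""
    value = short_name(fqdn) if short else fqdn
    return ["%s=%s" % (OUTPUT_KEY, value)]


def main(argv=None, resolver=socket.gethostbyaddr):
    argv = sys.argv[1:] if argv is None else argv
    short = "--short" in argv             # assumed flag, passed via custom.args
    attrs = parse_args([a for a in argv if a != "--short"])
    for line in build_output(attrs, resolver=resolver, short=short):
        print(line)
    return 0                              # the plug-in treats non-zero as failure


if __name__ == "__main__":
    sys.exit(main())
```

Reference it from ScriptLookup.properties the same way the first post does (script.1.custom.args=-u,<path>\hostlookup.py, adding ,--short as another comma-delimited argument if the short name is wanted). Before clicking Reload Lookup Plug-ins, run it from a command prompt as the protect user, e.g. python hostlookup.py sender-ip=10.1.2.3, and confirm it prints exactly one host-name= line and that echo %ERRORLEVEL% shows 0, since any other exit code makes Enforce abandon the lookup.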
Hi all,
I have purchased a Network Monitor detection server and configured LDAP lookup. I checked all the incidents and observed that HTTP/S incidents do not have user information, unlike SMTP. So I searched for this article and followed it, but I am not finding the ip-lookup.py or hostlookup.py file, and the parameters configuration is very difficult.
Please help me.
Regards,
Amol