Data Loss Prevention

DLP (Vontu) Custom Script to lookup Network incident hostnames 

11-15-2010 07:39 PM

Since implimenting DLP in our environement, i've had a blackhole by not knowing the hostname of a client system that has triggered a network monitor event (ftp/http/https), which I find a significant hole in the system.  Why does Vontu not think this is just as pertinent, if not more so than an IP Address?  (we have to assume the agent isn't always going to be on every system!)

After reading thoroughly through the Custom plugin section of the Lookup Plugin Guide, I've managed to get a fairly simple Python script to handle doing the lookup (and some future nice-to-have features, for when I get more time....)

My environment:  Vontu Enforce 10.5 running on Windows Server 2003 Enterprise R2
Additional software required:  Python (2.5 or higher)

Create a new folder in your Vontu install folder (d:\vontu\protect\plugins\script)
Copy & paste the python code below into a new file named:

Please note I am not a programmer, and I'm sure there are dozens of better ways to do this.  Here is only one way that I was successful with that took relatively little effort.
## This is a simple Python script to convert an incoming argument into a Fully-qualified hostname
## Modified for specific Vontu-DLP use to strip out incoming sender-ip= argument

import sys, socket, string

for args in [item.strip('sender-ip=') for item in sys.argv[1:]]:
 #this takes the passed arguments and performs the IP -> FQDN lookup
 fullhostname_dc = socket.getfqdn(args)
 #If you prefer/need Shortname over FQDN, comment out the next line and uncomment out the last two lines
 print 'host-name={}'.format(fullhostname_dc)
 #Now we take the Full hostname and break it down into segments for shortname and output the short hostname
 #hostname_dc = fullhostname_dc.split('.', 1)[0]
 #print 'host-name={}'.format(hostname_dc)

Next enable the custom lookup in your properties files: (d:\vontu\protect\config) - Here we're enabling the custom script tool - note, I'm chaining my LDAP lookup first, then custom hostname second.
com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Script Lookup, com.vontu.lookup.script.ScriptLookup =

ScriptLookup.Properties - Here we're actually configuring how Vontu calls python and the script.  Add these entries to the section titled # Script Execution Params.

My file also had Example script Params, that I had to comment out by adding a # to the beginning of each line:
# Example Script Params
#List of optional args delimited by a comma

In the Vontu Web interface - Create a new custom attribute: host-name    (can be renamed as long as you also change the value in the file also!)
Under the system-menu -> Incident Data -> Attributes -> Custom Attribute.
Add new name: host-name
When done, click Reload Lookup Plug-ins

Open a FTP/HTTP/HTTPS network incident and click Lookup.  If it works correctly, you should now have the full hostname of the remote system.

Note, this does NOT change how it is displayed in the list view.  This will give you the ability to know both the IP Address and the hostname of the system that triggered the network incident.

Hopefully someone out there will find this useful...

0 Favorited
0 Files

Tags and Keywords


10-20-2015 01:27 PM

Is this script posted somewhere? We are having a really difficult time getting any python scripts to work correctly within DLP. running manually seem fine. any assistance would be greatly appreciated.



10-29-2012 11:50 AM

Would you mind posting the updated script?

09-14-2012 04:35 PM


I actually rewrote the script using VB, which is alot more effecient and got mine working beautifully. The python version is way to slow so this works so much faster.

09-14-2012 03:15 PM

Had to do some tweaking, but this script worked well.


06-13-2012 04:46 PM

Thanks for this info, but I am trying to parse out some more information from the Hostname that is retrieved from this script.


When I run the script, I am able to get the FQDN of the endpoint ""


I have tried to get this script to just give me the username from string, but I cannot get it to understand the separator "-'. When I do this the output is just 'file'.


I have chanegd the follwing line to use a dash and not a '.', I have also tried using the hex version of a dash and no avail.

 hostname_dc = fullhostname_dc.split('-', 1)[0]
 print 'host-name={}'.format(hostname_dc)


Any idea on why this is happening?

03-12-2012 11:55 AM

Hi Joe,

please refer below Symantec kb's article

 Also read the below symantecs references

About writing and preparing scripts for the Script Lookup Plug-In

To function with the Script Lookup Plug-In, script output must be in the required format. The script must reside in a directory on the Enforce Server host such as the \Protect\plugins\scripts directory. Or it can reside on a file share that is accessible with the appropriate permissions.

Note that scripts must exit with an exit code of '0.' If scripts exit with any other code, the Enforce Server assumes that an error has occurred in script execution and terminates the attribute lookup.

To prepare a script for use with the Script Lookup Plug-In

On the Enforce Server host, navigate to the \Protect\plugins directory and create a scripts subdirectory.

For example, create \Protect\plugins\scripts.

Copy your script file to the scripts subdirectory.

Make sure that permissions are set correctly on the directory and the file. The directory and the file must be readable by the protect user. Depending on the scripting language, the script may also need to be executable by the protect user.

Download and install (on the Enforce Server host) any applications necessary for executing the script. For example, if you plan to run a Python script on a Windows system, download and install the latest version of Python. For the scripts that require language libraries, you must install the required files on the Enforce Server host.




07-27-2011 06:48 AM

Hi all,

       I have purchased network monitor detection server & configured LDAP lookup. I checked the entire incidence & observed that HTTP/S incidence not having user information except SMTP. So search this article and followed but I am not getting or file & parameters configuration is very difficult.

            Please help me.




Related Entries and Links

No Related Resource entered.