Data Loss Prevention

  • 1.  ProxySG Send ICAP No Content

    Posted Nov 24, 2023 12:10 PM

    Hi Everyone,

    I have integrated DLP for Web with ProxySG.

    When I tested uploading a sensitive file on web.skype.com, DLP did not generate an incident.

    I checked on the ProxySG, and messages have been sent to DLP.

    I tried uploading this file on drive.google.com and DLP generated an incident normally.

    SSL is intercepted by the proxy on both destination URLs.

    Please check the FileReader logging below:

    << 1700821218429 42
    REQMOD icap://10.6.33.37/reqmod ICAP/1.0
    << 1700821218429 18
    Host: 10.6.33.37
    << 1700821218429 31
    X-Client-Abandon-Supported: 1
    << 1700821218429 20
    X-ISTag-Version: 2
    << 1700821218429 30
    X-Scan-Progress-Interval: 10
    << 1700821218429 26
    X-Client-IP: 10.2.208.81
    << 1700821218429 52
    X-Authenticated-User: V2luTlQ6Ly9OT1IvdGhhbmdkZDE=
    << 1700821218429 81
    X-Bluecoat-Transaction-UUID: f4462611cdbfbf1a-00000000a9163f9c-00000000656078e2
    << 1700821218429 12
    Allow: 204
    << 1700821218429 40
    Encapsulated: req-hdr=0, req-body=3893
    << 1700821218429 2

    << 1700821218429 3893
    POST https://azwus1-client-s.gateway.messenger.live.com/v1/users/ME/conversations/8%3Alive%3A.cid.683105de39ad09e7/messages?x-ecs-etag=%22TJdh7w9M4rjcKALQCDOILU5%2FbFjuaAZ1fDld7Y1IwDo%3D%22 HTTP/1.1
    Host: azwus1-client-s.gateway.messenger.live.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
    Accept: application/json
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://web.skype.com/
    Authentication: skypetoken=eyJhbGciOiJSUzI1NiIsImtpZCI6IjVFODQ4MjE0Qzc3MDczQUU1QzJCREU1Q0NENTQ0ODlEREYyQzRDODQiLCJ4NXQiOiJYb1NDRk1kd2M2NWNLOTVjelZSSW5kOHNUSVEiLCJ0eXAiOiJKV1QifQ.eyJpYXQiOjE3MDA4MjA4MTcsImV4cCI6MTcwMDkwNzIxNCwic2t5cGVpZCI6ImxpdmU6LmNpZC42ZDA1Y2RjMGU4ZTRlMmE5Iiwic2NwIjo5NTYsImNzaSI6IjE3MDA4MjA4MTQiLCJjaWQiOiI2ZDA1Y2RjMGU4ZTRlMmE5IiwiYWF0IjoxNjk5MjQyODc3LCJhYWRfYXBwaWQiOm51bGx9.H1Fckg6CI4MTQqGofkHG_fkjyY99DDvXkCz2NsDRbVLFxbFYbl8v5ZCkpJkGtRRY4tud2U9YxYEUG9gozH7a1ucziUCLkCr7Wl05j1KkVknBD4xZkj3ixLWs7lLMBXhMW5VdvdEqVmo3colGN-04fZg1qTP0PdgsaeEkbKkusqQVXrxHWTDLx5v92yZb0Qx8ZI-HQ8uKb03PyFbKf5cH55f9YFgW1LN6hsDDOgIOVeoXblz5Dp5bpYDfydaal3Og0fLqM_VkAOVYrboE3zd7KmHFy_-QZU_uGJlDpDWb9HAIsRG8SjjaHS62QHKkC_evM4oBbuZz97Ybq8-VbNg1Kg
    RegistrationToken: registrationToken=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; expires=1700907214; endpointId={77977f05-3871-45da-bdc1-8ccd66dbb04d}
    ClientInfo: os=Windows; osVer=10; proc=x86; lcid=en-US; deviceType=1; country=VN; clientName=skype4life; clientVer=1418/8.108.0.205//skype4life; timezone=Asia/Bangkok
    BehaviorOverride: redirectAs404
    X-ECS-Etag: "TJdh7w9M4rjcKALQCDOILU5/bFjuaAZ1fDld7Y1IwDo="
    Content-Type: application/json
    Content-Length: 906
    Origin: https://web.skype.com
    Connection: keep-alive
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: cross-site

    << 1700821218429 5
    38A
    << 1700821218429 906
    {"clientmessageid":"11822949048799991983","composetime":"2023-11-24T10:20:16.881Z","content":"<URIObject uri=\"https://api.asm.skype.com/v1/objects/0-ea-d2-3b07298cb72adf9cc89db1c8a3bf01e5\" url_thumbnail=\"https://api.asm.skype.com/v1/objects/0-ea-d2-3b07298cb72adf9cc89db1c8a3bf01e5/views/original\" type=\"File.1\" doc_id=\"0-ea-d2-3b07298cb72adf9cc89db1c8a3bf01e5\">To view this file, go to: <a href=\"https://login.skype.com/login/sso?go=webclient.xmm&amp;docid=0-ea-d2-3b07298cb72adf9cc89db1c8a3bf01e5\">https://login.skype.com/login/sso?go=webclient.xmm&amp;docid=0-ea-d2-3b07298cb72adf9cc89db1c8a3bf01e5</a><OriginalName v=\"TEST_DLP_ND13 (2).txt\"></OriginalName><FileSize v=\"53446\"></FileSize></URIObject>","messagetype":"RichText/Media_GenericFile","contenttype":"text","imdisplayname":"Cuong Duy","receiverdisplayname":"Cuong Duy","amsreferences":["0-ea-d2-3b07298cb72adf9cc89db1c8a3bf01e5"]}<< 1700821218429 2

    << 1700821218429 3
    0
    << 1700821218429 2

    >> 1700821218429 70
    ICAP/1.0 204 No content
    Cache-Control: no-cache
    ISTag: "Vontu15.8"
    >> 1700821218429 2

    Thanks



  • 2.  RE: ProxySG Send ICAP No Content

    Posted Dec 04, 2023 10:52 AM

    Did you check this KB? 

    https://knowledge.broadcom.com/external/article/159592/does-dlp-web-prevent-server-support-the.html





  • 3.  RE: ProxySG Send ICAP No Content

    Posted Dec 05, 2023 02:24 AM

    Dear Muhammad,

    I saw that KB.

    But I used the same file to upload on drive.google.com and I have an incident for this file.

    I don't know why web.skype.com gets ICAP: No Content.

    Thanks




  • 4.  RE: ProxySG Send ICAP No Content

    Posted Dec 06, 2023 12:50 AM

    Hi Duy,

    I can see there is an Allow 204 code in your logs, and this is the same one that is highlighted in the technote: ICAP does not require any modification, therefore DLP Web is not able to capture the incident.




  • 5.  RE: ProxySG Send ICAP No Content

    Posted Dec 06, 2023 02:01 AM

    Hi Saqid,

    The strange thing is that everything is normal in my lab environment.
    I don't know where the problem lies.
    I created a support case and they said the problem is not with the Proxy.
    They are investigating further on DLP.

    Thanks
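
As a triage aid for traces like the one in the first post, the following added example (not from the thread or from Broadcom) parses a FileReader-style trace and reports whether `Allow: 204` was offered, which ICAP status came back, and how the size of the HTTP body handed to DLP compares with the `FileSize` declared inside that body. The sample trace, its host names and the `summarize` helper are constructed for illustration.

```python
import json
import re

# Constructed sample in the layout of the FileReader trace from the first post ("<<" is
# proxy-to-DLP, ">>" is DLP-to-proxy). Length fields are illustrative and not relied on.
TRACE = r"""<< 1700000000000 42
REQMOD icap://192.0.2.10/reqmod ICAP/1.0
<< 1700000000000 12
Allow: 204
<< 1700000000000 39
Encapsulated: req-hdr=0, req-body=76
<< 1700000000000 2

<< 1700000000000 76
POST https://chat.example.test/v1/messages HTTP/1.1
Content-Length: 131

<< 1700000000000 4
83
<< 1700000000000 131
{"content":"<URIObject doc_id=\"0-xx-1\"><FileSize v=\"53446\"></FileSize></URIObject>","messagetype":"RichText/Media_GenericFile"}<< 1700000000000 2

<< 1700000000000 3
0
>> 1700000000000 70
ICAP/1.0 204 No content
ISTag: "Vontu15.8"
"""

MARK = re.compile(r"(<<|>>) \d+ \d+\r?\n")  # also matches a marker fused to a body

def summarize(trace):
    parts = MARK.split(trace)[1:]                    # [dir, payload, dir, payload, ...]
    recs = list(zip(parts[0::2], parts[1::2]))
    sent = [p for d, p in recs if d == "<<"]
    reply = "".join(p for d, p in recs if d == ">>")
    # A record holding only a non-zero hex chunk size is followed by that chunk's data.
    body = "".join(data for size, data in zip(sent, sent[1:])
                   if re.fullmatch(r"[0-9A-Fa-f]+\s*", size) and int(size, 16) > 0)
    content = json.loads(body).get("content", "") if body.startswith("{") else ""
    declared = re.search(r'FileSize v="(\d+)"', content)
    status = re.search(r"^ICAP/1\.0 (\d{3})", reply, re.M)
    return {
        "allow_204": any(re.match(r"Allow:.*\b204\b", p) for p in sent),
        "icap_status": int(status.group(1)) if status else None,
        "body_bytes": len(body.encode()),
        "declared_file_size": int(declared.group(1)) if declared else None,
    }
print(summarize(TRACE))
```

In the trace posted above, the corresponding values are a 906-byte request body and a declared `FileSize` of 53446.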