cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
seetha123
Level 7
Report Inappropriate Content
Message 1 of 3
‎11-03-2019 10:34 PM

Identify files in Personal Network Storage SItes

Hi,

Im using MWG of 7.8.2. We have allowed Upload/Download for users in Personal network STorage category websites. Now my management wants to see what files are getting uploaded and downloaded in such websites. How to view that? ANy rule set we want to enable for that?

Please help.

0 Kudos
Reply
2 Replies
aloksard
Employee
Employee
Report Inappropriate Content
Message 2 of 3
‎11-05-2019 07:13 PM

Re: Identify files in Personal Network Storage SItes

Hi,

Hope you are doing well.

 

I was able to get a rule set configured in order to get name of the files uploaded with some testing. Content-Disposition is the field which contains name of the files uploaded in majority of the cases.

 

I did testing with few websites like https://dlptest.com/https://files.fm/https://uploadfiles.io/  etc and was successfully to see the name of the files uploaded in access.log.

 

NOTE:- Make sure you have SSL Scanner enabled in order to inspect HTTPS traffic and enable composite opener rule enabled as well.

 

 

Please do the following modification in the rule mentioned in below:

 

Step1: Please enable the rule called " Enable composite opener".

 

Step 2: Please create a new rule called " test"  under the enable composite opener rule.

 

Step3: In the new rule " Test " the criteria we need to add should be mentioned in below:

 

Body.HasMimeHeader(String) -> equals -> true.

 

NOTE: Parameter value that needs to add in property "Body.HasMIMEHeader"  should be mentioned in below:

Body.HasMimeHeader(String) -> parameters -> parameter value -> Content-Disposition

 

AND

 

Body.HasMimeHeaderParameter (String,String) ->  true

 

NOTE: Parameter value that needs to add in property "Body.HasMimeHeaderParameter"  should be mentioned in below:

Body.HasMimeHeaderParameter (String,String) -> Parameters -> Parameter value -> Name (string)

-> Content-Disposition. and MIME Parameter name -> filename.

 

NOTE: I have shared a snapshot of the rule along with this email.

 

 

Step4: In same test rule inside the event tab we need to write those parameter values for that we have configured the below:

 

Test rule -> Event -> Add -> User-defined.log -> Body.HasMimeHeaderParameter (String,String) -> Parameters -> Parameter value -> Name (string)  -> Content-Disposition. and

MIME Parameter name -> filename.

 

NOTE: Please find the ruleset snapshot attached along with this email

 

Step5: Policy --> Ruleset --> LogHandler --> Access.log --> Write.access.log --> Edit --> Events --> Edit -->

Add --> Parameter Property -->  User-defined.log (We are calling this property which has configured ) --> Add

--> Parameter value --> " (add this symbol).

 

 

Step 6:- Go to Policy->Settings-> File System Logging-> Access Log configuration-> Log Header-> at end add filename.

 

 

NOTE: Please re-arrange the properties as defined in the snapshot attached along with this email.

 

 

Please refer attached screenshots. Above steps can be taken as a reference point.

 

Regards

Alok Sarda

0 Kudos
Reply
aloksard
Employee
Employee
Report Inappropriate Content
Message 3 of 3
‎11-05-2019 07:15 PM

Re: Identify files in Personal Network Storage SItes

Hi,

Also if you are pushing the access.log to CSR then in CSR as well we need to do some modifications.


Also attaching rule set which is specially logging the file names uploaded to Dropbox and Google Drive, you need can import this rule in your MWG and then test.

 

Regards
Alok Sarda

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC