How to test an http incident



Article ID: 159840


Updated On:


Data Loss Prevention Network Monitor


Is there a way to test HTTP incidents similar to the way SMTP incidents are tested?


Like the "\drop" folder, there is a "\drop\PacketCapture" folder (C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.00000\drop\PacketCapture). There may also be a sub-folder in the "\drop\PacketCapture" folder.

To test an HTTP incident the process is the following:

1. Create a test policy. 

NOTE: For the purposes of this test, you may want to create a simple keyword policy using "purplemonkey" (without quotes) as your keyword. Just remember to uncheck the "on whole words" box before saving the rule.

2. Check that your policy has been downloaded to the Network Monitor:

    a. Click on Administration (bottom box, left hand column) -> System -> Overview

    b. Click on the server name that is doing the monitoring (for example: PimaMonitor)

    c. Look at the "All Recent Events" box (right main window, lower right box area) and look for "Loaded policy..."

3. Create the necessary HTTP traffic to cause an incident.
4. Verify an incident is created.
5. From the Enforce UI, stop the File Reader on the network monitor.
6. Create the necessary HTTP traffic again.
7. Wait for a file of type .vpcap to appear in the "\drop\PacketCapture" folder or a sub-folder.
8. Copy the new file to a safe place.
9. From the Enforce UI, start the File Reader on the network monitor.
10. Verify a new incident is created.

The copied .vpcap can be used to create new incidents without having to generate the HTTP traffic again. Copy the file and then paste it into the "\drop\PacketCapture" folder.

NOTE: In Windows the .vpcap file cannot be dragged and dropped into the "\drop\PacketCapture" folder. Windows does not see a drag and drop as creating a new file, so the File Reader will not see the file and will not create a new incident.
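The wait-and-copy step and the replay note above, as an added PowerShell example (this is not code from the article or from the product): one function waits for a new .vpcap under the PacketCapture folder and copies it to an archive, the other replays a saved capture with Copy-Item so that a genuinely new file is created. It assumes the folder path quoted above, a hypothetical archive folder C:\DLPTest\vpcap, and that the File Reader accepts any *.vpcap file name.

```powershell
# Added example, not part of the article: save a captured .vpcap and replay it
# later by copying it into the PacketCapture folder.
# Assumptions: the PacketCapture path is the one quoted in the article;
# $ArchiveDir is a hypothetical "safe place"; the File Reader is assumed to
# accept any *.vpcap file name, so a timestamp is added to avoid collisions.
$PacketCaptureDir = 'C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.00000\drop\PacketCapture'
$ArchiveDir       = 'C:\DLPTest\vpcap'   # hypothetical archive location

# Wait up to $TimeoutSec for a .vpcap to appear in the folder or any sub-folder
# (run this with the File Reader stopped) and copy it to the archive.
function Save-NewVpcap {
    param([int]$TimeoutSec = 300)
    New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        $newest = Get-ChildItem -Path $PacketCaptureDir -Filter '*.vpcap' -Recurse -File |
                  Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if ($newest) {
            $saved = Join-Path $ArchiveDir $newest.Name
            Copy-Item -Path $newest.FullName -Destination $saved
            Write-Host "Saved $($newest.FullName) to $saved"
            return $saved
        }
        Start-Sleep -Seconds 5
    }
    throw "No .vpcap appeared under $PacketCaptureDir within $TimeoutSec seconds"
}

# Replay a saved capture. Copy-Item creates a new file, which is what the
# File Reader reacts to; Move-Item (or drag and drop on the same volume) only
# renames an existing entry and, as the NOTE above says, is not picked up.
function Invoke-VpcapReplay {
    param([Parameter(Mandatory)][string]$SavedVpcap)
    if (-not (Test-Path -Path $SavedVpcap -PathType Leaf)) {
        throw "Saved capture not found: $SavedVpcap"
    }
    $base  = [IO.Path]::GetFileNameWithoutExtension($SavedVpcap)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $PacketCaptureDir "$base-replay-$stamp.vpcap"
    Copy-Item -Path $SavedVpcap -Destination $dest
    Write-Host "Replayed $SavedVpcap as $dest; verify the new incident in the Enforce UI"
    return $dest
}

# Usage (File Reader stopped, test HTTP traffic generated):
#   $saved = Save-NewVpcap
#   ... start the File Reader from the Enforce UI ...
#   Invoke-VpcapReplay -SavedVpcap $saved
```

Whether an incident was actually created still has to be checked in the Enforce UI; the script only confirms that a new file landed in the folder.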



Additional Information

Please note that this applies only to Network Monitor and not to Web Prevent. Web Prevent detects on ICAP traffic, which is different from .vpcap or pcap files.