How to set up Script Lookup utilizing a Python script

Article ID: 159900

Products

Data Loss Prevention Enforce

Issue/Introduction

How to set up a script lookup utilizing a Python script.

Resolution

Script Lookup setup, usage and testing are outlined in the Lookup Plugin Guide.

Here is an example of how a script deployment could be set up.
 
Disclaimer:

This script is provided for educational purposes only and is not supported by Symantec Support Services. We do not guarantee that it will work for you. For deployment in production you would have to create, test and deploy your own custom script. Due to the differences in the way text editors, e-mail packages and operating systems handle text formatting (spaces, tabs and carriage returns), this script may not be in an executable state when you first receive it. Check over the script to ensure that errors of this type are corrected.
 
Basics
 
The following setup assumes that you have a Python script named ip-lookup.py, which is used here as a sample for demonstration purposes. Bear in mind that you will need to adapt this to your scripting environment of choice. To enable the script lookup plug-in for the first time with minimum features and dependencies, follow these steps.
 
Property Files
 
Configure Plugins.properties in /Vontu/Protect/config as follows:

com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Script Lookup
com.vontu.plugins.execution.chain=com.vontu.lookup.script.ScriptLookup
com.vontu.lookup.script.ScriptLookup.properties=ScriptLookup.properties

Create a scripts folder in /Vontu/Protect/plugins/

Copy the ip-lookup.py script file to /Vontu/Protect/plugins/scripts
If this is a Windows system, download the Python 2.5.1 Windows installer from http://www.python.org/download/ and install it to c:/python25
In the example, the script has the referenced username hard-coded for testing purposes.
 
Configuration
 
Configure /Vontu/Protect/config/ScriptLookup.properties as follows:

Windows Setup
 
script.1.command=c:/python25/python.exe
script.1.custom.args=-u,c:/Vontu/Protect/plugins/scripts/ip-lookup.py
 
Linux Setup
 
script.1.command=/usr/bin/python
script.1.custom.args=-u,/opt/Vontu/Protect/plugins/scripts/ip-lookup.py
 
Script Sanity Testing
 
The script should be tested for basic sanity before running it on Enforce.
Any attributes that Enforce would pass can be stubbed out and passed on the command line:
<script command> <stubbed out attributes>
 
c:\python25\python.exe -u c:\Vontu\Protect\plugins\scripts\ip-lookup.py sender-ip=74.125.19.99
 
The script prints the attributes it resolved as name=value pairs, one per line:

host-name=company.com
user-name=VontuUser
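To make the calling convention concrete, here is an added example script in the same shape as the page's ip-lookup.py (it is not the article's script, which is not reproduced here). Enforce, or you at the command line as in the sanity test above, passes incident attributes as key=value arguments; the script prints the attributes it resolved as key=value lines on stdout. The IP-to-host table is constructed sample data standing in for a real DNS or directory query, and the function names are this example's own. The sanity-test command line above produces the two output lines shown.

```python
# Added example: a minimal Script Lookup script in the style of the page's
# ip-lookup.py. Enforce (or a tester at the command line) passes incident
# attributes as key=value arguments; the script prints the attributes it
# resolved as key=value lines on stdout. Written to run under Python 2 or 3.
import sys

# Constructed sample data: sender IP -> (host name, user name).
# A real deployment would replace this with a DNS or directory query.
SAMPLE_DIRECTORY = {
    "74.125.19.99": ("company.com", "VontuUser"),
    "10.0.0.7": ("wks07.corp.example", "jdoe"),
}


def parse_attributes(args):
    """Turn ['sender-ip=1.2.3.4', 'x=a=b'] into {'sender-ip': '1.2.3.4', 'x': 'a=b'}.

    Splits on the first '=' only, so values may themselves contain '='.
    Arguments without '=' or with an empty key are ignored rather than
    aborting the whole lookup."""
    attrs = {}
    for arg in args:
        if "=" not in arg:
            continue
        key, value = arg.split("=", 1)
        key = key.strip()
        if key:
            attrs[key] = value
    return attrs


def lookup(attrs, directory=SAMPLE_DIRECTORY):
    """Resolve 'sender-ip' to the custom attributes Enforce will populate.

    The keys returned are the custom attribute names as created in Enforce
    and must match them exactly. An unknown or missing IP yields an empty
    result, so the incident simply gets no values rather than wrong ones."""
    ip = attrs.get("sender-ip", "").strip()
    if ip not in directory:
        return {}
    host, user = directory[ip]
    return {"host-name": host, "user-name": user}


def format_output(result):
    """Render results as one 'attribute=value' line each, the form read from
    the script's stdout. A newline inside a value would be taken as a new
    attribute line, so line breaks are replaced with spaces."""
    lines = []
    for key in sorted(result):
        value = str(result[key]).replace("\r", " ").replace("\n", " ")
        lines.append("%s=%s" % (key, value))
    if not lines:
        return ""
    return "\n".join(lines) + "\n"


def main(argv):
    attrs = parse_attributes(argv[1:])
    sys.stdout.write(format_output(lookup(attrs)))
    # Flush explicitly as well as relying on the -u (unbuffered) flag in
    # ScriptLookup.properties, so Enforce never waits on buffered output.
    sys.stdout.flush()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two points worth checking against your own script: the `-u` flag in script.1.custom.args runs Python with unbuffered stdout, so the key=value lines reach Enforce as soon as they are written; and the attribute names the script prints must be spelled exactly as the custom attributes are created in Enforce, or the values will not be populated.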
 
Enable Enforce
 
Create a new Attribute Group: User Identity Resolution
Create the following custom attributes.
 
host-name
username
 
Recycle the Manager Service
Generate some incidents and verify that they contain the populated custom attributes.


This should be a good starting point. As you can see, you can write the lookup program in essentially any programming language, as long as the configuration file correctly reflects the calling convention of your program.