How to write an L7 IP filter


Article ID: 160162

Products

Data Loss Prevention Network Monitor, Data Loss Prevention Enforce

Issue/Introduction

Information on writing an L7 IP filter.

Resolution

Subnetwork description := <network address>/<subnet bitmask size> | *

Each stream is evaluated in order against the filter entries until an entry matches the stream's destination and source IP addresses. A minus sign (-) at the start of an entry means that a matching stream is dropped; a plus sign (+) at the start of an entry means that a matching stream is kept. A subnet description of an asterisk (*) matches any address. A subnet bitmask size of 32 means that the entry matches only that exact address.

For example, the filter +,10.67.0.0/16,*;-,*,* keeps all streams going to the 10.67.x.x network and drops all other traffic.

The more specific you are when you define the recognition characteristics, the more specific your results. For example, if you define one specific IP address, only incidents involving that IP address are captured. If you do not define any IP addresses, or if you define a wide range of IP addresses, you achieve broader results.

Vontu recommends that you add at least one plus sign (+) clause and one minus sign (-) clause to be more explicit about what is included and excluded.

Example:

Let's say that you want to drop all FTP traffic to IP 192.140.1.34 and capture all FTP traffic for other addresses.

As per the online help: Protocol Filter Entry := -|+,<destination subnetwork description>,<source subnetwork description>

Therefore, if we break down the request and then recombine it:

Drop all FTP traffic to IP 192.140.1.34

This resolves to: exclude traffic to <destination> 192.140.1.34 from anywhere <source>

Therefore: -,192.140.1.34/32,*;

Capture all FTP traffic for other addresses: +,*,*

Or, in a single line: -,192.140.1.34/32,*;+,*,*

Is it possible that the traffic you are seeing is outbound from 192.140.1.34?

In this case we might want to try: -,192.140.1.34/32,*;-,*,192.140.1.34/32;+,*,*
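To check how a filter string behaves before deploying it, the following added example (not Vontu/Symantec code) parses the entry grammar above and evaluates sample streams against it with the first-match semantics the article describes. It assumes that a stream matching no entry is undecided (the article defines no default, which is why a final catch-all clause is recommended), and it rejects network addresses whose host bits are set, an added strictness check.

```python
import ipaddress
from typing import List, Optional, Tuple

# Protocol Filter Entry := -|+,<destination subnetwork description>,<source subnetwork description>
# Subnetwork description := <network address>/<subnet bitmask size> | *
# Entries are separated by ';' and evaluated in order; the first matching entry decides.
Entry = Tuple[bool, Optional[ipaddress.IPv4Network], Optional[ipaddress.IPv4Network]]


def parse_subnet(text: str) -> Optional[ipaddress.IPv4Network]:
    """'*' (any address) is returned as None; otherwise parse 'address/bits'."""
    text = text.strip()
    if text == "*":
        return None
    # strict=True rejects e.g. 10.67.1.0/16, whose host bits are set; this is an
    # assumed safety check, not something the article requires.
    return ipaddress.IPv4Network(text, strict=True)


def parse_filter(spec: str) -> List[Entry]:
    """Parse a full filter string such as '-,192.140.1.34/32,*;+,*,*'."""
    entries: List[Entry] = []
    for raw in spec.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing ';' as in '-,192.140.1.34/32,*;'
        action, dst, src = raw.split(",")
        if action not in ("+", "-"):
            raise ValueError(f"entry must start with + or -: {raw!r}")
        entries.append((action == "+", parse_subnet(dst), parse_subnet(src)))
    return entries


def matches(net: Optional[ipaddress.IPv4Network], addr: str) -> bool:
    """A None network matches any address; a /32 network matches one exact address."""
    return net is None or ipaddress.IPv4Address(addr) in net


def evaluate(entries: List[Entry], dst: str, src: str) -> Optional[bool]:
    """True = stream kept, False = stream dropped, None = no entry matched (assumed default)."""
    for keep, dst_net, src_net in entries:
        if matches(dst_net, dst) and matches(src_net, src):
            return keep
    return None


if __name__ == "__main__":
    # Constructed sample streams (destination, source) run through the article's final filter.
    rules = parse_filter("-,192.140.1.34/32,*;-,*,192.140.1.34/32;+,*,*")
    for dst, src in [("192.140.1.34", "10.1.1.1"), ("10.1.1.1", "192.140.1.34"), ("10.1.1.1", "10.2.2.2")]:
        print(f"{src} -> {dst}: {'keep' if evaluate(rules, dst, src) else 'drop'}")
```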