Data Loss Prevention

Hi All,

         I am new to Symantec DLP. In the process of evaluating the product, I am setting network monitor server.But I could not see any incidents. This is a single-tier setup.I followed the admin guide in setting up the network monitor server.But I could not see the incodents either through SMTP/Http protocols.Any suggestion where it went wrong...?

Thanks in Advance....

Hi Prasad,

If you run a sniffer on your DLP box, are you able to see SMTP and/or HTTP traffic? Have you imported a solution pack? Have you tried sending emails that would trigger some of the rules that are enabled?

-Chris

Hi Chris,

I did not run any sniffer on the DLP server.I have sent emails from the DLP server itself with the content that is created in the policy to see if any incident is created. But Nothing is triggered in the Incidents page. I created the same policy that is given in the Admin guide.Also I could see the error NO SMTP Traffice is captured in the logs of the network monitor server..

I also imported a solution pack....

Thanks in Advance.......

Have you confirmed that your SPAN port/network TAP is configured properly?

To check this, please install Wireshark on the DLP server and see if you can see all traffic passing through the switch, or just traffic destined to/from the DLP server itself.

Try this:

a) Make sure that you have your SPAN /  TAP port configured properly.

b) Ensure that the NIC card connected to the SPAN / TAP port is in promniscous mode.

c) Ensure that the promniscous mode NIC card is selected under System - Servers - Network Monitor server - Configure - Network Interfaces