Data Loss Prevention


Running DLP 11.5 in a LAB environment (NW Monitor) no incidents reported.

  • 1.  Running DLP 11.5 in a LAB environment (NW Monitor) no incidents reported.

    Posted May 31, 2012 04:19 PM


     I followed a test scenario listed in the DLP admin guide using a secret word "test_vontu_secret_keyword". The odd thing about it is the following:

    * If I send an email from an endpoint using Gmail or Hotmail, the incident is reported under the "Endpoint" tab and not under the "Network" tab. Is this the way it should work?

    * If so, what would be another way to test it if I don't have any IM protocols in our LAB environment?


    Thanks for your help!

    Dennis



  • 2.  RE: Running DLP 11.5 in a LAB environment (NW Monitor) no incidents reported.
    Best Answer

    Posted May 31, 2012 04:30 PM

    Network Monitor in a lab environment...there are a few ways to do this.  Understand that in a live environment, Network Monitor is getting traffic via a tap, which you're likely not going to be able to do in a Lab.  So there are two main ways to "send" traffic to a network monitor outside of that:

    (1) Drop an email file (.eml) into the drop folder on the Network Monitor.  It will get picked up and processed by the server.

    (2) Set up a replay of a PCAP file that you've captured off your network (if you're comfortable with loading live traffic into your lab).  This will effectively replay that packet capture indefinitely.

    Start with the first method...it's the easiest way to do this.

    ~Keith

    P.S. As for your question about whether it's normal for this to be reported as an Endpoint incident: yes, if the incident was detected by the Endpoint Agent, which is what you have done, then it gets reported as an Endpoint Incident.  You're obviously monitoring HTTP with the agent.
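For method (1) above, the file you drop has to be a properly formed .eml or the monitor has nothing sensible to parse. The script below is an added example (not from Keith's reply and not Symantec's own tooling) that builds such a message with the admin-guide keyword from the question in both the body and a text attachment, parses it back as a sanity check, and writes it atomically so a polling monitor never sees a half-written file. The drop folder path is a placeholder read from `DLP_DROP_FOLDER`; the real location comes from your DLP admin guide.

```python
"""Build and drop a well-formed .eml test message for a DLP Network Monitor.

Added example for the thread above, not Symantec code. DROP_FOLDER is a
placeholder; set DLP_DROP_FOLDER to the monitor's real drop folder.
"""
import os
import tempfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import formatdate, make_msgid
from pathlib import Path

# Keyword from the admin-guide test scenario quoted in the question.
TEST_KEYWORD = "test_vontu_secret_keyword"

# Placeholder (assumption): replace with the Network Monitor's real drop folder.
DROP_FOLDER = Path(os.environ.get("DLP_DROP_FOLDER", "./dlp-drop-placeholder"))


def build_test_eml(keyword: str = TEST_KEYWORD,
                   sender: str = "lab-sender@example.com",
                   recipient: str = "lab-recipient@example.com") -> bytes:
    """Return RFC 5322 bytes for a multipart message that carries the keyword
    in the plain-text body and again in a small text attachment, so body and
    attachment inspection can both be checked from one dropped file."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "DLP lab test message"
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid(domain="lab.example.com")  # constructed domain
    msg.set_content(f"Lab test. The protected phrase is: {keyword}\n")
    attachment = f"Attached copy of the phrase: {keyword}\n".encode()
    msg.add_attachment(attachment, maintype="text", subtype="plain",
                       filename="dlp-test.txt")
    return msg.as_bytes()


def contains_keyword(raw: bytes, keyword: str = TEST_KEYWORD) -> dict:
    """Parse the .eml back and report where the keyword actually appears.
    Run this before blaming the monitor for a missed incident."""
    parsed = message_from_bytes(raw, policy=default)
    body = parsed.get_body(preferencelist=("plain",))
    in_body = body is not None and keyword in body.get_content()
    in_attachment = any(
        keyword in part.get_content()
        for part in parsed.iter_attachments()
        if part.get_content_maintype() == "text"
    )
    return {"body": in_body, "attachment": in_attachment,
            "subject": parsed["Subject"]}


def write_to_drop_folder(raw: bytes, folder=DROP_FOLDER) -> Path:
    """Write to a temp name in the same directory, then rename: the monitor
    may poll the folder, and a rename is atomic so it never picks up a
    partially written .eml."""
    folder = Path(folder)
    folder.mkdir(parents=True, exist_ok=True)
    fd, tmp_name = tempfile.mkstemp(prefix=".tmp-", dir=folder)
    with os.fdopen(fd, "wb") as fh:
        fh.write(raw)
    final = folder / f"dlp-test-{os.getpid()}.eml"
    os.replace(tmp_name, final)
    return final


def demo_roundtrip() -> bool:
    """Write a test message into a scratch directory and confirm the file on
    disk is byte-identical to what was built. Returns True on success."""
    raw = build_test_eml()
    scratch = Path(tempfile.mkdtemp(prefix="dlp-lab-"))
    written = write_to_drop_folder(raw, scratch)
    ok = written.suffix == ".eml" and written.read_bytes() == raw
    written.unlink()
    scratch.rmdir()
    return ok


if __name__ == "__main__":
    eml = build_test_eml()
    print(contains_keyword(eml))
    print("wrote", write_to_drop_folder(eml))
```

If the monitor still reports nothing after the file is consumed from the drop folder, check the policy's keyword rule against `contains_keyword` output first: a keyword that is only in a base64-encoded attachment exercises a different part of the content extraction than one in the plain body.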