- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
10-03-2012 04:17 AM
Does anyone try to use the data filter function to block the keyword which sent by hotmail or outlook? I defined a policy to alert those sent by hotmail or outlook mail, I could see the event happened in data filter log but cannot see the full mail content/body. Does anyone know PA support to see the mail content or not?
10-04-2012 01:20 AM
I doubt it can do this today because PA doesnt buffer emails and such.
When dealing with DLP you act on a stream but each packet is (often) not more than 1500 bytes.
So when the DLP triggers most likely only the packet (or few packets before that) are still in the memory and can be dumped to the log.
Personally I would combine DLP with proxyservers to achive what you want. In your case a MTA such as Ironport (or whatever you like) placed in DMZ.
For example a setup like:
1) Traffic inside -> DMZ, alert DLP.
2) DMZ-server, take full dump when signatures triggers.
3) Traffic DMZ -> outside, block DLP.
There is a pcap feature you can attach to signatures (which might help you identify a specific email) but the built in pcap will only save first 100 bytes of each packet (if im not mistaken) and also you might end up in situations where the mailheader is long gone when the DLP triggers.
Like assume someone sends a 25MB email and the DLP signature triggers at the last packet (the last packet had the keyword you were searching for) - then only the last few kilobytes will be in the pcap file (and not the whole 25MB unless something changed recently).
Also by hotmail do you mean someone using IMAP/SMTP/POP3 or using webbrowser? Otherwise if its IMAP/SMTP/POP3 I can agree with you it would be a nice feature if the PA could log the mailheader (optional) when creating for example a DLP signature acting on mailtraffic.
10-04-2012 06:44 PM
Thank you for your information.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!