Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1413
Views
0
Helpful
2
Replies

Complex Conditions in Filters?

johnsmith1000
Level 1
Level 1

‎05-25-2013 09:40 PM

Could I code any complex regex conditions in a content filter beyond what the rules editor allows me to do?

For example, since now i know how to use a dictionary to lookup authorized senders for encrypting with CRES (thanks to an earlier responder), I need a condition such as this:

IF (msg flagged AND sender-from dictionary)
ENCRYPT
ELSE IF (msg flagged AND sender-not-in-dictionary)
BOUNCE with error to sender
ELSE
SEND UNENCRYPTED

Any suggestion?

Thanks.

Sent from Cisco Technical Support iPhone App

Labels:
0 Helpful
2 Replies 2

Alvaro J Gordon-Escobar
Cisco Employee
Cisco Employee

‎05-26-2013 07:03 AM

Hello John,

"Could I code any complex regex conditions in a content filter beyond what the rules editor allows me to do?"

No you can't, GUI or CLI the content fitlers do not allow for complex regex.  However, the CLI's message filters allow for 'else' and 'if not' statememts.  Unlike content filters,  message filters are not directional (inbound vs. outbound emails), so you have to define a direction for them.  If you do not,  the appliance will start to look at traffic coming from the internet and leaving for the internet.  This will increase load on the unit, as it has to look at all traffic.

The best way to accomplish this task would be via  an LDAP membership profile, and a special outbound mail policy, and your defuault catch all outbound mail policy.  A user can only match one mail policy, even if they exist in more than one. 

Steps I would take to  accomplish this task:

Most likely you already have an LDAP system,  this repository has all your users, and they are most likely already in buckets/groups.  

IT Admins

Accounts

Business

Guests

etc...

EncryptEmail -- new group

1.  you will need an LDAP profile on your appliance (system administration-- LDAP ) ## will control group membership queries, mail from, authentication .. among many other

2. create a group in your LDAP system called -- "EncryptEmail"  ##  -- name is yours to define,  add all your  users allowed to encrypt to the group.

2A-- create an LDAP group profile 'ldap_server'

2B --Create an LDAP group query 'ldap_server.group'

3. create an  outbound Encrypt filter that looks for the encrypt flag set to  \[SEND SECURE\] ##-- single escapes-- content filter will handle the second escape, or what ever flag you are actually looking for.

4. create an outgoing mail policy that will be for your 'ldap_server_profile.group-query.EncryptEmail' ###as people get added or removed,  your LDAP system membership will be altered'  you don't have to touch the mail policy again

(mail policies-- outgoing mail policies ADD LDAP Group Query  -- select your group query, and add the name of your group, example is using "EncryptEmail"),  when you click add it will look something like this

ldap_server.group-query.EncryptEmail

5. now activate your  -outbound Encrypt filter- only on the  your outbound mail policy that has the LDAP group on it.

NOTE:

Encryption will only be done for the people that match on your LDAP outbound mail policy, and have their subject flag on. Other traffic from these users will also match, but will not be encrypted.  Since content filters can be activated on different mail policies, you can also activate any other policy type content filter you have for all your users on this outbound policy too. By default it will enherit AS and AV Scanning, so you should not have to add them. if you have done something that stops this, then, please enable AS and AV on the new mail policy too.

Now to deal with the users that are not in your encrypt LDAP group,  and flagged/subject thier email for encryption 

\[SEND SECURE\]

6. on your default outbound mail policy,  create an new outbound mail content filter that has one conditions

6A Condition:  "looks for your encrypt flag/subject"

6B  First Action: if the flag/subject is found:  Notify action -- notify the sender and the administrator--

6C Second Action: if the flag/subject is found:  Bounce action --  this is final,  and the email will be returned.

7.  active your new content filter on the default 'catch all' outbound mail policy.

Submit and commit all your work a long the way.

you are done.  I strongly advice you to test the steps with a couple of testing mail policies that only have IT guys in the them.  once working, you can push the work to prod.

If you still want to do this via a message filter,

CLI -- filters-- new

you can use something like this:

====================================================

To_encrypt_NOT_encrypt:

if ((recv-listener == "InboundMail") AND (mail-from-dictionary-match("users_allow_encrypt")) AND (subject == "\\[SEND SECURE\\]"))

{

encrypt('encryption_profile');

}

else {

if ((subject == "\\[SEND SECURE\\]") AND (NOT mail-from-dictionary-match("users_allow_encrypt")))

{

notify("admin@domain.com, $EnvelopeSender");    

bounce();

}

}

====================================================

cheers,

-Alvaro

0 Helpful

johnsmith1000
Level 1
Level 1

‎06-10-2013 08:38 PM

Thanks Alvaro for your detailed comments. I agree LDAP is definitely a better choice, but due to some constraints in our environment, it does not work for us.

I'll consider your suggestion about The CLI approach.

Regards.

Sent from Cisco Technical Support iPhone App

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents