Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1635
Views
0
Helpful
3
Replies

ESA - not stripping attachments based on custom Dictionary

costacadmins
Level 1
Level 1

‎06-08-2016 08:07 AM

We currently have a filter setup for "malicious file extensions", with several conditions/actions entries that works. The issue is it is very cumbersome to manage/add additional extensions. I also read that this setup is a CPU hog due to the amount of conditions/actions it has to go thru for that filter.

What I'm trying to do: create a dictionary list and then strip based on that.  Dictionary list is very easy to update/add to.

Example that works with tons of individual file extension entries:

Condition :"attachment file info"  "ends with (?i)\.js" 

Action:  "strip attachment by file info"  "ends with (?I\.js"

Example of what doesn't work:

condition: "attachment file info" " Filename contains term in content dictionary: "bad-extensions"

action: "strip attachment by content"   Attachment contains term in content dictionary: "bad-extensions"

Under actions, it doesn't let you tie it to a dictionary for "strip attachment by file info".  Only for "strip attachment by "content".  I feel like that is the issue.

* I read that the Dictionary uses regular expressions.   I've tried both \.jar$ and \\.jar$ and it doesn't matter.

Any assistance would be greatly appreciated.

Thanks

Labels:
dictionary.jpg
Preview file
62 KB
incoming_filter.jpg
Preview file
93 KB
0 Helpful
3 Replies 3

Mathew Huynh
Cisco Employee
Cisco Employee

‎06-08-2016 05:15 PM

Hello Costacadmins,


I personally do not use dictionaries as often for these types of setup.

What i would personally suggest is:

Condition: Attachment File info -> Filename -> Contains -> (?i)\.(js|jar|scr|exe|vbs)$  (add more with | to seperate it)


Action, use the same syntax you had for your condition (copy and paste that text box) for the strip attachment by filename rule.

This should meet your requirements without use of a dictionary.

Regards,

Matthew

0 Helpful

costacadmins
Level 1
Level 1
In response to Mathew Huynh

‎06-09-2016 04:06 AM

Matthew,

I appreciate the response.

I was able to figure out the method you posted by reading a few of the other forum posts yesterday.  It works, but the possibility for error when updating seems increased compared to just adding an additional dictionary term.

The method works though, and we will use it.

Thanks.

0 Helpful

Mathew Huynh
Cisco Employee
Cisco Employee
In response to costacadmins

‎06-09-2016 04:32 PM

Hello,

Apologise that I cannot assist in getting the dictionary to work. I personally do not use the dictionary for such filter rules as I have seem them not work to the requirements I seeked, though they do accept regex, I have seem some users incorporate \b boundaries on them as well.

Regards,

Matthew

0 Helpful
Top