Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1175
Views
0
Helpful
3
Replies

finding out what item in a dictionary is firing?

Go to solution
ed.sherratt
Level 1
Level 1

‎09-09-2016 03:17 AM

Hi,

We have an incoming content filter that is used to quarantine suspicious mails, based on Attachment name, sender, and body content dictionaries, as well as a couple of other items.

These have grown over time, particularly with the recent macro malware runs, and we've now the situation where valid mails are being captured and the default logs are not showing us why.

If it's a straightforward phrase in the body, or a sender then it's displayed in the quarantine and I can remove the offending item, if it's in the attachment then nothing .

How do I find out the particular dictionary/filter entry that is causing the capture if it's not shown on the Quarantine GUI? It's not in CLI message logs either, which just details the name of the filter or dictionary, not the individual entry.

Any help appreciated, as we're currently capturing boarding passes for JSON content for absolutely no reason I can see -  much to the disgust of users, although it's saving printer toner.

Thanks

Ed

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Libin Varghese
Cisco Employee
Cisco Employee

‎09-09-2016 06:17 AM

Hi Ed,

The best way to accomplish this would be to add a filter action to add a lot entry.

Add log entry: $MatchedContent

The usage of the action variable is: Returns the content that triggered a scanning filter rule (including filter rules such as body-contains and content dictionaries).

This would work for body and attachment content matches, however sender recipient matches would need to be manually reviewed.

Thanks
Libin

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Libin Varghese
Cisco Employee
Cisco Employee

‎09-09-2016 06:17 AM

Hi Ed,

The best way to accomplish this would be to add a filter action to add a lot entry.

Add log entry: $MatchedContent

The usage of the action variable is: Returns the content that triggered a scanning filter rule (including filter rules such as body-contains and content dictionaries).

This would work for body and attachment content matches, however sender recipient matches would need to be manually reviewed.

Thanks
Libin

0 Helpful

Go to solution
ed.sherratt
Level 1
Level 1
In response to Libin Varghese

‎09-12-2016 04:03 AM

Thank You Libin,

I'll look into this and let you know how it goes.

Regards,
Ed

0 Helpful

Go to solution
ed.sherratt
Level 1
Level 1
In response to ed.sherratt

‎09-13-2016 04:35 AM

Hi Again,

Thanks for that, it's not perfect as you said, but a lot better visibility than I had.

Regards,

Ed

0 Helpful
Customers Also Viewed These Support Documents