Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1256
Views
0
Helpful
5
Replies

Problem for the creation an IronPort rule

pdo92
Level 1
Level 1

‎02-21-2019 06:21 AM - edited ‎02-21-2019 06:27 AM

Hello, 

 

I have a problem for create a complexe rule 

The goal is of deleting attachments less than 5Kb

 

I don't find that criteria, i find only an proceess for deleting the superior object (same even using drop-attachments-by-size)  not for deleting an inferior attachement 

 

Thank for you replies :) 

Labels:
0 Helpful
5 Replies 5

dmccabej
Cisco Employee
Cisco Employee

‎02-22-2019 10:44 AM - edited ‎02-25-2019 06:11 AM

Hello,

 

EDIT: Correction, this would look for any attachments larger than 5k and drop them. 

 

AttachmentSizeLessThan3KDrop: 
if (true){
drop-attachments-by-size(5000);}
.

 

Thanks!

-Dennis M.

0 Helpful

pdo92
Level 1
Level 1
In response to dmccabej

‎02-25-2019 12:46 AM

Hi Dennis,

 

thanks for your reply.

the action "drop-attachments-by-size" drop files only when the size is greater than the limit passed in argument.

We would like to be able to delete attachments when the size is smaller than the limit (for our example 5ko).

We tried in conditions with the variables $filesizes and $filenames but we did not manage to define the action corresponding to our need.

 

Thanks for your help.

0 Helpful

dmccabej
Cisco Employee
Cisco Employee
In response to pdo92

‎02-25-2019 06:10 AM - edited ‎02-25-2019 06:10 AM

Hello,

 

Thanks for the clarity. I must have been thinking in reverse the other day. ;)

 

In that case, perhaps something like this? 

 

Attachment-Size-Less-Than-3K:
if (attachment-size <= 3K){
drop-attachments-by-size(0);
log-entry("*** ATTACHMENT-SIZE-LESS-THAN-3K ***");
}

 

So, it would see if there's an attachment less than 3K in size, and then if that condition is met drop any attachments over size 0. Though keep in mind if you have any emails with multiple attachments, and one of them is less than 3K, it's going to drop them all. 

 

I wouldn't really recommend this for production, but perhaps it might help in your particular use case?

 

 

Thanks!

-Dennis M.

0 Helpful

pdo92
Level 1
Level 1
In response to dmccabej

‎02-25-2019 06:28 AM

 Hi Dennis,

I had seen this possibility but effectively all the attachments will be deleted.

In our need we would need to delete only small image attachments even if the message contains multiple attachments.

it's a rather complicated need :(

 

Regards

 

 

 

0 Helpful

dmccabej
Cisco Employee
Cisco Employee
In response to pdo92

‎02-25-2019 07:46 AM

In theory, you could use drop-attachments-by-filetype and use image, but that still would drop every image in an email and not just the smaller ones.  You could also try by MIME type if there's a certain type to the smaller images you're looking for.

 

https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_01000.html#con_1137059

 

Sounds like it may not be currently possible though.

 

Thanks!

-Dennis M.

0 Helpful
Customers Also Viewed These Support Documents