000031366 - Advanced Troubleshooting steps for DLP Network Sensor

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000031366
Applies To: RSA Product Set: DLP
RSA Product/Service Type: DLP Network
RSA Version/Condition: No events from Sensor
Platform: CentOS
O/S Version: 6
 
Issue: The DLP Sensor is configured, all networks and protocols have been configured, and traffic is being sent to the sensor.
The correct policies have been applied and have been confirmed to be working. Still, no events are generated by the sensor.
Tasks: To debug, take the following steps. First find out which protocol is not producing events.
1. Work with the network team to make sure the IP addresses in question fall into the correct subnet (the networks configured on the sensor).
2. Confirm that the host IP addresses have not changed (relevant if events were generated before and have stopped).
3. Traffic must be in the clear. The sensor cannot inspect encrypted data, so HTTPS or TLS-enabled sessions will not produce events.
Identify the service for the protocol in question: for HTTP traffic the service is called passivehttp, and for email it is passivesmtp.
Log on to the sensor, open a command prompt, and type: moncmd debug <service> on
Then type: conwatch -n 10

The debug output will show every session received by the sensor.
Run your tests from a client machine and watch for the client IP address. If it is missing, work with the network team to find out why traffic from that IP is not reaching the sensor.
If you see the client IP and still get no event, check whether the network uses asymmetric routing. For a session to be captured for analysis, the sensor must see the full session, that is, both directions of the traffic.
After testing is complete, turn off debugging for the service:
moncmd debug <service> off
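The following script is an added example written for this article; it is not part of the RSA product or of the original KB text. It wraps the two commands from the procedure above (moncmd debug <service> on/off and conwatch -n 10) so that debug is always switched off again, and it parses captured debug output for the Client/Server pair of each analyzed session, so you can tell at a glance whether your test client ever reached the sensor. It assumes the conwatch output is redirected to a file and that session lines end in Client: "<ip>", Server: "<ip>" as in the sample shown in the Notes section; the sample log embedded in the script is constructed for this example and its hosts and addresses are made up.

```shell
#!/usr/bin/env bash
# Added example (not from the RSA article): triage helper for the
# "no events from sensor" procedure. Assumes debug output from
# 'conwatch -n 10' has been captured to a file, and that analyzed sessions
# are logged with 'Client: "<ip>", Server: "<ip>"' as in the Notes sample.

# Print "client server" for every analyzed session in a captured debug log.
session_clients() {
    sed -n 's/.*Client: "\([^"]*\)", Server: "\([^"]*\)".*/\1 \2/p' "$1"
}

# Number of sessions the sensor actually analyzed. Only full sessions get
# this far; one-directional traffic caused by asymmetric routing does not.
session_count() {
    grep -c 'Analyzing (passive)' "$1" || true
}

# Exit 0 if the given IP appears as the Client of at least one session.
client_seen() {
    session_clients "$1" | awk -v ip="$2" '$1 == ip { found = 1 } END { exit !found }'
}

# Map the result onto the article's decision: client missing -> network
# team; client present but no DLP event -> re-check policy / asymmetric routing.
triage() {
    local log=$1 client=$2
    if client_seen "$log" "$client"; then
        echo "client $client reached the sensor as a full session: if no DLP event followed, re-check the policy and look for asymmetric routing"
        return 0
    fi
    echo "client $client never appeared in $(session_count "$log") analyzed session(s): work with the network team on why its traffic is not reaching the sensor"
    return 1
}

# On the sensor: enable debug for passivesmtp or passivehttp, capture the
# conwatch output to a file while you run the test, and switch debug off
# again when the script ends (also after Ctrl-C). Assumes moncmd and
# conwatch are on the PATH, as they are on the sensor itself.
debug_capture() {
    local service=$1 out=$2
    moncmd debug "$service" on
    # Double quotes expand $service now, so the trap still has it after
    # this function's locals are gone.
    trap "moncmd debug $service off" EXIT
    conwatch -n 10 | tee "$out"
}

# Constructed sample log modeled on the Notes section; hosts, addresses
# and IPs are made up for this example.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
09-29 14:21:09 INFO  NW_902   sensor1.example.com      PassiveSMTP0     #### debug: True
09-29 14:23:06 DEBUG NW_901   sensor1.example.com      PassiveSMTP0     [FLOW.Event] [Content ID: 1443568986.0000_smtp] Analyzing (passive) SMTP Session. Mail From: alice@example.com, Mail To: [u'bob@example.org'], Subject: DLP Sensor Test, Client: "10.1.2.3", Server: "10.3.2.1"
09-29 14:23:40 DEBUG NW_901   sensor1.example.com      PassiveSMTP0     [FLOW.Event] [Content ID: 1443569020.0000_smtp] Analyzing (passive) SMTP Session. Mail From: carol@example.com, Mail To: [u'dave@example.org'], Subject: quarterly report, Client: "10.1.2.7", Server: "10.3.2.1"
EOF

# On a real sensor:
#   debug_capture passivesmtp /tmp/smtp-debug.log   # Ctrl-C after the test send
#   triage /tmp/smtp-debug.log 10.1.2.3
# Off the sensor (no moncmd), run the triage against the constructed sample.
if ! command -v moncmd >/dev/null 2>&1; then
    session_clients "$SAMPLE_LOG"
    triage "$SAMPLE_LOG" 10.1.2.3
    triage "$SAMPLE_LOG" 192.0.2.99 || true
fi
```

Run debug_capture first, send your test mail or upload, then interrupt conwatch with Ctrl-C; the EXIT trap turns debug off so the service is not left in debug mode. Then run triage with the IP of the client you sent from: a client that never appears is a network delivery problem, while a client that appears as a full session but produces no DLP event points at the policy or at asymmetric routing, which is the same split the procedure above makes.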
 
Notes: Example of enabling debug for the SMTP service.
Command used:   moncmd debug passivesmtp on
Message displayed to confirm debug is enabled, followed by a debug line for one analyzed session:
09-29 14:21:09 INFO  NW_902   sensor1.ribeye.com       PassiveSMTP0     #### debug: True
9-29 14:23:06 DEBUG NW_901   sensor1.ribeye.com       PassiveSMTP0     [FLOW.Event] [Content ID: 1443568986.0000_bd3c42d8-382b-4856-8ffd-14f0a7d7274a_smtp] Analyzing (passive) SMTP Session. Mail From: johndoe@ribeye.com, Mail To: [u' joedoe@.company.com'], Subject: DLP Sensor Test, Client: "10.1.2.3", Server: "10.3.2.1"
In this case, Client is the IP address on the originating network and Server is the IP address on the destination network.
 
