DBO
Level 9

Alert on Filter by Expression?

Is it possible to receive an email alert when WW blocks a link using URL Filter\Filter by expressions? I am blocking some executables like \card.exe, but it would be nice to receive an alert.

This is with 6.8.7 build 9396

0 Kudos
23 Replies
eelsasser
Level 15

Re: Alert on Filter by Expression?

You can create a custom action in the Action Editor that includes an email alert.

Back a copy of the Block Action and rename it to Block-Email

Set the

Action1.jpg

Set the parameters:

Action2.jpg

Change the action in the filter by expression:

Block1.JPG

And the results are an email you should receive:

Email.JPG

It's a lot easier to do in MWG7.

0 Kudos
nsgmike
Level 7

Re: Alert on Filter by Expression?

How do you do this in MWG 7?

Thanks

0 Kudos
eelsasser
Level 15

Re: Alert on Filter by Expression?

Here's an example of how I'd do it in 7. I just added the events to the Media Type Block Rule.

Enabled
Block Types From List General Download Media Type Blocklist
1: MediaType.EnsuredTypes at least one in list General Download Media Type Blocklist
Block<MediaType (block list)>
Statistics.Counter.Increment("BlockedByMediaFilter",1)<Default>
Set User-Defined.emailBody =
     "Dear Administrator," +
     String.CRLF +
     "Content was blocked by the media filter." +
     String.CRLF +
     "URL: " +
     URL +
     String.CRLF +
     "Media Type: " +
     MediaType.ToString(MediaType.FromHeader) +
     String.CRLF +
     "User: " +
     Authentication.UserName +
     String.CRLF +
     "Date: " +
     DateTime.ToWebReporterString
Email.Send("god@lordchariot.com","Blocked Content Alert",
User-Defined.emailBody)<SMTPServer>


This is what the email output would look like:

Image1.gif

0 Kudos
ittech
Level 13

Re: Alert on Filter by Expression?

Could I view a block due to Media Type in the Web Reporter?

0 Kudos
nsgmike
Level 7

Re: Alert on Filter by Expression?

Erik,

Do you have a walkthrough of setting up the event?

0 Kudos
eelsasser
Level 15

Re: Alert on Filter by Expression?

Mike,

I presume you mean for MWG7? This is the event.

Put that in the events section of the rule that is doing the blocking. (Change your email address and set up the <SMTP server> configuration for your environment.)

Set User-Defined.emailBody =
     "Dear Administrator," +
     String.CRLF +
     "Content was blocked by the media filter." +
     String.CRLF +
     "URL: " +
     URL +
     String.CRLF +
     "Media Type: " +
     MediaType.ToString(MediaType.FromHeader) +
     String.CRLF +
     "User: " +
     Authentication.UserName +
     String.CRLF +
     "Date: " +
     DateTime.ToWebReporterString
Email.Send("god@lordchariot.com","Blocked Content Alert",
User-Defined.emailBody)<SMTPServer>

0 Kudos
DBO
Level 9

Re: Alert on Filter by Expression?

If I modify or add templates, I understand I have to reboot the server, right?

This message was edited by: DBO on 08/02/11 18:53:37 CST
0 Kudos
eelsasser
Level 15

Re: Alert on Filter by Expression?

Technically, no. You need to reload templates.

If you have the Administration shell turned on, usually on port 9092, you can do that without reboot.

SSH to port 9092 and logon with the GUI password.

Here's an example of me SSH'ing to the OS on port 22 as root, and then SSH to localhost:9092. (It's easier for me that way)

[root@WebGateway ~]# ssh admin@localhost -p 9092
admin@localhost's password:

McAfee Web Gateway Secure Administration Shell 6.8.7
Copyright (C)2003-2009 McAfee Inc.

Last Login: Thu Dec  9 13:50:51 2010 from 127.0.0.1

admin@WebGateway> reload templates
admin@WebGateway> quit
Connection to localhost closed.
[root@WebGateway ~]#

0 Kudos
DBO
Level 9

Re: Alert on Filter by Expression?

Thank you, will try that

Now, I have created a small template and it almost works (after I reset the security flag on the files I FTP to the appliance)...

Here is the template:

URL: %u
User name: %A
Workstation: %J
IP Adress: %i
Politique: %g
Date: %t
Catégorie de l'URL: %C

Here is the result:

URL: http://www.cam.org/card.exe
User Name: www.cam.org
Poste client: z500wxpg15966.le500.loto-quebec.com
Adresse IP: 10.8.64.30
Politique: JeuxEnLigne
Date: 08/Feb/2011:19:52:26 -0500
Catégorie de l'URL: shell expression list

The username variable %A is not resolving to the correct value

0 Kudos
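
A mailbox-side sanity check for the symptom reported in the post above, where the user field of the alert comes back as the host of the blocked URL. This is an added example, not part of the thread or of Web Gateway; the function names and the lower-cased label keys are assumptions, and the sample body is the result posted above joined with CRLF.

```python
from urllib.parse import urlsplit

# Sample input: the alert body from the post above, rebuilt with CRLF line ends.
SAMPLE_ALERT = "\r\n".join([
    "URL: http://www.cam.org/card.exe",
    "User Name: www.cam.org",
    "Poste client: z500wxpg15966.le500.loto-quebec.com",
    "Adresse IP: 10.8.64.30",
    "Politique: JeuxEnLigne",
    "Date: 08/Feb/2011:19:52:26 -0500",
    "Catégorie de l'URL: shell expression list",
])


def parse_alert(body):
    """Split an alert body into {label: value}.

    Only the first ': ' on each line is treated as the separator, so URLs and
    timestamps, which contain colons of their own, stay intact. Labels are
    lower-cased (an assumption of this example) so lookups ignore case.
    """
    fields = {}
    for line in body.splitlines():
        label, sep, value = line.partition(": ")
        if sep:
            fields[label.strip().lower()] = value.strip()
    return fields


def check_user_field(fields, user_label="user name"):
    """Return a list of problems found in the user field of a parsed alert."""
    problems = []
    user = fields.get(user_label, "")
    host = (urlsplit(fields.get("url", "")).hostname or "").lower()
    if not user:
        problems.append("user field is empty")
    elif host and user.lower() == host:
        # The placeholder resolved to the requested host, not to a user.
        problems.append("user field repeats the URL host: " + user)
    return problems


if __name__ == "__main__":
    for problem in check_user_field(parse_alert(SAMPLE_ALERT)):
        print(problem)
```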