I was just wondering if there was a way via Events or web reporter to automatically send an email when a user IP hits an amount of data. For instance, if a user POSTs 1024MB of data over a single connection, can anything notify?
We have the unlicensed version of web reporter.
Web Reporter isn't the same as a SIEM product. You can schedule a report to run on a schedule, and then e-mail you the result, but you cannot make an event-based trigger.
On the Web Gateway, you could enable quotas, and then use the email.send() event to e-mail you when a quota is reached.
The quota idea will work for an overall day's data usage.
I want to be alerted if a client sends, for example, over 50MB of data to a host. I was eyeing up the BytesFromClient property, which would be exactly what I need, but it looks like it can only be used for writing to a log file.
Is there another way to accomplish this?
Using a rule that only applies to the request cycle (I threw my test rule in with the upload media type filtering), you can use Body.Size is greater than <bytes>. Here I used 1MB:
I was playing with that yesterday, this works great for download notifications, but it will not let me know of any uploads.
For example, if you go to Gmail and upload a 4MB attachment, I would want to have that alert.
It will block uploads over X bytes, too.
The notification part is going to be nearly impossible to address with most AJAX sites.
The uploads occur out of band of the web page being rendered. If you are lucky, the site will at least have some sort of error message as a result of a 403 status code. But it has to be programmed into the site in order to properly indicate the error.
This is the case with almost any kind of block that is introduced on an AJAX site, including application controls and DLP blocks. It's how the web itself works and has nothing to do with MWG specifically. Try it with anyone else like Blue Coat/Websense/IronPort/etc. You get the same results.
The best you can hope to achieve is to have an email notification sent to the user to tell him what's blocked.
on 7/8/14 11:24:36 AM EDT