btlyric
Level 12

Logging file names, types and sizes for multiple embedded objects


Say that you have a connection that is sending (or receiving) multiple embedded objects to (from) a remote server.

Say that you want to log the file name, type and size for each of those objects.

If you do Body.Filename, MediaType and Body.Size in the logging cycle alone, you won't get what you're looking for.

So let's add a rule set that identifies the Embedded Objects based on specific criteria and then set some User-Defined properties:

User-Defined.BodyFilename = Body.Filename

User-Defined.MediaType = MediaType (from signature/ensured)

User-Defined.BodySize = Body.Size

Now, when we reach the logging cycle we can log the three User-Defined values and we'll get what we're looking for unless there's more than one embedded object.

What's the best solution for this situation?

1 Solution

Accepted Solutions
asabban
Level 17

Re: Logging file names, types and sizes for multiple embedded objects


Hello,

instead of logging in the log cycle you could log directly from the policy by calling the appropriate event.

I have done this in the past to find out which member of an archive exactly contains malicious code, and it worked quite well. I actually would not apply such a rule for all users, but use it for debugging purposes only. Some objects have so many embedded objects that you have up to 5 MB of plain log file being written when filtering the file, which slows down the overall performance or could kill MWG by using too much IO resources or filling the hard disks.

Best,

Andre

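As an added illustration (not part of this thread and not MWG policy syntax), the following Python sketch shows the per-object approach Andre describes: emit one log record for each embedded object while walking into the container, instead of overwriting a single set of User-Defined properties that can only hold the last object seen. It assumes a zip file as the container and uses a tiny constructed magic-byte table in place of MWG's signature-based MediaType; the record cap and per-member size cap are there for the log-volume and IO concern raised in the answer.

```python
import io
import mimetypes
import zipfile
from dataclasses import dataclass
from typing import Iterator, List

# Constructed, minimal signature table: media type "from signature" rather than
# from the file name, falling back to the extension when nothing matches.
SIGNATURES = [
    (b"PK\x03\x04", "application/zip"),
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"MZ", "application/x-msdownload"),
]


@dataclass
class ObjectRecord:
    path: str        # container path, e.g. outer.zip/inner.zip/a.txt
    media_type: str  # signature-based type, extension-based fallback
    size: int        # uncompressed size in bytes


def media_type_from_signature(data: bytes, name: str) -> str:
    for magic, mtype in SIGNATURES:
        if data.startswith(magic):
            return mtype
    guessed, _ = mimetypes.guess_type(name)
    return guessed or "application/octet-stream"


def walk_embedded(data: bytes, path: str, depth: int = 0,
                  max_depth: int = 3,
                  max_member_bytes: int = 50 * 1024 * 1024) -> Iterator[ObjectRecord]:
    """Yield one record per object: the container itself, then each member,
    recursing into nested zips up to max_depth."""
    yield ObjectRecord(path, media_type_from_signature(data, path), len(data))
    if depth >= max_depth or not data.startswith(b"PK\x03\x04"):
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > max_member_bytes:
                    # Record the header size but do not decompress oversized members.
                    yield ObjectRecord(f"{path}/{info.filename}",
                                       "application/octet-stream", info.file_size)
                    continue
                member = zf.read(info)
                yield from walk_embedded(member, f"{path}/{info.filename}",
                                         depth + 1, max_depth, max_member_bytes)
    except zipfile.BadZipFile:
        return  # looked like a zip by signature but is not parseable


def log_embedded_objects(data: bytes, name: str, max_records: int = 1000) -> List[str]:
    """One log line per embedded object, truncated after max_records lines."""
    lines: List[str] = []
    for rec in walk_embedded(data, name):
        if len(lines) >= max_records:
            lines.append(f"... truncated after {max_records} records")
            break
        lines.append(f'embedded_object path="{rec.path}" type={rec.media_type} size={rec.size}')
    return lines


def build_sample() -> bytes:
    """Constructed sample: outer.zip containing doc.pdf and inner.zip (a.txt, b.png)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("a.txt", b"hello world")
        zf.writestr("b.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("doc.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for line in log_embedded_objects(build_sample(), "outer.zip"):
        print(line)
```

The important difference from the question's User-Defined-property approach is that the log call sits inside the loop over objects, so nothing is overwritten; the caps are what keep a deeply nested archive from producing the multi-megabyte log files mentioned above.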
3 Replies
btlyric
Level 12

Re: Logging file names, types and sizes for multiple embedded objects


Can I log to the same log file that is used in the logging cycle?

asabban
Level 17

Re: Logging file names, types and sizes for multiple embedded objects


Yes, that is not a problem.

Best,

Andre
