ThomasSu
Level 9
Message 1 of 5

file size upload to website when the behavior is allowed

Hi, we want to get the file size of all uploads that are allowed. MWG seems to log it only if the upload was blocked. Any good rule or solution to archive the request?
4 Replies
fw_mon
Reliable Contributor
Message 2 of 5

Re: file size upload to website when the behavior is allowed

One of several ways to accomplish this is to extend your access log with the NumberToString(Body.BytesToServer) property.

Comparing this number with NumberToString(Body.BytesToClient) and considering the HTTP verb (POST, PUT) you can see if a particular web request looks like an upload.
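
Added example, not part of the original post: one way to apply the comparison described above to an access log that has been extended with a bytes-to-server column. The log layout, the field names and the 64 KiB threshold are assumptions, and the sample lines are constructed.

```python
import re

# Constructed sample lines. Assumed layout (not MWG's default log format):
# [time] "user" src_ip status "METHOD URL PROTO" bytes_to_client bytes_to_server
SAMPLE_LOG = """\
[12/Apr/2019:10:01:02 +0000] "alice" 10.0.0.5 200 "POST https://files.example/upload HTTP/1.1" 512 5242880
[12/Apr/2019:10:01:05 +0000] "bob" 10.0.0.6 200 "GET https://news.example/ HTTP/1.1" 84211 0
[12/Apr/2019:10:01:09 +0000] "carol" 10.0.0.7 200 "POST https://app.example/api/search HTTP/1.1" 20480 312
[12/Apr/2019:10:01:12 +0000] "dave" 10.0.0.8 201 "PUT https://store.example/obj/1 HTTP/1.1" 0 1048576
this line is truncated and must be skipped
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<user>[^"]*)" (?P<src>\S+) (?P<status>\d{3}) '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<to_client>\d+) (?P<to_server>\d+)$'
)

UPLOAD_VERBS = {"POST", "PUT"}


def likely_uploads(log_text, min_bytes=64 * 1024):
    """Return requests that look like uploads: an upload verb, a request
    body of at least min_bytes, and more bytes sent than received."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or truncated line
        to_server = int(m["to_server"])
        to_client = int(m["to_client"])
        if (m["method"] in UPLOAD_VERBS
                and to_server >= min_bytes
                and to_server > to_client):
            hits.append({"user": m["user"], "method": m["method"],
                         "url": m["url"], "bytes_to_server": to_server})
    return hits


if __name__ == "__main__":
    for hit in likely_uploads(SAMPLE_LOG):
        print(hit)
```

The POST from "carol" is not reported because the response is larger than the request body, which is the typical shape of a form or API query rather than a file upload.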

 

ThomasSu
Level 9
Message 3 of 5

Re: file size upload to website when the behavior is allowed

Hi fw_mon,

 

Thanks for your information. That's what we did in the access log. But MWG's log behavior seems to only log the last hit rule, and the allow behavior doesn't record the size info.

 

Regards,

Thomas

aloksard
McAfee Employee
Message 4 of 5

Re: file size upload to website when the behavior is allowed

Hi,

Hope you are doing well.

You can use either Content-Length from the request header or the Body.Size parameter to get the size of the uploaded file.

It may be better to use Content-Length from the request header instead of Body.Size, partially to avoid having to receive the whole file before calculating the size.

String.ToNumber (Header.Get ("Content-Length"))

You can also get the names of the uploaded files.
 

 

I was able to get a rule set configured to log the names of the uploaded files, with some testing. Content-Disposition is the field that contains the names of the uploaded files in the majority of cases.

I tested with a few websites like https://dlptest.com/, https://files.fm/, https://uploadfiles.io/ etc. and was able to successfully see the names of the uploaded files in access.log.

NOTE: Make sure you have SSL Scanner enabled in order to inspect HTTPS traffic, and have the Enable composite opener rule enabled as well.

Please make the following modifications in the rule as described below:

 

Step 1: Please enable the rule called "Enable composite opener".

Step 2: Please create a new rule called "test" under the Enable composite opener rule.

Step 3: In the new rule "Test", the criteria we need to add are described below:

Body.HasMimeHeader(String) -> equals -> true.

NOTE: The parameter value that needs to be added to the property "Body.HasMimeHeader" is described below:

Body.HasMimeHeader(String) -> parameters -> parameter value -> Content-Disposition

AND

Body.HasMimeHeaderParameter (String,String) -> true

NOTE: The parameter values that need to be added to the property "Body.HasMimeHeaderParameter" are described below:

Body.HasMimeHeaderParameter (String,String) -> Parameters -> Parameter value -> Name (string) -> Content-Disposition, and MIME Parameter name -> filename.

NOTE: I have shared a snapshot of the rule.

Step 4: In the same test rule, inside the Event tab, we need to write those parameter values; for that we have configured the following:

Test rule -> Event -> Add -> User-defined.log -> Body.HasMimeHeaderParameter (String,String) -> Parameters -> Parameter value -> Name (string) -> Content-Disposition, and MIME Parameter name -> filename.

NOTE: Please find the ruleset snapshot attached.

Step 5: Policy --> Ruleset --> LogHandler --> Access.log --> Write.access.log --> Edit --> Events --> Edit --> Add --> Parameter Property --> User-defined.log (we are calling the property that was configured above) --> Add --> Parameter value --> " (add this symbol).

Step 6: Go to Policy -> Settings -> File System Logging -> Access Log configuration -> Log Header -> add filename at the end.

NOTE: Please re-arrange the properties as defined in the snapshot attached along with this email.

Please refer to the attached screenshots. The above steps can be taken as a reference point.

 


 

Regards

Alok Sarda
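
Added example, not part of the original post or of the rule sets it describes: a small parser for a constructed multipart/form-data upload that extracts the filename parameter of Content-Disposition, the same field the rule above matches on, and compares the request's Content-Length with the size of the file part. Function names, the boundary string and the sample body are assumptions made for illustration.

```python
import re

# Constructed sample upload: one text field and one 2048-byte file part.
BOUNDARY = "----constructedBoundary7MA4"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY
FILE_BYTES = b"%PDF-1.4 " + b"A" * 2039
_B = b"--" + BOUNDARY.encode()
BODY = b"\r\n".join([
    _B,
    b'Content-Disposition: form-data; name="comment"',
    b"",
    b"quarterly numbers",
    _B,
    b'Content-Disposition: form-data; name="file"; filename="report.pdf"',
    b"Content-Type: application/pdf",
    b"",
    FILE_BYTES,
    _B + b"--",
    b"",
])


def uploaded_files(content_type, body):
    """Return (filename, size_in_bytes) for every part that carries a
    filename parameter in its Content-Disposition header."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return []  # not a multipart request
    delim = b"\r\n--" + m.group(1).encode()
    files = []
    # Prefix CRLF so the first delimiter matches like the others.
    for chunk in (b"\r\n" + body).split(delim)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter
        head, _, data = chunk.partition(b"\r\n\r\n")
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            if name.strip().lower() != b"content-disposition":
                continue
            fn = re.search(rb'filename="([^"]*)"', value)
            if fn:
                files.append((fn.group(1).decode("utf-8", "replace"), len(data)))
    return files


def multipart_overhead(content_type, body):
    """Bytes counted by Content-Length that are not file content."""
    return len(body) - sum(size for _, size in uploaded_files(content_type, body))
```

For a multipart upload, Content-Length covers the whole request body, including boundaries, part headers and other form fields, so it is slightly larger than the file itself; a request sent with chunked transfer encoding carries no Content-Length at all.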

aloksard
McAfee Employee
Message 5 of 5

Re: file size upload to website when the behavior is allowed

Hi,

Also, to get file names for Dropbox and Google Drive, follow the instructions below:

Please import and test the attached rule sets.

 

Rule Set 1 : 2019-04-13_19-56_FileNameLogging

 

-- For capturing file names

-- To be imported after “SSL Scanner” and “Composite Opener”

 

Rule Set 2 : 2019-04-13_20-23_Uploads Log

 

-- For Logging captured file names to log file “uploads.log”

 

The above rule sets are only for reference. Please make the necessary changes to suit your organization's requirements.

 

Regards

Alok Sarda
