1232 Views 8 Replies Latest reply: Feb 3, 2013 11:20 PM by mcyp RSS
mcyp Newcomer 5 posts since
Jan 28, 2013

Jan 28, 2013 8:04 AM

Reporting on top upload websites with Web Reporter

Hello,

 

I need to generate a report showing the top 10 sites to which the most data has been uploaded. The goal is to identify potential fraudulent data leakage.

I went through existing reports and report sections but I can't find how to enable this information in reports.

Do you know if it is possible? If not, are you monitoring such information through other means?

 

Regards,

  • sroering McAfee SME 459 posts since
    Feb 10, 2011
    1. Jan 28, 2013 8:38 AM (in response to mcyp)
    Re: Reporting on top upload websites with Web Reporter

    Please note that Web Reporter is only as useful as the data in the logs.  Regarding bytes, there are 4 different values, but Web Reporter only has one inbound and one outbound byte value.

     

    Outbound:

    1) From client to proxy (bytes_from_client)

    2) From proxy to the web server (bytes_to_server)

     

    Inbound:

    1) From web server to proxy (bytes_from_server)

    2) From proxy to the client. (bytes_to_client)

     

    Page 38 of the product guide

    https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24232/en_US/wr_521_pg_en-us.pdf

     

    If you are worried about possible data leakage then you are probably interested most in bytes_to_server.  Keep in mind that if you block sites like bittorrent, (and assuming HTTP or SSL Scanner enabled if HTTPS), then you would not see any bytes_to_server, but there would be bytes_from_client.  So hopefully this makes you think about which 2 values are most important to you.  If you put all 4 values in your log file I don't know which 2 are used, but my guess would be first value (from left to right). 

     

     

    Once you have the byte values in the log, you just need to create a report with the appropriate byte value (caution: bytes = sum of inbound and outbound bytes).  On the column properties tab of the query, sort bytes descending to push the largest values to the top.

     

    https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24230/en_US/wr_521_ug_en-us.pdf

  • sroering McAfee SME 459 posts since
    Feb 10, 2011
    3. Jan 29, 2013 8:14 AM (in response to mcyp)
    Re: Reporting on top upload websites with Web Reporter

    I see bytes in the bytes_to_client field of your log, so you should see data in bytes_to_client for new data.  Of course existing data would still be 0 as you mentioned. The log structure looks fine. If you made a mistake, the log job would fail, or would be successful with 100% error lines.

     

    Is new data still showing 0 bytes_to_client?

  • sroering McAfee SME 459 posts since
    Feb 10, 2011
    5. Jan 29, 2013 10:10 AM (in response to mcyp)
    Re: Reporting on top upload websites with Web Reporter

    I would say that your newer logs are failing to import. As I said in my previous post, either the jobs are failing (usually due to a problem with the header) or the status is "Successful" but with 100% of the lines as an error (problem with log lines not matching the header).

     

     

    The auto-discover will work correctly but it depends on a good log format. Modifying the log format is very error-prone, even for experienced people, since there is no error checking.

  • sroering McAfee SME 459 posts since
    Feb 10, 2011
    7. Jan 29, 2013 10:31 AM (in response to mcyp)
    Re: Reporting on top upload websites with Web Reporter

    The problem is not the auto-detect.  Even a custom log parser won't work if your log structure is not correct.

     

    Find the problem with the access log structure per my suggestions above.

     

    You should never use the custom log format. It does not handle block codes for Web Gateway.
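
The ranking discussed in the first reply (sum an outbound byte counter per site, sort descending) can be cross-checked against a raw log outside Web Reporter. The script below is an added example, not part of the thread and not McAfee code: the space-delimited layout and the `user` and `host` columns are assumptions made for illustration, and only the four byte-counter names come from the thread. It also counts lines that do not match the header, the import failure mode raised in the later replies.

```python
import csv
import io
from collections import Counter

# Constructed sample: a header naming the columns, then one line per request.
# The layout and the "user"/"host" columns are assumptions for illustration;
# the four byte-counter names are the ones listed in the thread.
SAMPLE_LOG = """\
user host bytes_from_client bytes_to_server bytes_from_server bytes_to_client
alice files.example.net 5242880 5242990 310 420
bob www.example.org 612 700 48211 48300
alice files.example.net 1048576 1048700 305 410
carol tracker.example.com 90211 0 0 1530
bob paste.example.io 20480 20600 512 640
dave www.example.org 580
"""

def top_upload_hosts(log_text, field="bytes_to_server", limit=10):
    """Return (ranked [(host, bytes)], bad_lines, total_lines) for one log."""
    reader = csv.reader(io.StringIO(log_text), delimiter=" ")
    header = next(reader)
    if field not in header or "host" not in header:
        raise ValueError(f"header lacks a required column: {header}")
    host_i, bytes_i = header.index("host"), header.index(field)
    totals, bad, total = Counter(), 0, 0
    for row in reader:
        total += 1
        # A line that does not match the header is counted as an error
        # instead of being read from the wrong column.
        if len(row) != len(header) or not row[bytes_i].isdigit():
            bad += 1
            continue
        totals[row[host_i]] += int(row[bytes_i])
    return totals.most_common(limit), bad, total

if __name__ == "__main__":
    for field in ("bytes_to_server", "bytes_from_client"):
        ranked, bad, total = top_upload_hosts(SAMPLE_LOG, field)
        print(f"{field}: {bad}/{total} lines rejected")
        for host, n in ranked:
            print(f"  {n:>10}  {host}")
```

In the constructed data the blocked request to `tracker.example.com` ranks second by `bytes_from_client` but contributes nothing to `bytes_to_server`, which is the difference between the two outbound counters described in the first reply.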
