2 Replies Latest reply on Jun 18, 2015 11:23 AM by alexismorales

    Web Post Protection Rule problem

    alexismorales

      Hi, I'm having some issues with the Web Post Protection Rules in DLP Endpoint.

       

      I have a lot of false positives in these rules. The problem normally happens when someone logs in to a web page. In many cases an incident is generated when the user posts his username and password. The problem is that DLP recognizes information that is stored in the web page, information that the user is not typing, but that is stored in the HTML of the web page. Have you dealt with these issues? In that case, how do you deal with them?

        • 1. Re: Web Post Protection Rule problem
          DMurali

          What exactly are you looking for in your WPP rules? What kind of information is DLP triggering alerts for?

           

          Basically anything that gets sent to the web server is monitored by DLP whether it is user typed or something the web server sends to the browser and sends back when the user hits submit.

          • 2. Re: Web Post Protection Rule problem
            alexismorales

            DMurali wrote:

             

            What exactly are you looking for in your WPP rules? What kind of information is DLP triggering alerts for?

             

            Basically anything that gets sent to the web server is monitored by DLP whether it is user typed or something the web server sends to the browser and sends back when the user hits submit.

             

            Let's take an example:

             

            My rule is supposed to monitor users (usuarios in Spanish) and passwords, so a user logs into a PHP page.

             

            DLP captures this:

             

             

            accion=&usuario=41412xo&password=494240&idioma_id=1&carpeta_base=/facturas/&usua rio1=41412xo&password1=494240

             

            As you said, DLP monitors anything that is sent to a web server, so I suppose that the information above is sent from the browser to the web server. The user is not sending a password or a username; actually he is logging in to a web page, which is totally normal.

             

            I guess the solution is to create exceptions in the dictionaries, giving a negative weight to words like &password and &usuario.
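
The negative-weight idea from the last post, as an added example that is not part of the thread and not the DLP product's own matching engine: a simplified model of weighted dictionary scoring run over a login body shaped like the captured one. The weights, the threshold, the `score` and `triggers` helpers and all sample bodies are assumptions constructed for illustration.

```python
import re

# Constructed samples modelled on the capture quoted in the thread.
LOGIN_BODY = ("accion=&usuario=41412xo&password=494240&idioma_id=1"
              "&carpeta_base=/facturas/&usuario1=41412xo&password1=494240")
# Constructed: credentials pasted as free text into a form field.
PASTED_BODY = "notas=usuario: jperez password: S3cret usuario: mlopez password: Pa55"
# Constructed: the login form plus pasted credentials in the same post.
MIXED_BODY = LOGIN_BODY + "&" + PASTED_BODY

# Hypothetical weights and threshold; a real policy would use its own values.
BASE = {"usuario": 10, "password": 10}
# Same dictionary plus negative-weight entries for the form field names.
WITH_EXCEPTIONS = {**BASE, "&usuario": -10, "&password": -10}
THRESHOLD = 20


def score(body, dictionary):
    """Sum weight * occurrences for every dictionary term (case-insensitive)."""
    text = body.lower()
    return sum(weight * len(re.findall(re.escape(term), text))
               for term, weight in dictionary.items())


def triggers(body, dictionary, threshold=THRESHOLD):
    """True when the total score reaches the rule threshold."""
    return score(body, dictionary) >= threshold


if __name__ == "__main__":
    samples = [("login", LOGIN_BODY), ("pasted", PASTED_BODY), ("mixed", MIXED_BODY)]
    for name, body in samples:
        print(name,
              "base:", score(body, BASE),
              "with exceptions:", score(body, WITH_EXCEPTIONS),
              "incident:", triggers(body, WITH_EXCEPTIONS))
```

In this model the negative entries cancel only keywords that directly follow `&`, so the plain login scores zero while pasted credentials still reach the threshold. A field that comes first in the body has no leading `&` and is not cancelled.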