Hi Thomas,
First of all, thank you for your time and great interest in my situation.
Q1) Your exception rules E-2.3 and E-2.4 are only valid for R80.xx gateways, because only these GWs understand the exception by blade. Is this the case?
A1) I have a distributed setup and both my GW and Management are 80.10 (take 91 installed).
MY RULE BASE:
MY CUSTOM APPLICATION SITE OBJECT
before you warn me:
After I fixed the RegExes and installed the policy on 03.05.2018 at 11:45 AM (GMT+3):
And the exception did not work; a log was created again:
Also, I had enabled the log and I can provide the whole file if required.
[6947][3 May 12:29:00][DLPU_MNGR] dlpu_mngr_http_conn_free: [150EC] freeing at Date: May 3, 2018 12:29:00
[6947][3 May 12:29:00][DLPU_MNGR] dlpu_mngr_http_session_free: freeing.. sid=6029318
[6947][3 May 12:29:00][DLPU_MNGR] dlpu_mngr_av_free_file_data: freeing AV file data for file authrootstl.cab
[6947][3 May 12:29:00][DLPU_MNGR] dlpu_mngr_av_free_file_data: file_data->current_file_path/opt/CPsuite-R80/fw1/tmp/dlp/{5D13B48D-C98A-2153-2700-5854E04ADBCF}
[6947][3 May 12:29:00][DLPU_COMM] dlpu_comm_read_handler: Done processing, 0 bytes left on buffer
[6947][3 May 12:29:00][DLPU_COMM] dlpu_comm_read_handler: Buffer position at 0
[6947][3 May 12:29:00][TED_CLIENT] [TED_CLIENT (TD::All)] ted_client_get_umsess_data: About to set_umsess_data for file /opt/CPsuite-R80/fw1/tmp/te/dlpu_tmp_files_0-1/{BEACFC1A-F07A-F349-8127-57588740B994}
[6947][3 May 12:29:00][TE_IS_TRACE] [TE_IS_TRACE (TD::All)] te_is::SocketApiClient::SendObject: sending data:
(
:connection (
:src_ip (10.44.0.159)
:src_port (2323)
:dst_ip (93.184.221.240)
:dst_port (80)
:protocol (6)
)
:meta_data (
:file_orig_name (authrootstl.cab)
:file_path ("/opt/CPsuite-R80/fw1/tmp/te/dlpu_tmp_files_0-1/{BEACFC1A-F07A-F349-8127-57588740B994}")
:file_type (cab)
:file_len (53747)
:protocol (http)
:rule_id (6)
:free_text (dlpu_te)
:should_track (1)
:malware_rule_id ("{D9126BC2-EB6D-4478-B5E8-0062F2597393}")
:scope_ip (10.44.0.159)
:conn_id (86252)
:session_id (6029318)
:instance_id (1)
:investigation_path (PATH_TE)
:cdir (2)
)
:http_data (
:url ("http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab")
)
:smtp_data (
:to ()
:from ()
:subject ()
:body_path ()
)
Continues...
[6947][3 May 12:29:00][TE_IS_TRACE] [TE_IS_TRACE (TD::All)] te_is::SocketApiClient::OnListenerCallback: got data:
(
:event_id ("{82CB902E-2A21-D04C-9C1C-C8FFEDA78D44}")
:action (accept)
:confidence (none)
:done (1)
:file_path ("/opt/CPsuite-R80/fw1/tmp/te/dlpu_tmp_files_0-1/{BEACFC1A-F07A-F349-8127-57588740B994}")
:md5_string (b41d1f286e73f8a1a9b8da8131bcc814)
:investigation_path (PATH_TE)
:additional_data ()
:body_path ()
)
[6947][3 May 12:29:00][TED_CLIENT] [TED_CLIENT (TD::All)] TedClientListener::OnListenerCallback: got response:
(
:event_id ("{82CB902E-2A21-D04C-9C1C-C8FFEDA78D44}")
:action (accept)
:confidence (none)
:done (1)
:file_path ("/opt/CPsuite-R80/fw1/tmp/te/dlpu_tmp_files_0-1/{BEACFC1A-F07A-F349-8127-57588740B994}")
:md5_string (b41d1f286e73f8a1a9b8da8131bcc814)
:investigation_path (PATH_TE)
:additional_data ()
:body_path ()
)
[6947][3 May 12:29:00][TED_CLIENT] [TED_CLIENT (TD::All)] TedClientListener::OnListenerCallback: sending results to kernel
(
:event_id ("{82CB902E-2A21-D04C-9C1C-C8FFEDA78D44}")
:action (accept)
:confidence (none)
:done (1)
:file_path ("/opt/CPsuite-R80/fw1/tmp/te/dlpu_tmp_files_0-1/{BEACFC1A-F07A-F349-8127-57588740B994}")
:md5_string (b41d1f286e73f8a1a9b8da8131bcc814)
:investigation_path (PATH_TE)
:additional_data ()
:body_path ()
)
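To make logs like the one above easier to check, here is an added example (my own code, not the poster's and not part of any Check Point product) that parses the nested `:key (value)` notation the dlpu daemon prints, pulls every `( ... )` record out of a debug log, and joins the Threat Emulation submission (`SendObject: sending data`) to the verdict (`OnListenerCallback: got data`) on the temporary file path they share. The sample log is constructed from the two records in the post, trimmed to the fields used here; the closing parenthesis of the first record is not visible on the page ("Continues...") and is supplied by assumption. The grammar of the notation (parens, quoted strings, `:key` names, bare atoms) is inferred from the output shown, not taken from any documentation.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample: two records from the dlpu debug output in the post, trimmed.
# The outer ")" of the SendObject record is assumed (the page shows "Continues...").
SAMPLE_LOG = """\
[6947][3 May 12:29:00][TE_IS_TRACE] [TE_IS_TRACE (TD::All)] te_is::SocketApiClient::SendObject: sending data:
(
:connection (
:src_ip (10.44.0.159)
:dst_ip (93.184.221.240)
:dst_port (80)
)
:meta_data (
:file_orig_name (authrootstl.cab)
:file_path ("/opt/CPsuite-R80/fw1/tmp/te/dlpu_tmp_files_0-1/{BEACFC1A-F07A-F349-8127-57588740B994}")
:file_type (cab)
:rule_id (6)
:malware_rule_id ("{D9126BC2-EB6D-4478-B5E8-0062F2597393}")
:investigation_path (PATH_TE)
)
:http_data (
:url ("http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab")
)
)
[6947][3 May 12:29:00][TE_IS_TRACE] [TE_IS_TRACE (TD::All)] te_is::SocketApiClient::OnListenerCallback: got data:
(
:event_id ("{82CB902E-2A21-D04C-9C1C-C8FFEDA78D44}")
:action (accept)
:confidence (none)
:file_path ("/opt/CPsuite-R80/fw1/tmp/te/dlpu_tmp_files_0-1/{BEACFC1A-F07A-F349-8127-57588740B994}")
:md5_string (b41d1f286e73f8a1a9b8da8131bcc814)
:additional_data ()
)
"""

# Tokens of the notation: parens, quoted strings, ":key" names, bare atoms (order matters).
_TOKEN = re.compile(r'\(|\)|"(?:[^"\\]|\\.)*"|:[A-Za-z_][A-Za-z0-9_]*|[^\s()"]+')


def _parse_value(tokens: List[str], i: int) -> Tuple[Any, int]:
    """Parse one "( ... )" value starting at tokens[i]; return (value, index after it)."""
    if tokens[i] != "(":
        raise ValueError(f"expected '(' at token {i}, got {tokens[i]!r}")
    i += 1
    if tokens[i] == ")":                       # empty value, e.g. :additional_data ()
        return None, i + 1
    if tokens[i].startswith(":"):              # sequence of :key (value) pairs -> dict
        obj: Dict[str, Any] = {}
        while tokens[i] != ")":
            key = tokens[i][1:]
            obj[key], i = _parse_value(tokens, i + 1)
        return obj, i + 1
    atom = tokens[i]                           # scalar; unwrap quoted strings
    if atom.startswith('"'):
        atom = atom[1:-1]
    if tokens[i + 1] != ")":
        raise ValueError(f"unterminated atom {atom!r}")
    return atom, i + 2


def parse_record(text: str) -> Any:
    """Parse a single record such as '(:a (x) :b ())' into nested dicts/strings/None."""
    return _parse_value(_TOKEN.findall(text), 0)[0]


def extract_records(log_text: str) -> List[Tuple[str, Any]]:
    """Return (header line, parsed record) for every balanced '(' ... ')' block in the log."""
    lines, records, i = log_text.splitlines(), [], 0
    while i < len(lines):
        if lines[i].strip() != "(":            # a record body always starts on a bare "(" line
            i += 1
            continue
        header, depth, start = (lines[i - 1].strip() if i else ""), 0, i
        while i < len(lines):
            bare = re.sub(r'"[^"]*"', "", lines[i])   # ignore parens inside quoted strings
            depth += bare.count("(") - bare.count(")")
            i += 1
            if depth == 0:
                break
        if depth:
            raise ValueError(f"truncated record after: {header}")
        records.append((header, parse_record("\n".join(lines[start:i]))))
    return records


def summarize(log_text: str) -> Dict[str, Dict[str, Any]]:
    """Join each TE submission with its verdict on the shared temp file path, keyed by file name."""
    requests, verdicts = {}, {}
    for header, rec in extract_records(log_text):
        if "SendObject" in header:
            requests[rec["meta_data"]["file_path"]] = rec
        elif isinstance(rec, dict) and "action" in rec:
            verdicts[rec["file_path"]] = rec
    out = {}
    for path, req in requests.items():
        v = verdicts.get(path, {})
        out[req["meta_data"]["file_orig_name"]] = {
            "src_ip": req["connection"]["src_ip"],
            "url": req["http_data"]["url"],
            "rule_id": req["meta_data"]["rule_id"],            # which Threat Prevention rule matched
            "malware_rule_id": req["meta_data"]["malware_rule_id"],
            "verdict": v.get("action"),                        # None if no verdict was logged
            "confidence": v.get("confidence"),
            "md5": v.get("md5_string"),
        }
    return out


if __name__ == "__main__":
    for name, info in summarize(SAMPLE_LOG).items():
        print(name, info)
```

The useful signal here is the presence of a `SendObject` record at all: it shows the file was still handed to emulation under `rule_id 6`, regardless of the `accept` verdict that came back, so the exception can be checked against that rule rather than against the final action.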