Solved

Block file upload through Python application

Posted on 2014-12-10
23
124 Views
Last Modified: 2016-02-10
Block file upload through Python application
Hi, I would like a  develop a python application, which will help to block file attachement via webmail.
how to start this project and we need to start this project.
So just my question is there for writing a project  in python which will protec data leakage detection.
first I want to block only via webemail.
0
Comment
Question by:s_raj93
  • 9
  • 6
  • 6
23 Comments
 
LVL 61

Expert Comment

by:gheist
ID: 40493232
Can you share what python-based webmail you need to be fixed?
Without that - a python script alone is not in position to help you.
0
 
LVL 61

Expert Comment

by:btan
ID: 40493366
actually this is very saying DLP is needed. writing code for that will be substantial efforts esp if re-inventing with codes...maybe need to reconsider again the effort. There is one sharing that may be useful

NAFT - http://blog.didierstevens.com/programs/network-appliance-forensic-toolkit/
NTOP - http://www.forensicswiki.org/wiki/Ntop & http://www.ntop.org/ntop/extending-ntop-using-python/

You will need some parser or equv to recognise the http (and https too) protocol and scrap out the attachment and also you need to be able to handle https session since most webemail is in https mode already. So some man-in-the-middle proxy or equv is required. some material for info

extraction from html - http://www.diveintopython.net/html_processing/extracting_data.html
scraping - http://blog.miguelgrinberg.com/post/easy-web-scraping-with-python


you can also check out the sharing of DLP policy to see the use case
http://www.symantec.com/connect/articles/dlp-policy-block-uploading-file-type-web-httphttps
0
 

Author Comment

by:s_raj93
ID: 40495521
Currently I would like to block system level.
ex. 1. opened gmail webmail.
        2. click on compose message then message box will open.
3. now when i will click on 'attachment icon'  Then in general term open dialog box will open.

Now what i am trying to do  while clicking on attachment icon from compose windows, block the open dialog box.
so what will happened , user will not able to attach any kind of file.

If any wrong in question pls suggest me and guide me.
0
 
LVL 61

Expert Comment

by:btan
ID: 40495610
you need some sort of browser add in or control the browser proxy to direct to another device rather then at endpoint. what is suggested looks into the network layer which can be considered if the proxy setting in browser is locked to go through. I do note that user need not use only have that "hardened" PC to go webemail etc..nonetheless, the proxy lockdown is just one suggestion as writing plugin for such block action specific for webemail may need more effort

Burp is a proxy listener that can intercept web traffic and below is extension in python
http://labs.neohapsis.com/2013/09/16/burp-extensions-in-python-pentesting-custom-web-services/

more on Burp suite for info http://blog.nvisium.com/2014/01/setting-up-burpsuite-with-firefox-and.html
0
 

Author Comment

by:s_raj93
ID: 40495654
Please check this software function. how does this software not need any proxy. its directory block file attachment dialog box.
Please Please  sir advice me.
0
 
LVL 61

Expert Comment

by:btan
ID: 40495772
Burp is a proxy listener meaning browser need to configure to point to Burp. Pardon if it is not clear.
0
 

Author Comment

by:s_raj93
ID: 40496185
Software name- insta-lockdown
Www.copynotify.com

Please check this software function. how does this software not need any proxy. its direct block file attachment dialog box.
Please Please  sir advice me.
0
 
LVL 61

Expert Comment

by:btan
ID: 40496240
proxy is just one mean. if you have application listening to window messages or even have kernel driver written to hook into the network stack, you can of course still do what is stated. There many means to skin a cat, so dont get me wrong. Neither will there be the most perfect option. We are trying to balance the effort worth against the time deadline.

copynotify (or the personal edition is called InstaLockDown) is a DLP which I previously stated is probably what you are looking at. It does various data channel intercept which include the attachment block. I do not see it as proxy per se unless you saw upon its installtion the proxy setting in browser is changed. Eventually an DLP capable agent will need to be installed in the workstation to do this use case. There are various filtering schemes too http://en.wikipedia.org/wiki/Content-control_software#Types_of_filtering
0
 

Author Comment

by:s_raj93
ID: 40496381
I am agree with your suggestion . Could you please guide me how to start this project in python.
How client application agent will block attachments.

Please guide me to write this project in python. or suggest me is it possible in python to make this client application.

or need other programming language skill.
0
 
LVL 61

Expert Comment

by:gheist
ID: 40496683
How do you hook python to your traffic? squid?
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 61

Expert Comment

by:btan
ID: 40497422
I was thinking of proxy so as not re-inventing the wheel and extend it to examine the intercepted packet. as mentioned the local proxy setting need to be configured to pass through this proxy installed...e.g. extend burp in python via IBurpExtender. However, I have not done that though
http://blog.ombrepixel.com/post/2010/08/30/Extending-Burp-Suite-in-Python

In fact there are other python proxy CherryProxy or python-proxy to filter the http/https transaction
http://www.decalage.info/python/cherryproxy
https://code.google.com/p/python-proxy/

maybe worth to just grab the agent readily as shared too since the programming aspects will still need exploring and time invest ...
0
 
LVL 61

Expert Comment

by:gheist
ID: 40497855
Proxy does not intercept packets.
Stop reading about BURPing, just read on a bit on ISO-OSI model etc networking basics.
0
 
LVL 61

Expert Comment

by:btan
ID: 40497907
To clarify,  Burp is http proxy intercepting the HTTP request and response. Thanks for pointing out.
0
 
LVL 61

Expert Comment

by:gheist
ID: 40498189
Well - you need some mechanism to intercept traffic.
Then you need some estabilished proxy like squid.
Then you can plug any scripts to filter requests, be it python, javascript, ruby or VBA.
0
 

Author Comment

by:s_raj93
ID: 40498216
What I am asking ,? For this thre  is no answer or comment,you guys are behind proxy. I don't want proxy,I want system level interruption,
0
 
LVL 61

Expert Comment

by:btan
ID: 40498389
If you are still of interest

Windows Packet Divert - https://reqrypt.org/windivert.html
(allows user-mode applications to capture/modify/drop network packets sent to/from the Windows network stack)

Pcapy - http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Pcapy
( enables python scripts to capture packets on the network )
Similarly, pypcap - https://code.google.com/p/pypcap/
0
 
LVL 61

Expert Comment

by:gheist
ID: 40498637
System level - cool... How do you hook python into windows driver?
0
 
LVL 61

Expert Comment

by:btan
ID: 40498836
For the windivert case, it uses WinDivert.sys driver and have pydivert like an appls via the WinDivert.dll (etc) to interface with windivert driver.
0
 

Author Comment

by:s_raj93
ID: 40518594
I dint get answer till now
0
 
LVL 61

Accepted Solution

by:
gheist earned 250 total points
ID: 40518812
Answer is:
"NO IT IS NOT POSSIBLE"
How long it will it take to read it?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
ID: 40519144
you need a driver and i doubt you want to venture that to intercept the kernel network stack. else look at the available option stated. eventually there isnt a straightforward script to do all interception
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Join & Write a Comment

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now