How can I determine which word triggered a dictionary list in attachment?
We have an IronPort C160 and an outgoing message was blocked due to our language filters. The logs indicate that an attached Word document matches
Since the dictionary match is not in the actual body of the e-mail, the triggered phrase is not highlighted in our policy view in the web GUI. I can download the attachment and after reading it, I find no issues with it at all (it's a legitimate policy from a VP to an Auditor). I am going to release the email as was requested. However, I am just curious as to what in tarnation is triggering the dictionary match. Is there any way to find this out? Sometimes there are some nonsense words that we do find from time to time and we remove them from the dictionaries.
Re: How can I determine which word triggered a dictionary list i
I wrote a Perl script to solve this problem. It loads the patterns from an exported content dictionary, then reads stdin and attempts to match each line against the patterns, and prints the matches it finds. AsyncOS uses Python's "re" module under the hood, so Perl's regex interpreter isn't the best match, but it gets the job done. This script would be better written in Python, but I don't know Python.
There are a few caveats to using a script like this. First, IronPort doesn't document exactly what regex patterns underlie their Smart Identifiers, so you won't be able to interpret these. Second, the "match whole words" and "case sensitive" settings are not exported with a dictionary. If you want to respect them then you'll need to use something like command line options on your script to signal them. For me, it was sufficient to ignore the "match whole words" setting and to make all matches case insensitive.
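The approach described in the post above, as an added Python sketch; it is not the poster's Perl script and not Cisco code. It assumes the exported dictionary has one term per line with an optional trailing `, weight`, and the sample dictionary and text are constructed. Entries that do not compile as a regex (such as identifiers the appliance interprets internally) are reported as skipped rather than guessed at.

```python
import re
import sys

def load_patterns(lines, whole_words=False, case_sensitive=False):
    """Compile exported dictionary lines; return (compiled, skipped).

    Assumed format: 'term' or 'term, <integer weight>' per line.
    whole_words / case_sensitive are not in the export, so the caller sets them.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    compiled, skipped = [], []
    for raw in lines:
        term = raw.strip()
        if not term:
            continue
        # Strip a trailing weight only if the tail is purely numeric, so a
        # comma inside the regex itself (e.g. \d{4,}) is left alone.
        head, sep, tail = term.rpartition(",")
        if sep and tail.strip().isdigit():
            term = head.strip()
        expr = rf"\b(?:{term})\b" if whole_words else term
        try:
            compiled.append((term, re.compile(expr, flags)))
        except re.error:
            skipped.append(term)  # not a plain regex; cannot be tested here
    return compiled, skipped

def find_matches(compiled, text_lines):
    """Return (line_no, dictionary_term, matched_text) for every hit."""
    hits = []
    for line_no, line in enumerate(text_lines, start=1):
        for term, rx in compiled:
            for m in rx.finditer(line):
                if m.group(0):  # ignore zero-length matches
                    hits.append((line_no, term, m.group(0)))
    return hits

# Constructed sample data, not taken from a real appliance export.
SAMPLE_DICT = ["confidential, 2", "wager|bet, 1", "*credit, 5",
               r"acct\s*#\s*\d{4,}"]
SAMPLE_TEXT = ["Policy summary for the auditor.",
               "Controls apply between Q1 and Q2.",
               "This document is Confidential.",
               "Reference acct # 123456 in replies."]

if __name__ == "__main__":
    # Usage: script.py exported_dictionary.txt < extracted_attachment_text.txt
    with open(sys.argv[1], encoding="utf-8") as fh:
        patterns, skipped = load_patterns(fh)
    for line_no, term, text in find_matches(patterns, sys.stdin):
        print(f"line {line_no}: {term!r} matched {text!r}")
    for term in skipped:
        print(f"skipped (not a plain regex): {term!r}", file=sys.stderr)
```

On the sample data, the term `wager|bet` hits inside "between" unless `whole_words=True` is passed, which is the kind of substring match that can flag an otherwise clean document.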
How can I determine which word triggered a dictionary list in at
The GUI does show the offending phrase found by a content rule if the rule places the offending message in a quarantine, though I get the impression that AsyncOS simply acts once the rule threshold is reached and does not test the remainder of the dictionary.
If memory serves, the filter will get the message first before any content rule, so any test would also need to impose a temporary condition on the filter.