Open DLP

June 12, 2010


OpenDLP

Andrew Gavin released OpenDLP version 0.1 on 30 April 2010 on code.google.com. It is a free and open-source, agent-based, centrally managed, massively distributable data loss prevention (DLP) tool.

OpenDLP can simultaneously identify sensitive data at rest on hundreds or thousands of Microsoft Windows systems from a centralized web application, which makes it practical to run basic content scans across the files on an organization's workstations and servers. OpenDLP has two components: a web application and an agent.

Web Application

  • Automatically deploys and starts agents over NetBIOS/SMB
  • When done, automatically stops, uninstalls, and deletes agents over NetBIOS/SMB
  • Pause, resume, and forcefully uninstall agents in an entire scan or on individual systems
  • Concurrently and securely receive results from hundreds or thousands of deployed agents over a mutually authenticated ("two-way-trusted") SSL connection
  • Create Perl-compatible regular expressions (PCREs) for finding sensitive data at rest
  • Create reusable profiles for scans that include whitelisting or blacklisting directories and file extensions
  • Review findings and identify false positives
  • Export results as XML
  • Written in Perl with MySQL backend

Agent

  • Runs on Windows 2000 and later versions
  • Written in C, with no .NET Framework requirement
  • Runs as a Windows Service at low priority so users do not see or feel it
  • Resumes automatically upon system reboot with no user interaction
  • Securely transmits results to web application at user-defined intervals
  • Uses PCREs to identify sensitive data inside files
  • Performs additional checks on potential credit card numbers to reduce false positives

Platform Requirement

The agent runs on Windows 2000 and later, is written in C, and has no .NET Framework requirement. It runs as a Windows Service at low priority so that users do not see or feel it, and it resumes automatically after a system reboot with no user interaction.

The web application is written in Perl and stores its data in a MySQL database.

The agent securely transmits results to the web application at user-defined intervals over a mutually authenticated ("two-way-trusted") SSL connection, so each side verifies the other's certificate before any results are exchanged. Both components use PCREs (Perl Compatible Regular Expressions) to describe the sensitive data to look for inside files, and the agent performs additional checks on potential credit card numbers to reduce false positives.

OpenDLP is released under the GPL and all of the source code is provided.

As Xavier Mertens (@xme) notes on his blog (http://blog.rootshell.be/2010/04/30/keep-an-eye-on-your-data-using-opendlp/), the agent's source code reveals that:

  • The agent scans the following storage types: floppy, thumb drive, flash card reader, HDD, flash drive, CD-ROM and RAM disk.
  • Whitelists and blacklists prevent selected files and directories from being scanned.
  • Files can also be filtered by extension.
  • libcurl is used to communicate with the server over SSL.

Once a scan has finished, the results can be reviewed via the web GUI and exported as XML for further processing. Detection is driven by Perl-compatible regular expressions. The default regex set is small but gives a good idea of the power of the approach; some example regexes written by Xavier are given in the blog post linked above.
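As an added illustration of the detection pipeline described above (example code written for this article, not OpenDLP's own C agent or Perl web application), the following Python script applies two constructed PCRE-style patterns to a few constructed file contents, honours a directory whitelist and an extension blacklist from a scan profile, and runs a Luhn mod-10 check over every card-number match, which is the standard way to drop regex hits that cannot be real card numbers (the page says the agent performs "additional checks" on card numbers without naming them; Luhn is this example's choice). The patterns, paths and file contents are all assumptions for the example and are not OpenDLP's shipped defaults; Python's re engine accepts the patterns unchanged.

```python
import ntpath
import re

# Constructed detection patterns (assumptions for this example, not OpenDLP's
# shipped defaults). They are written in PCRE syntax; Python's re module
# accepts them as-is.
PATTERNS = {
    # Visa (4xxx) or MasterCard (51xx-55xx), 16 digits, optional space/dash groups
    "visa_mastercard": re.compile(r"\b(?:4\d{3}|5[1-5]\d{2})(?:[ -]?\d{4}){3}\b"),
    # US SSN with the structurally impossible area/group/serial values excluded
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
}

# A constructed scan profile: only look under these directories, and skip
# binary/media extensions that are unlikely to hold readable sensitive text.
WHITELISTED_DIR_PREFIXES = ("C:\\Users\\", "C:\\Data\\")
BLACKLISTED_EXTENSIONS = {".exe", ".dll", ".png", ".jpg"}

# Constructed file contents standing in for what the agent would read from disk.
SAMPLE_FILES = {
    "C:\\Users\\alice\\notes.txt": "card 4111 1111 1111 1111 and typo 4111 1111 1111 1112\n",
    "C:\\Users\\alice\\hr.csv": "bob,123-45-6789,5500-0000-0000-0004\n",
    "C:\\Users\\alice\\photo.jpg": "4111 1111 1111 1111",    # blacklisted extension
    "C:\\Windows\\System32\\x.txt": "123-45-6789",            # outside the whitelist
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum: the usual extra test applied to card-number matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def should_scan(path: str) -> bool:
    """Apply the profile's directory whitelist and extension blacklist."""
    if not path.startswith(WHITELISTED_DIR_PREFIXES):
        return False
    ext = ntpath.splitext(path)[1].lower()
    return ext not in BLACKLISTED_EXTENSIONS


def find_sensitive(text: str):
    """Return (pattern_name, matched_text) pairs found in text.

    Card-number matches must also pass Luhn, which removes the regex hits
    that are well-formed but cannot be real card numbers.
    """
    findings = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if name == "visa_mastercard" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue        # false positive: drop it
            findings.append((name, value))
    return findings


def scan_files(files):
    """Scan a path -> content mapping; return path -> findings for files with hits."""
    results = {}
    for path, content in files.items():
        if not should_scan(path):
            continue
        hits = find_sensitive(content)
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for name, value in hits:
            print(f"{path}: {name} -> {value}")
```

Running it reports only notes.txt and hr.csv: the second card number in notes.txt is syntactically a Visa number but fails Luhn and is dropped, photo.jpg is skipped by the extension blacklist, and the System32 file is outside the whitelisted directories. Tightening the patterns (for instance requiring the same separator between all four groups) is the next step in cutting false positives on large file sets.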

Future Development

Andrew Gavin already has a list of future enhancements:

  • Zip support in the agent, so that it can read Office 2007 and OpenOffice files (both are zip containers).
  • Support for Microsoft Word and OpenOffice formats.
  • A sniffer mode listening for outbound sensitive data.
