User guide

Chapter 9: Configuring Other Intrusion Prevention Settings
100
User-Defined Event Contexts
Introduction
When you create a user-defined event signature, you select a context that tells the appliance the type and particular part of a network packet to monitor for events. After you specify the context, you add a string that tells the appliance exactly what to look for when it scans the packet. See “Regular Expressions in User-Defined Events” on page 105 for more information.
For example, the email_subject context configures the appliance to monitor the subject line of email packets (messages).
DNS_Query context
Most programs use domain names to access resources on the Internet. These programs query a DNS server to resolve the domain name to the specific IP address of the Internet resource. Use the DNS_Query context to monitor access to particular sites or classes of sites without knowing their specific IP addresses.
Monitors
The DNS_Query context monitors the DNS name in DNS query and DNS reply packets over UDP and TCP. The appliance compares the information in the String box to the expanded (human-readable) version of the domain name in these packets.
If a user accesses a site directly using an IP address, the DNS lookup does not occur, and the appliance cannot detect the event.
To monitor for a particular URL, remember that the domain name is only the first element. For example, //www.cnn.com is the first element in http://www.cnn.com/stories. Use the URL_Data context (see “URL_Data context” on page 103) to detect the rest of the URL.
Examples
You could use the DNS_Query context along with a string value of www.microsoft.com to monitor users accessing the Microsoft Web site.
If you are concerned about users on your site accessing hacker-related materials on the Internet, you could monitor access to domains such as the following:
hackernews.com
rootshell.com
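As an added illustration (not code from this guide or from the appliance), the following Python emulates the comparison the DNS_Query context performs: it expands the label-encoded name in a DNS question section to its human-readable dotted form and tests whether the configured string occurs in it. The sample packet is constructed, and case-insensitive matching is an assumption, not documented behaviour.

```python
import struct

# Constructed sample: a DNS query for www.example.com (type A, class IN), id 0x1234.
# Labels are length-prefixed; the name is terminated by a zero-length label.
SAMPLE_QUERY = (
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # header: 1 question
    + b"\x03www\x07example\x03com\x00"                      # QNAME
    + b"\x00\x01\x00\x01"                                    # QTYPE=A, QCLASS=IN
)


def read_name(packet, offset):
    """Expand a label-encoded DNS name (following compression pointers, as found in
    reply packets) into dotted form. Returns (name, offset just past the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2                  # the pointer itself is two bytes long
            offset = ((length & 0x3F) << 8) | packet[offset + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels).lower(), end if end is not None else offset


def query_names(packet):
    """Return the human-readable names in the question section of a DNS message."""
    qdcount = struct.unpack_from("!H", packet, 4)[0]
    names, offset = [], 12                        # question section follows the 12-byte header
    for _ in range(qdcount):
        name, offset = read_name(packet, offset)
        names.append(name)
        offset += 4                               # skip QTYPE and QCLASS
    return names


def matches(packet, watch_string):
    """Emulate the DNS_Query context: which expanded query names contain the String value?"""
    needle = watch_string.lower()                 # assumption: matching ignores case
    return [name for name in query_names(packet) if needle in name]
```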
Email_Receiver context
Use the Email_Receiver context to monitor incoming or outgoing email to a particular recipient.
Monitors
The Email_Receiver context monitors the receiver address part of the email header in the SMTP, POP, and IMAP protocols. When the appliance detects an event that matches a signature using the Email_Receiver context, you can determine which protocol the email used by examining the details of the event.
Note: This context does not monitor email sent with the MAPI protocol.
Examples
If you suspect that someone is using “social engineering” to manipulate certain employees, you can monitor inbound email to those employees’ addresses and log the source IPs. Or if you suspect someone is leaking proprietary information within your company to a particular outside email address, you could track email to that address.