Proventia Network IPS G and GX Appliance User Guide
User-Defined Event Contexts
Email_Sender context
Use the Email_Sender context to monitor incoming or outgoing email from a particular
sender.
● Monitors
The Email_Sender context monitors the sender address in the email header of messages
carried over the SMTP, POP, and IMAP protocols. When the appliance detects an event that
matches a signature using the Email_Sender context, you can examine the details of the
event to determine which protocol the email used.
Note: This context does not monitor email sent with the MAPI protocol.
● Examples
Use the Email_Sender context to detect social engineering or other attempts to
manipulate employees (inbound), or to detect information leaks from your company
(outbound).
Email_Subject context
Use the Email_Subject context to monitor the subject line of email.
● Monitors
The Email_Subject context monitors the subject line in the email header of messages
using the SMTP, POP, and IMAP protocols.
Note: This context does not monitor email sent with the MAPI protocol.
● Examples
You can create signatures to detect information leaks by monitoring for important
project names or file names.
You can also use Email_Subject to detect viruses that use a fixed subject line, such as
the ILOVEYOU virus.
Tip: Because many viruses and other attacks now change the subject line systematically,
use the Email_Content context to track those types.
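The following is an added example, not code from this guide or from the Proventia product, showing what the Email_Sender and Email_Subject contexts match. A toy sensor classifies an already reassembled SMTP, POP3 or IMAP stream by its server greeting, pulls the message header block out of the protocol exchange, unfolds folded header lines, and runs user-defined signatures against the sender address and the subject line. The hostnames, addresses, signature names and the three sessions are constructed, and the greeting-based protocol detection and header-extraction rules are simplified assumptions rather than the appliance's own parser.

```python
"""Toy Email_Sender and Email_Subject contexts over SMTP, POP3 and IMAP (added
example, not Proventia code). Each sample is a constructed, already reassembled
TCP stream with both directions in order; MAPI traffic is not handled."""
import re

# User-defined signatures: (name, context, pattern applied to the unfolded header value).
SIGNATURES = [
    ("project-atlas-leak", "Email_Subject", re.compile(rb"Project Atlas", re.I)),
    ("ceo-impersonation", "Email_Sender", re.compile(rb"^ceo@acme-corp\.example$", re.I)),
    ("iloveyou-worm", "Email_Subject", re.compile(rb"^ILOVEYOU$", re.I)),
]
GREETINGS = ((b"220 ", "SMTP"), (b"+OK", "POP3"), (b"* OK", "IMAP"))

# Constructed SMTP session (hosts and addresses are made up); note the folded Subject.
SMTP_SESSION = (
    b"220 mail.acme-corp.example ESMTP\r\n"
    b"DATA\r\n"
    b"354 End data with <CR><LF>.<CR><LF>\r\n"
    b"From: Alice <alice@acme-corp.example>\r\n"
    b"Subject: Project\r\n"   # folded: a line-at-a-time matcher sees only
    b" Atlas status\r\n"      # "Project" here and misses the signature
    b"\r\n"
    b".\r\n"
)
# Constructed POP3 session: the message is returned after RETR.
POP3_MESSAGE = (
    b'From: "The CEO" <ceo@acme-corp.example>\r\n'
    b"Subject: Urgent wire transfer\r\n"
    b"\r\n"
    b"Please buy the gift cards today.\r\n"
)
POP3_SESSION = (
    b"+OK POP3 server ready\r\n"
    b"RETR 1\r\n"
    + b"+OK %d octets\r\n" % len(POP3_MESSAGE)
    + POP3_MESSAGE
    + b".\r\n"
)
# Constructed IMAP session: the header arrives as a literal inside the FETCH response.
IMAP_HEADER = (
    b"From: mailer@somewhere.example\r\n"
    b"Subject: ILOVEYOU\r\n"
    b"\r\n"
)
IMAP_SESSION = (
    b"* OK IMAP4rev1 ready\r\n"
    b"a3 FETCH 1 BODY[HEADER]\r\n"
    + b"* 1 FETCH (BODY[HEADER] {%d}\r\n" % len(IMAP_HEADER)
    + IMAP_HEADER
    + b")\r\n"
)

def detect_protocol(session):
    """Classify the stream by its server greeting; the event reports this protocol."""
    for greeting, protocol in GREETINGS:
        if session.startswith(greeting):
            return protocol
    raise ValueError("not an SMTP, POP3 or IMAP stream (MAPI is not covered)")

def header_block(session, protocol):
    """Return the RFC 5322 header block of the message carried in the stream."""
    if protocol == "SMTP":      # message follows the 354 reply to DATA
        start = session.index(b"\r\n354 ") + 2
    elif protocol == "POP3":    # message follows the +OK reply to RETR
        start = session.index(b"+OK", session.index(b"RETR "))
    else:                       # IMAP literal: "{<octets>}\r\n<message>"
        start = session.index(b"{", session.index(b"FETCH ("))
    start = session.index(b"\r\n", start) + 2
    return session[start:session.index(b"\r\n\r\n", start)]

def parse_headers(block):
    """Unfold continuation lines (RFC 5322 section 2.2.3), then split 'Name: value'."""
    lines = []
    for raw in block.split(b"\r\n"):
        if raw[:1] in (b" ", b"\t") and lines:
            lines[-1] += raw        # drop the CRLF, keep the leading whitespace
        else:
            lines.append(raw)
    parts = (line.partition(b":") for line in lines)
    return {name.strip().lower(): value.strip() for name, _, value in parts}

def sender_address(headers):
    """The address part of From:, ignoring any display name."""
    value = headers.get(b"from", b"")
    found = re.search(rb"<([^>]+)>", value)
    return (found.group(1) if found else value).strip().lower()

def scan_session(session):
    """Run each signature against its context; returns (signature, context, protocol, value)."""
    protocol = detect_protocol(session)
    headers = parse_headers(header_block(session, protocol))
    fields = {"Email_Sender": sender_address(headers),
              "Email_Subject": headers.get(b"subject", b"")}
    return [(name, context, protocol, fields[context].decode("ascii", "replace"))
            for name, context, pattern in SIGNATURES if pattern.search(fields[context])]

if __name__ == "__main__":
    for session in (SMTP_SESSION, POP3_SESSION, IMAP_SESSION):
        for event in scan_session(session):
            print("%-20s %-13s %-4s %s" % event)
```

Each event carries the protocol the message used, as the guide describes. The folded Subject in the SMTP sample is the point to notice: the signature is applied to the unfolded value, so "Project Atlas" still matches even though no single line on the wire contains it. A stream that is not SMTP, POP3 or IMAP (MAPI, for example) is rejected rather than scanned.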
File_Name context
Use the File_Name context to monitor who accesses sensitive files over the network in
your organization.
● Monitors
The File_Name context detects when someone (or a program) attempts to remotely
read a file or write to a file with any of the following protocols:
■ TFTP
■ FTP
■ Windows file sharing (CIFS or Samba)
■ NFS
Note: NFS can open a file without directly referencing its name (read and write calls
carry a file handle), so using this context to monitor NFS access to a file may not be
100% effective.
● Example
When the Explorer worm of 1999 propagated across Windows networks, it attempted to
write to certain files on remote Windows shares. With a worm like this, you can monitor
for attempts to write to those files and stop the worm from propagating inside your
network.
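The following is an added example, not code from this guide or from the Proventia product, showing how a File_Name context pulls the file name out of two of the protocols listed above and gates a signature on read versus write access, the distinction the worm example relies on. TFTP read and write requests are parsed as binary packets (with a truncated packet rejected instead of crashing the parser), and FTP RETR/STOR commands are resolved against the tracked working directory so that a "../" name is matched as the path the client actually requested. The signature names, file names and packets are constructed. SMB/CIFS is omitted for brevity, and NFS is left out on purpose because its read and write calls carry a file handle rather than a name, which is the limitation the note above describes.

```python
"""Toy File_Name context over TFTP and FTP (added example, not Proventia code).

Each input is constructed. SMB/CIFS is omitted for brevity, and NFS is left out
on purpose: an NFS READ or WRITE call carries a file handle, not a name, so the
name is only visible if the sensor also saw the LOOKUP that returned the handle."""
import posixpath
import re
import struct

# User-defined signatures: (name, operations it fires on, pattern applied to the path).
SIGNATURES = [
    ("unix-credential-file", {"read"}, re.compile(r"(^|/)(passwd|shadow)$")),
    ("win-ini-write", {"write"}, re.compile(r"(^|[/\\])win\.ini$", re.I)),
    ("payroll-read", {"read"}, re.compile(r"payroll", re.I)),
]
TFTP_RRQ, TFTP_WRQ = 1, 2              # RFC 1350 opcodes that carry a file name
FTP_READ, FTP_WRITE = {"RETR"}, {"STOR", "STOU", "APPE"}

# Constructed inputs: two TFTP request packets (UDP payloads) and the client
# side of an FTP control connection.
TFTP_RRQ_SHADOW = b"\x00\x01/etc/shadow\x00octet\x00"
TFTP_WRQ_TRUNCATED = b"\x00\x02win.ini\x00octet"     # mode not NUL-terminated
FTP_CLIENT_STREAM = (
    b"USER anonymous\r\n"
    b"PASS guest@\r\n"
    b"CWD /finance\r\n"
    b"RETR payroll.xlsx\r\n"
    b"STOR ../WINDOWS/win.ini\r\n"
    b"RETR passwd.txt\r\n"
    b"QUIT\r\n"
)

def match_signatures(operation, path):
    """Names of the signatures whose operation set and pattern both match."""
    return [name for name, ops, pat in SIGNATURES if operation in ops and pat.search(path)]

def parse_tftp(payload):
    """('read'|'write', filename) for an RRQ/WRQ; None for other or malformed packets."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return None                    # DATA, ACK and ERROR carry no file name
    fields = payload[2:].split(b"\0")  # filename NUL mode NUL [options...]
    if len(fields) < 3:
        return None                    # a missing terminator means a broken packet
    filename = fields[0].decode("ascii", "replace")
    return ("read" if opcode == TFTP_RRQ else "write", filename)

def scan_tftp(payload):
    """Events for one TFTP packet: (signature, operation, filename)."""
    parsed = parse_tftp(payload)
    if parsed is None:
        return []
    operation, filename = parsed
    return [(name, operation, filename) for name in match_signatures(operation, filename)]

def scan_ftp_session(client_stream):
    """Events for an FTP control connection: (signature, operation, absolute path).

    CWD is tracked so that a relative or ../ name resolves to the path the
    client actually asked the server for."""
    cwd, events = "/", []
    for line in client_stream.decode("ascii", "replace").split("\r\n"):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if not arg:
            continue
        if verb == "CWD":
            cwd = posixpath.normpath(posixpath.join(cwd, arg))
        elif verb in FTP_READ or verb in FTP_WRITE:
            operation = "read" if verb in FTP_READ else "write"
            path = posixpath.normpath(posixpath.join(cwd, arg))
            events += [(name, operation, path) for name in match_signatures(operation, path)]
    return events

if __name__ == "__main__":
    for event in scan_tftp(TFTP_RRQ_SHADOW) + scan_ftp_session(FTP_CLIENT_STREAM):
        print("%-22s %-5s %s" % event)
```

Two details are worth carrying into a real signature set: the "win-ini-write" signature fires only on write access, so a legitimate read of the same file stays quiet, and "RETR passwd.txt" produces no event because the credential-file pattern is anchored to the whole file name rather than matching any name that merely contains it.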