Context options for Situation elements
Context elements define what the Situation element matches. Adding a context to a Situation allows you to define what kinds of patterns you want to look for in the traffic.
For example, you can specify that you want to look for a certain character sequence in an HTTP stream from the client to the server.
When you select a context, a set of options or a field for entering a regular expression as parameters for the context is added to the Situation element. The parameters define the pattern you want to look for in the traffic.
The following types of contexts are available:
Context | Description |
---|---|
Anti-Malware | Anti-Malware contexts are used to detect malware. |
DoS Detection | DoS detection contexts provide parameters for detecting DoS (Denial of Service) events in network traffic. |
File | File contexts are used to detect malicious or suspicious content in transferred files regardless of the transport protocol used. When a file is detected, the file is inspected to identify the file type. When the file type is identified, more specific inspection can be applied to the file. |
Protocol-specific contexts |
Protocol-specific contexts are used to detect a particular characteristic in the network traffic. For example, you can detect a certain option number used in IP packets, or set the maximum length for particular arguments in FTP commands. For contexts that have particular values to be filled in (instead of a regular expression), the parameters you define in the contexts often actually determine what is regarded as normal. Anything above/below/outside/not matching these values is regarded as a match for the Situation. In some cases, you might define what the Situation does not match. Using protocol-specific contexts requires basic knowledge of the underlying network protocols and how the traffic in your network uses those protocols. For more information about what a particular context is used for, see the Properties dialog box of the context. |
Scan Detection | Scan detection contexts provide parameters for detecting attempts to scan which IP addresses are in use or which ports are open in your systems. |
System | System contexts are used for errors and other system events. System Contexts are internal to the SMC, and they cannot be edited in any way. |