Situation elements
Situation elements are used in Inspection rules to define patterns that deep packet inspection looks for in traffic.
The Situations tree is constructed differently compared to most other trees. The Situations tree contains several alternative groupings, so most Situations are shown in several places. The groupings allow you to easily find Situations that are specific to the task at hand. For example, Situations specific to the HTTP protocol (some of which are specific to particular web browsers) are stored at the following location in the Situations tree:
.Some branches are groupings that you can add to yourself. You can use most of these branches in Inspection rules. The Situation Type groupings are used as the basis for the tree-based Inspection rules configuration in Inspection Policy elements.
Situations and their groupings are updated in dynamic update packages. The following table lists the default branches at the time of writing this document.
Tree branch | Explanation | |
---|---|---|
All Situations | All Situations in the system without any grouping. | |
By Context | Anti-Malware | Events triggered in the malware scan. |
Correlations | Correlation Situations for detecting patterns in event data. | |
DoS Detection | Situations for detecting DoS (denial-of-service) attacks. | |
DXL | Legacy situations related to McAfee Threat Intelligence Exchange (TIE). McAfee Threat Intelligence Exchange (TIE) is no longer supported in Engine 6.10 and higher. | |
Files | Situations based on identifying file types from traffic. Content identified based on file type fingerprints is redirected to appropriate file streams. | |
Protocols | Situations that identify protocols from traffic. | |
Scan Detection | Situations for detecting network scans. | |
System | System-internal events. | |
By Tag | By Hardware | Situations that detect something specific to a particular hardware platform grouped by platform (for example, x86 (32-bit) or x86-64 (64-bit)). An example of something hardware specific is an attempt to exploit a known vulnerability that only exists on a particular platform. |
By Operating System | Situations that detect something specific to a particular operating system, grouped by operating system (for example, Windows (for all Windows versions) or Windows 2000). | |
By Situation Tag | Free-form grouping for some special use cases. The Recent Updates branch is especially useful. The branches dynamically list Situations that have been recently added to the system in the 1–5 most recent dynamic update packages. (This list helps in tuning your policies.) | |
By Software | Situations that detect something specific to a particular software, grouped by brand or product name (for example, Adobe Acrobat or Microsoft Office). | |
By Type | These Situations are shown as the main Rules tree in the Inspection rules. | |
By Vulnerability | Situations that detect attempts to exploit known vulnerabilities grouped by vulnerability name. | |
Custom Situations | Custom Situations that the administrators create. Custom Situations can also appear in the other branches. |