Example: detecting the use of forbidden software

Engine-specific examples of using custom Situations to detect traffic patterns associated with specific software.

Firewall engine

Company A has a Firewall that inspects all outgoing web traffic against the Inspection Policy. The use of instant messaging clients across the Internet is forbidden in the company. The Inspection Policy is set to detect and log Situations with the Instant Messaging Tag.

The company’s administrators have found out that some internal users have started chatting using a new little-known instant messaging client that does not have a default Situation yet. The communications seem to be standard HTTP directly from client to client. The administrators find one distinctive characteristic in the software: when started, the software in question always connects to a particular address to check for updates using HTTP.

The administrators:
  1. Create a custom Situation element with the name “Software X”.
  2. Add the HTTP Request URI Context to the Situation and, using the SMC regular expression syntax, type in a regular expression that matches the update-check address the Situation should find.
  3. Add the default system Tag Instant Messaging to the Situation.
  4. Refresh the Firewall’s policy.
  5. Open the Logs view and filter the view using the “Software X” Situation as the filtering criteria.
  6. See which computers use the forbidden software and remove the software from the computers shown in the logs.

IPS engine

Company A has an IPS engine deployed in between their internal network and the Internet. The IPS engine uses a policy that is based on the IPS Template policy.

The administrators find out that some of the internal users have installed a piece of software on their computers that the company’s security policy forbids. They consider this software a security risk.

The administrators decide that they would like to detect the use of the software so that they can find out which users have installed it. The administrators find one simple but distinctive characteristic in the software: when started, the software in question always connects to a particular address to check for updates using HTTP.

The administrators:
  1. Create a custom Situation element with the name “Software X”.
  2. Add the HTTP Client Stream Context to the Situation and, using the SMC regular expression syntax, type in a regular expression that matches the update-check address the Situation should find.
  3. Add one of the default Situation Types under Traffic Identification to the Situation.
  4. Select the correct options for logging the traffic in the Rules tree in the Inspection Policy and install the policy on the IPS engine.
  5. Open the Logs view and filter the view using the “Software X” Situation as the filtering criteria.
  6. See which computers use the forbidden software and take action based on which IP addresses are shown in the logs.
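The detection logic behind both procedures above (the Firewall's Request URI Context and the IPS engine's Client Stream Context), written as an added Python illustration rather than SMC code: Python's re syntax stands in for the SMC regular expression syntax, and the Software X update address, the host addresses and the request samples are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

REQUEST_LINE = re.compile(r"^[A-Z]+ (\S+) HTTP/1\.[01]\r\n")

@dataclass
class Situation:
    """A custom Situation: one Context, the regex matched in it, and the Tag/Type attached to it."""
    name: str
    context: str          # "HTTP Request URI" (Firewall example) or "HTTP Client Stream" (IPS example)
    pattern: re.Pattern
    labels: set = field(default_factory=set)

# Hypothetical update-check address of "Software X" (constructed placeholder, not from the page).
FIREWALL_SITUATION = Situation("Software X", "HTTP Request URI",
    re.compile(r"^/update/check\?client=softwarex"), {"Instant Messaging"})
IPS_SITUATION = Situation("Software X", "HTTP Client Stream",
    re.compile(r"\r\nHost: updates\.softwarex\.example\r\n"), {"Traffic Identification"})

# Constructed client-to-server data as the engine sees it: (source IP, raw HTTP request).
SAMPLE_STREAMS = [
    ("10.1.1.5", "GET /update/check?client=softwarex&v=1.2 HTTP/1.1\r\nHost: updates.softwarex.example\r\n\r\n"),
    ("10.1.1.9", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.1.1.5", "GET /news HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.1.2.7", "GET /update/check?client=softwarex&v=1.3 HTTP/1.1\r\nHost: updates.softwarex.example\r\n\r\n"),
    ("10.1.3.1", "GET /download/setup.exe HTTP/1.1\r\nHost: updates.softwarex.example\r\n\r\n"),  # installer fetch
]

def request_uri(stream):
    """Request URI of the first request line, or None when the data is not HTTP."""
    m = REQUEST_LINE.match(stream)
    return m.group(1) if m else None

def inspect(streams, situation):
    """Apply the Situation's regex in its Context to each stream; return Logs-view-style entries."""
    logs = []
    for src_ip, stream in streams:
        data = request_uri(stream) if situation.context == "HTTP Request URI" else stream
        if data is not None and situation.pattern.search(data):
            logs.append({"src_ip": src_ip, "situation": situation.name,
                         "labels": sorted(situation.labels)})
    return logs

def hosts_using(streams, situation):
    """Steps 5 and 6: filter the logs on the Situation name and list the source hosts."""
    logs = inspect(streams, situation)
    return sorted({e["src_ip"] for e in logs if e["situation"] == situation.name})

if __name__ == "__main__":
    print(hosts_using(SAMPLE_STREAMS, FIREWALL_SITUATION), hosts_using(SAMPLE_STREAMS, IPS_SITUATION))
```

The Request URI regex matches only the update check itself, while the Client Stream regex keyed on the Host header also reports 10.1.3.1, which merely downloaded the installer; narrow the stream pattern to the request line as well if only running clients are of interest.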