Alert Rules

Overview

This section covers the use of alerts and their configuration, available under the Alerts menu in WinProxy. Alerts can be used to notify the system administrator when certain events take place. For example, it is especially important to know when WinProxy catches a virus being sent through SMTP because this means that the virus resides somewhere on your network. The alert can take several forms, including sending an email message and writing to a log file.

The Alerts Main Screen


Figure 4.13: The Alerts main screen. Rule #1 is a Virus rule.

There are two items in the Alerts menu: Set Rules and View Logs. Choosing Set Rules will open the Alerts main screen. This screen is made up of the Menu Bar, Tool Bar and two window panes. The left pane lists the different types of alerts in a tree view. It is organized by the type of event that triggers an alert. The right pane displays individual alert rules. Selecting a type of event on the left reveals the individual rules associated with that event.

Menu Bar

File Menu: Alert Settings opens the Alert Settings dialog box, which configures general alert settings. These settings apply to all alerts; properties for individual alerts are configured by editing each rule.


Figure 4.14: The Alert Settings dialog box controls the basic behavior of Alerts.

When the Enable Alerts box is checked, WinProxy will apply all alert rules defined in the Alerts main screen. If this box is unchecked rules will not be applied, even if they are defined.

Among the alert features is the ability to send alerts via Email. In order for WinProxy to send an alert, it must know which mail server to use. The SMTP server IP address is the address of the mail server. This server is probably the same server that you use to send your own email. If you do not know the name or IP address of your SMTP server, you should be able to find it in the settings section of your email program (Outlook, Eudora, etc.). The return address for the Alert Email can be any email address you specify. Some SMTP servers require that the return address be a valid email address on that server, and many refuse to relay mail from hosts they do not recognise, so confirm that your server will accept the outgoing mail from WinProxy before you rely on emailed alerts. WinProxy will try to connect to the mail server on the port you specify.

Some alerts are written to a log file in addition to or instead of being sent via email. The Log file: filename box is where you can tell WinProxy where to keep your default log file. You can call it anything you want, although it should be of the type ".log". The log can be kept in any directory you choose. The file grows with every rule that writes to it, so make sure there is enough space on the drive.

You may keep more than one set of alert rules on the WinProxy computer. It may be convenient to have several alert definition files with slightly different rules to be enforced at different times. The file menu is where you choose which set of rules you are using. Each set of rules is saved as an ".xml" file. WinProxy uses a file called Alerts.xml in the WinProxy directory by default. Commands in the File menu allow you to create new alert definition files or open, save, or set a new file as the default.

View Menu: The View Menu affects the layout of the two panes in the window. The top two commands, Expand All and Collapse All, affect the tree view in the Left Pane. The lower commands affect the view of the Right Pane. They work just like the same commands found in the View Menu in Windows Explorer.

Options Menu: This menu changes the state of rules that already exist. The Disable option can work two ways. If one or more rules are selected in the Right Pane and this option is chosen, those rules will be disabled. The disabled rules will be marked with a red "X" in the Right Pane. If a heading in the Left Pane is selected, Disable will affect all rules under the heading. This will be marked by the yellow rule icon turning gray.


Figure 4.15: All Smart Filter rules are disabled, and two individual rules under Virus are disabled.

The Don't trigger parent Alerts option can be used to avoid sending multiple alerts for the same event. Consider, for example, the case of two alert rules. One is defined under the Black List heading and the other is defined under the Alerts parent heading. Ordinarily, an event that would trigger the Black List rule would also trigger the Alerts rule. By activating the Don't trigger parent Alerts option for the Black List heading, the Alerts rule will not be triggered.

NOTE: This option applies to headings and sub-headings in the Left Pane only. If a particular heading has more than one rule, selecting only one of those rules and then choosing the Don't trigger parent alerts option means that none of the alert rules in the heading will "cascade up" to other headings.

Alert Rule Menu: The Alert Rule Menu contains commands that affect the rules listed in the Right Pane of the window. Cut, Copy and Paste can be used to place copies of rules under different headings. Add is used to create new rules, and Properties is used to edit individual rules that have already been created.

Toolbar

The Toolbar contains easy shortcuts to commands otherwise found in the Menu Bar. Hovering your mouse pointer over each icon will give you a tool tip that names the command. The commands are Enable Alerts from Settings; Properties, Add, and Delete from the Alert Rule Menu; and Next View Mode from the View menu.

Left and Right Pane

The majority of the Alerts main screen is taken up by the left and right panes of the window. This display works much the same way as the familiar Windows Explorer program. The tree of headings and sub-headings on the left lists the types of alerts possible, and the pane on the right lists specific alert rules. Each heading on the left can have its own set of alert rules. The headings are marked by various icons representing different conditions.

Icon States

  No Icon       No rules are defined for this heading
  Yellow Rule   Rules are defined, and at least one is active
  Grey Rule     Rules are defined, but none are enabled
  Up Arrow      Trigger Parent Alerts is turned on
  Red "X"       The feature is turned off in WinProxy

When a heading is selected, a small box appears around the icon, and the individual alert rules for that heading are displayed in the Right Pane. When the Right Pane is in "Detail" view, the rules can be sorted by clicking on the column heading. Clicking on the Name column will alphabetize the rules.

WINPROXY STILL STOPS THE VIRUS! Keep in mind that all alerts are triggered when WinProxy detects an attempt to make one of these transgressions. When a virus is detected or a Black list rule is triggered, WinProxy still keeps the virus from reaching its destination or keeps the user from reaching the disallowed web site. An alert rule only adds notification; it never replaces the block.

Alerts: This is the master heading. Any rule placed in this heading will be triggered whenever an event occurs, regardless of the type of event. The only time that this is not true is when a heading below it has been disabled. If the Smart filters heading has been disabled (the icon will turn gray), a rule placed in the Alerts heading will be triggered by a virus, black list, or white list violation, but it will not be triggered by the Smart filter.


Figure 4.16: The "All Rules" alert will not be triggered by a Smart Filter event because Smart Filter rules are disabled.

Virus: A Virus rule is triggered each time WinProxy detects a virus. If rules are defined under the Virus heading, WinProxy eliminates the virus first, then performs the instructions contained in the rule. A Virus rule can be limited to being triggered only by certain methods of transport. These settings are found in the individual Properties for each rule. A virus can arrive on your network in a file obtained through File Transfer Protocol (FTP), or from a web page (HTTP) or via email. POP3 is incoming email (mail you receive from others) and SMTP is email you send out. In the case of SMTP, WinProxy is protecting the recipient of the message; it keeps you from sending a virus to your friends.

WARNING!!! If WinProxy detects a virus that is being transported via SMTP, it means that you have the virus on your network already! WinProxy will keep you from spreading the virus, but you must find it and eliminate it from your network. A good Alert Rule will tell you the sender of the virus and the name of the virus: this is normally enough to track it down, but bear in mind that mass-mailing viruses often forge the sender address, so treat it as a starting point and confirm which machine actually sent the message.

Smart filters: If you have purchased a SmartFilter license, you can send an alert each time a computer on your network tries to access a forbidden site.

Black list and White list: These alerts are triggered in the same way as the SmartFilter alerts. If you enforce a Black list or a White list, you can make an alert rule to notify you when an attempt is made to access a site that is disallowed. Like Virus rules, Black list and White list rules can be limited by transport protocol.
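The cascade described above (rules under the master Alerts heading, disabled headings, Don't trigger parent Alerts, and per-rule transport restrictions) interacts in ways that are easy to misjudge from the icons alone. The following is an added example written for this page, not WinProxy's own code: it models that dispatch logic in Python so the outcome of a given configuration can be checked. The heading tree, rule names and transport names are invented for the example, and time restrictions are ignored.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

ALL_TRANSPORTS = frozenset({"FTP", "HTTP", "POP3", "SMTP"})


@dataclass
class Rule:
    """One alert rule as listed in the Right Pane."""
    name: str
    disabled: bool = False                        # Disabled checkbox on the General tab
    transports: FrozenSet[str] = ALL_TRANSPORTS   # transports allowed to trigger it


@dataclass
class Heading:
    """One heading in the Left Pane tree (Alerts, Virus, Black list, ...)."""
    name: str
    parent: Optional["Heading"] = None
    rules: List[Rule] = field(default_factory=list)
    disabled: bool = False        # Options > Disable on the heading (grey icon)
    trigger_parent: bool = True   # False once "Don't trigger parent Alerts" is set


def rules_fired(heading: Heading, transport: str) -> List[str]:
    """Names of the rules that respond to an event filed under `heading`
    that arrived over `transport`, in evaluation order (heading first,
    then each parent up to the master Alerts heading)."""
    fired: List[str] = []
    if heading.disabled:
        # A disabled heading fires none of its own rules and, as the manual
        # notes for Smart filters, does not trigger rules in headings above it.
        return fired
    node: Optional[Heading] = heading
    while node is not None:
        for rule in node.rules:
            if not rule.disabled and transport in rule.transports:
                fired.append(rule.name)
        if not node.trigger_parent:
            break                 # "Don't trigger parent Alerts" stops the cascade here
        node = node.parent
    return fired


def build_example_tree() -> Dict[str, Heading]:
    """Constructed configuration; every name here is invented for the example."""
    alerts = Heading("Alerts", rules=[Rule("All Rules")])
    virus = Heading("Virus", parent=alerts, rules=[
        Rule("Outbound virus to admin", transports=frozenset({"SMTP"})),
        Rule("Old virus rule", disabled=True),
    ])
    smart = Heading("Smart filters", parent=alerts, disabled=True,
                    rules=[Rule("Forbidden site")])
    black = Heading("Black list", parent=alerts, trigger_parent=False,
                    rules=[Rule("Black list hit")])
    white = Heading("White list", parent=alerts, rules=[Rule("White list hit")])
    return {h.name: h for h in (alerts, virus, smart, black, white)}


if __name__ == "__main__":
    tree = build_example_tree()
    for heading, transport in (("Virus", "SMTP"), ("Virus", "FTP"),
                               ("Smart filters", "HTTP"), ("Black list", "HTTP"),
                               ("White list", "HTTP")):
        print(f"{heading:14} via {transport:5} -> {rules_fired(tree[heading], transport)}")
```

Running it shows the two points worth remembering: a Virus rule limited to SMTP stays silent for a virus fetched over FTP while the master "All Rules" rule still fires, and a Black list heading with Don't trigger parent Alerts set fires only its own rule.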

Creating Alert Rules

An alert rule can be added by choosing Add from the Alert Rule menu, or Right-Clicking on a heading and choosing Add Rule, or by Right-Clicking in the Right Pane of the window and choosing Add. When you add a rule, you are presented with a Properties box for the new rule. The Properties box is at the heart of alert rule-making. It has three tabs where you will define how each rule operates.

General tab: The General tab allows you to give the rule a name and a description and, for rule types where it applies, to choose which transport protocols trigger it. There is also a checkbox for disabling the rule. A disabled rule appears in the Right Pane with a red "X" icon. It can be re-enabled by opening the properties and deselecting the Disabled checkbox. Virus, Black List, and White List rules can be limited by which method of transport will trigger the alert. By default, all transport protocols are enabled, but you can turn them on or off individually.


Figure 4.17: The General tab allows you name and describe the rule.

Respond tab: There are four ways that an alert rule can respond to an event. It can send an Email or a Message, write an entry into a Log File, or run a Program. When sending an Email, the respond tab asks for an email address (usually the address of the system administrator) in the form: name@isp.com. It also provides boxes where you can enter the subject and text of the message. The Insert Auto Text drop-down box contains a list of variables that can be generated in each alert. For example, your email message to the system administrator can contain the name of the virus that was caught or the user that was sending it.

The Message type of rule is only available in Windows NT/2000/Me/XP. It will send a message to the destination using the Net Send method.


Figure 4.18: This alert rule will send an email message to the recipient specified.

A rule that writes to a Log File will add an entry to the file whenever the rule is triggered. The entry will contain the text typed into the Message Text field and can contain Auto Text. If Use default log file is checked, the log file entry field will be disabled and WinProxy will write to the default log file defined in the Alert Settings dialog box (File/Alert Settings). If this box is unchecked, you may enter the name and location of any log file you wish. You may have as many log files on the WinProxy machine as you wish. In fact, you might find it convenient to keep a different log for each type of alert.

When you choose Program in the Respond by drop-down box, WinProxy will run a program that you specify each time the rule is triggered. This can be any program, including batch files. Running programs and batch files, combined with the option of including command line parameters, makes the Program option extremely powerful and flexible. Remember that Auto Text values such as the sender address or virus name come from the traffic that triggered the alert, so treat them as untrusted input when a batch file passes them on to other commands.


Figure 4.19: Insert Auto Text allows you to include details about the event. This log file rule will record the time when an event happened.
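A log-file rule is only useful if someone reads the log, and the warning above makes the point that a virus caught over SMTP identifies an infected host inside the network. The following is an added example, not part of the manual or of WinProxy: a small Python parser for an alert log, followed by a triage function that picks out SMTP virus events by sender. The entry layout (date, time, heading, then key=value pairs produced by Message Text and Auto Text) and the sample entries are constructed for this example; adapt the regular expression to whatever Message Text your own rule writes.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Constructed sample of an alert log. The layout is an assumption for this
# example: one line per event, "<date> <time> <heading> key=value ...".
SAMPLE_LOG = """\
2003-05-12 09:14:02 VIRUS transport=POP3 user=alice@example.com virus=W32/Klez.H
2003-05-12 09:20:41 VIRUS transport=SMTP user=bob@example.com virus=W32/Klez.H
2003-05-12 09:21:03 VIRUS transport=SMTP user=bob@example.com virus=W32/Klez.H
2003-05-12 09:25:17 BLACKLIST transport=HTTP user=carol@example.com site=www.example.net
2003-05-12 09:30:55 VIRUS transport=SMTP user=dave@example.com virus=W32/Sobig.A
this line is not an alert entry
"""

ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<heading>[A-Z]+)(?P<fields>(?: \w+=\S+)*)$"
)


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {"date": m["date"], "time": m["time"], "heading": m["heading"]}
    for pair in m["fields"].split():
        key, _, value = pair.partition("=")
        entry[key] = value
    return entry


def parse_log(text: str) -> List[Dict[str, str]]:
    """All well-formed entries in a log, in file order; junk lines are skipped."""
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def outbound_virus_senders(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each sender that tried to send a virus over SMTP to the virus names seen.
    A hit here means an infected machine inside the network, not an incoming threat."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e["heading"] == "VIRUS" and e.get("transport") == "SMTP":
            seen[e["user"]].append(e["virus"])
    return dict(seen)


def counts_by_heading(entries: List[Dict[str, str]]) -> Counter:
    """Volume per rule type, a quick check for rules that would flood a mailbox."""
    return Counter(e["heading"] for e in entries)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for sender, viruses in outbound_virus_senders(entries).items():
        print(f"INTERNAL INFECTION? {sender} sent {len(viruses)} infected "
              f"message(s): {sorted(set(viruses))}")
    print(counts_by_heading(entries))
```

On the sample log the triage flags bob@example.com and dave@example.com as senders of infected outbound mail and leaves alice@example.com alone, since her virus arrived over POP3 and was stopped before it reached her. As the warning above notes, the sender address is a lead, not proof; confirm the originating machine before cleaning it.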

Time Restrictions tab: Settings on this tab allow control over both when an alert is triggered and when the response to the alert is sent. Source time restrictions set parameters for when an alert rule is active. If an event happens outside of the Source hours, it will not trigger the alert. The Response time restrictions let you control when the response to an alert happens.


Figure 4.20: Time Restrictions can affect either whether the rule is triggered at all (source) or when the alert is recorded (Response).

Perhaps you want to know about all alerts, but you don't want to be notified after midnight. With the proper settings, the Response restrictions can make it so that you only receive alerts between 8:00 am and 5:00 pm. For both Source and Response, the Anytime checkbox means that they are active 24 hours a day. When this box is unchecked, the detailed time restrictions list becomes available. Click the Add button to add a time restriction. Clicking on the times and days will allow you to enter the parameters for your time restriction.

A NOTE OF CAUTION: The alert rules are very flexible. Carefully consider the effects of each rule before it is put into place. For example, it is possible to make a rule that is only triggered when a virus arrives via FTP between noon and 1:00 pm on a Tuesday. It may never be triggered, but WinProxy might still be catching viruses at other times. Conversely, sending an email message to the network administrator every time the Whitelist is violated could end up overflowing the mailbox.
