Add Tag elements to Situation elements

You can use Tag elements to group Situation elements and Situation Type elements to classify Situations.

You can use predefined Tags or create new ones according to any criteria (for example, create a Tag for grouping together related services). Situation Types are predefined, and you cannot create new Situation Types. You can associate multiple Tags with one Situation, but only one Situation Type can be associated with each Situation.

You can use the Tags and/or Situation Types to represent a group of Situations in the Rules and Exceptions of the Inspection Policy. This allows you to match a rule to all Situations that contain the Tag or Situation Type. Situations that are associated with a Situation Type are automatically included in the Rules tree.

When you are editing the Situation properties, you can add tags.
Note: If a Tag or Situation Type you add to a Situation is in use in some Inspection Policy, the new Situation is automatically included in the policy when you save the Situation. The engines start matching traffic to the Situation when you refresh the policy.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. In the Situation properties, switch to the Tags tab.
  2. Click Add Tags and select a Tag type from the list that opens.
  3. Select the Tags you want to use with this Situation and click Select.
  4. Click OK to confirm the Situation properties change.

Situation Properties dialog box

Use this dialog box to configure a Situation element.

Note: We recommend that you use only the predefined Situation elements included in dynamic update packages. The use of custom Situations is an advanced feature that requires technical expertise.
Option Definition
General tab
Name Specifies a unique name for the Situation.
Comment An optional comment for your own reference.
Vulnerability Lists the known vulnerabilities associated with the Situation, if available.
Situation Type Shows the Situation Type with which to associate this Situation.
Select Opens the Select Element dialog box.

You can only select one Situation Type for each Situation. The Situation Type specifies the branch of the Rules tree under which the Situation is included.

Description Use the Description field to describe the traffic pattern that the Situation represents. This description is shown, for example, in log entries.
Severity Select a Severity for the Situation. The Severity is shown in the logs and can be used in Alert Policies as a criterion for alert escalation.
Attacker Select how the Attacker is determined when the Situation matches. This information is used for block listing and in log entries.
  • None — Does not define the Attacker and Target information, so block listing entries cannot be created using the Attacker and Target options.
  • IP Source or IP Destination— The IP addresses of the (last) packet that triggers the Situation. Because the packet can be a request or a reply, make sure to select the option correctly based on the pattern that the situation detects to avoid reversed labeling.
  • Connection Source or Connection Destination — IP addresses depend on which host opened the connection and provide a constant point of reference to the client and server in the communications.
Target Select how the Target is determined when the Situation matches. This information is used for block listing and in log entries.
  • None — Does not define the Attacker and Target information, so block listing entries cannot be created using the Attacker and Target options.
  • IP Source or IP Destination— The IP addresses of the (last) packet that triggers the Situation. Because the packet can be a request or a reply, make sure to select the option correctly based on the pattern that the situation detects to avoid reversed labeling.
  • Connection Source or Connection Destination — IP addresses depend on which host opened the connection and provide a constant point of reference to the client and server in the communications.
Last Update in Shows the dynamic update package number that the Situation was included in or changed in.
Supported Engine Versions Specifies the supported engine versions for the Situation.
Category Includes the Situation in predefined categories.
Select Opens the Category Selection dialog box.
Option Definition
Context tab
Context Shows the selected Context for this Situation.
Select Opens the Select Context dialog box.
Note: These contexts are updated dynamically and can change.
Option Definition
Tags tab
Name Shows the name of the tag.
Comment Shows the comment associated with the tag.
Type Shows the type of tag.
Add Tags Opens the dialog box to add a tag. Select from the available options:
  • Hardware
  • Operating System
  • Situation Tag
  • Software