Getting started with Situation elements
Situation elements define a pattern in traffic that the engine looks for.
The patterns and events are defined by selecting a Context for the Situation element. The Context contains the information on the traffic to be matched, and the options you can set for the matching process.
The Inspection Policy defines how the Situation elements are matched to traffic and what action the engine takes when a match is found.
Correlation Situation elements are Situation elements that group event data to find patterns in that data.
Situation elements also provide a description that is shown in the logs, and a link to relevant external information (CVE/BID/MS/TA) in the form of a Vulnerability element attached to the Situation.
You can group Situations together using Tags. The Tag elements are shown as branches in the Situations tree and they can be used in policies to represent all Situations that are associated with that Tag. For example, using the Tag Windows in a rule means that the rule matches all Situations that are classified as concerning Windows systems.
Associating a Situation with a Situation Type includes the Situation in the Rules tree in the Inspection Policy, which is grouped according to the Situation Type.
| Correlation Context | Usage Context |
|---|---|
| Compress | Engine Only |
| Count | Engine Only |
| Group | Engine Only |
| Match | Engine Only |
| Sequence | Log Server Only |
By default, correlation is done on both the Engine and the Log Server for custom Correlation Situations.