Define Context options for Situation elements

The Context gives the Situation the information on which patterns you want it to match in the traffic.

For example, you might want to look for a certain character sequence in an HTTP stream from the client to the server.

The Context gives you a set of options or a field for entering a regular expression that you can use to define the pattern you want to look for in the traffic.
Note: Avoid defining the same pattern in different Situation elements. Duplicate situations in the policy can create unintended results and make the policies difficult to manage.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. On the Context tab of the Situation Properties dialog box, click Select.
    The available Context categories are shown.
  2. Select the Context you want to associate with this Situation.
    Note:
    • The details related to the Contexts can be different from what is described here because the Contexts might have been updated through dynamic update packages. Read the Release Notes of each update package you import to see which elements are affected.
    • For many Contexts, type in a regular expression.
    • In other cases, open the Properties dialog box for the Context element for more information.
    The options for the selected Context are added to the Situation Properties.

Situation Properties dialog box

Use this dialog box to configure a Situation element.

Note: We recommend that you use only the predefined Situation elements included in dynamic update packages. The use of custom Situations is an advanced feature that requires technical expertise.
Option Definition
General tab
Name Specifies a unique name for the Situation.
Comment An optional comment for your own reference.
Vulnerability Lists the known vulnerabilities associated with the Situation, if available.
Situation Type Shows the Situation Type with which to associate this Situation.
Select Opens the Select Element dialog box.

You can select only one Situation Type for each Situation. The Situation Type specifies the branch of the Rules tree under which the Situation is included.

Description Use the Description field to describe the traffic pattern that the Situation represents. This description is shown, for example, in log entries.
Severity Select a Severity for the Situation. The Severity is shown in the logs and can be used in Alert Policies as a criterion for alert escalation.
Attacker Select how the Attacker is determined when the Situation matches. This information is used for blacklisting and in log entries.
  • None — Does not define the Attacker and Target information, so blacklisting entries cannot be created using the Attacker and Target options.
  • IP Source or IP Destination — The IP addresses of the (last) packet that triggers the Situation. Because the packet can be a request or a reply, make sure to select the option correctly based on the pattern that the situation detects to avoid reversed labeling.
  • Connection Source or Connection Destination — IP addresses depend on which host opened the connection and provide a constant point of reference to the client and server in the communications.
Target Select how the Target is determined when the Situation matches. This information is used for blacklisting and in log entries.
  • None — Does not define the Attacker and Target information, so blacklisting entries cannot be created using the Attacker and Target options.
  • IP Source or IP Destination — The IP addresses of the (last) packet that triggers the Situation. Since the packet can be a request or a reply, make sure to select the option correctly based on the pattern that the situation detects to avoid reversed labeling.
  • Connection Source or Connection Destination — IP addresses depend on which host opened the connection and provide a constant point of reference to the client and server in the communications.
Last Update in Shows the dynamic update package number that the Situation was included in or changed in.
Supported Engine Versions Specifies the supported engine versions for the Situation.
Category Includes the Situation in predefined categories.
Select Opens the Category Selection dialog box.
Option Definition
Context tab
Context Shows the selected Context for this Situation.
Select Opens the Select Context dialog box.
Note: These contexts are updated dynamically and can change.
Option Definition
Tags tab
Name Shows the name of the tag.
Comment Shows the comment associated with the tag.
Type Shows the type of tag.
Add Tags Opens the dialog box to add a tag. Select from the available options:
  • Hardware
  • Operating System
  • Situation Tag
  • Software
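As an added illustration, not part of the product documentation, the following Python model shows how the Attacker and Target options described above resolve to addresses when the Context pattern matches in a reply rather than a request. The regular expression, hosts and packets are constructed sample values, and the resolution rules implement only what the dialog box descriptions state.

```python
import re
from dataclasses import dataclass

# Constructed Context pattern (hypothetical): matches a header in the
# server's HTTP reply, so the triggering packet flows server -> client.
SITUATION_PATTERN = re.compile(rb"X-Debug-Token:\s*\S+")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes

@dataclass(frozen=True)
class Connection:
    client: str  # host that opened the connection: "Connection Source"
    server: str  # host that accepted it: "Connection Destination"

def find_match(packets):
    """Return the last packet in which the pattern is found, or None."""
    hit = None
    for p in packets:
        if SITUATION_PATTERN.search(p.payload):
            hit = p
    return hit

def label(option, packet, conn):
    """Resolve an Attacker/Target option: IP options use the triggering
    packet, Connection options use who opened the connection."""
    return {
        "None": None,
        "IP Source": packet.src,
        "IP Destination": packet.dst,
        "Connection Source": conn.client,
        "Connection Destination": conn.server,
    }[option]

def attacker_target(attacker_opt, target_opt, packets, conn):
    """Return (attacker, target) for the Situation match, or None if no match."""
    p = find_match(packets)
    if p is None:
        return None
    return label(attacker_opt, p, conn), label(target_opt, p, conn)

# Constructed traffic: 10.0.0.5 opens the connection to 203.0.113.10;
# the pattern appears only in the server's reply.
CONN = Connection(client="10.0.0.5", server="203.0.113.10")
PACKETS = [
    Packet("10.0.0.5", "203.0.113.10", b"GET /status HTTP/1.1\r\nHost: example\r\n\r\n"),
    Packet("203.0.113.10", "10.0.0.5", b"HTTP/1.1 200 OK\r\nX-Debug-Token: abc123\r\n\r\n"),
]
```

With this traffic, "IP Source" labels the server as the Attacker because the triggering packet is a reply, while "Connection Source" keeps the client as the Attacker regardless of packet direction; for a reply-side pattern, "IP Destination" is the option that yields the client.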

Situation Context Properties dialog box

Use this dialog box to view the properties of a Situation Context element.

Option Definition
Name Specifies the unique name of the element.
Comment Shows the comment associated with the Situation Context.
Description Shows the description of the Situation Context.

Situation Context Group dialog box

Use this dialog box to view the properties of a Situation Context Group element.

Option Definition
General tab
Name Specifies the name of the element.
Comment Shows the comment associated with the group.
Description Shows the description of the group.
Content tab
Content Shows the contexts within the group.