Situations configuration overview

Configuring Situation elements involves several main steps.

The Situation element uses different elements to form a representation of the traffic that you want to detect in your Inspection Policy. The purpose of these elements is as follows:
  • The Tag elements help you to create simpler policies with less effort. Tag elements represent all Situations that are associated with that Tag. For example, using the Tag “Windows” in a rule means that the rule matches all Situations that concern Windows systems.
  • The Situation Type elements define the general category of the Situation and the branch of the Rules tree under which the Situation appears (such as Attacks or Successful Attacks). One Situation Type can be associated with each Situation.
  • The Context element defines the traffic patterns the Situation detects. The Context binds the Situation to a certain type of traffic and gives you a set of options or a field for entering a regular expression.
  • The Vulnerability element associates your custom Situation with a commonly known vulnerability. It allows you to attach a description of the Vulnerability and references to public vulnerability databases (which are shown in the Logs view if a match is found).

The Context is the only mandatory element in a Situation. However, we recommend that you consistently associate all relevant Tags with each custom Situation you create. A Vulnerability description is not mandatory either, but it is useful for Situations that detect a publicly known issue, because its references then appear in the Logs view alongside the match.

Figure: Elements in the configuration

  1. Create a Situation element.
  2. Give the Situation a Context, and fill in the context information according to the patterns in traffic that you want to match.
  3. (Optional) Associate the Situation with the relevant Tags.
  4. (Optional) Associate the custom Situation description with a relevant Vulnerability.
  5. Use the Situation in the Inspection Policy.
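The following is an added illustration of how these elements relate when a policy is evaluated; it is a simplified model written for this overview, not the product's own API or data model. Situation names, patterns, tags, and the vulnerability reference are constructed sample values.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Situation:
    name: str
    context_regex: str            # the Context: the traffic pattern this Situation detects
    situation_type: str           # one Situation Type per Situation (Rules tree branch)
    tags: frozenset = frozenset() # Tags the Situation is associated with
    vulnerability_refs: tuple = ()  # optional references shown in the Logs view on a match

@dataclass(frozen=True)
class Rule:
    target: str   # either a Situation name or a Tag name
    action: str

# Constructed sample Situations (not from any real policy).
SITUATIONS = [
    Situation("Custom-Win-Cmd-Shell", r"cmd\.exe", "Attacks",
              frozenset({"Windows"}), ("CVE-0000-PLACEHOLDER",)),
    Situation("Custom-Win-Reg-Edit", r"regedit\.exe", "Attacks",
              frozenset({"Windows"})),
    Situation("Custom-Linux-Passwd-Read", r"/etc/passwd", "Attacks",
              frozenset({"Linux"})),
]

def expand_target(target, situations):
    """A Tag stands for every Situation carrying it; otherwise match by Situation name."""
    tagged = [s for s in situations if target in s.tags]
    return tagged if tagged else [s for s in situations if s.name == target]

def inspect(payload, rules, situations=SITUATIONS):
    """Return (action, situation name, vulnerability refs) for each Situation whose
    Context pattern is found in the payload, in rule order."""
    hits = []
    for rule in rules:
        for s in expand_target(rule.target, situations):
            if re.search(s.context_regex, payload):
                hits.append((rule.action, s.name, s.vulnerability_refs))
    return hits

RULES = [Rule("Windows", "Terminate"), Rule("Custom-Linux-Passwd-Read", "Permit")]

if __name__ == "__main__":
    print(inspect("GET /cgi-bin/run?x=cmd.exe HTTP/1.1", RULES))
    print(inspect("GET /show?file=/etc/passwd HTTP/1.1", RULES))
```

The first rule uses the Tag "Windows", so it expands to both Windows Situations; the second names one Situation directly and matches only that one.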