Create custom Situation elements
You can create custom Situation elements in addition to using the predefined ones.
Before you begin
Creating new Situation elements requires detailed knowledge of the protocols that you want to inspect and the traffic patterns related to their use.
You can create a Situation element to detect individual events or a Correlation Situation element to detect a group of related events.
A Situation element collects together the related elements and settings and sets the severity value for the Situation. The severity value can be set between Info (the least severe) to Critical (the most severe). You can use the severity value to restrict which Situations added to the Situations cell are considered in Inspection Exceptions and Alert Policies. For example, if a rule matches a large range of Situations you can create separate rules for less severe and more severe Situations.
The predefined Situation elements are updated through dynamic update packages. You can also create new Situation elements to fine-tune the patterns that the engines look for in the traffic.
For more details about the product and how to configure features, click Help or press F1.
Steps
Situation Properties dialog box
Use this dialog box to configure a Situation element.
Option | Definition |
---|---|
General tab | |
Name | Specifies a unique name for the Situation. |
Comment | An optional comment for your own reference. |
Vulnerability | Lists the known vulnerabilities associated with the Situation, if available. |
Situation Type | Shows the Situation Type with which to associate this Situation. |
Select | Opens the
Select Element dialog box.
You can only select one Situation Type for each Situation. The Situation Type specifies the branch of the Rules tree under which the Situation is included. |
Description | Use the Description field to describe the traffic pattern that the Situation represents. This description is shown, for example, in log entries. |
Severity | Select a Severity for the Situation. The Severity is shown in the logs and can be used in Alert Policies as a criterion for alert escalation. |
Attacker | Select how the
Attacker is determined when the Situation matches. This information is used for blacklisting and in log entries.
|
Target | Select how the
Target is determined when the Situation matches. This information is used for blacklisting and in log entries.
|
Last Update in | Shows the dynamic update package number that the Situation was included in or changed in. |
Supported Engine Versions | Specifies the supported engine versions for the Situation. |
Category | Includes the Situation in predefined categories. |
Select | Opens the Category Selection dialog box. |
Option | Definition |
---|---|
Context tab | |
Context | Shows the selected Context for this Situation. |
Select | Opens the
Select Context dialog box.
Note: These contexts are updated dynamically and can change.
|
Option | Definition |
---|---|
Tags tab | |
Name | Shows the name of the tag. |
Comment | Shows the comment associated with the tag. |
Type | Shows the type of tag. |
Add Tags | Opens the dialog box to add a tag. Select from the available options:
|
Correlation Situation Properties dialog box
Use this dialog box to configure a Correlation Situation.
Option | Definition |
---|---|
General tab | |
Name | Specifies a unique name for the Situation. |
Comment | An optional comment for your own reference. |
Vulnerability | Lists the known vulnerabilities associated with the Situation, if available. |
Situation Type | Shows the Situation Type with which to associate this Situation. |
Select | Opens the
Select Element dialog box.
You can only select one Situation Type for each Situation. The Situation Type specifies the branch of the Rules tree under which the Situation is included. |
Description | Use the Description field to describe the traffic pattern that the Situation represents. This description is shown, for example, in log entries. |
Severity | Select a Severity for the Situation. The Severity is shown in the logs and can be used in Alert Policies as a criterion for alert escalation. |
Attacker | Select how the
Attacker is determined when the Situation matches. This information is used for blacklisting and in log entries.
|
Target | Select how the
Target is determined when the Situation matches. This information is used for blacklisting and in log entries.
|
Last Update in | Shows the dynamic update package number that the Situation was included in or changed in. |
Supported Engine Versions | Specifies the supported engine versions for the Situation. |
Category | Includes the Situation in predefined categories. |
Select | Opens the Category Selection dialog box. |
Option | Definition |
---|---|
Context tab | |
Select | Opens the
Select Context dialog box. Select the Context you want to associate with this Correlation Situation:
Note: These contexts are updated dynamically and can change.
|
Option | Definition |
---|---|
Tags tab | |
Name | Shows the name of the tag. |
Comment | Shows the comment associated with the tag. |
Type | Shows the type of tag. |
Add Tags | Opens the dialog box to add a tag. Select from the available options:
|
Event Binding Properties dialog box
Use this dialog box to view the properties of Event Binding elements.
Option | Definition |
---|---|
Name | Specifies a unique name for the event binding. |
Comment | An optional comment for your own reference. |
Resources | Shows a list of log fields. |
Search | Opens a search field for the selected element list. |
Up (Backspace) | Returns to the previous folder. |
Tools |
|
Bindings table | |
First binding | The first set of logs to use in Correlation Situations to bind together different types of events in traffic. |
Second binding | The second set of logs to use in a sequence when using Correlation Situations to bind together different types of events in traffic. |