The **tag** syntax supports multiple rules for intra-session correlation detection. This section describes how to use the **tag** syntax.

#### tag Syntax Rules

**tag** syntax format:

```
tag: { set | unset } , <tag-name>;
tag: check, [!]<tag-name>;
tag: reset;
```

Description of operation keywords

Example:

```
Example 1:
Rule 1: content: "hello"; content: "world"; tag: set, TAG.Test.1; action: allow;
Rule 2: content: "abcdefg"; tag: check, TAG.Test.1;

Example 2:
Rule 3: content: "hello"; tag: set, TAG.Test.2; action: allow;
Rule 4: content: "world"; tag: check, TAG.Test2; tag: unset, TAG.Test.2; tag: set, TAG.Test.3;
Rule 5: content: "abcdefg"; tag: check, TAG.Test.3;
```

In the preceding signature rules, the detection process is as follows:

- In rule 1, when both **hello** and **world** feature strings are matched, **tag: set** is used to record the tag as **TAG.Test.1**, indicating that the tag is matched. **action: allow;** indicates that the current action is Allow.

- In rule 2, after **abcdefg** is matched, the system checks whether **TAG.Test.1** has ever matched a tag according to **tag: check, TAG.Test.1;**. If yes, signature 2 is matched.

Note that the two rules associated with **tag** can be written in one signature or two different signatures. If rule 1 and rule 2 are in one signature, the signature is matched and the default action is performed. If rule 1 and rule 2 are in two different signatures and the two signatures have only the respective one rule, the signature corresponding to rule 2 is matched and the default action is performed. Rule 1 is configured with **action: allow**; therefore, only the Allow action is performed and no response is made although the signature corresponding to rule 1 is matched.

- In rule 3, after **hello** is matched, the **TAG.Test.2**" detection tag is set and the action is Allow.

- In rule 4, after **world** is matched, **TAG.Test.2** is checked. If **TAG.Test.2** has been set, it is deleted according to **tag: unset, TAG.Test.2** and a new tag **TAG.Test.3** is set. In addition, because no action is configured for the rule, the signature is matched and the default action of TID=2 is performed.

- In rule 5, after **abcdefg** is matched, **TAG.Test.3** is checked. If **TAG.Test.3** has been set, the signature is matched again and the default action of TID=2 is performed.

**Restrictions:**
- A signature can contain multiple groups of **tag** rules, and a group of **tag** association rules can be distributed in multiple signatures. The logic relationship is determined when a rule is written.
- The detection scope of each **tag** basic rule (tag: set/unset/reset) can be packet, message, or session, but the detection scope of detection rule (tag: check) must be session.
- **<tag-name>** is globally unique.
- The **tag** rule must contain the **content** or **pcre** detection item. The rule that contains only the **tag** detection item is not allowed.
- When multiple tags are combined, ensure that each **tag** is matched in a different packet. If two **tag**s are matched in one packet, you need to combine the rules into one **tag**.

#### action Syntax Rules

**action** is used to identify the response action of the current rule. Currently, it needs to be used with **tag**. The syntax is as follows:

```
action: allow;
```

Response modes in the default situation and when **action:allow** is configured