tag Syntax
The **tag** syntax supports multiple rules for intra-session correlation detection. This section describes how to use the **tag** syntax.

#### tag Syntax Rules

**tag** syntax format:

```
tag: { set | unset }, <tag-name>;
tag: check, [!]<tag-name>;
tag: reset;
```

Description of operation keywords

| Operation Type | Description |
| :--------- | :----------------------------------------------------------- |
| set | Records the tag after the signature is matched. |
| unset | Clears the specified tag after the signature is matched. |
| check | Checks whether the specified tag exists in the session. |
| reset | Clears all tags in a session. |
| tag-name | Tag name, which can be customized. The value can contain only digits, letters, dots (.), underscores (_), and hyphens (-). |
| ! | "NOT" syntax. If the tag named by the modified **tag-name** has not been set, the current **tag** check item is satisfied. |

Example:

```
Example 1:
Rule 1: content: "hello"; content: "world"; tag: set, TAG.Test.1; action: allow;
Rule 2: content: "abcdefg"; tag: check, TAG.Test.1;

Example 2:
Rule 3: content: "hello"; tag: set, TAG.Test.2; action: allow;
Rule 4: content: "world"; tag: check, TAG.Test.2; tag: unset, TAG.Test.2; tag: set, TAG.Test.3;
Rule 5: content: "abcdefg"; tag: check, TAG.Test.3;
```

In the preceding signature rules, the detection process is as follows:

- In rule 1, when both the **hello** and **world** feature strings are matched, **tag: set** records the tag **TAG.Test.1**, indicating that the rule is matched. **action: allow;** indicates that the current action is Allow.
- In rule 2, after **abcdefg** is matched, the system checks whether the **TAG.Test.1** tag has been set earlier in the session, according to **tag: check, TAG.Test.1;**. If yes, rule 2 is matched. Note that the two rules associated with a **tag** can be written in one signature or in two different signatures. If rule 1 and rule 2 are in one signature, the signature is matched and the default action is performed. If rule 1 and rule 2 are in two different signatures and each signature contains only its one rule, the signature corresponding to rule 2 is matched and the default action is performed. Rule 1 is configured with **action: allow**; therefore, only the Allow action is performed and no response is made, although the signature corresponding to rule 1 is matched.
- In rule 3, after **hello** is matched, the **TAG.Test.2** detection tag is set and the action is Allow.
- In rule 4, after **world** is matched, **TAG.Test.2** is checked. If **TAG.Test.2** has been set, it is deleted according to **tag: unset, TAG.Test.2** and a new tag **TAG.Test.3** is set. In addition, because no action is configured for the rule, the signature is matched and the default action of TID=2 is performed.
- In rule 5, after **abcdefg** is matched, **TAG.Test.3** is checked. If **TAG.Test.3** has been set, the signature is matched again and the default action of TID=2 is performed.

**Restrictions:**

- A signature can contain multiple groups of **tag** rules, and a group of associated **tag** rules can be distributed across multiple signatures. The logical relationship is determined when the rules are written.
- The detection scope of each basic **tag** rule (tag: set/unset/reset) can be packet, message, or session, but the detection scope of a detection rule (tag: check) must be session.
- **<tag-name>** is globally unique.
- A **tag** rule must contain a **content** or **pcre** detection item. A rule that contains only a **tag** detection item is not allowed.
- When multiple tags are combined, ensure that each **tag** is matched in a different packet. If two **tag**s would be matched in the same packet, combine the rules into one **tag**.

#### action Syntax Rules

**action** identifies the response action of the current rule. Currently, it must be used together with **tag**.

The syntax is as follows:

```
action: allow;
```

Response modes in the default situation and when **action: allow** is configured

| Response Action | Description |
| :------------ | :----------------------------------------- |
| Default | When **action** is not written in the rule, the default action of the signature is used. |
| action: allow | The action is Allow, which is used with the **tag** rule. |
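The following Python program is an added example, not the vendor's engine or any code from this documentation. It models the tag and action semantics described above as a small session simulator: a session is an ordered list of packet payloads, the engine keeps one session-wide tag set, and each rule's **tag: check** items are evaluated against tags recorded by earlier packets before the rule's own **set** / **unset** / **reset** items are applied. It runs both examples from the page and shows why the correlation only fires when the packets arrive in the expected order. The signature ids (sid 1 and 2), the ordering of check-before-write within one rule, and the minimal **content** / **pcre** matching are assumptions made for the simulation.

```python
"""Toy simulator for the tag / action signature syntax (added example, not vendor code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Allowed characters for <tag-name>: digits, letters, dots, underscores and hyphens.
TAG_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


@dataclass
class Rule:
    sid: int                                   # signature the rule belongs to (assumed numbering)
    contents: List[str] = field(default_factory=list)
    pcres: List[re.Pattern] = field(default_factory=list)
    tags: List[Tuple[str, Optional[str]]] = field(default_factory=list)
    action: str = "default"                    # "default" (signature action) or "allow"


def parse_rule(sid: int, text: str) -> Rule:
    """Parse one rule such as 'content: "hello"; tag: set, TAG.Test.1; action: allow;'."""
    rule = Rule(sid)
    for item in (s.strip() for s in text.split(";")):
        if not item:
            continue
        key, _, val = item.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            rule.contents.append(val.strip('"'))
        elif key == "pcre":
            # Minimal handling of a "/pattern/" item; flags are not modelled.
            rule.pcres.append(re.compile(val.strip('"').strip("/")))
        elif key == "tag":
            op, _, name = (p.strip() for p in val.partition(","))
            if op == "reset":
                rule.tags.append(("reset", None))
            elif op in ("set", "unset", "check"):
                # '!' negation is only meaningful on a check item.
                if not TAG_NAME.match(name.lstrip("!")) or (op != "check" and name.startswith("!")):
                    raise ValueError(f"invalid tag name {name!r} for {op}")
                rule.tags.append((op, name))
            else:
                raise ValueError(f"unknown tag operation {op!r}")
        elif key == "action":
            if val != "allow":
                raise ValueError("only 'action: allow' is defined")
            rule.action = "allow"
        else:
            raise ValueError(f"unsupported keyword {key!r}")
    # Restriction from the page: a tag rule must also carry a content or pcre item.
    if rule.tags and not (rule.contents or rule.pcres):
        raise ValueError("a tag rule must contain a content or pcre detection item")
    return rule


def evaluate_session(rules: List[Rule], packets: List[str]):
    """Run every rule over each packet in order.

    Returns (alerts, final_tags), where alerts lists (sid, packet_index) for rules that
    matched with the default action; rules with 'action: allow' never produce an alert.
    """
    tags: set = set()
    alerts: List[Tuple[int, int]] = []
    for idx, payload in enumerate(packets):
        for rule in rules:
            if not all(c in payload for c in rule.contents):
                continue
            if not all(p.search(payload) for p in rule.pcres):
                continue
            # Check items see only tags recorded before this rule writes anything.
            ok = True
            for op, name in rule.tags:
                if op == "check":
                    negated = name.startswith("!")
                    present = name.lstrip("!") in tags
                    if present == negated:          # absent (plain) or present (negated) fails
                        ok = False
                        break
            if not ok:
                continue
            for op, name in rule.tags:
                if op == "set":
                    tags.add(name)
                elif op == "unset":
                    tags.discard(name)
                elif op == "reset":
                    tags.clear()
            if rule.action == "default":
                alerts.append((rule.sid, idx))
    return alerts, tags


# Example 1 from the page, written as two separate signatures (assumed sid 1 and sid 2).
EXAMPLE_1 = [
    parse_rule(1, 'content: "hello"; content: "world"; tag: set, TAG.Test.1; action: allow;'),
    parse_rule(2, 'content: "abcdefg"; tag: check, TAG.Test.1;'),
]
# Example 2 from the page, all three rules in the signature with TID=2.
EXAMPLE_2 = [
    parse_rule(2, 'content: "hello"; tag: set, TAG.Test.2; action: allow;'),
    parse_rule(2, 'content: "world"; tag: check, TAG.Test.2; tag: unset, TAG.Test.2; tag: set, TAG.Test.3;'),
    parse_rule(2, 'content: "abcdefg"; tag: check, TAG.Test.3;'),
]

if __name__ == "__main__":
    # Constructed session payloads; packet order is what makes the correlation fire.
    print(evaluate_session(EXAMPLE_1, ["GET /hello world", "abcdefg"]))   # alert from sid 2
    print(evaluate_session(EXAMPLE_1, ["abcdefg", "hello world"]))        # no alert: check ran before set
    print(evaluate_session(EXAMPLE_2, ["hello", "world", "abcdefg"]))     # two alerts from sid 2
```

The reversed session in the second call is the case worth keeping in mind when writing tag rules: the **check** item is evaluated against the session state at the time its packet arrives, so a tag that is set by a later packet does not retroactively match. The parser also enforces two of the page's restrictions (the allowed tag-name characters and the requirement that a tag rule carries a **content** or **pcre** item), so a malformed rule is rejected before it is ever evaluated.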