# Association detection syntax rule

The following is an example of the syntax rules of the third-generation IPS correlation signature engine:

`assoc: rate; tid: 5990; count: 10; seconds: 15; suppress: 300; track: src-dst;`

According to the preceding rule, the association is performed based on the source and destination addresses. If the basic signature 5990 is matched 10 times within 15 seconds, the associated signature is matched. If the action adds the matched addresses to the blocklist, the blocklist time is 300 seconds.

#### assoc

A correlation event is a new security threat event formed by multiple simple threat events that are related in a specific way. `assoc` is the detection rule that describes a correlation event. Keywords supported by `assoc`:

| Keyword | Field Description |
| ------------ | ------------ |
| rate | Correlation detection based on the number of times an event occurs. |
| concurrent | Correlation detection for multiple threat events that occur at the same time. |
| sequence | Correlation detection for multiple threat events that occur in a specified order. |

#### tid

`tid` indicates the ID of the basic event to be collected, which is the same as the `tid` of the basic threat event. A `rate` rule can list multiple `tid` values.

【**Specification**】A correlation rule can contain a maximum of eight tids, separated by spaces.

#### count

`count` is the threshold for the events specified by `tid`. The value is a decimal number: the number of times the event of any listed `tid` must occur within the specified time range for the correlation event to be triggered.

【**Specification**】The value range of `count` is [1,65535].

#### seconds

`seconds` indicates the time range for statistics collection. Within this range, the number of occurrences of the event indicated by `tid` is counted; if that number reaches `count`, the event is considered too frequent and the correlation event is triggered.

【**Specification**】The value is a decimal number. The unit is second. The value range is [1,7200].

#### suppress

`suppress` indicates the event log compression time. For the same `rate` correlation event, the event log is reported only once within the specified time range. In addition, if the action adds the matched address to the blocklist, `suppress` is also used as the blocklist time.

【**Specification**】The value is a decimal number. The unit is second. The value range is [1,86400].

【**Restriction**】It is recommended that the value be a whole number of minutes. Because the product's blocklist time is expressed in minutes, the system rounds the value up to the next whole minute. For example, a value of 100 seconds results in a blocklist time of 2 minutes.

#### track

`track` indicates the associated object, that is, the condition on which the events specified in the correlation rule are associated. The value of `track` determines how statistics are collected and which action is taken. The values of `track` are described as follows:

| Value | Description |
| ------------ | ------------ |
| src | All events in a rule are associated based on the source address of the event. Events with different source addresses are counted and associated separately. There is no requirement on sessions: events can appear in the same session or in different sessions. |
| src-nosession | All events in a rule are associated based on the source address of the event. If an event occurs multiple times in one session, it is counted only once. This mode supports only `rate`, not `concurrent` or `sequence`. |
| dst | All events in a rule are associated based on the destination address of the event. Events with different destination addresses are counted and associated separately. There is no requirement on sessions: events can appear in the same session or in different sessions. |
| dst-nosession | All events in a rule are associated based on the destination address of the event. If an event occurs multiple times in one session, it is counted only once. This mode supports only `rate`, not `concurrent` or `sequence`. |
| src-dst | All events in a rule are associated based on the source and destination IP addresses of the event. Events with different source/destination address pairs are counted and associated separately. There is no requirement on sessions: events can appear in the same session or in different sessions. |
| src-dst-nosession | All events in a rule are associated based on the source and destination addresses of the event. If an event occurs multiple times in one session, it is counted only once. This mode supports only `rate`, not `concurrent` or `sequence`. |
| session | All events in a rule are counted and associated within the same session (same quintuple). |

[**Note**]Correlation signature rules are supported since V600R022C10.
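The following is an added example, not the IPS engine's own code, that shows how the `rate` keywords above fit together: a sliding-window correlator that parses a rule in the syntax shown on this page, enforces the stated value ranges, buckets basic events by the `track` value, reports a correlation event when `count` hits fall within `seconds`, compresses repeat reports for `suppress` seconds, and rounds `suppress` up to the product's one-minute blocklist granularity. The event record layout (`tid`, `src`, `dst`, `session`, `ts`), the `session` field standing in for the quintuple, and the sample events are constructed for illustration.

```python
"""Added example (not the IPS engine's own code): a sliding-window
implementation of the `assoc: rate` rule described on this page.
Keyword names, value ranges and track values come from the page; the event
record layout (tid, src, dst, session, ts) and the sample events are
constructed here for illustration."""
import math
import re
from collections import defaultdict, deque

TRACK_VALUES = {"src", "src-nosession", "dst", "dst-nosession",
                "src-dst", "src-dst-nosession", "session"}


def parse_rule(rule: str) -> dict:
    """Parse `key: value;` pairs and check the specifications listed on the page."""
    fields = {k: v.strip() for k, v in re.findall(r"(\w+)\s*:\s*([^;]+);", rule)}
    if fields.get("assoc") != "rate":
        raise ValueError("this example implements only assoc: rate")
    tids = [int(t) for t in fields["tid"].split()]
    if not 1 <= len(tids) <= 8:
        raise ValueError("a rule carries between one and eight tids")
    count, seconds, suppress = (int(fields[k]) for k in ("count", "seconds", "suppress"))
    if not (1 <= count <= 65535 and 1 <= seconds <= 7200 and 1 <= suppress <= 86400):
        raise ValueError("count, seconds or suppress out of range")
    if fields["track"] not in TRACK_VALUES:
        raise ValueError(f"unknown track value {fields['track']!r}")
    return {"tids": tids, "count": count, "seconds": seconds,
            "suppress": suppress, "track": fields["track"]}


def blocklist_minutes(suppress: int) -> int:
    """Blocklist granularity is one minute, rounded up (100 s -> 2 min per the page)."""
    return math.ceil(suppress / 60)


def track_key(track: str, ev: dict) -> tuple:
    """The statistics bucket an event falls into for the given track mode.
    The constructed `session` field stands in for the quintuple."""
    if track == "session":
        return ("session", ev["session"])
    base = track.replace("-nosession", "")
    parts = {"src": (ev["src"],), "dst": (ev["dst"],), "src-dst": (ev["src"], ev["dst"])}
    return (base,) + parts[base]


class RateCorrelator:
    def __init__(self, rule: dict):
        self.rule = rule
        self.windows = defaultdict(deque)  # key -> (ts, session) hits inside the window
        self.suppressed_until = {}          # key -> time before which repeats are not reported

    def feed(self, ev: dict):
        """Return a correlation event if this basic event completes one, else None."""
        r = self.rule
        if ev["tid"] not in r["tids"]:
            return None
        key = track_key(r["track"], ev)
        window = self.windows[key]
        # drop hits that fell out of the `seconds` statistics range
        while window and ev["ts"] - window[0][0] > r["seconds"]:
            window.popleft()
        # -nosession modes count an event at most once per session
        if r["track"].endswith("-nosession") and any(s == ev["session"] for _, s in window):
            return None
        window.append((ev["ts"], ev["session"]))
        if len(window) < r["count"]:
            return None
        window.clear()  # threshold reached: start a fresh statistics period for this key
        if ev["ts"] < self.suppressed_until.get(key, -1):
            return None  # same correlation event within `suppress`: log compressed
        self.suppressed_until[key] = ev["ts"] + r["suppress"]
        return {"key": key, "ts": ev["ts"],
                "blocklist_minutes": blocklist_minutes(r["suppress"])}


def run(rule_text: str, events) -> list:
    """Feed time-ordered events through one rule; collect the reported correlation events."""
    corr = RateCorrelator(parse_rule(rule_text))
    return [hit for hit in map(corr.feed, events) if hit]


def sample_events() -> list:
    """Constructed events for signature 5990: three bursts from 10.0.0.5 to 10.0.0.9
    and one stray hit from a different source."""
    def mk(i, ts, src="10.0.0.5"):
        return dict(tid=5990, src=src, dst="10.0.0.9", session=f"s{i}", ts=ts)
    burst1 = [mk(i, 100 + i) for i in range(10)]       # 10 hits in 9 s -> reported
    stray = [mk(99, 120, src="10.0.0.6")]               # different src-dst pair: counted separately
    burst2 = [mk(20 + i, 130 + i) for i in range(10)]   # inside suppress window -> not reported
    burst3 = [mk(40 + i, 500 + i) for i in range(10)]   # after suppress expires -> reported
    return burst1 + stray + burst2 + burst3


if __name__ == "__main__":
    rule = "assoc: rate; tid: 5990; count: 10; seconds: 15; suppress: 300; track: src-dst;"
    for hit in run(rule, sample_events()):
        print(hit)
```

Running the block with the page's own rule reports two correlation events for the 10.0.0.5 to 10.0.0.9 pair (at the tenth hit of the first and third bursts); the second burst is absorbed by the 300-second `suppress` window, and the stray hit from 10.0.0.6 never reaches the threshold because `src-dst` keeps separate statistics per address pair.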