tag

Use this keyword in a signature to mark a session with a named tag, or to check whether a tag has been set for a session.

Pattern matching with IPS signatures is essentially packet-based. The tag keyword is mainly used when attack patterns appear in more than one packet or in different directions. A signature that matches an earlier packet in an attack can mark the session with a named tag, and the existence of the tag can be tested when ensuing packets in the same session are scanned.

The matching algorithm guarantees the order in which signatures are scanned. The signatures are sorted based on their tag dependencies. During packet inspection, the signatures are matched in this order, so that signatures that depend on other signatures are always scanned later in the process.

Syntax:
--tag <op>, [!]<name>[,timer,tuple[,all_sessions]];

<name> indicates the name of a tag.

[!] is only allowed in test operations; the test then returns true if the tag does not exist.

The <op> value determines which operation is performed.

<op>          Description

set           Mark the session with a named tag.

pset          Mark the session with a named tag and remember the last reference point. This reference point can be referenced as lasttag in the distance, within, distance_abs, and within_abs keywords.

clear         Remove the specified tag from the session.

toggle        Toggle the specified tag (set <=> clear) in the session.

test          Test the existence of the specified tag. Add ! if the signature is to test the nonexistence of the specified tag.

reset         Clear all tags from the session.

quiet         Suppress logging when the signature matches and ignore the signature's action. quiet is normally included in the signature that sets the tag: a signature with --tag set; should also have --tag quiet and --status hidden;.

cset          Set a cross-session tag. The timer, tuple and all_sessions modifiers are valid only when the op is cset; together they define which sessions are marked with the named tag.

timer         The tag is removed automatically after the given number of seconds. A value of 0 removes the specified tag immediately.

tuple         Accepts a combination (separated by ",") of src_ip, dst_ip, src_port, dst_port, and protocol. To limit the performance impact, only the following combinations are accepted:
              src_ip
              dst_ip
              src_ip,dst_ip
              src_ip,dst_ip,dst_port
              src_ip,dst_ip,dst_port,protocol
              src_ip,dst_ip,protocol
              src_ip,protocol
              src_ip,src_port
              src_ip,src_port,protocol
              dst_ip,dst_port
              dst_ip,protocol
              dst_ip,dst_port,protocol

all_sessions  Copy the tag to both existing and new sessions. Without this modifier, the engine copies the tag only to new sessions, to reduce the performance impact.

Note

The name of a tag should only contain printable characters. It should not contain spaces, commas, exclamation marks, or semicolons.

By default, a newly created tag is in the unset state.

The patterns of a tag-setting signature and a tag-testing signature may both appear in the same packet.

Examples:
--tag set,Tag.Rsync.Argument;
--tag clear,tag.login;
--tag test,Tag.Rsync.Argument;
--tag test, !DHTML.EDIT.CONTROL.CLSID;
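As an added illustration (not Fortinet's code; the five session fields and the expiry bookkeeping are my assumptions), this Python model parses the --tag syntax above, enforces the documented restrictions (! only with test; timer, tuple and all_sessions only with cset; the permitted tuple combinations) and replays set/clear/toggle/reset/test plus cross-session tagging with timer expiry and all_sessions over constructed sessions.

```python
# Added model of the --tag semantics described on this page (not Fortinet's engine code).
import re

TUPLE_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "protocol")
ALLOWED_TUPLES = {  # the only cset tuple combinations the page lists
    ("src_ip",), ("dst_ip",), ("src_ip", "dst_ip"), ("src_ip", "dst_ip", "dst_port"),
    ("src_ip", "dst_ip", "dst_port", "protocol"), ("src_ip", "dst_ip", "protocol"),
    ("src_ip", "protocol"), ("src_ip", "src_port"), ("src_ip", "src_port", "protocol"),
    ("dst_ip", "dst_port"), ("dst_ip", "protocol"), ("dst_ip", "dst_port", "protocol")}
cross_tags = {}  # (tuple_fields, field_values) -> {tag_name: expiry_time or None}

def parse_tag(text):
    """Parse '--tag <op>, [!]<name>[,timer,tuple[,all_sessions]];' into a dict (quiet takes no name)."""
    m = re.fullmatch(r"\s*--tag\s+(\w+)(?:\s*,\s*(!?)([^,;!\s]+))?((?:\s*,\s*[^,;\s]+)*)\s*;\s*", text)
    if not m or (m.group(3) is None and m.group(1) != "quiet"): raise ValueError("bad --tag syntax: " + text)
    op, negate, name = m.group(1), m.group(2) == "!", m.group(3)
    rest = [x.strip() for x in m.group(4).split(",") if x.strip()]
    if negate and op != "test": raise ValueError("! is only allowed in test operations")
    timer = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    tup, all_sessions = tuple(f for f in rest if f in TUPLE_FIELDS), "all_sessions" in rest
    if op == "cset" and tup not in ALLOWED_TUPLES: raise ValueError("unsupported cset tuple %r" % (tup,))
    if op != "cset" and (timer is not None or tup or all_sessions):
        raise ValueError("timer, tuple and all_sessions are valid only with cset")
    return dict(op=op, negate=negate, name=name, timer=timer, tuple=tup, all_sessions=all_sessions)

def new_session(now, **fields):
    """Create a session (assumed 5-tuple fields); it inherits unexpired cross-session tags."""
    s = dict(fields, tags=set())  # every tag starts in the unset state
    for (tup, values), tags in cross_tags.items():
        if tuple(s[f] for f in tup) == values:
            s["tags"] |= {t for t, exp in tags.items() if exp is None or exp > now}
    return s

def apply_tag(session, spec, now=0, sessions=()):
    """Apply one parsed --tag op to a session. 'test' returns a bool; other ops return None."""
    op, name, tags = spec["op"], spec["name"], session["tags"]
    if op in ("set", "pset"): tags.add(name)  # pset also records a reference point (not modelled)
    elif op == "clear": tags.discard(name)
    elif op == "toggle": tags ^= {name}
    elif op == "reset": tags.clear()
    elif op == "test": return (name in tags) != spec["negate"]
    elif op == "cset":
        key = (spec["tuple"], tuple(session[f] for f in spec["tuple"]))
        expiry = None if spec["timer"] is None else now + spec["timer"]  # timer 0 expires at once
        cross_tags.setdefault(key, {})[name] = expiry
        if spec["all_sessions"] and spec["timer"] != 0:  # else only later sessions receive it
            for s in sessions:
                if tuple(s[f] for f in spec["tuple"]) == key[1]: s["tags"].add(name)
    elif op != "quiet": raise ValueError("unknown op " + op)  # quiet changes no tag state
    return None
```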
