12.10.7. Configuring scenarios

You configure scenarios at the security-policy scenarios level using UPL. For more details on the command structure, see Configuring Rules Using UPL.

Scenario conditions are configured, and combined, using definitions. Each definition is assigned a unique custom name by which it can be referenced from the scenario. Scenario conditions can be entered in one-line or multi-line form.

Use def scenario_cond to create or change scenario conditions. A def scenario_cond block has the following structure:

def scenario_cond <scenario_condition_name>
<scenario_conditions>
end

Parameters used when configuring different types of scenario conditions are discussed later.

After specifying the conditions, the general properties of the scenario must be set. Available parameters:

Parameter

Description

OK

Action for scenario creation.

scenario_cond

Custom name of a definition containing scenario conditions: scenario_cond = condition_example.

enabled

Enable/disable the scenario:

  • enabled(true);

  • enabled(false).

name

Scenario name: name("Example scenario name").

desc

Scenario description: desc("Description for scenario created as an example").

trigger

Apply the triggered scenario to:

  • trigger(one_user) - the rule that uses the scenario will be applied only to the user for whom the scenario was triggered.

  • trigger(all_users) - the rule that uses the scenario will be applied to all users listed in the rule's Users/Groups field.

duration

How long (in minutes) the scenario stays active once it has been triggered: duration(1).

operation_mode

Specify the trigger mode for the scenario:

  • operation_mode(all) - the scenario will trigger only if all of its conditions are met.

  • operation_mode(any) - the scenario will trigger if at least one of its conditions is met.

Note

When a scenario is updated, all of its conditions must be specified again: the scenario's current conditions are replaced by the ones set in the command, not merged with them.

Consider the example of creating a scenario with a Traffic limit condition (multi-line input is used). The scenario is applied to all users for 1 minute; the traffic limit is 1GB per day. Create the scenario with the following command:

Admin@UGOS# create security-policy scenarios 1 upl-rule \
... def scenario_cond scenario_cond_test
... traffic_limit(1GB) \
... period(day) \
... scond_type(traffic)
... end
... OK \
... scenario_cond = scenario_cond_test \
... name(test) \
... trigger(all_users) \
... duration(1)

To update, for example, the amount of traffic (here raised to 2GB), repeat the whole definition with the new value, since the existing conditions are replaced rather than merged:

Admin@UGOS# set security-policy scenarios 3 upl-rule \
... def scenario_cond scenario_cond_test
... traffic_limit(2GB) \
... period(day) \
... scond_type(traffic)
... end
... OK \
... scenario_cond = scenario_cond_test

12.10.7.1. URL category conditions

To create or update a scenario with a URL category condition, use the following parameters:

Parameter

Description

category

URL categories or groups of URL categories: category = (lib.category(URL_CATEGORY_GROUP), URL_CATEGORY_NAME).

scond_type

Condition type: scond_type(url_category).

count_interval

Time interval (in minutes) within which the specified number of events must occur for the condition to trigger: count_interval().

max_event_count

Number of events within count_interval after which the condition triggers: max_event_count().
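As an added example (not taken from the original manual), the following command creates a scenario that triggers for a single user who accesses URLs from a restricted category group at least 5 times within 10 minutes. The category group name Restricted_web and the category name Hacking are assumed to exist in the URL categories library; the scenario name, description and timings are arbitrary:

```upl
Admin@UGOS# create security-policy scenarios 1 upl-rule \
... def scenario_cond url_cat_repeat
... scond_type(url_category) \
... category = (lib.category(Restricted_web), Hacking) \
... max_event_count(5) \
... count_interval(10)
... end
... OK \
... scenario_cond = url_cat_repeat \
... enabled(true) \
... name("Repeated access to restricted categories") \
... desc("5 hits on Restricted_web or Hacking within 10 minutes") \
... trigger(one_user) \
... duration(30)
```

trigger(one_user) is the important choice here: for 30 minutes the rule that references this scenario applies only to the user whose browsing crossed the threshold. With trigger(all_users), one user's behaviour would switch the rule on for everyone listed in its Users/Groups field, which is rarely what is wanted for a per-user reputation condition.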

12.10.7.2. Virus detected conditions

To create or update a scenario with a Virus detection condition, use the following parameters:

Parameter

Description

scond_type

Condition type: scond_type(virus_detection).

12.10.7.3. Application conditions

To create or update a scenario with an Application condition, use the parameters listed in the table:

Parameter

Description

application

Categories of applications or groups of applications:

  • application = lib.applicationgroup(APP_GROUP) or application = lib.applicationgroup(all);

  • application = lib.category(APPS_CATEGORY_NAME).

scond_type

Condition type: scond_type(app).

count_interval

Time interval (in minutes) within which the specified number of events must occur for the condition to trigger: count_interval().

max_event_count

Number of events within count_interval after which the condition triggers: max_event_count().

12.10.7.4. IPS conditions

To create or update a scenario with an IPS condition, use the following parameters:

Parameter

Description

ips_tl

Threat levels:

  • ips_tl(very_low);

  • ips_tl(low);

  • ips_tl(medium);

  • ips_tl(high);

  • ips_tl(very_high).

scond_type

Condition type: scond_type(ips).
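As an added example that covers both the Virus detected and IPS conditions above (it is not from the original manual), the following command combines two definitions in one scenario and uses operation_mode(any) so that either a detected virus or a high-threat-level IPS event is enough to trigger it. The parenthesised list form scenario_cond = (virus_seen, ips_high) is an assumption based on how UPL writes lists elsewhere on this page; the scenario name and duration are arbitrary:

```upl
Admin@UGOS# create security-policy scenarios 1 upl-rule \
... def scenario_cond virus_seen
... scond_type(virus_detection)
... end
... def scenario_cond ips_high
... scond_type(ips) \
... ips_tl(high)
... end
... OK \
... scenario_cond = (virus_seen, ips_high) \
... enabled(true) \
... name("Malware or high-severity IPS event") \
... trigger(one_user) \
... operation_mode(any) \
... duration(60)
```

The table lists ips_tl() with a single threat level, so to react to very_high as well, add a third definition with ips_tl(very_high) to the list and keep operation_mode(any). With operation_mode(all) the scenario would require a virus detection and an IPS event for the same user, which is a much rarer combination.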

12.10.7.5. Content type conditions

To create or update a scenario with a Content type condition, use the following parameters:

Parameter

Description

response.header.Content-Type

Content type: response.header.Content-Type = lib.mime(MIME_CATEGORIES_LIST).

scond_type

Condition type: scond_type(mime_type).

count_interval

Time interval (in minutes) within which the specified number of events must occur for the condition to trigger: count_interval().

max_event_count

Number of events within count_interval after which the condition triggers: max_event_count().

12.10.7.6. Packet size conditions

To set a Packet size condition, use the following parameters:

Parameter

Description

packet_size

A packet size that needs to be exceeded for the condition to trigger:

  • packet_size(1): packet size is 1B;

  • packet_size(1KB): packet size is 1KB;

  • packet_size(1MB): packet size is 1MB;

  • packet_size(1GB): packet size is 1GB.

scond_type

Condition type: scond_type(net_packet_size).

12.10.7.7. Sessions per IP address conditions

To create or update a scenario with a Sessions per IP condition, use the parameters listed in the table:

Parameter

Description

scond_type

Condition type: scond_type(sessions_per_ip).

sessions_limit

The maximum number of sessions per IP address: sessions_limit().

12.10.7.8. Traffic limit conditions

To create or update a scenario with a Traffic limit condition, use the following parameters:

Parameter

Description

scond_type

Condition type: scond_type(traffic).

period

Period:

  • period(minute): a minute;

  • period(hour): an hour;

  • period(day): a day;

  • period(week): a week;

  • period(month): a month.

traffic_limit

The traffic limit:

  • traffic_limit(1): traffic limit of 1B;

  • traffic_limit(1KB): traffic limit of 1KB;

  • traffic_limit(1MB): traffic limit of 1MB;

  • traffic_limit(1GB): traffic limit of 1GB.

12.10.7.9. Health check conditions

To configure a scenario with a Health check condition, use the parameters listed in the following table:

Parameter

Description

scond_type

Condition type: scond_type(health_check).

health_check_method

Perform health check using:

  • health_check_method(ping): ICMP ping.

  • health_check_method(dns): DNS request.

  • health_check_method(get): HTTP GET request.

url.address

Address for the check: IP address for the ICMP ping or DNS request: url.address = "1.1.1.1".

url.domain

FQDN for the check using a DNS request or URL for HTTP GET request: url.domain = "example.ru".

gateway

Gateway: gateway().

Important! The gateway needs to be created in advance.

health_result

Result:

  • health_result(positive).

  • health_result(negative).

health_request_timeout

Connection timeout (in seconds): health_request_timeout().

health_answer_timeout

Response timeout for HTTP GET check (in seconds): health_answer_timeout().

health_type_request

DNS query type:

  • health_type_request(a);

  • health_type_request(aaaa);

  • health_type_request(cname);

  • health_type_request(ns);

  • health_type_request(ptr).

max_event_count

Number of triggered events after which the scenario condition triggers: max_event_count().

count_interval

How long the condition is active (in minutes): count_interval().
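As an added example (not from the original manual), the following command creates a scenario that triggers when an HTTP GET check through a given gateway fails 3 times within 5 minutes. The gateway name ISP1 is assumed to have been created in advance, as the table requires; the target host www.example.com, the timeouts and the scenario name are arbitrary:

```upl
Admin@UGOS# create security-policy scenarios 1 upl-rule \
... def scenario_cond isp1_http_down
... scond_type(health_check) \
... health_check_method(get) \
... url.domain = "www.example.com" \
... gateway(ISP1) \
... health_result(negative) \
... health_request_timeout(5) \
... health_answer_timeout(10) \
... max_event_count(3) \
... count_interval(5)
... end
... OK \
... scenario_cond = isp1_http_down \
... enabled(true) \
... name("ISP1 HTTP check failing") \
... desc("3 failed GET checks via ISP1 within 5 minutes") \
... trigger(all_users) \
... duration(10)
```

health_result(negative) makes the condition count failed checks, and max_event_count(3) keeps a single timed-out request from triggering the scenario. trigger(all_users) fits a link-health condition, since a failing gateway affects every user of the rule that references the scenario, and duration(10) bounds how long that rule stays active before the check has to fail again.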