Details: Intrusion detection policy directives
This table provides detailed information about the intrusion types and intrusion detection policy directives.
Key:
- Condition type (ibm-idsConditionType): AT = Attack, SE = SCAN_EVENT, SG = SCAN_GLOBAL, TR = Traffic regulation
- Attack type (ibm-idsAttackType): FL = FLOOD, IF = IP_FRAGMENT, IR = ICMP_REDIRECT, MP = MALFORMED_PACKET, OR = OUTBOUND_RAW, PE = PERPETUAL_ECHO, RO = RESTRICTED_IP_OPTIONS, RP = RESTRICTED_IP_PROTOCOL
- Cell values: D = Depends on type of attack, I = Ignored, O = Optional, R = Required, X = Not supported

Table 1. Intrusion types and associated IDS policy directives. Columns TR, SE, SG and AT are ibm-idsConditionType values; columns MP through RP are ibm-idsAttackType values.

Condition directives:

| Directive | TR | SE | SG (2) | AT | MP | FL | OR | IR | PE | IF | RO | RP |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ibm-idsIPOptionRange | X | X | I | D | X | X | X | X | X | X | R | X |
| ibm-idsLocalHostIPAddress | R | R | I | O | O | O | X | O | O | O | O | O |
| ibm-idsLocalPortRange (1) | O | R | I | O | O | O | X | O | O | O | O | O |
| ibm-idsProtocolRange | R | X | I | D | X | X | X | X | X | X | X | X |
| ibm-idsRemoteHostIPAddress | O | O | I | O | O | O | X | O | O | O | O | O |
| ibm-idsRemotePortRange | O | O | I | O | O | O | X | O | O | O | O | O |
| ibm-policyIdsActionName | R | R | R | R | R | R | X | R | R | R | R | R |

Action directives:

| Directive | TR | SE | SG (2) | AT | MP | FL | OR | IR | PE | IF | RO | RP |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ibm-idsActionType | R | R | R | R | R | R | X | R | R | R | R | R |
| ibm-idsFSInterval (3) | X | O | O | X | X | X | X | X | X | X | X | X |
| ibm-idsFSThreshold | X | O | O | X | X | X | X | X | X | X | X | X |
| ibm-idsMaxEventMessage | O | O | O | O | O | O | X | O | O | O | O | O |
| ibm-idsSSInterval | X | O | O | X | X | X | X | X | X | X | X | X |
| ibm-idsSSThreshold | X | O | O | X | X | X | X | X | X | X | X | X |
| ibm-idsStatInterval | O | I | I | O | O | O | X | O | O | O | O | O |
| ibm-idsTRtcpLimitScope | O | X | X | X | X | X | X | X | X | X | X | X |
| ibm-idsTRtcpPercentage | R | X | X | X | X | X | X | X | X | X | X | X |
| ibm-idsTRtcpTotalConnections | R | X | X | X | X | X | X | X | X | X | X | X |
| ibm-idsTRudpQueueSize | O | X | X | X | X | X | X | X | X | X | X | X |

Footnotes:
1. If no local port range is given, the condition applies to all local ports.
2. Although SCAN_GLOBAL conditions are not supported, SCAN_GLOBAL actions might be applied to SCAN_EVENT conditions. The TCP/IP stack can detect only single scan events.
3. If the scan action directives are not specifically assigned values in the policy file, these directives (ibm-idsFSInterval, ibm-idsFSThreshold, ibm-idsSSInterval, and ibm-idsSSThreshold) are assigned the default values.
For TR events, the QoS server has to be recycled to reset the percentage or the count of connections. When the ibm-idsMaxEventMessage value is reached for a given action, no more audit records are created for any condition associated with that action until the QoS server is recycled. The following directives, which do not appear in the table above, are ignored:
- ibm-ICMPRedirect
- ibm-idsLoggingLevel
- ibm-idsMessageDest
- ibm-idsNotification
- ibm-idsScanExclusion
- ibm-idsSensitivity
- ibm-idsTypeActions
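The R/O/X/I/D matrix in Table 1 is easiest to apply mechanically before a policy is loaded, so that a condition missing a required directive (or carrying one the stack does not support for that intrusion type) is caught in review rather than at run time. The following validator is an added example, not IBM's code: the matrix cells are transcribed from Table 1 and the ignored-directive list from above, but the dict-based representation of a condition and action stanza, the spellings of the ibm-idsConditionType values (TR, SCAN_EVENT, SCAN_GLOBAL, ATTACK), the sample values and the message wording are assumptions made for illustration and are not the real policy file syntax.

```python
"""Check an IDS policy condition/action pair against the directive matrix.

Added example, not IBM's code. Matrix cells are transcribed from Table 1;
the dict representation, the ibm-idsConditionType spellings and all sample
values are assumptions for illustration.
"""

# Column order exactly as in Table 1: condition types, then attack types.
COLUMNS = ["TR", "SE", "SG", "AT", "MP", "FL", "OR", "IR", "PE", "IF", "RO", "RP"]

# Assumed spellings of ibm-idsConditionType values, mapped to table columns.
CONDITION_COLUMN = {"TR": "TR", "SCAN_EVENT": "SE", "SCAN_GLOBAL": "SG", "ATTACK": "AT"}

# ibm-idsAttackType values from the table key, mapped to table columns.
ATTACK_COLUMN = {
    "MALFORMED_PACKET": "MP", "FLOOD": "FL", "OUTBOUND_RAW": "OR",
    "ICMP_REDIRECT": "IR", "PERPETUAL_ECHO": "PE", "IP_FRAGMENT": "IF",
    "RESTRICTED_IP_OPTIONS": "RO", "RESTRICTED_IP_PROTOCOL": "RP",
}

# R = required, O = optional, X = not supported, I = ignored,
# D = depends on the attack type (resolved through the attack-type column).
CONDITION_MATRIX = {
    "ibm-idsIPOptionRange":       "X X I D X X X X X X R X",
    "ibm-idsLocalHostIPAddress":  "R R I O O O X O O O O O",
    "ibm-idsLocalPortRange":      "O R I O O O X O O O O O",
    "ibm-idsProtocolRange":       "R X I D X X X X X X X X",
    "ibm-idsRemoteHostIPAddress": "O O I O O O X O O O O O",
    "ibm-idsRemotePortRange":     "O O I O O O X O O O O O",
    "ibm-policyIdsActionName":    "R R R R R R X R R R R R",
}
ACTION_MATRIX = {
    "ibm-idsActionType":            "R R R R R R X R R R R R",
    "ibm-idsFSInterval":            "X O O X X X X X X X X X",
    "ibm-idsFSThreshold":           "X O O X X X X X X X X X",
    "ibm-idsMaxEventMessage":       "O O O O O O X O O O O O",
    "ibm-idsSSInterval":            "X O O X X X X X X X X X",
    "ibm-idsSSThreshold":           "X O O X X X X X X X X X",
    "ibm-idsStatInterval":          "O I I O O O X O O O O O",
    "ibm-idsTRtcpLimitScope":       "O X X X X X X X X X X X",
    "ibm-idsTRtcpPercentage":       "R X X X X X X X X X X X",
    "ibm-idsTRtcpTotalConnections": "R X X X X X X X X X X X",
    "ibm-idsTRudpQueueSize":        "O X X X X X X X X X X X",
}

# Directives the page lists as ignored regardless of condition type.
IGNORED_DIRECTIVES = {
    "ibm-ICMPRedirect", "ibm-idsLoggingLevel", "ibm-idsMessageDest",
    "ibm-idsNotification", "ibm-idsScanExclusion", "ibm-idsSensitivity",
    "ibm-idsTypeActions",
}


def requirement(directive, cond_type, attack_type=None):
    """Resolve one Table 1 cell to R, O, X or I for the given condition."""
    row = CONDITION_MATRIX.get(directive) or ACTION_MATRIX.get(directive)
    if row is None:
        raise KeyError(f"{directive} is not in Table 1")
    cells = dict(zip(COLUMNS, row.split()))
    value = cells[CONDITION_COLUMN[cond_type]]
    if value == "D":  # the AT column defers to the specific attack type
        value = cells[ATTACK_COLUMN[attack_type]]
    return value


def validate(condition, action):
    """Return (errors, warnings) for a condition stanza and its action stanza."""
    errors, warnings = [], []
    cond_type = condition.get("ibm-idsConditionType")
    attack_type = condition.get("ibm-idsAttackType")
    if cond_type not in CONDITION_COLUMN:
        return [f"unknown ibm-idsConditionType {cond_type!r}"], warnings
    if cond_type == "ATTACK" and attack_type not in ATTACK_COLUMN:
        return ["ATTACK condition needs a valid ibm-idsAttackType"], warnings
    for label, stanza, matrix in (("condition", condition, CONDITION_MATRIX),
                                  ("action", action, ACTION_MATRIX)):
        for directive in matrix:
            req = requirement(directive, cond_type, attack_type)
            present = directive in stanza
            if req == "R" and not present:
                errors.append(f"{label}: {directive} is required")
            elif req == "X" and present:
                errors.append(f"{label}: {directive} is not supported")
            elif req == "I" and present:
                warnings.append(f"{label}: {directive} is ignored")
        for directive in stanza:
            if directive in IGNORED_DIRECTIVES:
                warnings.append(f"{label}: {directive} is always ignored")
    return errors, warnings


def example_tr():
    """Constructed TR pair that satisfies Table 1 (values are placeholders)."""
    condition = {"ibm-idsConditionType": "TR", "ibm-idsProtocolRange": "6",
                 "ibm-idsLocalHostIPAddress": "10.0.0.5",
                 "ibm-idsLocalPortRange": "80", "ibm-policyIdsActionName": "tr-web"}
    action = {"ibm-idsActionType": "TR", "ibm-idsTRtcpPercentage": "50",
              "ibm-idsTRtcpTotalConnections": "1000"}
    return validate(condition, action)


def example_restricted_ip_options():
    """Constructed RESTRICTED_IP_OPTIONS attack pair missing its option range."""
    condition = {"ibm-idsConditionType": "ATTACK",
                 "ibm-idsAttackType": "RESTRICTED_IP_OPTIONS",
                 "ibm-policyIdsActionName": "attack-ipopts",
                 "ibm-idsLoggingLevel": "5"}  # listed as ignored on the page
    action = {"ibm-idsActionType": "ATTACK"}
    return validate(condition, action)


if __name__ == "__main__":
    for name, result in (("TR", example_tr()), ("RO", example_restricted_ip_options())):
        print(name, result)
```

The check treats an absent ibm-idsLocalPortRange on a TR condition as valid, which matches footnote 1 (the condition then applies to all local ports), while the same omission on a SCAN_EVENT condition is reported as an error because that column marks it R.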