Details: Intrusion detection policy directives


This table provides detailed information about the intrusion types and intrusion detection policy directives.

Key

  D = Depends on type of attack
  I = Ignored
  O = Optional
  R = Required
  X = Not supported

Condition type (ibm-idsConditionType)

  AT = Attack
  SE = SCAN_EVENT
  SG = SCAN_GLOBAL
  TR = Traffic regulation

Attack type (ibm-idsAttackType)

  FL = FLOOD
  IF = IP_FRAGMENT
  IR = ICMP_REDIRECT
  MP = MALFORMED_PACKET
  OR = OUTBOUND_RAW
  PE = PERPETUAL_ECHO
  RO = RESTRICTED_IP_OPTIONS
  RP = RESTRICTED_IP_PROTOCOL

Table 1. Intrusion types and associated IDS policy directives

                              ibm-idsConditionType    ibm-idsAttackType
Condition directives          TR    SE    SG(2) AT    MP    FL    OR    IR    PE    IF    RO    RP
ibm-idsIPOptionRange          X     X     I     D     X     X     X     X     X     X     R     X
ibm-idsLocalHostIPAddress     R     R     I     O     O     O     X     O     O     O     O     O
ibm-idsLocalPortRange(1)      O     R     I     O     O     O     X     O     O     O     O     O
ibm-idsProtocolRange          R     X     I     D     X     X     X     X     X     X     X     X
ibm-idsRemoteHostIPAddress    O     O     I     O     O     O     X     O     O     O     O     O
ibm-idsRemotePortRange        O     O     I     O     O     O     X     O     O     O     O     O
ibm-policyIdsActionName       R     R     R     R     R     R     X     R     R     R     R     R

Action directives             TR    SE    SG(2) AT    MP    FL    OR    IR    PE    IF    RO    RP
ibm-idsActionType             R     R     R     R     R     R     X     R     R     R     R     R
ibm-idsFSInterval(3)          X     O     O     X     X     X     X     X     X     X     X     X
ibm-idsFSThreshold            X     O     O     X     X     X     X     X     X     X     X     X
ibm-idsMaxEventMessage        O     O     O     O     O     O     X     O     O     O     O     O
ibm-idsSSInterval             X     O     O     X     X     X     X     X     X     X     X     X
ibm-idsSSThreshold            X     O     O     X     X     X     X     X     X     X     X     X
ibm-idsStatInterval           O     I     I     O     O     O     X     O     O     O     O     O
ibm-idsTRtcpLimitScope        O     X     X     X     X     X     X     X     X     X     X     X
ibm-idsTRtcpPercentage        R     X     X     X     X     X     X     X     X     X     X     X
ibm-idsTRtcpTotalConnections  R     X     X     X     X     X     X     X     X     X     X     X
ibm-idsTRudpQueueSize         O     X     X     X     X     X     X     X     X     X     X     X
Footnotes:

  1. If no local port range is given, the condition applies to all local ports.

  2. Although SCAN_GLOBAL conditions are not supported, SCAN_GLOBAL actions might be applied to SCAN_EVENT conditions. The TCP/IP stack can detect only single scan events.

  3. If the scan action directives are not specifically assigned values in the policy file, these directives (ibm-idsFSInterval, ibm-idsFSThreshold, ibm-idsSSInterval, and ibm-idsSSThreshold) are assigned the default values.

For TR events, the QoS server has to be recycled to reset the percentage or the count of connections. When the ibm-idsMaxEventMessage value is reached for a given action, no more audit records are created for any condition associated with that action until the QoS server is recycled. The following directives, which do not appear in the table above, are ignored:

  • ibm-ICMPRedirect

  • ibm-idsLoggingLevel

  • ibm-idsMessageDest

  • ibm-idsNotification

  • ibm-idsScanExclusion

  • ibm-idsSensitivity

  • ibm-idsTypeActions
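As an added example (not IBM's code and not the on-disk policy file syntax), the following Python transcribes Table 1 and the list of ignored directives into data and checks a condition/action directive set against them: a missing Required directive or a present Not-supported directive is an error, an Ignored directive is reported as informational, and footnote 1 (an omitted optional local port range means all local ports) is surfaced as a note. Two points are assumptions of this example rather than statements on the page: the condition and action are represented as plain Python sets of directive names, and for an AT condition the ibm-idsAttackType column is taken to refine the generic AT column, which is how the "D" entries are resolved.

```python
# Added example, not from the IBM page: Table 1 transcribed as data plus a
# checker for missing required, unsupported and ignored directives. The
# condition/action "objects" are plain Python sets constructed for the demo;
# they are not the on-disk IDS policy file syntax (assumed representation).

COLUMNS = ["TR", "SE", "SG", "AT", "MP", "FL", "OR", "IR", "PE", "IF", "RO", "RP"]
CONDITION_TYPES, ATTACK_TYPES = COLUMNS[:4], COLUMNS[4:]

# One code per column, in COLUMNS order: R = Required, O = Optional,
# I = Ignored, X = Not supported, D = Depends on the attack type.
CONDITION_RULES = {
    "ibm-idsIPOptionRange":         "XXIDXXXXXXRX",
    "ibm-idsLocalHostIPAddress":    "RRIOOOXOOOOO",
    "ibm-idsLocalPortRange":        "ORIOOOXOOOOO",
    "ibm-idsProtocolRange":         "RXIDXXXXXXXX",
    "ibm-idsRemoteHostIPAddress":   "OOIOOOXOOOOO",
    "ibm-idsRemotePortRange":       "OOIOOOXOOOOO",
    "ibm-policyIdsActionName":      "RRRRRRXRRRRR",
}
ACTION_RULES = {
    "ibm-idsActionType":            "RRRRRRXRRRRR",
    "ibm-idsFSInterval":            "XOOXXXXXXXXX",
    "ibm-idsFSThreshold":           "XOOXXXXXXXXX",
    "ibm-idsMaxEventMessage":       "OOOOOOXOOOOO",
    "ibm-idsSSInterval":            "XOOXXXXXXXXX",
    "ibm-idsSSThreshold":           "XOOXXXXXXXXX",
    "ibm-idsStatInterval":          "OIIOOOXOOOOO",
    "ibm-idsTRtcpLimitScope":       "OXXXXXXXXXXX",
    "ibm-idsTRtcpPercentage":       "RXXXXXXXXXXX",
    "ibm-idsTRtcpTotalConnections": "RXXXXXXXXXXX",
    "ibm-idsTRudpQueueSize":        "OXXXXXXXXXXX",
}
# Directives the page lists as ignored wherever they appear.
IGNORED_DIRECTIVES = {
    "ibm-ICMPRedirect", "ibm-idsLoggingLevel", "ibm-idsMessageDest",
    "ibm-idsNotification", "ibm-idsScanExclusion", "ibm-idsSensitivity",
    "ibm-idsTypeActions",
}
assert all(len(r) == len(COLUMNS) for r in (*CONDITION_RULES.values(), *ACTION_RULES.values()))


def effective_column(condition_type, attack_type=None):
    """Pick the Table 1 column. Assumed reading of the table: for an AT
    condition the ibm-idsAttackType column refines the generic AT column."""
    if condition_type not in CONDITION_TYPES:
        raise ValueError(f"unknown ibm-idsConditionType {condition_type!r}")
    if condition_type == "AT" and attack_type is not None:
        if attack_type not in ATTACK_TYPES:
            raise ValueError(f"unknown ibm-idsAttackType {attack_type!r}")
        return attack_type
    return condition_type


def check_directives(rules, present, column, kind):
    """Compare the directives present against one column of the table."""
    col, findings = COLUMNS.index(column), []
    for directive, row in rules.items():
        code, here = row[col], directive in present
        if code == "R" and not here:
            findings.append(f"error: {kind} directive {directive} is required for {column}")
        elif code == "X" and here:
            findings.append(f"error: {kind} directive {directive} is not supported for {column}")
        elif code == "I" and here:
            findings.append(f"info: {kind} directive {directive} is ignored for {column}")
        # Code "D" is only reached when the generic AT column is used;
        # validate() reports the missing ibm-idsAttackType once instead.
    for directive in sorted(present - set(rules)):
        if directive in IGNORED_DIRECTIVES:
            findings.append(f"info: {directive} is ignored")
        else:
            findings.append(f"warning: unknown {kind} directive {directive}")
    return findings


def validate(condition_type, attack_type, condition_directives, action_directives):
    """Return error/warning/info strings for one condition and its action."""
    cond, act = set(condition_directives), set(action_directives)
    column = effective_column(condition_type, attack_type)
    findings = []
    if condition_type == "AT" and attack_type is None:
        findings.append("error: ibm-idsConditionType AT needs ibm-idsAttackType to resolve 'D' entries")
    findings += check_directives(CONDITION_RULES, cond, column, "condition")
    findings += check_directives(ACTION_RULES, act, column, "action")
    # Footnote 1: an omitted (optional) local port range means all local ports.
    port_code = CONDITION_RULES["ibm-idsLocalPortRange"][COLUMNS.index(column)]
    if port_code == "O" and "ibm-idsLocalPortRange" not in cond:
        findings.append("info: no ibm-idsLocalPortRange given; the condition applies to all local ports")
    return findings


def errors(findings):
    """Only the blocking findings."""
    return [f for f in findings if f.startswith("error")]


if __name__ == "__main__":
    # Constructed sample: a RESTRICTED_IP_OPTIONS attack condition that lacks
    # its required ibm-idsIPOptionRange and carries a scan-only action directive.
    for finding in validate("AT", "RO",
                            {"ibm-idsLocalHostIPAddress", "ibm-policyIdsActionName"},
                            {"ibm-idsActionType", "ibm-idsFSInterval"}):
        print(finding)
```

Running the sample reports two errors (ibm-idsIPOptionRange is required for RO, ibm-idsFSInterval is not supported for RO) plus the footnote 1 note. Keeping the table as one string per row makes a transcription slip easy to spot against the printed table, which matters more here than clever data structures.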
