Example: Intrusion detection scan policy
This example shows a scan policy that uses a stand-alone condition and action.
The TCP/IP stack detects port scans on a port-by-port basis. The stack itself cannot detect a global scan. When a port scan is suspected, it generates a SCAN_EVENT that calls the intrusion detection system. The intrusion detection system processes the scan event and calls the SCAN_GLOBAL code to generate statistics and monitor thresholds.
With this action, an audit record is cut if the number of scans within a 1-minute interval (the fast scanning interval) exceeds 100, or if the number of scans within a 10-minute interval (the slow scanning interval) exceeds 200.
This IDS policy targets TCP ports 1 through 5000 for suspicious events.
ibm-idsConditionAuxClass idscond10   # IDS condition
{
  ibm-idsConditionType SCAN_EVENT
  ibm-policyIdsActionName idsscan1
  ibm-idsProtocolRange 6
  ibm-idsLocalPortRange 1-5000
}
ibm-idsActionAuxClass idsscan1   # IDS action
{
  ibm-idsActionType SCAN_GLOBAL
  ibm-idsFSInterval 1
  ibm-idsFSThreshold 100   # fast scanning threshold
  ibm-idsSSInterval 10
  ibm-idsSSThreshold 200   # slow scanning threshold
}
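To make the condition/action semantics concrete, the following is an added illustration (not IBM's code and not part of the original topic) of how a SCAN_GLOBAL-style monitor applies the idscond10 filter and the idsscan1 thresholds to a stream of scan events. It assumes the fast and slow intervals are sliding windows and that "exceeds" means strictly greater than the threshold; the sample event timings are constructed.

```python
from collections import deque

# Values taken from the idsscan1 action above; intervals are in minutes.
FS_INTERVAL_SEC = 1 * 60    # ibm-idsFSInterval 1
FS_THRESHOLD = 100          # ibm-idsFSThreshold 100
SS_INTERVAL_SEC = 10 * 60   # ibm-idsSSInterval 10
SS_THRESHOLD = 200          # ibm-idsSSThreshold 200


class ScanGlobalMonitor:
    """Counts SCAN_EVENTs over a fast and a slow sliding window (assumed
    semantics) and reports which audit threshold each new event crosses."""

    def __init__(self, fs_interval=FS_INTERVAL_SEC, fs_threshold=FS_THRESHOLD,
                 ss_interval=SS_INTERVAL_SEC, ss_threshold=SS_THRESHOLD):
        self.fs_interval, self.fs_threshold = fs_interval, fs_threshold
        self.ss_interval, self.ss_threshold = ss_interval, ss_threshold
        self.events = deque()   # timestamps (seconds) of accepted scan events

    def _count_within(self, now, interval):
        return sum(1 for t in self.events if now - t < interval)

    def scan_event(self, now, protocol, local_port):
        """Feed one SCAN_EVENT. Returns None if the event does not match the
        idscond10 condition, otherwise the list of thresholds exceeded."""
        # idscond10: protocol 6 (TCP) and local port in 1-5000
        if protocol != 6 or not 1 <= local_port <= 5000:
            return None
        self.events.append(now)
        # Events older than the slow window can never count again.
        while self.events and now - self.events[0] >= self.ss_interval:
            self.events.popleft()
        verdicts = []
        if self._count_within(now, self.fs_interval) > self.fs_threshold:
            verdicts.append("FAST_SCAN")   # would cut an audit record
        if self._count_within(now, self.ss_interval) > self.ss_threshold:
            verdicts.append("SLOW_SCAN")   # would cut an audit record
        return verdicts


def run_sample():
    """Constructed sample traffic: returns (time, verdicts) for every event
    that exceeded a threshold."""
    audit = []
    fast = ScanGlobalMonitor()
    for i in range(101):                 # 101 scans in 50 s -> fast threshold
        v = fast.scan_event(i * 0.5, 6, 22)
        if v:
            audit.append((i * 0.5, v))
    slow = ScanGlobalMonitor()
    for i in range(201):                 # 201 scans in ~8.3 min -> slow threshold
        v = slow.scan_event(i * 2.5, 6, 1 + i % 5000)
        if v:
            audit.append((i * 2.5, v))
    return audit
```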