Example: Intrusion detection scan policy


This example shows a scan policy that uses a stand-alone condition and action.

The TCP/IP stack detects port scans on a port-by-port basis; the stack itself cannot recognize a scan that sweeps many ports. When a port scan is suspected, the stack generates a SCAN_EVENT that calls the intrusion detection system (IDS). The IDS processes the scan event and calls the SCAN_GLOBAL code, which maintains scan statistics across ports and checks them against the configured thresholds.

With this action, an audit record is cut if the number of scans within a 1-minute interval exceeds 100 (the fast-scan threshold), or if the number of scans within a 10-minute interval exceeds 200 (the slow-scan threshold). Both thresholds are evaluated independently, so a slow, spread-out scan that never trips the 1-minute count can still be caught by the 10-minute count.

This IDS policy selects suspicious events on TCP (protocol 6), local ports 1 through 5000; scan events for other protocols or ports are not counted by this condition.

  ibm-idsConditionAuxClass     idscond10     # IDS condition
  {
    ibm-idsConditionType         SCAN_EVENT
    ibm-policyIdsActionName      idsscan1
    ibm-idsProtocolRange         6
    ibm-idsLocalPortRange        1-5000
  }
  ibm-idsActionAuxClass        idsscan1      # IDS action
  {
    ibm-idsActionType            SCAN_GLOBAL
    ibm-idsFSInterval            1
    ibm-idsFSThreshold           100         # fast scanning threshold
    ibm-idsSSInterval            10
    ibm-idsSSThreshold           200         # slow scanning threshold
  }
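The following is an added example, not IBM's code and not part of the original page: a small Python model of how the idscond10 condition and the idsscan1 fast/slow thresholds behave when fed a stream of SCAN_EVENTs. It exists to make the two-threshold logic concrete, in particular that a slow scan which stays under 100 events per minute is still caught by the 200-per-10-minutes threshold, and that events outside TCP ports 1-5000 are never counted. The page does not describe how the stack actually buckets events over time, so the sliding window, the second-granularity timestamps, the ScanEvent record and the sample event stream are all assumptions made for this illustration.

```python
"""Added example (not IBM's code): model of the SCAN_GLOBAL fast/slow
thresholds from the idscond10 / idsscan1 policy applied to a stream of
SCAN_EVENTs.  Window semantics and event format are assumptions."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional

# Policy values copied from the idscond10 / idsscan1 example.
PROTOCOL_TCP = 6
LOCAL_PORT_RANGE = (1, 5000)
FS_INTERVAL_SEC = 1 * 60      # ibm-idsFSInterval is expressed in minutes
FS_THRESHOLD = 100            # ibm-idsFSThreshold
SS_INTERVAL_SEC = 10 * 60     # ibm-idsSSInterval is expressed in minutes
SS_THRESHOLD = 200            # ibm-idsSSThreshold


@dataclass(frozen=True)
class ScanEvent:
    """One SCAN_EVENT as the stack would raise it (assumed representation)."""
    ts: float          # seconds since an arbitrary epoch
    protocol: int      # IP protocol number
    local_port: int    # local port that looked scanned


def matches_condition(ev: ScanEvent) -> bool:
    """ibm-idsProtocolRange 6 and ibm-idsLocalPortRange 1-5000, as in idscond10."""
    lo, hi = LOCAL_PORT_RANGE
    return ev.protocol == PROTOCOL_TCP and lo <= ev.local_port <= hi


class SlidingCounter:
    """Counts events whose timestamp lies in (now - interval, now].
    A sliding window is an assumption; the page does not say how the stack buckets time."""

    def __init__(self, interval_sec: float, threshold: int) -> None:
        self.interval = interval_sec
        self.threshold = threshold
        self._ts: Deque[float] = deque()

    def add(self, ts: float) -> int:
        self._ts.append(ts)
        while self._ts and ts - self._ts[0] >= self.interval:
            self._ts.popleft()          # drop events that fell out of the window
        return len(self._ts)

    def exceeded(self) -> bool:
        return len(self._ts) > self.threshold   # the text says "exceeds", not "reaches"


def run_scan_global(events: Iterable[ScanEvent]) -> Dict[str, Optional[float]]:
    """Feed events through both thresholds; return the timestamp at which each
    threshold was first exceeded (None if never), i.e. when an audit record would be cut."""
    counters = {
        "fast": SlidingCounter(FS_INTERVAL_SEC, FS_THRESHOLD),
        "slow": SlidingCounter(SS_INTERVAL_SEC, SS_THRESHOLD),
    }
    first_audit: Dict[str, Optional[float]] = {"fast": None, "slow": None}
    for ev in sorted(events, key=lambda e: e.ts):
        if not matches_condition(ev):
            continue                    # idscond10 does not select this event
        for label, counter in counters.items():
            counter.add(ev.ts)
            if counter.exceeded() and first_audit[label] is None:
                first_audit[label] = ev.ts
    return first_audit


def sample_events() -> List[ScanEvent]:
    """Constructed input for the demonstration, not captured data."""
    evs: List[ScanEvent] = []
    # Fast scan: 101 TCP ports probed in 25 seconds (one every 250 ms).
    evs += [ScanEvent(i * 0.25, PROTOCOL_TCP, 1 + i) for i in range(101)]
    # Noise the condition must ignore: a TCP port outside 1-5000 and a UDP port.
    evs.append(ScanEvent(5.0, PROTOCOL_TCP, 6000))
    evs.append(ScanEvent(6.0, 17, 53))
    # Slow scan: 201 TCP ports probed one every 2.5 s, starting at t = 1000 s.
    # Only 24 of them fall in any 1-minute window, so only the slow threshold fires.
    evs += [ScanEvent(1000.0 + i * 2.5, PROTOCOL_TCP, 1000 + i) for i in range(201)]
    return evs


if __name__ == "__main__":
    print(run_scan_global(sample_events()))   # {'fast': 25.0, 'slow': 1500.0}
```

Running the block shows the fast threshold tripping at the 101st event of the burst (t = 25 s) and the slow threshold tripping only at the 201st event of the spread-out scan (t = 1500 s); the out-of-range and UDP events never reach either counter.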


Parent topic:

Editing the intrusion detection policy file