Example: Traffic regulation policy


This example traffic regulation policy traces suspicious traffic across the network, such as an unusually high rate of TCP connections.

Traffic regulation events correspond to completed TCP handshakes. The intrusion detection system collects statistics and, when a user-specified threshold is met, writes an audit record. Use the ibm-idsMaxEventMessage parameter in the IDS policy file to limit the number of records written to the audit journal for a given action.

This policy points to a single IDS traffic regulation condition and a single IDS action. The IDS condition selects the TCP protocol, local port 8000, and a local host IP address.

The IDS action specifies a TCP connection limit of 1000 for the listening server, a statistics interval of 10 minutes, and a TR percentage of 10. In this example the local host IP address is given as a range from 9.10.11.000 through 9.10.11.255. An audit record is created if more than 10 percent of all connections are to IP addresses within the range 9.10.11.000 through 9.10.11.255.

  ibm-idsConditionAuxClass     rule1     # IDS condition
  {
    ibm-idsConditionType         TR
    ibm-idsLocalPortRange        8000
    ibm-idsProtocolRange         6
    ibm-idsLocalHostIPAddress    2-9.10.11.000-24
    ibm-policyIdsActionName      idsact1
  }

  ibm-idsActionAuxClass        idsact1   # IDS action
  {
    ibm-idsActionType            TR
    ibm-idsStatInterval          10
    ibm-idsTRtcpTotalConnections 1000
    ibm-idsTRtcpPercentage       10
  }
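The following added example (not IBM code) parses a copy of the policy above and replays constructed connection records against it, so you can see when the thresholds described on this page would produce an audit record. It assumes the address family value 2 means IPv4, reads the trailing 24 in the local host address as a prefix length, and models only the page's own description of the TR check (protocol and port filter, percentage of connections to the address range, total connection limit), not the full IDS semantics.

```python
"""Added example: parse an IDS traffic regulation policy and evaluate it
against constructed connection records (assumptions noted inline)."""
import ipaddress
import re

# Constructed copy of the page's policy; block layout is assumed to be
# "<class> <name> [# comment] { attribute value ... }".
POLICY = """
ibm-idsConditionAuxClass rule1 # IDS condition
{
  ibm-idsConditionType TR
  ibm-idsLocalPortRange 8000
  ibm-idsProtocolRange 6
  ibm-idsLocalHostIPAddress 2-9.10.11.000-24
  ibm-policyIdsActionName idsact1
}
ibm-idsActionAuxClass idsact1 # IDS action
{
  ibm-idsActionType TR
  ibm-idsStatInterval 10
  ibm-idsTRtcpTotalConnections 1000
  ibm-idsTRtcpPercentage 10
}
"""

def parse_policy(text):
    """Return {block_name: {attribute: value}} for every { ... } block."""
    blocks = {}
    for name, body in re.findall(r"^\S+\s+(\S+)[^{]*\{([^}]*)\}", text, re.M):
        blocks[name] = dict(ln.split(None, 1) for ln in body.splitlines() if ln.strip())
    return blocks

def local_range(spec):
    """'2-9.10.11.000-24' -> 9.10.11.0/24 (family 2 read as IPv4, assumption).
    ipaddress rejects zero-padded octets, so they are normalised first."""
    _family, addr, prefix = spec.split("-")
    addr = ".".join(str(int(o)) for o in addr.split("."))
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def evaluate(policy, conns):
    """conns: (protocol, local_port, local_ip) handshakes completed in one
    statistics interval. Returns (matching_total, pct_in_range, audit)."""
    cond = next(b for b in policy.values() if b.get("ibm-idsConditionType") == "TR")
    act = policy[cond["ibm-policyIdsActionName"]]
    net = local_range(cond["ibm-idsLocalHostIPAddress"])
    match = [c for c in conns if c[0] == int(cond["ibm-idsProtocolRange"])
             and c[1] == int(cond["ibm-idsLocalPortRange"])]
    in_range = sum(ipaddress.ip_address(c[2]) in net for c in match)
    pct = 100 * in_range / len(match) if match else 0.0
    audit = (pct > int(act["ibm-idsTRtcpPercentage"])
             or len(match) > int(act["ibm-idsTRtcpTotalConnections"]))
    return len(match), pct, audit

# Constructed sample: 20 TCP handshakes to port 8000, 3 of them to the
# 9.10.11.0/24 range (15% > 10%), plus 5 UDP records the condition ignores.
SAMPLE = ([(6, 8000, "9.10.11.5"), (6, 8000, "9.10.11.200"), (6, 8000, "9.10.11.255")]
          + [(6, 8000, "9.10.12.1")] * 17 + [(17, 8000, "9.10.11.9")] * 5)

if __name__ == "__main__":
    print(evaluate(parse_policy(POLICY), SAMPLE))  # (20, 15.0, True)
```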
