Example: Traffic regulation policy

This sample traffic regulation policy traces suspicious traffic across the network, such as an unusually high rate of TCP connections.

Traffic regulation events correlate to completed handshakes for connections. The intrusion detection system generates statistics and, when user-specified thresholds are met, writes an audit record. Use the ibm-idsMaxEventMessage parameter in the IDS policy file to limit the number of records written to the audit journal.

This policy points to a single IDS traffic regulation (TR) condition and a single IDS action. The IDS condition selects the TCP protocol, local port 8000, and a local host IP address.

The IDS action specifies a TCP connection limit of 1000 for the listening server, a statistics interval of 10 minutes, and 10 percent of the TR connections. This example shows the local host IP addresses as a range of addresses from 9.10.11.000 through 9.10.11.255.

  ibm-idsConditionAuxClass     rule1     # IDS condition
  {
  ibm-idsConditionType         TR
  ibm-idsLocalPortRange        8000             # local listening port
  ibm-idsProtocolRange         6                # protocol 6 = TCP
  ibm-idsLocalHostIPAddress    2-9.10.11.000-24 # 9.10.11.0 through 9.10.11.255
  policyIdsActionName          idsact1          # action applied on a match
  }

  ibm-idsActionAuxClass        idsact1   # IDS action
  {
  ibm-idsActionType            TR
  ibm-idsStatInterval          10         # statistics interval, minutes
  ibm-idsTRtcpTotalConnections 1000       # connection limit for the server
  ibm-idsTRtcpPercentage       10
  }
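To make the meaning of the condition concrete, the following added example (not IBM's policy loader or any part of the product) reads the sample policy above, decodes the ibm-idsLocalHostIPAddress value into a network, and checks whether a given completed TCP connection would fall under rule1. It also confirms that every condition's policyIdsActionName refers to an action block that actually exists, a check worth running before a policy is activated. The layout of the address attribute is taken to be type-address-prefix with type 2 meaning IPv4; that reading is an assumption of this example, as are the function names and the "lo-hi" handling of the range attributes.

```python
import ipaddress
import re

# Constructed sample: the policy text from this page, embedded so the
# script runs offline. The parser itself is an illustration, not IBM's.
SAMPLE_POLICY = """
  ibm-idsConditionAuxClass     rule1     # IDS condition
  {
  ibm-idsConditionType         TR
  ibm-idsLocalPortRange        8000
  ibm-idsProtocolRange         6
  ibm-idsLocalHostIPAddress    2-9.10.11.000-24
  policyIdsActionName          idsact1
  }

  ibm-idsActionAuxClass        idsact1   # IDS action
  {
  ibm-idsActionType            TR
  ibm-idsStatInterval          10
  ibm-idsTRtcpTotalConnections 1000
  ibm-idsTRtcpPercentage       10
  }
"""


def parse_policy(text):
    """Return {(class, name): {attribute: value}} for each '{ ... }' block."""
    blocks = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line == "{":
            continue
        if line == "}":
            current = None
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        if current is None:
            current = (parts[0], value)  # header: "<class> <name>"
            blocks[current] = {}
        else:
            blocks[current][parts[0]] = value
    return blocks


def host_network(spec):
    """Decode 'type-address-prefix'; type 2 is assumed to mean IPv4."""
    m = re.fullmatch(r"(\d+)-(\d+\.\d+\.\d+\.\d+)-(\d+)", spec)
    if not m:
        raise ValueError("unsupported address spec: " + spec)
    addr_type, addr, prefix = m.groups()
    if addr_type != "2":
        raise ValueError("only IPv4 (type 2) is handled in this example")
    # "9.10.11.000" carries a leading-zero octet, which ipaddress rejects
    octets = ".".join(str(int(o)) for o in addr.split("."))
    return ipaddress.ip_network(f"{octets}/{prefix}", strict=False)


def in_range(spec, value):
    """True if integer value lies in 'n' or 'lo-hi' (assumed range syntax)."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= value <= int(hi or lo)


def matching_conditions(policy, local_ip, local_port, protocol):
    """Names of TR conditions a completed connection would fall under."""
    hits = []
    for (cls, name), attrs in policy.items():
        if cls != "ibm-idsConditionAuxClass" or attrs.get("ibm-idsConditionType") != "TR":
            continue
        if not in_range(attrs.get("ibm-idsProtocolRange", "-1"), protocol):
            continue
        if not in_range(attrs.get("ibm-idsLocalPortRange", "-1"), local_port):
            continue
        if ipaddress.ip_address(local_ip) in host_network(attrs["ibm-idsLocalHostIPAddress"]):
            hits.append(name)
    return hits


def check_references(policy):
    """List (condition, action) pairs whose action block is not defined."""
    actions = {name for (cls, name) in policy if cls == "ibm-idsActionAuxClass"}
    return [
        (name, attrs.get("policyIdsActionName"))
        for (cls, name), attrs in policy.items()
        if cls == "ibm-idsConditionAuxClass"
        and attrs.get("policyIdsActionName") not in actions
    ]


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    print("dangling action references:", check_references(pol))
    print("9.10.11.77:8000/tcp matches:", matching_conditions(pol, "9.10.11.77", 8000, 6))
    print("9.10.12.1:8000/tcp matches:", matching_conditions(pol, "9.10.12.1", 8000, 6))
```

Run as a script it reports no dangling references and shows that a connection to 9.10.11.77 port 8000 is covered by rule1 while one to 9.10.12.1 is not, which is the /24 boundary the text describes.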