Scan events

The intrusion detection system detects scans to individual ports.

Through statistics gathering and auditing, the intrusion detection system determines whether the system has been the target of a global scan. When the TCP/IP stack detects an intrusion event, the stack calls the intrusion detection function, which generates statistics and audit records.

If an IDS scan policy does not exist in the IDS policy file, no action is taken. If an IDS scan policy exists, the intrusion detection system creates an audit record when it detects a scan event.

TCP port scans

You can classify TCP events as normal, possibly suspicious, or highly suspicious. In the IDS policy, you can define restricted ports that no one can use.
The intrusion detection system (IDS) scans and classifies the following types of TCP events. Typically, the TCP/IP stack discards the suspicious event.
Table 1. TCP scan events classified as suspicious

| Scan Event | TCP/IP Connection State | Event Classification |
|---|---|---|
| Receive any packet | Unbound, not restricted | Possibly suspicious (possibly a failed application) |
| Receive a packet with the reset (RST) bit set in the TCP header. (In this situation, the host immediately terminates the connection, which results in a denial of service until that connection is reestablished.) | Half-open connection | Possibly suspicious (peer covering tracks) |
| Final timeout | Any connected state | Possibly suspicious (peer abandoned connection) |
| Receive unexpected flags | Any | Highly suspicious |
| Receive any packet from a restricted TCP/IP port | This TCP/IP port is RESERVED | Highly suspicious |
| Final timeout | Half-open connection | Highly suspicious (peer abandoned handshake) |

User Datagram Protocol (UDP) port scans

You can classify UDP events as normal, possibly suspicious, or highly suspicious. In the IDS policy, you can define restricted ports that no one can use. Any datagram received for a restricted port is treated as a highly suspicious event. Datagrams received for unbound but unrestricted ports are treated as possibly suspicious events. Datagrams received for bound ports that are rejected by the QoS policy or FW filters are treated as possibly suspicious. All other datagrams received for bound ports are treated as normal events.

If an IDS scan policy does not exist in the IDS policy file, no action is taken. If an IDS scan policy exists, the intrusion detection system creates an audit record when it detects a scan event.

Table 2. UDP scan events

| Scan Event | TCP/IP Connection State | Event Classification |
|---|---|---|
| QoS policy rejects packet | Bound | Normal |
| Receive any packet | Bound | Normal |
| FW filtering rejects packet | Bound | Possibly suspicious |
| Receive any packet | Unbound | Possibly suspicious (possibly failed application) |
| Receive any packet | This TCP/IP port is restricted | Highly suspicious |

Internet Control Message Protocol (ICMP) port scans

You can use ICMP requests to map network topology. Any request sent to a subnet base or broadcast address is treated as a highly suspicious event. Echo (ping) requests and timestamp requests are very common, so they are treated as normal events. The intrusion detection system audits ICMP redirect events.
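The following is an added example, not code from the page or from the product it documents, that turns the TCP rules of Table 1, the UDP rules of Table 2 and the ICMP rule above into a small classifier and runs it over a constructed batch of events. The `ScanPolicy` and `Event` types, the event kind names and the sample ports and addresses are assumptions made for the illustration; the real IDS policy file has a different shape. Where Table 2 (QoS rejects on a bound port are normal) and the UDP prose (QoS rejects are possibly suspicious) disagree, the example follows the table and says so in a comment. The "no scan policy, no action" rule is enforced in `audit()`, and ICMP redirects are audited regardless of classification, as the last paragraph states.

```python
"""Toy classifier for the IDS scan-event rules (Tables 1 and 2 plus the ICMP rule)."""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Level(Enum):
    NORMAL = "normal"
    POSSIBLY = "possibly suspicious"
    HIGHLY = "highly suspicious"


@dataclass(frozen=True)
class ScanPolicy:
    """Hypothetical stand-in for an IDS scan policy: only the restricted-port sets."""
    restricted_tcp: frozenset = frozenset()
    restricted_udp: frozenset = frozenset()


@dataclass
class Event:
    proto: str          # "tcp", "udp" or "icmp"
    kind: str           # tcp: packet/rst/timeout/unexpected-flags; udp: packet/qos-reject/fw-reject;
                        # icmp: echo/timestamp/redirect (names are assumptions of this example)
    port: int = 0
    state: str = ""     # tcp: unbound / half-open / connected; udp: bound / unbound
    dst: str = ""       # icmp only: destination address of the request
    subnet: str = ""    # icmp only: local subnet in CIDR notation


def classify_tcp(ev, policy):
    """Table 1. A restricted port is highly suspicious whatever else the packet looks like."""
    if ev.port in policy.restricted_tcp:
        return Level.HIGHLY, "packet to restricted port"
    if ev.kind == "unexpected-flags":
        return Level.HIGHLY, "unexpected flags"
    if ev.kind == "timeout":
        if ev.state == "half-open":
            return Level.HIGHLY, "peer abandoned handshake"
        return Level.POSSIBLY, "peer abandoned connection"
    if ev.kind == "rst" and ev.state == "half-open":
        return Level.POSSIBLY, "peer covering tracks"
    if ev.state == "unbound":
        return Level.POSSIBLY, "possibly a failed application"
    return Level.NORMAL, "packet to bound port"


def classify_udp(ev, policy):
    """Table 2. Restricted ports win; datagrams to unbound ports are possibly suspicious."""
    if ev.port in policy.restricted_udp:
        return Level.HIGHLY, "datagram to restricted port"
    if ev.state == "unbound":
        return Level.POSSIBLY, "possibly a failed application"
    if ev.kind == "fw-reject":
        return Level.POSSIBLY, "FW filtering rejected datagram"
    # Table 2 lists QoS rejects on a bound port as normal, while the UDP prose calls
    # them possibly suspicious. This example follows the table.
    return Level.NORMAL, "datagram to bound port"


def classify_icmp(ev, policy):
    """Requests aimed at the subnet base or broadcast address are topology mapping."""
    net = ipaddress.ip_network(ev.subnet, strict=False)
    dst = ipaddress.ip_address(ev.dst)
    if dst in (net.network_address, net.broadcast_address):
        return Level.HIGHLY, "request to subnet base or broadcast address"
    if ev.kind == "redirect":
        return Level.NORMAL, "ICMP redirect (audited)"
    return Level.NORMAL, "echo or timestamp request"


CLASSIFIERS = {"tcp": classify_tcp, "udp": classify_udp, "icmp": classify_icmp}


def audit(events, policy: Optional[ScanPolicy]):
    """Return audit records as (proto, target, level, reason) tuples.

    With no scan policy in the policy file, no action is taken and nothing is recorded.
    Normal traffic is not a scan event, except that ICMP redirects are always audited.
    """
    if policy is None:
        return []
    records = []
    for ev in events:
        level, reason = CLASSIFIERS[ev.proto](ev, policy)
        if level is not Level.NORMAL or ev.kind == "redirect":
            records.append((ev.proto, ev.port or ev.dst, level.value, reason))
    return records


# Constructed sample policy and events; ports and addresses are illustrative only.
SAMPLE_POLICY = ScanPolicy(restricted_tcp=frozenset({7}), restricted_udp=frozenset({69}))
SAMPLE_EVENTS = [
    Event("tcp", "packet", port=8080, state="unbound"),         # possibly suspicious
    Event("tcp", "timeout", port=22, state="half-open"),        # highly suspicious
    Event("tcp", "packet", port=7, state="unbound"),            # restricted: highly suspicious
    Event("udp", "qos-reject", port=53, state="bound"),         # normal per Table 2
    Event("udp", "packet", port=9, state="unbound"),            # possibly suspicious
    Event("icmp", "echo", dst="192.0.2.255", subnet="192.0.2.0/24"),   # broadcast: highly
    Event("icmp", "echo", dst="192.0.2.10", subnet="192.0.2.0/24"),    # normal ping
    Event("icmp", "redirect", dst="192.0.2.10", subnet="192.0.2.0/24"),  # audited
]

if __name__ == "__main__":
    for rec in audit(SAMPLE_EVENTS, SAMPLE_POLICY):
        print(rec)
```

Run as-is it prints six audit records; passing `None` as the policy, which models a policy file with no IDS scan policy, yields none. The restricted-port check sits first in both `classify_tcp` and `classify_udp` so that it cannot be masked by a later, weaker rule.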