Example: Intrusion detection scan policy

This example shows a scan policy that uses stand-alone conditions and actions: the condition and the action are defined as separate objects, and the condition names the action it triggers (ibm-policyIdsActionName).

The TCP/IP stack detects port scans on a port-by-port basis; by itself it cannot recognize a global scan that spans many ports. When a scan against an individual port is suspected, the stack generates a SCAN_EVENT, which invokes the intrusion detection system. The intrusion detection system processes the scan event and runs the SCAN_GLOBAL action, which accumulates statistics across ports and checks them against the fast-scan and slow-scan thresholds.

This IDS policy monitors TCP (protocol 6) local ports 1 through 5000 for scan events; every matching event is passed to the idsscan1 action.

  ibm-idsConditionAuxClass     idscond10  # IDS condition
  {
  ibm-idsConditionType         SCAN_EVENT # per-port scan events from the stack
  ibm-policyIdsActionName      idsscan1   # action to run for matching events
  ibm-idsProtocolRange         6          # TCP
  ibm-idsLocalPortRange        1-5000     # local ports covered by this condition
  }
  ibm-idsActionAuxClass        idsscan1   # IDS action
  {
  ibm-idsActionType            SCAN_GLOBAL # aggregate events and monitor thresholds
  ibm-idsFSInterval            10         # fast scanning interval
  ibm-idsFSThreshold           10         # fast scanning threshold
  ibm-idsSSInterval            100        # slow scanning interval
  ibm-idsSSThreshold           20         # slow scanning threshold
  }
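The following is an added example, not IBM code and not part of the original page: a small Python model of the fast-scan/slow-scan threshold logic described above, run over constructed SCAN_EVENTs. It takes its numbers from the idscond10 condition and the idsscan1 action. Everything beyond those numbers is an assumption made for the illustration: the intervals are treated as minutes (the page does not state their units), a "unique event" is taken to be a distinct local port probed from one source address, and a source's history is cleared once it has been reported so that each scan is reported once. The class and function names (ScanGlobal, matches_condition, run_sample) are hypothetical.

```python
from collections import defaultdict, deque

# Values copied from the idscond10 condition and the idsscan1 action above.
# The page gives no units for the intervals; minutes are assumed here.
FS_INTERVAL = 10          # ibm-idsFSInterval
FS_THRESHOLD = 10         # ibm-idsFSThreshold
SS_INTERVAL = 100         # ibm-idsSSInterval
SS_THRESHOLD = 20         # ibm-idsSSThreshold
PROTOCOL = 6              # ibm-idsProtocolRange (TCP)
LOCAL_PORTS = (1, 5000)   # ibm-idsLocalPortRange


def matches_condition(protocol, local_port):
    """idscond10: a SCAN_EVENT is of interest only for TCP and local ports 1-5000."""
    return protocol == PROTOCOL and LOCAL_PORTS[0] <= local_port <= LOCAL_PORTS[1]


class ScanGlobal:
    """Hypothetical model of the SCAN_GLOBAL action.

    Per source address it keeps the recent (minute, local_port) events and
    counts distinct ports inside a fast window and a slow window.  A "unique
    event" is assumed to be a distinct local port probed by that source.
    """

    def __init__(self):
        self._events = defaultdict(deque)   # src -> deque of (minute, port)
        self.alerts = []                    # (minute, src, verdict, fast, slow)

    def observe(self, minute, protocol, src, local_port):
        # The stack only raises SCAN_EVENTs that match the condition; the
        # rest never reach the action.
        if not matches_condition(protocol, local_port):
            return None
        q = self._events[src]
        q.append((minute, local_port))
        # Forget history older than the slow interval.
        while q and minute - q[0][0] >= SS_INTERVAL:
            q.popleft()
        fast = {p for t, p in q if minute - t < FS_INTERVAL}
        slow = {p for t, p in q}
        verdict = None
        if len(fast) >= FS_THRESHOLD:
            verdict = "FAST_SCAN"
        elif len(slow) >= SS_THRESHOLD:
            verdict = "SLOW_SCAN"
        if verdict:
            self.alerts.append((minute, src, verdict, len(fast), len(slow)))
            q.clear()   # simplification: report each scan once, then start over
        return verdict


def run_sample():
    """Replay constructed SCAN_EVENTs (not captured traffic) and return the alerts."""
    events = []   # (minute, protocol, src, local_port)
    # Fast scan: ten distinct ports from one source within five minutes.
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445]):
        events.append((i // 2, 6, "10.0.0.1", port))
    # Not a scan: the same port probed fifteen times is one distinct port.
    events += [(m, 6, "10.0.0.2", 80) for m in range(15)]
    # Slow scan: twenty distinct ports, one every four minutes, never ten
    # of them inside a single fast interval.
    events += [(4 * i, 6, "10.0.0.3", 1000 + i) for i in range(20)]
    # Outside the condition: ports above 5000 and a UDP probe are ignored.
    events += [(0, 6, "10.0.0.4", 5000 + i) for i in range(1, 11)]
    events.append((0, 17, "10.0.0.4", 53))
    events.sort(key=lambda e: e[0])
    ids = ScanGlobal()
    for minute, proto, src, port in events:
        ids.observe(minute, proto, src, port)
    return ids.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The two windows are what let the action catch both a noisy scanner (ten ports inside the fast interval) and a patient one (twenty ports spread over most of the slow interval, never more than three inside any fast interval). Raising the thresholds or shortening the intervals trades fewer false alerts on busy hosts for a larger scan going unreported.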