friedkiwi/ibm-information-center
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
master
ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaub_5.4.0.1/rzaubeventscan.htm

140 lines
8.9 KiB
HTML
Raw Permalink Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Scan events" />
<meta name="abstract" content="The intrusion detection system detects scans to individual ports." />
<meta name="description" content="The intrusion detection system detects scans to individual ports." />
<meta name="DC.Relation" scheme="URI" content="rzaubanalyze.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaubeventscan" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scan events</title>
</head>
<body id="rzaubeventscan"><a name="rzaubeventscan"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scan events</h1>
<div><p>The intrusion detection system detects scans to individual ports. </p>
<div class="section"><p>Through statistics gathering and auditing, the
intrusion detection system determines whether the system has been the target
of a global scan. When the TCP/IP stack detects an intrusion event is detected,
the stack calls the intrusion detection function and generates statistics
and audit records.</p>
<p>If an IDS scan policy does not exist
in the IDS policy file, no action is taken. If an IDS scan policy exists,
the intrusion detection system creates an audit record when it detects a scan
event.</p>
</div>
<div class="section" id="rzaubeventscan__tcpscan"><a name="rzaubeventscan__tcpscan"><!-- --></a><h4 class="sectiontitle">TCP port scans</h4>You can classify TCP events
as normal, possibly suspicious, or highly suspicious. In the IDS policy, you
can define restricted ports that no one can use.<div class="p">The intrusion detection
system (IDS) scans and classifies the following types of TCP events. Typically,
the TCP/IP stack discards the suspicious event.
<div class="tablenoborder"><a name="rzaubeventscan__tcptab"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="rzaubeventscan__tcptab" frame="border" border="1" rules="all"><caption>Table 1. TCP
scan events classified as suspicious</caption><thead align="left"><tr><th valign="top" width="33.33333333333333%" id="d0e32">Scan Event</th>
<th valign="top" width="33.33333333333333%" id="d0e34">TCP/IP Connection State</th>
<th valign="top" width="33.33333333333333%" id="d0e36">Event Classification</th>
</tr>
</thead>
<tbody><tr valign="top"><td valign="top" width="33.33333333333333%" headers="d0e32 ">Receive any packet</td>
<td valign="top" width="33.33333333333333%" headers="d0e34 ">Unbound, not restricted</td>
<td valign="top" width="33.33333333333333%" headers="d0e36 ">Possibly suspicious (possibly a failed application)</td>
</tr>
<tr><td valign="top" width="33.33333333333333%" headers="d0e32 "><span>Receive a packet with the reset (RST)
bit set in the TCP header. (In this situation, the host immediately terminates
the connection, which results in a denial of service until that connection
is reestablished.)</span></td>
<td valign="top" width="33.33333333333333%" headers="d0e34 ">Half-open connection</td>
<td valign="top" width="33.33333333333333%" headers="d0e36 ">Possibly suspicious (peer covering tracks)</td>
</tr>
<tr><td valign="top" width="33.33333333333333%" headers="d0e32 ">Final timeout</td>
<td valign="top" width="33.33333333333333%" headers="d0e34 ">Any connected state</td>
<td valign="top" width="33.33333333333333%" headers="d0e36 ">Possibly suspicious (peer abandoned connection)</td>
</tr>
<tr valign="top"><td valign="top" width="33.33333333333333%" headers="d0e32 ">Receive unexpected flags</td>
<td valign="top" width="33.33333333333333%" headers="d0e34 ">Any</td>
<td valign="top" width="33.33333333333333%" headers="d0e36 ">Highly suspicious</td>
</tr>
<tr><td valign="top" width="33.33333333333333%" headers="d0e32 ">Receive any packet from a restricted TCP/IP port</td>
<td valign="top" width="33.33333333333333%" headers="d0e34 ">This TCP/IP port is RESERVED</td>
<td valign="top" width="33.33333333333333%" headers="d0e36 ">Highly suspicious</td>
</tr>
<tr><td valign="top" width="33.33333333333333%" headers="d0e32 ">Final timeout</td>
<td valign="top" width="33.33333333333333%" headers="d0e34 ">Half-open connection</td>
<td valign="top" width="33.33333333333333%" headers="d0e36 ">Highly suspicious (peer abandoned handshake)</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div class="section" id="rzaubeventscan__udpscan"><a name="rzaubeventscan__udpscan"><!-- --></a><h4 class="sectiontitle">User Datagram Protocol (UDP) port scans</h4>You
can classify UDP events as normal, possibly suspicious, or highly suspicious.
In the IDS policy, you can define restricted ports that no one can use. Any
datagram received for a restricted port is treated as a highly suspicious
event. Datagrams received for unbound but unrestricted ports are treated as
possibly suspicious events. Datagrams received for bound ports that are rejected
by the QoS policy <span>or FW filters</span> are treated as possibly
suspicious. All other datagrams received for bound ports are treated as normal
events.<p>If an IDS scan policy does not exist in the IDS policy
file, no action is taken. If an IDS scan policy exists, the intrusion detection
system creates an audit record when it detects a scan event. </p>
<div class="tablenoborder"><a name="rzaubeventscan__udptab"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="rzaubeventscan__udptab" frame="border" border="1" rules="all"><caption>Table 2. UDP scan events</caption><thead align="left"><tr><th valign="top" width="33.33333333333333%" id="d0e100">Scan Event</th>
<th valign="top" width="33.33333333333333%" id="d0e102">TCP/IP Connection State</th>
<th valign="top" width="33.33333333333333%" id="d0e104">Event Classification</th>
</tr>
</thead>
<tbody><tr valign="top"><td valign="top" width="33.33333333333333%" headers="d0e100 ">QoS policy rejects packet</td>
<td valign="top" width="33.33333333333333%" headers="d0e102 ">Bound </td>
<td valign="top" width="33.33333333333333%" headers="d0e104 ">Normal </td>
</tr>
<tr><td valign="top" width="33.33333333333333%" headers="d0e100 ">Receive any packet</td>
<td valign="top" width="33.33333333333333%" headers="d0e102 ">Bound</td>
<td valign="top" width="33.33333333333333%" headers="d0e104 ">Normal</td>
</tr>
<tr><td valign="top" width="33.33333333333333%" headers="d0e100 ">FW filtering rejects packet</td>
<td valign="top" width="33.33333333333333%" headers="d0e102 ">Bound</td>
<td valign="top" width="33.33333333333333%" headers="d0e104 ">Possibly suspicious</td>
</tr>
<tr valign="top"><td valign="top" width="33.33333333333333%" headers="d0e100 ">Receive any packet</td>
<td valign="top" width="33.33333333333333%" headers="d0e102 ">Unbound</td>
<td valign="top" width="33.33333333333333%" headers="d0e104 ">Possibly suspicious (possibly failed application)</td>
</tr>
<tr><td valign="top" width="33.33333333333333%" headers="d0e100 ">Receive any packet</td>
<td valign="top" width="33.33333333333333%" headers="d0e102 ">This TCP/IP port is restricted</td>
<td valign="top" width="33.33333333333333%" headers="d0e104 ">Highly suspicious</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="rzaubeventscan__icmpscan"><a name="rzaubeventscan__icmpscan"><!-- --></a><h4 class="sectiontitle">Internet Control Message Protocol (ICMP) port
scans</h4><p>You can use ICMP requests to map network topology. Any request
sent to a subnet base or broadcast address is treated as a highly suspicious
event. Echo (ping) requests and timestamp requests are very common, so they
are treated as normal events. <span>The intrusion detection system
audits ICMP redirect events.</span></p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaubanalyze.htm" title="Learn how to analyze the auditing data for intrusion detection activities, and obtain reference information about the fields in the IM audit record.">Analyze the auditing data</a></div>
</div>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink