Example: Traffic regulation policy

This example traffic regulation policy traces suspicious traffic across the network, such as an unusually high rate of TCP connections.

Traffic regulation events correlate to completed handshakes for connections. The intrusion detection system tracks the TCP traffic over the IP addresses and ports that are specified in the IDS policy. When user-specified thresholds are met, IDS generates an intrusion event.

This intrusion detection policy specifies a TCP connection limit of 1000, a TCP connection percentage of 100%, a statistics interval of 60 minutes, and a maximum of 5 event messages. When IDS detects the 1001st TCP connection to port 8000 at a local address in the range 9.10.11.000 through 9.10.11.255, it sends the intrusion notification to the specified e-mail addresses and logs the notification to the audit journal. Use the Intrusion Detection Events page to display the logged events. IDS sends at most five intrusion notifications within each 60-minute interval; further threshold crossings in that interval are not reported.

The number of audit records that the system generates depends on the Maximum event messages value in the intrusion detection policy file.

Table 1. Traffic regulation policy example

Setting                                              Value
Policy name                                          TR_policy
Policy type                                          Traffic regulation (TCP)
Threshold for the total number of TCP connections    1000
TCP connection percentage                            100
Local IP addresses                                   9.10.11.000-9.10.11.255
Local ports                                          8000
Remote IP addresses                                  All IP addresses
Remote ports                                         All ports
Statistics interval                                  60 minutes
Maximum event messages                               5
Send e-mail notification (1)                         Yes

(1) IDS sends e-mail notification only if you have enabled this support in the IDS Properties page, which is where the e-mail addresses are specified.
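The following is an added example, not IBM's IDS code, that replays constructed handshake records against a policy with the Table 1 values to show where the 1001st connection and the five-message cap take effect. It assumes a fixed statistics window starting at the first matching handshake, expresses the local address range as 9.10.11.0/24, and leaves the TCP connection percentage check out.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class TrafficRegulationPolicy:
    """Constructed model of one TCP traffic regulation policy (not IBM's code)."""
    name: str
    local_net: ipaddress.IPv4Network   # local IP addresses the policy watches
    local_port: int                    # local port the policy watches
    connection_limit: int              # threshold for total TCP connections
    interval_minutes: int              # statistics interval
    max_event_messages: int            # notifications allowed per interval
    _window_start: Optional[float] = field(default=None, init=False)
    _connections: int = field(default=0, init=False)
    _events_sent: int = field(default=0, init=False)

    def observe(self, ts: float, local_ip: str, local_port: int) -> Optional[dict]:
        """Feed one completed TCP handshake; return an intrusion event or None."""
        if local_port != self.local_port or ipaddress.ip_address(local_ip) not in self.local_net:
            return None                        # outside the policy's scope
        window = self.interval_minutes * 60
        if self._window_start is None or ts - self._window_start >= window:
            self._window_start, self._connections, self._events_sent = ts, 0, 0
        self._connections += 1
        if self._connections <= self.connection_limit:
            return None                        # still within the threshold
        if self._events_sent >= self.max_event_messages:
            return None                        # over threshold, but message cap reached
        self._events_sent += 1
        return {"policy": self.name, "connection": self._connections, "ts": ts}

def run_example() -> list:
    """Replay constructed handshakes against a policy matching Table 1."""
    policy = TrafficRegulationPolicy("TR_policy", ipaddress.ip_network("9.10.11.0/24"),
                                     8000, 1000, 60, 5)
    events = []
    for i in range(1010):                      # 1010 handshakes to port 8000 in one interval
        events.append(policy.observe(float(i), "9.10.11.42", 8000))
    events.append(policy.observe(1010.0, "9.10.11.42", 22))        # other port: ignored
    events.append(policy.observe(1011.0, "9.10.12.7", 8000))       # outside range: ignored
    events.append(policy.observe(3600.0 * 2, "9.10.11.42", 8000))  # new interval: counters reset
    return [e for e in events if e is not None]

if __name__ == "__main__":
    for event in run_example():
        print(event)
```

Only five events come out of 1010 matching handshakes: connections 1001 through 1005 are reported, 1006 through 1010 are suppressed by the message cap, and the handshake in the next interval starts a fresh count.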