Intrusion detection system initialization

If the intrusion detection system (IDS) is active, it monitors for intrusions during the initial program load (IPL) of the system as well as while the system is running. When you use the IDS GUI to create intrusion detection policies, IDS creates a set of conditions and actions based on the information in the policies.

The following graphic shows how IDS is initialized when you create an intrusion detection policy using the IDS GUI or a program.

Intrusion detection system initialization
  1. When you create an intrusion detection policy, the IDS GUI builds the IDS policy file and activates IDS using the Control Intrusion Detection and Prevention (QTOQIDSC, QtoqIDSControl) API.
    Note: After you create a new policy, IDS is automatically stopped and restarted for the policy to take effect.
  2. The QTOQIDSC API sends the policy information to the IDS control module.
  3. The IDS control module has four functions:
    • Starting IDS. If IDS is started or recycled, IDS control reads the policy file and sends it to the IDS policy file parser.
    • Stopping IDS. If IDS is stopped, IDS control performs internal cleanup functions.
    • Recycling (stopping and restarting) IDS. If you delete an IDS policy, IDS control deletes the IDS task associated with that policy.
    • Retrieving IDS status. This status indicates whether IDS is stopped or active.
  4. The IDS policy file parser creates the IDS task.
  5. The IDS task creates the port table with the condition and action lists.
  6. The IDS port table represents TCP ports 1 through 65535. This table also has a port 0 provision that applies to all ports. Conditions are assigned to ports using the IDS GUI. Actions are assigned to conditions using the IDS GUI.
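
The port table described in steps 5 and 6 can be modelled as follows. This is an added illustration, not IBM code or the actual IDS data structure. The policy layout, the condition and action names, and the rule that a port-specific entry overrides a port 0 entry of the same name are all assumptions of this model.

```python
from collections import defaultdict

MAX_PORT = 65535
ALL_PORTS = 0  # the port 0 entry applies to every port

# Constructed sample policies; condition and action names are hypothetical.
SAMPLE_POLICIES = [
    {"condition": "scan_threshold", "ports": [ALL_PORTS], "actions": ["audit"]},
    {"condition": "syn_flood", "ports": [23, (8000, 8002)], "actions": ["audit", "notify"]},
    {"condition": "malformed_packet", "ports": [23], "actions": ["audit"]},
]


def expand_ports(spec):
    """Yield each port number from a list of ints and (low, high) ranges."""
    for item in spec:
        low, high = item if isinstance(item, tuple) else (item, item)
        if not (0 <= low <= high <= MAX_PORT):
            raise ValueError(f"port spec out of range: {item!r}")
        if low == ALL_PORTS and high != ALL_PORTS:
            raise ValueError("port 0 is the all-ports entry and cannot start a range")
        yield from range(low, high + 1)


def build_port_table(policies):
    """Return {port: {condition: [actions]}}; key 0 holds all-port conditions."""
    table = defaultdict(dict)
    for policy in policies:
        for port in expand_ports(policy["ports"]):
            # Actions are attached to the condition, not directly to the port.
            table[port][policy["condition"]] = list(policy["actions"])
    return dict(table)


def conditions_for(table, port):
    """Conditions that apply to traffic on one TCP port, port 0 entries first."""
    if not 1 <= port <= MAX_PORT:
        raise ValueError(f"not a TCP port in 1..{MAX_PORT}: {port}")
    merged = dict(table.get(ALL_PORTS, {}))
    # Assumption of this model: a port-specific entry wins on a name clash.
    merged.update(table.get(port, {}))
    return merged
```

Looking up a port that has no entry of its own still returns the port 0 conditions, which is the case to check when reviewing whether a policy covers every port.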