Example: Perpetual echo policy

This example shows an IDS attack-type policy that monitors for perpetual echoes between local port 7 and remote port 7.

UDP port 7 is the echo port. In a perpetual echo attack, the UDP header specifies port 7 as both the source port and the target port, so the datagram echoes back and forth between the local UDP port 7 and the remote UDP port 7.

When a perpetual echo occurs on port 7, IDS sends an intrusion notification to the Intrusion Detection Events page and to the audit journal, but it does not send an e-mail notification.

Each event that is detected is logged. Ensure that IDS does not overload the system if it is logging large numbers of events. If IDS is logging too many events, you can reduce the number of events being logged by using any of the following methods:
  • Using variable dynamic throttling.
  • Changing the IDS policy to monitor fewer IP addresses.
  • Limiting the maximum number of messages.

Table 1. Perpetual echo policy example

| Setting | Value |
|---|---|
| Policy name | Echoes_policy |
| Policy type | Attack |
| Attack type | Perpetual echo |
| Local IP addresses | All IP addresses |
| Local ports | 7 |
| Remote IP addresses | All IP addresses |
| Remote ports | 7 |
| Send messages for each intrusion | Yes |
| Send e-mail notification | No |
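
The condition this policy matches, together with a cap on the number of messages, can be sketched as follows. This is an added illustration, not the IDS implementation; the function names, the `max_messages` parameter, and the sample packets (built with documentation addresses) are constructed for the example.

```python
import struct

ECHO_PORT = 7        # local and remote port from the policy table
UDP_PROTO = 17       # IPv4 protocol number for UDP


def parse_udp_ports(packet: bytes):
    """Return (src_port, dst_port) for an IPv4/UDP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                       # too short or not IPv4
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or packet[9] != UDP_PROTO or len(packet) < ihl + 8:
        return None                       # bad header, not UDP, or truncated
    frag = struct.unpack_from("!H", packet, 6)[0]
    if frag & 0x1FFF:
        return None                       # non-first fragment: no UDP header
    return struct.unpack_from("!HH", packet, ihl)


def is_perpetual_echo(packet: bytes) -> bool:
    """True when both source and destination UDP ports are the echo port."""
    return parse_udp_ports(packet) == (ECHO_PORT, ECHO_PORT)


def scan(packets, max_messages=2):
    """Count every detection but emit at most max_messages notifications."""
    detected, messages = 0, []
    for index, packet in enumerate(packets):
        if is_perpetual_echo(packet):
            detected += 1
            if len(messages) < max_messages:   # assumed message limit
                messages.append(f"perpetual echo: packet {index}")
    return detected, messages


def sample_packet(src_port, dst_port, proto=UDP_PROTO):
    """Constructed IPv4/UDP header using documentation addresses."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + struct.pack("!HHHH", src_port, dst_port, 8, 0)


# Constructed sample traffic: three matches, one ordinary echo request, one TCP packet.
SAMPLES = [sample_packet(7, 7), sample_packet(40000, 7),
           sample_packet(7, 7, proto=6), sample_packet(7, 7),
           sample_packet(7, 7)]
```

Only datagrams with port 7 on both ends match; an ordinary echo request from an ephemeral source port does not.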