Example: Traffic regulation policy

This example traffic regulation policy traces suspicious traffic across the network, such as an unusually high rate of TCP connections.

Traffic regulation events correlate to completed handshakes for connections. The intrusion detection system tracks the TCP traffic over the IP addresses and ports that are specified in the IDS policy. When user-specified thresholds are met, IDS generates an intrusion event.

This intrusion detection policy specifies a TCP connection limit of 1000, a TCP connection percentage of 100%, a statistics interval of 60 minutes, and a maximum number of 5 event messages. When IDS detects the 1001st TCP connection to port 8000 at local addresses through, it sends the intrusion notification to the specified e-mail addresses and logs the notification to the audit journal. Use the Intrusion Detection Events page to display the logged events. IDS can send a maximum of five intrusion notifications within each 60-minute interval.

The number of audit records that the system generates depends on the value of the Maximum event messages in the intrusion detection policy file.

Table 1. Traffic regulation policy example
Setting Value
Policy name TR_policy
Policy type Traffic regulation (TCP)
Threshold for the total number of TCP connections 1000
TCP connection percentage 100
Local IP addresses
Local ports 8000
Remote IP addresses All IP addresses
Remote ports All ports
Statistics interval 60 minutes
Maximum event messages 5
Send e-mail notification1 Yes
1 IDS sends e-mail notification only if you have enabled this support in the IDS Properties page, which is where the e-mail addresses are specified.