IDS console output

Under certain conditions, IDS suppresses console messages to avoid flooding the system console.

Scan detection is reported at most once per fast scan interval for a particular source IP address. If a scan is continually detected for the same source IP address, consider adding this address to your scan exclusion list (if this user is legitimately accessing resources). The installation also has the option of requesting notification to syslogd rather than to the console. The same criteria are used for reporting scans to syslogd as to the console.

IDS attack policy actions support the maximum event message parameter. If specified, this limits the number of times the same attack type is reported to the system console within any 5-minute time period.

Traffic regulation for protocol TCP suppresses console reporting of the following three events that could occur repeatedly.
  • Only the first connection denied, when an application exceeds the TR TCP total connections limit, is reported during each port constrained period.
  • Only the first connection denied, when a source host exceeds the TR TCP percentage available limit, is reported until the number of connections by that source host to this application drops below 88% of the limit and at least 2 connections below the limit.
  • Connections that would exceed the TR TCP percentage of available connections per source host, but are allowed because of a higher value in QoS policy, are reported to syslogd only.
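
The re-arm rule in the second bullet, modelled as an added example (not IBM code and not part of the original page). It assumes a fixed per-source-host limit expressed as a connection count and reads "below 88%" as strictly below; `rearm_threshold`, `simulate` and `SAMPLE` are hypothetical names.

```python
# Added illustration: a simplified model, not IBM's implementation.
# Assumption: the per-source-host limit is a fixed connection count here.

def rearm_threshold(limit):
    """Highest active-connection count at which console reporting re-arms."""
    below_88_percent = (88 * limit - 1) // 100   # largest n with n < 0.88 * limit
    return min(below_88_percent, limit - 2)      # and at least 2 below the limit

def simulate(events, limit):
    """Replay 'open'/'close' events for one source host.

    Returns (event_index, "console" | "suppressed") for every denied connection.
    """
    active, armed, denials = 0, True, []
    for i, event in enumerate(events):
        if event == "close":
            active = max(0, active - 1)
            # Both conditions from the bullet must hold before the next report.
            if active <= rearm_threshold(limit):
                armed = True
        elif active < limit:
            active += 1
        else:
            # Connection denied: only the first one since re-arming is reported.
            denials.append((i, "console" if armed else "suppressed"))
            armed = False
    return denials

# Constructed sample: fill to the limit, keep hitting it, then drain to the threshold.
SAMPLE = ["open"] * 12 + ["close", "open", "open", "close", "close"] + ["open"] * 3

if __name__ == "__main__":
    for index, outcome in simulate(SAMPLE, limit=10):
        print(index, outcome)
```

In this model a single console message can stand for many denied connections, so a quiet console after the first report does not show that the source host has stopped hitting the limit.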