Scan policies
Scans are recognized when a single source IP address makes multiple attempts to gather information within a defined period of time. Although a scan is not harmful, many serious attacks, especially access violation attacks, are preceded by scans to gather information. Scans must use reliable source IP addresses and can be interesting events to monitor.
IDS support defines a scanner as a source host that accesses multiple unique resources (ports or interfaces) over a specified period of time. You can specify the number of unique resources (Threshold) and the time period (Interval) by policy. Two categories of scans are supported:
- Fast scan
Many resources are rapidly accessed in a short time period (usually less than 5 minutes and program driven)
- Slow scan
Different resources are intermittently accessed over a longer period of time (many hours). This could be a scanner trying to avoid detection.
The following scenarios are some examples of a scanner:
- Source host A has a program that loops through all low ports and tries to connect to each port on target host X (fast scan). Each port is considered a unique resource.
- Source host B manually sends a ping command to each interface on target host X, and then tries to access well-known ports on target host X (most likely a slow scan). Each interface accessed by a ping command is considered a unique resource, and each port accessed is considered a unique resource.
The following scenario is not considered to be an example of a scanner:
- Source host C starts 20 connections to port 23. Because these connections are to the same port, only one unique resource is accessed, and host C is not considered a scanner.
Scans like the one in the following scenario might not be detected by IDS:
- Source host E issues a ping command to IP addresses 9.1.1.1 through 9.255.255.255. Because host X collects data only for the ping commands that are directed to interfaces of host X, this event is not detected by host X as a scan. Network IDS might detect this as wide scan.
Scan policy provides the ability to specify the following conditions and actions:
- Fast scan time interval
- Slow scan time interval
- Fast scan threshold
- Slow scan threshold
- Exclude well-known legitimate scanners by using an exclusion list
- Specify a sensitivity level by port or port range (to reduce performance impacts)
- Provide notification of a detected scan by issuing a console message or a syslogd message
- Trace potential scan packets
The individual packets used in a scan are categorized as normal, possibly suspicious, or very suspicious. To control the performance impact and analysis load of scan monitoring, set the sensitivity level for potential scan events to high, medium, or low.
Table 1 shows how the policy-specified sensitivity affects the counting of scan events. The event suspicion level is determined by the stack.
| Sensitivity (from policy) | Normal event | Possibly suspicious event | Very suspicious event |
|---|---|---|---|
| Low | counted | ||
| Medium | counted | counted | |
| High | counted | counted | counted |
To help reduce or eliminate false positive results, IDS allows policy-specified source IP addresses, subnet masks, and optionally, source port numbers, to be excluded from scan detection. For UDP and TCP port scans, you can limit scan detection to specific destination port ranges. You can specify the sensitivity level (high, medium, or low) for these port ranges.
Another way that IDS reduces false positive results is by counting only unique events from a specific source IP address within a scan interval. An event is considered unique if the IP protocol, destination IP address, and destination port (UDP or TCP) or type (ICMP) have not been encountered before during this scan interval.
IDS scan policy supports a fast scan interval and threshold, and a slow scan interval and threshold:
- Fast scan
A fast scan is recognized if the number of unique events within the fast scan interval reaches the fast scan threshold.
- Slow scan
A slow scan is recognized if the number of unique events within the slow scan interval reaches the slow scan threshold.
IDS counts scan events using an internal interval that is no greater than half of the fast scan interval. During an internal interval, after the number of unique events reaches the slow scan threshold, additional events are not counted. These additional events are traced if requested by policy using the trace data parameter in the action.
Scan events are categorized by the following scan types:
- ICMP scans
- ICMPv6 scans
- UDP port scans
- TCP port scans
Any countable scan event is counted against the origin source IP address, and the total number of countable events from all categories is compared to the policy thresholds. When an origin source IP address has reached the fast or slow threshold defined by policy, the following actions are taken if you requested them using the notification options in the action:
- A notification is sent to the traffic regulation management daemon (TRMD) for logging to syslogd
- A console message is issued
- The packet is logged to the IDS packet trace
When IDS detects a scan for a particular source IP address, no further scan events are reported for that source IP address during the specified interval. The intervals and thresholds for fast and slow scans are global; one set of values applies to all event categories.