IDS scan policy example
The goal of scan policy is to detect all scanners with potentially malicious intent while avoiding large numbers of false positives. You can make this process more efficient by reserving all unused low ports in the TCPIP profile. This will allow you to use the low sensitivity setting on scans for these ports. As you investigate the scans detected, you will initially find your own network management tools. These can be explicitly excluded. If you include UDP ephemeral ports in a high sensitivity policy, you will discover that your DNS servers show up as scanners. You can explicitly exclude these as well. To activate scan policy, a scan global rule and at least one scan event rule must be defined.
- Scan Global: Defines a global set of parameters for detecting scans, and also defines reporting parameters for scan events.
  - A Fast Scan is defined as 5 unique events in 2 minutes from a single source IP address.
  - A Slow Scan is defined as 10 unique events in 480 minutes (8 hours).
  - The first 200 bytes of the packet associated with each countable event will be traced.
  - When a scan is detected, an event will be written to syslog at warning level, along with a detailed list of all the unique events included in the scan.
  - No message will be written to the console.
- Scan Event Low: Defines a set of traffic for which low sensitivity scan detection will be performed. Inbound traffic to all TCP and UDP ports between 1 and 1023 will be monitored. It is recommended that unused low ports be RESERVED in the TCPIP profile.
- Scan Event Medium: Defines a set of traffic for which medium sensitivity scan detection will be performed. ICMP and ICMPv6 inbound traffic will be monitored.
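As an added illustration, not part of the z/OS documentation or its policy syntax, the following Python models how the Scan Global thresholds above count unique events per source IP, and why the page recommends excluding known sources such as DNS servers once ephemeral ports are monitored. The host addresses, ports and traffic are constructed, and the log-line wording is this example's own.

```python
from collections import defaultdict

# Thresholds from the page's Scan Global definition, in seconds
FAST_SCAN_EVENTS, FAST_SCAN_WINDOW = 5, 2 * 60      # 5 unique events in 2 minutes
SLOW_SCAN_EVENTS, SLOW_SCAN_WINDOW = 10, 480 * 60   # 10 unique events in 480 minutes
LOW_PORTS = range(1, 1024)                           # Scan Event Low: TCP/UDP ports 1-1023


def detect_scans(events, excluded_sources=frozenset(), monitored_ports=LOW_PORTS):
    """events: (ts_seconds, src_ip, protocol, local_port) tuples in time order.
    A countable event is a probe from a non-excluded source to a monitored port;
    a unique event is a distinct (protocol, port) pair, so retries of one port
    count once. Returns one (kind, src_ip, ts, unique_events) record per source
    and scan kind, raised at the probe that crosses the threshold."""
    history = defaultdict(list)          # src_ip -> [(ts, (protocol, port)), ...]
    reported, detections = set(), []
    for ts, src, proto, port in events:
        if src in excluded_sources or port not in monitored_ports:
            continue
        # keep only probes still inside the slow-scan window, then add this one
        hist = [(t, k) for t, k in history[src] if ts - t <= SLOW_SCAN_WINDOW]
        hist.append((ts, (proto, port)))
        history[src] = hist
        slow_unique = {k for _, k in hist}
        fast_unique = {k for t, k in hist if ts - t <= FAST_SCAN_WINDOW}
        for kind, unique, threshold in (("fast", fast_unique, FAST_SCAN_EVENTS),
                                        ("slow", slow_unique, SLOW_SCAN_EVENTS)):
            if len(unique) >= threshold and (kind, src) not in reported:
                reported.add((kind, src))
                detections.append((kind, src, ts, sorted(unique)))
    return detections


def syslog_line(detection):
    """Warning-level line carrying the unique-event detail that LogDetail Yes asks
    for (the wording is this example's own, not the z/OS message text)."""
    kind, src, ts, unique = detection
    probes = " ".join(f"{proto}/{port}" for proto, port in unique)
    return f"<warning> {kind} scan from {src} at t={ts}s, {len(unique)} unique events: {probes}"


# Constructed sample traffic (no real hosts): a fast TCP sweep, a slow TCP sweep,
# a DNS server answering to ephemeral UDP ports, and a client retrying one port.
SAMPLE_EVENTS = sorted(
    [(t, "10.0.0.5", "tcp", p) for t, p in zip(range(0, 50, 10), (21, 22, 23, 25, 80))]
    + [(40 * 60 * i, "10.0.0.9", "tcp", 100 + i) for i in range(10)]
    + [(t, "10.0.0.53", "udp", 1024 + t) for t in range(0, 600, 30)]
    + [(t, "10.0.0.77", "tcp", 80) for t in range(0, 60, 3)]
)
```

With the default 1-1023 range only the two sweeps are reported; passing `monitored_ports=range(1, 65536)` makes the DNS server trip both thresholds until `excluded_sources={"10.0.0.53"}` is supplied.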
The following example is an IDS configuration file:
########################################################################
########################################################################
# Scan Policies
########################################################################
#-----------------------------------------------------------------------
# Scan - IDSRule
#-----------------------------------------------------------------------
IDSRule ScanEventLowTcp-rule
{
   ConditionType ScanEvent
   Priority 2
   IDSScanEventConditionRef ScanTcpLowCondition
   IDSActionRef ScanEventLow-action
}
IDSRule ScanEventLowUdp-rule
{
   ConditionType ScanEvent
   Priority 2
   IDSScanEventConditionRef ScanUdpLowCondition
   IDSActionRef ScanEventLow-action
}
IDSRule ScanEventMedium-rule
{
   ConditionType ScanEvent
   Priority 2
   IDSScanEventCondition
   {
      Protocol Icmp
   }
   IDSActionRef ScanEventMedium-action
}
IDSRule ScanEventMedium-rule-v6
{
   ConditionType ScanEvent
   Priority 2
   IDSScanEventCondition
   {
      Protocol Icmpv6
   }
   IDSActionRef ScanEventMedium-action
}
IDSRule ScanGlobal-rule
{
   ConditionType ScanGlobal
   Priority 2
   IDSActionRef ScanGlobal-action
   IDSScanGlobalCondition # inline condition
   {
      FSinterval 2
      SSInterval 480
   }
}
#-----------------------------------------------------------------------
# Scan - IDSScanEventCondition
#-----------------------------------------------------------------------
IDSScanEventCondition ScanTcpLowCondition
{
   Sensitivity Low
   Protocol Tcp
   LocalPortRange 1 1023
}
IDSScanEventCondition ScanUdpLowCondition
{
   Sensitivity Low
   Protocol 17 # Udp
   LocalPortRange 1 1023
}
#-----------------------------------------------------------------------
# Scan - IDSAction
#-----------------------------------------------------------------------
IDSAction ScanEventLow-action
{
   ActionType ScanEvent count
}
IDSAction ScanEventMedium-action
{
   ActionType ScanEvent count
}
IDSAction ScanGlobal-action
{
   ActionType ScanGlobal
   IDSReportSet ScanGlobalReportSet
   {
      TypeActions Log
      LogDetail Yes
      TraceData RecordSize
      TraceRecordSize 200
   }
}
If you are using LDAP to define policy, see IDS scan policy example.
- Define that ICMPv6 traffic should be monitored for scan events
- Exclude IPv6 addresses in the scan exclusion list