This topic lists the LDAP object classes and attributes used to define IDS policy objects. The default and allowable values for IDS-specific attributes are included, as well as information showing the allowable combinations of attributes in various types of IDS policies. See LDAP definition files for more information about object classes and their attributes. See z/OS Communications Server: IP Configuration Guide for additional guidance about defining IDS policies.
Table 1 lists the IDS-specific condition attributes, their object classes, and their allowed and default values.
Attribute | Class | Allowed and default values |
---|---|---|
ibm-idsConditionType | ibm-idsConditionAuxClass | No default |
ibm-idsAttackType | ibm-idsAttackConditionAuxClass | No default |
ibm-idsIPOptionRange | ibm-idsIPAttackConditionAuxClass | 1 - 255. Default is 0 (all). |
ibm-idsLocalPortRange | ibm-idsTransportConditionAuxClass | 0 - 65535. Default is 0 (all). |
ibm-idsRemotePortRange | ibm-idsTransportConditionAuxClass | 0 - 65535. Default is 0 (all). |
ibm-idsProtocolRange | ibm-idsTransportConditionAuxClass | 0 - 255. Default is Protocol 0. |
ibm-idsLocalHostIPAddress | ibm-idsHostConditionAuxClass | Any valid IP address. Default is 0 (all). |
ibm-idsRemoteHostIPAddress | ibm-idsHostConditionAuxClass | Any valid IP address. Default is 0 (all). |
IDS-specific action attributes, their object class, and allowed and default values are shown in Table 2.
Attribute | Class | Allowed and default values |
---|---|---|
ibm-idsIfcFloodPercentage | ibm-idsFloodAttackActionsAuxClass | 5 - 100. Default is 10. |
ibm-idsIfcFloodMinDiscard | ibm-idsFloodAttackActionsAuxClass | 100 - 4 294 967 295. Minimum number of discards that must occur in a one-minute interval for an interface flood condition to exist. Default is 1 000. |
ibm-idsActionType | ibm-idsActionAuxClass | No default |
ibm-idsNotification | ibm-idsNotificationAuxClass | No default |
ibm-idsStatInterval | ibm-idsNotificationAuxClass | 0 - 4 294 967 295. Default is 60. |
ibm-idsLoggingLevel | ibm-idsNotificationAuxClass | 0 - 7. These values map to syslogd priority levels as follows: Default is 0. |
ibm-idsTypeActions | ibm-idsNotificationAuxClass | No default |
ibm-idsTraceData | ibm-idsNotificationAuxClass | Default is HEADER. |
ibm-idsTraceRecordSize | ibm-idsNotificationAuxClass | 0 - 4 294 967 295. Default is 100. |
ibm-idsMaxEventMessage | ibm-idsAttackActionsAuxClass | 0 - 4 294 967 295. Default is 0. |
ibm-idsTRtcpTotalConnections | ibm-idsTRtcpActionAuxClass | 0 - 65 535. Default is 65535. |
ibm-idsTRtcpPercentage | ibm-idsTRtcpActionAuxClass | 0 - 100. Default is 100. |
ibm-idsTRtcpLimitScope | ibm-idsTRtcpActionAuxClass | Default is PORT_INSTANCE. |
ibm-idsTRudpQueueSize | ibm-idsTRudpActionAuxClass | Default is VERY_LONG. |
ibm-idsFSInterval | ibm-idsScanActionAuxClass | 1 - 1440. Default is 1. |
ibm-idsFSThreshold | ibm-idsScanActionAuxClass | 1 - 64. Default is 5. |
ibm-idsSSInterval | ibm-idsScanActionAuxClass | 0 - 1 440. Default is 120. |
ibm-idsSSThreshold | ibm-idsScanActionAuxClass | 0 - 64. Default is 10. |
ibm-idsSensitivity | ibm-idsScanSensitivityActionAuxClass | No default |
ibm-idsScanExclusion | ibm-idsScanExclusionActionAuxClass | Any valid IP address; 0 - 65 535 for ports. Default is 0 (none). |
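
The numeric ranges in Table 2 can be checked before an action entry is loaded into the directory. The following is an added example, not IBM code: it parses one LDIF entry (unfolding continuation lines and decoding base64 values) and reports numeric Table 2 attributes that fall outside their allowed range. The sample DN and values are constructed, and the function names are hypothetical.

```python
import base64
import re

# Numeric action attributes from Table 2: name -> (minimum, maximum, default).
TABLE2 = {
    "ibm-idsIfcFloodPercentage": (5, 100, 10), "ibm-idsIfcFloodMinDiscard": (100, 4294967295, 1000),
    "ibm-idsStatInterval": (0, 4294967295, 60), "ibm-idsLoggingLevel": (0, 7, 0),
    "ibm-idsTraceRecordSize": (0, 4294967295, 100), "ibm-idsMaxEventMessage": (0, 4294967295, 0),
    "ibm-idsTRtcpTotalConnections": (0, 65535, 65535), "ibm-idsTRtcpPercentage": (0, 100, 100),
    "ibm-idsFSInterval": (1, 1440, 1), "ibm-idsFSThreshold": (1, 64, 5),
    "ibm-idsSSInterval": (0, 1440, 120), "ibm-idsSSThreshold": (0, 64, 10),
}
BY_LOWER = {n.lower(): n for n in TABLE2}  # LDAP attribute names are case-insensitive

def parse_ldif_entry(text):
    """Return {attribute: value} for one LDIF entry."""
    attrs = {}
    for line in re.sub(r"\r?\n ", "", text).splitlines():  # unfold continuation lines
        name, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs[name.strip()] = value.strip()
    return attrs

def lint_action(attrs):
    """Return (attribute, value, problem) tuples for values that violate Table 2."""
    findings = []
    for name, raw in attrs.items():
        canonical = BY_LOWER.get(name.lower())
        if canonical is None:
            continue  # not one of the numeric Table 2 attributes
        lo, hi, default = TABLE2[canonical]
        if not re.fullmatch(r"[0-9]+", raw):
            findings.append((canonical, raw, "not an unsigned integer"))
        elif not lo <= int(raw) <= hi:
            findings.append((canonical, raw, f"outside {lo} - {hi} (Table 2 default is {default})"))
    return findings

# Constructed sample entry; the DN and every value are illustrative only.
SAMPLE = """\
dn: cn=flood-action,o=example
ibm-idsIfcFloodPercentage:: Mw==
IBM-IDSLOGGINGLEVEL: 8
ibm-idsStatInterval: 6
 0
ibm-idsTraceRecordSize: 1k
"""
```

Calling `lint_action(parse_ldif_entry(SAMPLE))` flags the base64-encoded flood percentage (3), the logging level (8) and the non-numeric trace record size, while the folded `ibm-idsStatInterval` value of 60 passes.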
The tables in this topic list the combinations of attributes that are used for different types of IDS policy. Mapping conditions are the attributes used by the code when searching for rules.
Table 3 lists the IDS scan global policies.
Mapping conditions | |
---|---|
ibm-idsConditionType | "SCAN_GLOBAL" |
Other conditions | |
ibm-idsAttackType | X |
ibm-idsIPOptionRange | X |
ibm-idsLocalPortRange | X |
ibm-idsRemotePortRange | X |
ibm-idsProtocolRange | X |
ibm-idsLocalHostIPAddress | X |
ibm-idsRemoteHostIPAddress | X |
Actions | |
ibm-idsActionType | "SCAN_GLOBAL" (1) |
ibm-idsTypeActions | A (2) |
ibm-idsNotification | A |
ibm-idsLoggingLevel | A |
ibm-idsStatInterval | I |
ibm-idsMaxEventMessage | I |
ibm-idsTraceData | A |
ibm-idsTraceRecordSize | A |
ibm-idsTRtcpTotalConnections | I |
ibm-idsTRtcpPercentage | I |
ibm-idsTRtcpLimitScope | I |
ibm-idsTRudpQueueSize | I |
ibm-idsFSInterval | A |
ibm-idsFSThreshold | A |
ibm-idsSSInterval | A |
ibm-idsSSThreshold | A |
ibm-idsSensitivity | I |
ibm-idsScanExclusion | I |
ibm-idsIfcFloodPercentage | I |
ibm-idsIfcFloodMinDiscard | I |
Notes:
Table 4 lists the IDS scan event policies.
Mapping conditions | |
---|---|
ibm-idsConditionType | "SCAN_EVENT" (1) |
ibm-idsProtocolRange | "1" (ICMP) |
Other conditions | |
ibm-idsAttackType | X |
ibm-idsIPOptionRange | X |
ibm-idsLocalPortRange | X |
ibm-idsRemotePortRange | X |
ibm-idsLocalHostIPAddress | X |
ibm-idsRemoteHostIPAddress | X |
Actions | |
ibm-idsActionType | "SCAN_EVENT" (2) |
ibm-idsTypeActions | I |
ibm-idsNotification | I |
ibm-idsLoggingLevel | I |
ibm-idsStatInterval | I |
ibm-idsMaxEventMessage | I |
ibm-idsTraceData | I |
ibm-idsTraceRecordSize | I |
ibm-idsTRtcpTotalConnections | I |
ibm-idsTRtcpPercentage | I |
ibm-idsTRtcpLimitScope | I |
ibm-idsTRudpQueueSize | I |
ibm-idsFSInterval | I |
ibm-idsFSThreshold | I |
ibm-idsSSInterval | I |
ibm-idsSSThreshold | I |
ibm-idsSensitivity | A |
ibm-idsScanExclusion | A |
ibm-idsIfcFloodPercentage | I |
ibm-idsIfcFloodMinDiscard | I |
Notes:
Table 5 lists more IDS scan event policies.
Mapping conditions | |
---|---|
ibm-idsConditionType | "SCAN_EVENT" (1) |
ibm-idsProtocolRange | "6" (TCP) \| "17" (UDP) |
ibm-idsLocalHostIPAddress | A |
ibm-idsLocalPortRange | A |
Other conditions | |
ibm-idsAttackType | X |
ibm-idsIPOptionRange | X |
ibm-idsRemotePortRange | X |
ibm-idsRemoteHostIPAddress | X |
Actions | |
ibm-idsActionType | "SCAN_EVENT" (2) |
ibm-idsTypeActions | I |
ibm-idsNotification | I |
ibm-idsLoggingLevel | I |
ibm-idsStatInterval | I |
ibm-idsMaxEventMessage | I |
ibm-idsTraceData | I |
ibm-idsTraceRecordSize | I |
ibm-idsTRtcpTotalConnections | I |
ibm-idsTRtcpPercentage | I |
ibm-idsTRtcpLimitScope | I |
ibm-idsTRudpQueueSize | I |
ibm-idsFSInterval | I |
ibm-idsFSThreshold | I |
ibm-idsSSInterval | I |
ibm-idsSSThreshold | I |
ibm-idsSensitivity | A |
ibm-idsScanExclusion | A |
ibm-idsIfcFloodPercentage | I |
ibm-idsIfcFloodMinDiscard | I |
Notes:
Table 6 lists IDS attack policies.
Mapping conditions | |
---|---|
ibm-idsConditionType | "ATTACK" |
ibm-idsAttackType | "FLOOD" |
Other conditions | |
ibm-idsIPOptionRange | I |
ibm-idsLocalPortRange | I |
ibm-idsRemotePortRange | I |
ibm-idsProtocolRange | I |
ibm-idsLocalHostIPAddress | I |
ibm-idsRemoteHostIPAddress | I |
Actions | |
ibm-idsActionType | "ATTACK" (1) |
ibm-idsTypeActions | A (2) |
ibm-idsNotification | A (3) |
ibm-idsLoggingLevel | A |
ibm-idsStatInterval | A |
ibm-idsMaxEventMessage | A |
ibm-idsTraceData | A |
ibm-idsTraceRecordSize | A |
ibm-idsTRtcpTotalConnections | I |
ibm-idsTRtcpPercentage | I |
ibm-idsTRtcpLimitScope | I |
ibm-idsTRudpQueueSize | I |
ibm-idsFSInterval | I |
ibm-idsFSThreshold | I |
ibm-idsSSInterval | I |
ibm-idsSSThreshold | I |
ibm-idsSensitivity | I |
ibm-idsScanExclusion | I |
ibm-idsIfcFloodPercentage | A |
ibm-idsIfcFloodMinDiscard | A |
Notes:
Table 7 lists the IDS attack policies (MALFORMED).
Mapping conditions | |
---|---|
ibm-idsConditionType | "ATTACK" |
ibm-idsAttackType | "MALFORMED_PACKET" |
Other conditions | |
ibm-idsIPOptionRange | I |
ibm-idsLocalPortRange | I |
ibm-idsRemotePortRange | I |
ibm-idsProtocolRange | I |
ibm-idsLocalHostIPAddress | I |
ibm-idsRemoteHostIPAddress | I |
Actions | |
ibm-idsActionType | "ATTACK" (1) |
ibm-idsTypeActions | A (2) |
ibm-idsNotification | A (3) |
ibm-idsLoggingLevel | A |
ibm-idsStatInterval | A |
ibm-idsMaxEventMessage | A |
ibm-idsTraceData | A |
ibm-idsTraceRecordSize | A |
ibm-idsTRtcpTotalConnections | I |
ibm-idsTRtcpPercentage | I |
ibm-idsTRtcpLimitScope | I |
ibm-idsTRudpQueueSize | I |
ibm-idsFSInterval | I |
ibm-idsFSThreshold | I |
ibm-idsSSInterval | I |
ibm-idsSSThreshold | I |
ibm-idsSensitivity | I |
ibm-idsScanExclusion | I |
ibm-idsIfcFloodPercentage | I |
ibm-idsIfcFloodMinDiscard | I |
Notes:
Table 8 lists more IDS attack policies.
Mapping conditions | |
---|---|
ibm-idsConditionType | "ATTACK" |
ibm-idsAttackType | "IP_FRAGMENT" \| "ICMP_REDIRECT" |
Other conditions | |
ibm-idsIPOptionRange | I |
ibm-idsLocalPortRange | I |
ibm-idsRemotePortRange | I |
ibm-idsProtocolRange | I |
ibm-idsLocalHostIPAddress | I |
ibm-idsRemoteHostIPAddress | I |
Actions | |
ibm-idsActionType | "ATTACK" (1) |
ibm-idsTypeActions | A |
ibm-idsNotification | A (2) |
ibm-idsLoggingLevel | A |
ibm-idsStatInterval | A |
ibm-idsMaxEventMessage | A |
ibm-idsTraceData | A |
ibm-idsTraceRecordSize | A |
ibm-idsTRtcpTotalConnections | I |
ibm-idsTRtcpPercentage | I |
ibm-idsTRtcpLimitScope | I |
ibm-idsTRudpQueueSize | I |
ibm-idsFSInterval | I |
ibm-idsFSThreshold | I |
ibm-idsSSInterval | I |
ibm-idsSSThreshold | I |
ibm-idsSensitivity | I |
ibm-idsScanExclusion | I |
ibm-idsIfcFloodPercentage | I |
ibm-idsIfcFloodMinDiscard | I |
Notes:
Table 9 lists more IDS attack policies.
Mapping conditions | |
---|---|
ibm-idsConditionType | "ATTACK" |
ibm-idsAttackType | "RESTRICTED_IP_PROTOCOL" \| "OUTBOUND_RAW" |
Other conditions | |
ibm-idsIPOptionRange | I |
ibm-idsLocalPortRange | I |
ibm-idsRemotePortRange | I |
ibm-idsProtocolRange | A (1) |
ibm-idsLocalHostIPAddress | I |
ibm-idsRemoteHostIPAddress | I |
Actions | |
ibm-idsActionType | "ATTACK" (2) |
ibm-idsTypeActions | A |
ibm-idsNotification | A (3) |
ibm-idsLoggingLevel | A |
ibm-idsStatInterval | A |
ibm-idsMaxEventMessage | A |
ibm-idsTraceData | A |
ibm-idsTraceRecordSize | A |
ibm-idsTRtcpTotalConnections | I |
ibm-idsTRtcpPercentage | I |
ibm-idsTRtcpLimitScope | I |
ibm-idsTRudpQueueSize | I |
ibm-idsFSInterval | I |
ibm-idsFSThreshold | I |
ibm-idsSSInterval | I |
ibm-idsSSThreshold | I |
ibm-idsSensitivity | I |
ibm-idsScanExclusion | I |
ibm-idsIfcFloodPercentage | I |
ibm-idsIfcFloodMinDiscard | I |
Notes:
Table 10 lists more IDS attack policies.
Mapping conditions | |
---|---|
ibm-idsConditionType | "ATTACK" |
ibm-idsAttackType | "RESTRICTED_IP_OPTIONS" |
Other conditions | |
ibm-idsIPOptionRange (3) | A |
ibm-idsLocalPortRange | I |
ibm-idsRemotePortRange | I |
ibm-idsProtocolRange | I |
ibm-idsLocalHostIPAddress | I |
ibm-idsRemoteHostIPAddress | I |
Actions | |
ibm-idsActionType | "ATTACK" (1) |
ibm-idsTypeActions | A |
ibm-idsNotification | A (2) |
ibm-idsLoggingLevel | A |
ibm-idsStatInterval | A |
ibm-idsMaxEventMessage | A |
ibm-idsTraceData | A |
ibm-idsTraceRecordSize | A |
ibm-idsTRtcpTotalConnections | I |
ibm-idsTRtcpPercentage | I |
ibm-idsTRtcpLimitScope | I |
ibm-idsTRudpQueueSize | I |
ibm-idsFSInterval | I |
ibm-idsFSThreshold | I |
ibm-idsSSInterval | I |
ibm-idsSSThreshold | I |
ibm-idsSensitivity | I |
ibm-idsScanExclusion | I |
ibm-idsIfcFloodPercentage | I |
ibm-idsIfcFloodMinDiscard | I |
Notes:
Table 11 lists more IDS attack policies.
Mapping conditions | |
---|---|
ibm-idsConditionType | "ATTACK" |
ibm-idsAttackType | "PERPETUAL_ECHO" (1) |
Other conditions | |
ibm-idsIPOptionRange | I |
ibm-idsLocalPortRange | R (1), (2) |
ibm-idsRemotePortRange | R (1), (2) |
ibm-idsProtocolRange | I |
ibm-idsLocalHostIPAddress | I |
ibm-idsRemoteHostIPAddress | I |
Actions | |
ibm-idsActionType | "ATTACK" (3) |
ibm-idsTypeActions | A |
ibm-idsNotification | A (4) |
ibm-idsLoggingLevel | A |
ibm-idsStatInterval | A |
ibm-idsMaxEventMessage | A |
ibm-idsTraceData | A |
ibm-idsTraceRecordSize | A |
ibm-idsTRtcpTotalConnections | I |
ibm-idsTRtcpPercentage | I |
ibm-idsTRtcpLimitScope | I |
ibm-idsTRudpQueueSize | I |
ibm-idsFSInterval | I |
ibm-idsFSThreshold | I |
ibm-idsSSInterval | I |
ibm-idsSSThreshold | I |
ibm-idsSensitivity | I |
ibm-idsScanExclusion | I |
ibm-idsIfcFloodPercentage | I |
ibm-idsIfcFloodMinDiscard | I |
Notes:
Table 12 lists IDS traffic regulation (TR) policies.
Mapping Conditions | ||
---|---|---|
Other conditions | ||
Actions | ||
Notes: