IDS Policies defined in LDAP

This topic lists the LDAP object classes and attributes used to define IDS policy objects. The default and allowable values for IDS-specific attributes are included, as well as information showing the allowable combinations of attributes in various types of IDS policies. See LDAP definition files for more information about object classes and their attributes. See z/OS Communications Server: IP Configuration Guide for additional guidance about defining IDS policies.

Restriction: Not all IDS policy options are available when IDS policy is defined in Lightweight Directory Access Protocol (LDAP). You cannot use LDAP to do the following tasks:
  • Specify that ICMPv6 traffic should be monitored for scan events
  • Exclude IPv6 addresses from the scan exclusion list
  • Define rules for the following attack types:
    • DATA_HIDING
    • EE_LDLC_CHECK
    • EE_MALFORMED_PACKET
    • EE_PORT_CHECK
    • EE_XID_FLOOD
    • GLOBAL_TCP_STALL
    • OUTBOUND_RAW_IPV6
    • RESTRICTED_IPV6_DST_OPTIONS
    • RESTRICTED_IPV6_HOP_OPTIONS
    • RESTRICTED_IPV6_NEXT_HDR
    • TCP_QUEUE_SIZE
  • Define TCP traffic regulation policy that specifies IPv6 addresses
  • Define UDP traffic regulation policy that specifies IPv6 addresses
The following object classes are useful in building an LDAP tree structure of policy groups of rules and policy repositories of reusable conditions and actions.
  • objectclass ibm-policy
  • objectclass ibm-policyGroup
  • objectclass ibm-policyRepository
  • objectclass ibm-policyGroupContainmentAuxClass
  • objectclass ibm-policyRuleContainmentAuxClass
The following object classes are useful in building IDS rule, condition association, rule-specific condition, reusable condition, action association, rule-specific action and reusable action objects.
  • objectclass ibm-policyRule
  • objectclass ibm-policyRuleConditionAssociation
  • objectclass ibm-policyRuleActionAssociation
  • objectclass ibm-policyInstance
  • objectclass ibm-policyConditionInstance
  • objectclass ibm-policyActionInstance
  • objectclass ibm-policyConditionAuxClass
  • objectclass ibm-policyActionAuxClass
  • objectclass ibm-policyTimePeriodConditionAuxClass
The following object classes are required for IDS-specific condition objects. These classes are not permitted in QoS-specific policies.
  • objectclass ibm-idsConditionAuxClass
  • objectclass ibm-idsAttackConditionAuxClass
  • objectclass ibm-idsIPAttackConditionAuxClass
  • objectclass ibm-idsFloodAttackActionsAuxClass
  • objectclass ibm-idsTrafficRegulationConditionAuxClass
  • objectclass ibm-idsScanConditionAuxClass
  • objectclass ibm-idsScanEventConditionAuxClass
  • objectclass ibm-idsTransportConditionAuxClass
  • objectclass ibm-idsHostConditionAuxClass
The following object classes are required for IDS-specific action objects. These classes are not permitted in QoS-specific policies.
  • objectclass ibm-idsActionAuxClass
  • objectclass ibm-idsNotificationAuxClass
  • objectclass ibm-idsAttackActionsAuxClass
  • objectclass ibm-idsTrafficRegulationActionAuxClass
  • objectclass ibm-idsTRtcpActionAuxClass
  • objectclass ibm-idsTRudpActionAuxClass
  • objectclass ibm-idsScanActionAuxClass
  • objectclass ibm-idsScanSensitivityActionAuxClass
  • objectclass ibm-idsScanExclusionActionAuxClass
The following object classes are not permitted in IDS-specific objects, either because they are only valid for Version 2 policies or because they are only permitted in QoS-specific objects.
  • objectclass ibm-policyCondition
  • objectclass ibm-policyTimePeriodCondition
  • objectclass ibm-networkingPolicyCondition
  • objectclass ibm-policyAction
  • objectclass ibm-serviceCategories
  • objectclass ibm-networkingPolicyConditionAuxClass
  • objectclass ibm-routeConditionAuxClass
  • objectclass ibm-hostConditionAuxClass
  • objectclass ibm-applicationConditionAuxClass
  • objectclass ibm-serviceCategoriesAuxClass
  • objectclass ibm-policyGroupLoadDistributionAuxClass
  • objectclass SetSubnetPrioTosMask

IDS-specific condition attributes, their object class, as well as allowed and default values are listed in Table 1.

Table 1. IDS-specific condition attributes
Attribute Class Allowed and default values
ibm-idsConditionType ibm-idsConditionAuxClass
  • ATTACK
  • TR
  • SCAN_GLOBAL
  • SCAN_EVENT

No default

ibm-idsAttackType ibm-idsAttackConditionAuxClass
  • MALFORMED_PACKET
  • FLOOD
  • OUTBOUND_RAW
  • PERPETUAL_ECHO
  • IP_FRAGMENT
  • RESTRICTED_IP_OPTIONS
  • RESTRICTED_IP_PROTOCOL
  • ICMP_REDIRECT

No default

ibm-idsIPOptionRange ibm-idsIPAttackConditionAuxClass 1 - 255

Default is 0 (all)

ibm-idsLocalPortRange ibm-idsTransportConditionAuxClass 0 - 65535

Default is 0 (all)

ibm-idsRemotePortRange ibm-idsTransportConditionAuxClass 0 - 65535

Default is 0 (all)

ibm-idsProtocolRange ibm-idsTransportConditionAuxClass 0 - 255

Default is Protocol 0

ibm-idsLocalHostIPAddress ibm-idsHostConditionAuxClass Any valid IP address

Default is 0 (all)

ibm-idsRemoteHostIPAddress ibm-idsHostConditionAuxClass Any valid IP address

Default is 0 (all)

IDS-specific action attributes, their object class, and allowed and default values are shown in Table 2.

Table 2. IDS-specific action attributes
Attribute Class Allowed and default values
ibm-idsIfcFloodPercentage ibm-idsFloodAttackActionsAuxClass 5 - 100

Default is 10.

ibm-idsIfcFloodMinDiscard ibm-idsFloodAttackActionsAuxClass 100 - 4 294 967 295

Minimum number of discards that must occur in a one-minute interval for an interface flood condition to exist. Default is 1 000.

ibm-idsActionType ibm-idsActionAuxClass
  • ATTACK
  • TR
  • SCAN_GLOBAL
  • SCAN_EVENT

No default

ibm-idsNotification ibm-idsNotificationAuxClass
  • NONE
  • SYSLOG
  • SYSLOGDETAIL
  • CONSOLE

No default

ibm-idsStatInterval ibm-idsNotificationAuxClass 0 - 4 294 967 295

Default is 60

ibm-idsLoggingLevel ibm-idsNotificationAuxClass 0 - 7
These values map to syslogd priority levels as follows:
  • 0 = Emerg/panic
  • 1 = Alert
  • 2 = Crit
  • 3 = Error
  • 4 = Warning
  • 5 = Notice
  • 6 = Info
  • 7 = Debug

Default is 0

ibm-idsTypeActions ibm-idsNotificationAuxClass
  • STATISTICS
  • EXCEPTSTATS
  • LOG
  • LIMIT

No default

ibm-idsTraceData ibm-idsNotificationAuxClass
  • NONE
  • HEADER
  • FULL
  • RECORDSIZE

Default is HEADER

ibm-idsTraceRecordSize ibm-idsNotificationAuxClass 0 - 4 294 967 295

Default is 100

ibm-idsMaxEventMessage ibm-idsAttackActionsAuxClass 0 - 4 294 967 295

Default is 0

ibm-idsTRtcpTotalConnections ibm-idsTRtcpActionAuxClass 0 - 65 535

Default is 65535

ibm-idsTRtcpPercentage ibm-idsTRtcpActionAuxClass 0 - 100

Default is 100

ibm-idsTRtcpLimitScope ibm-idsTRtcpActionAuxClass
  • PORT
  • PORT_INSTANCE

Default is PORT_INSTANCE

ibm-idsTRudpQueueSize ibm-idsTRudpActionAuxClass
  • VERY_LONG
  • LONG
  • SHORT
  • VERY_SHORT

Default is VERY_LONG

ibm-idsFSInterval ibm-idsScanActionAuxClass 1 - 1440

Default is 1

ibm-idsFSThreshold ibm-idsScanActionAuxClass 1 - 64

Default is 5

ibm-idsSSInterval ibm-idsScanActionAuxClass 0 - 1 440

Default is 120

ibm-idsSSThreshold ibm-idsScanActionAuxClass 0 - 64

Default is 10

ibm-idsSensitivity ibm-idsScanSensitivityActionAuxClass
  • NONE
  • HIGH
  • MEDIUM
  • LOW

No default

ibm-idsScanExclusion ibm-idsScanExclusionActionAuxClass Any valid IP address, 0 - 65 535 for ports

Default is 0 (none)

The following tables list the combinations of attributes that are used for each type of IDS policy. Mapping conditions are the attributes that the code uses when searching for rules.

Use the following guidelines to interpret the tables:
  • Quoted strings are literal attribute values.
  • X indicates not supported; the containing policy is not mapped.
  • I indicates ignored.
  • A indicates allowed.
  • R indicates required.

Table 3 lists the IDS scan global policies.

Table 3. IDS scan global policies
Mapping conditions
ibm-idsConditionType "SCAN_GLOBAL"
Other Conditions
ibm-idsAttackType X
ibm-idsIPOptionRange X
ibm-idsLocalPortRange X
ibm-idsRemotePortRange X
ibm-idsProtocolRange X
ibm-idsLocalHostIPAddress X
ibm-idsRemoteHostIPAddress X
Actions
ibm-idsActionType "SCAN_GLOBAL" (1)
ibm-idsTypeActions A (2)
ibm-idsNotification A
ibm-idsLoggingLevel A
ibm-idsStatInterval I
ibm-idsMaxEventMessage I
ibm-idsTraceData A
ibm-idsTraceRecordSize A
ibm-idsTRtcpTotalConnections I
ibm-idsTRtcpPercentage I
ibm-idsTRtcpLimitScope I
ibm-idsTRudpQueueSize I
ibm-idsFSInterval A
ibm-idsFSThreshold A
ibm-idsSSInterval A
ibm-idsSSThreshold A
ibm-idsSensitivity I
ibm-idsScanExclusion I
ibm-idsIfcFloodPercentage I
ibm-idsIfcFloodMinDiscard I
Notes:
  1. Additional values are allowed in the same action.
  2. STATISTICS and EXCEPTSTATS are ignored.

Table 4 lists the IDS scan event policies.

Table 4. IDS scan event policies (ICMP)
Mapping conditions
ibm-idsConditionType "SCAN_EVENT" (1)
ibm-idsProtocolRange "1" (ICMP)
Other Conditions
ibm-idsAttackType X
ibm-idsIPOptionRange X
ibm-idsLocalPortRange X
ibm-idsRemotePortRange X
ibm-idsLocalHostIPAddress X
ibm-idsRemoteHostIPAddress X
Actions
ibm-idsActionType "SCAN_EVENT" (2)
ibm-idsTypeActions I
ibm-idsNotification I
ibm-idsLoggingLevel I
ibm-idsStatInterval I
ibm-idsMaxEventMessage I
ibm-idsTraceData I
ibm-idsTraceRecordSize I
ibm-idsTRtcpTotalConnections I
ibm-idsTRtcpPercentage I
ibm-idsTRtcpLimitScope I
ibm-idsTRudpQueueSize I
ibm-idsFSInterval I
ibm-idsFSThreshold I
ibm-idsSSInterval I
ibm-idsSSThreshold I
ibm-idsSensitivity A
ibm-idsScanExclusion A
ibm-idsIfcFloodPercentage I
ibm-idsIfcFloodMinDiscard I
Notes:
  1. A SCAN EVENT rule that includes ICMP in the protocol range is not mapped for ICMP if it also includes a local host IP address or port condition.
  2. Additional values are allowed in the same action.

Table 5 lists more IDS scan event policies.

Table 5. IDS scan event policies (TCP and UDP)
Mapping conditions
ibm-idsConditionType "SCAN_EVENT" (1)
ibm-idsProtocolRange "6" (TCP) | "17" (UDP)
ibm-idsLocalHostIPAddress A
ibm-idsLocalPortRange A
Other conditions
ibm-idsAttackType X
ibm-idsIPOptionRange X
ibm-idsRemotePortRange X
ibm-idsRemoteHostIPAddress X
Actions
ibm-idsActionType "SCAN_EVENT" (2)
ibm-idsTypeActions I
ibm-idsNotification I
ibm-idsLoggingLevel I
ibm-idsStatInterval I
ibm-idsMaxEventMessage I
ibm-idsTraceData I
ibm-idsTraceRecordSize I
ibm-idsTRtcpTotalConnections I
ibm-idsTRtcpPercentage I
ibm-idsTRtcpLimitScope I
ibm-idsTRudpQueueSize I
ibm-idsFSInterval I
ibm-idsFSThreshold I
ibm-idsSSInterval I
ibm-idsSSThreshold I
ibm-idsSensitivity A
ibm-idsScanExclusion A
ibm-idsIfcFloodPercentage I
ibm-idsIfcFloodMinDiscard I
Notes:
  1. A SCAN EVENT rule that includes ICMP in the protocol range is not mapped for ICMP if it also includes a local host IP address or port condition.
  2. Additional values are allowed in the same action.

Table 6 lists IDS attack policies.

Table 6. IDS attack policies (FLOOD)
Mapping conditions
ibm-idsConditionType "ATTACK"
ibm-idsAttackType "FLOOD"
Other conditions
ibm-idsIPOptionRange I
ibm-idsLocalPortRange I
ibm-idsRemotePortRange I
ibm-idsProtocolRange I
ibm-idsLocalHostIPAddress I
ibm-idsRemoteHostIPAddress I
Actions
ibm-idsActionType "ATTACK" (1)
ibm-idsTypeActions A (2)
ibm-idsNotification A (3)
ibm-idsLoggingLevel A
ibm-idsStatInterval A
ibm-idsMaxEventMessage A
ibm-idsTraceData A
ibm-idsTraceRecordSize A
ibm-idsTRtcpTotalConnections I
ibm-idsTRtcpPercentage I
ibm-idsTRtcpLimitScope I
ibm-idsTRudpQueueSize I
ibm-idsFSInterval I
ibm-idsFSThreshold I
ibm-idsSSInterval I
ibm-idsSSThreshold I
ibm-idsSensitivity I
ibm-idsScanExclusion I
ibm-idsIfcFloodPercentage A
ibm-idsIfcFloodMinDiscard A
Notes:
  1. Additional values are allowed in the same action.
  2. LIMIT is ignored. Packets identified as part of a flood are always discarded.
  3. SYSLOGDETAIL is equivalent to SYSLOG.

Table 7 lists the IDS attack policies (MALFORMED).

Table 7. IDS attack policies (MALFORMED)
Mapping conditions
ibm-idsConditionType "ATTACK"
ibm-idsAttackType "MALFORMED_PACKET"
Other conditions
ibm-idsIPOptionRange I
ibm-idsLocalPortRange I
ibm-idsRemotePortRange I
ibm-idsProtocolRange I
ibm-idsLocalHostIPAddress I
ibm-idsRemoteHostIPAddress I
Actions
ibm-idsActionType "ATTACK" (1)
ibm-idsTypeActions A (2)
ibm-idsNotification A (3)
ibm-idsLoggingLevel A
ibm-idsStatInterval A
ibm-idsMaxEventMessage A
ibm-idsTraceData A
ibm-idsTraceRecordSize A
ibm-idsTRtcpTotalConnections I
ibm-idsTRtcpPercentage I
ibm-idsTRtcpLimitScope I
ibm-idsTRudpQueueSize I
ibm-idsFSInterval I
ibm-idsFSThreshold I
ibm-idsSSInterval I
ibm-idsSSThreshold I
ibm-idsSensitivity I
ibm-idsScanExclusion I
ibm-idsIfcFloodPercentage I
ibm-idsIfcFloodMinDiscard I
Notes:
  1. Additional values are allowed in the same action.
  2. LIMIT is ignored. Malformed packets are always discarded.
  3. SYSLOGDETAIL is equivalent to SYSLOG.

Table 8 lists more IDS attack policies.

Table 8. IDS attack policies (FRAGMENT and REDIRECT)
Mapping conditions
ibm-idsConditionType "ATTACK"
ibm-idsAttackType "IP_FRAGMENT" | "ICMP_REDIRECT"
Other conditions
ibm-idsIPOptionRange I
ibm-idsLocalPortRange I
ibm-idsRemotePortRange I
ibm-idsProtocolRange I
ibm-idsLocalHostIPAddress I
ibm-idsRemoteHostIPAddress I
Actions
ibm-idsActionType "ATTACK" (1)
ibm-idsTypeActions A
ibm-idsNotification A (2)
ibm-idsLoggingLevel A
ibm-idsStatInterval A
ibm-idsMaxEventMessage A
ibm-idsTraceData A
ibm-idsTraceRecordSize A
ibm-idsTRtcpTotalConnections I
ibm-idsTRtcpPercentage I
ibm-idsTRtcpLimitScope I
ibm-idsTRudpQueueSize I
ibm-idsFSInterval I
ibm-idsFSThreshold I
ibm-idsSSInterval I
ibm-idsSSThreshold I
ibm-idsSensitivity I
ibm-idsScanExclusion I
ibm-idsIfcFloodPercentage I
ibm-idsIfcFloodMinDiscard I
Notes:
  1. Additional values are allowed in the same action.
  2. SYSLOGDETAIL is equivalent to SYSLOG.

Table 9 lists more IDS attack policies.

Table 9. IDS attack policies (RESTRICTED PROTOCOL and RAW)
Mapping conditions
ibm-idsConditionType "ATTACK"
ibm-idsAttackType "RESTRICTED_IP_PROTOCOL" | "OUTBOUND_RAW"
Other conditions
ibm-idsIPOptionRange I
ibm-idsLocalPortRange I
ibm-idsRemotePortRange I
ibm-idsProtocolRange A (1)
ibm-idsLocalHostIPAddress I
ibm-idsRemoteHostIPAddress I
Actions
ibm-idsActionType "ATTACK" (2)
ibm-idsTypeActions A
ibm-idsNotification A (3)
ibm-idsLoggingLevel A
ibm-idsStatInterval A
ibm-idsMaxEventMessage A
ibm-idsTraceData A
ibm-idsTraceRecordSize A
ibm-idsTRtcpTotalConnections I
ibm-idsTRtcpPercentage I
ibm-idsTRtcpLimitScope I
ibm-idsTRudpQueueSize I
ibm-idsFSInterval I
ibm-idsFSThreshold I
ibm-idsSSInterval I
ibm-idsSSThreshold I
ibm-idsSensitivity I
ibm-idsScanExclusion I
ibm-idsIfcFloodPercentage I
ibm-idsIfcFloodMinDiscard I
Notes:
  1. If no protocol ranges are specified, no protocols are restricted. Protocols 1 (ICMP), 6 (TCP), and 17 (UDP) are treated differently for RESTRICTED_IP_PROTOCOL and OUTBOUND_RAW. They are ignored if present in a RESTRICTED_IP_PROTOCOL policy. They are obeyed if present in an OUTBOUND_RAW policy.
  2. Additional values are allowed in the same action.
  3. SYSLOGDETAIL is equivalent to SYSLOG.

Table 10 lists more IDS attack policies.

Table 10. IDS attack policies (RESTRICTED OPTIONS)
Mapping conditions
ibm-idsConditionType "ATTACK"
ibm-idsAttackType "RESTRICTED_IP_OPTIONS"
Other conditions
ibm-idsIPOptionRange A (3)
ibm-idsLocalPortRange I
ibm-idsRemotePortRange I
ibm-idsProtocolRange I
ibm-idsLocalHostIPAddress I
ibm-idsRemoteHostIPAddress I
Actions
ibm-idsActionType "ATTACK" (1)
ibm-idsTypeActions A
ibm-idsNotification A (2)
ibm-idsLoggingLevel A
ibm-idsStatInterval A
ibm-idsMaxEventMessage A
ibm-idsTraceData A
ibm-idsTraceRecordSize A
ibm-idsTRtcpTotalConnections I
ibm-idsTRtcpPercentage I
ibm-idsTRtcpLimitScope I
ibm-idsTRudpQueueSize I
ibm-idsFSInterval I
ibm-idsFSThreshold I
ibm-idsSSInterval I
ibm-idsSSThreshold I
ibm-idsSensitivity I
ibm-idsScanExclusion I
ibm-idsIfcFloodPercentage I
ibm-idsIfcFloodMinDiscard I
Notes:
  1. Additional values are allowed in the same action.
  2. SYSLOGDETAIL is equivalent to SYSLOG.
  3. If no option ranges are specified, all options are restricted. Options 0 (end of option list) and 1 (no-operation) are always allowed. They are ignored if present.

Table 11 lists more IDS attack policies.

Table 11. IDS attack policies (PERPETUAL ECHO)
Mapping conditions
ibm-idsConditionType "ATTACK"
ibm-idsAttackType "PERPETUAL_ECHO" (1)
Other conditions
ibm-idsIPOptionRange I
ibm-idsLocalPortRange R (1), (2)
ibm-idsRemotePortRange R (1), (2)
ibm-idsProtocolRange I
ibm-idsLocalHostIPAddress I
ibm-idsRemoteHostIPAddress I
Actions
ibm-idsActionType "ATTACK" (3)
ibm-idsTypeActions A
ibm-idsNotification A (4)
ibm-idsLoggingLevel A
ibm-idsStatInterval A
ibm-idsMaxEventMessage A
ibm-idsTraceData A
ibm-idsTraceRecordSize A
ibm-idsTRtcpTotalConnections I
ibm-idsTRtcpPercentage I
ibm-idsTRtcpLimitScope I
ibm-idsTRudpQueueSize I
ibm-idsFSInterval I
ibm-idsFSThreshold I
ibm-idsSSInterval I
ibm-idsSSThreshold I
ibm-idsSensitivity I
ibm-idsScanExclusion I
ibm-idsIfcFloodPercentage I
ibm-idsIfcFloodMinDiscard I
Notes:
  1. The rule must use CNF with three condition levels: one condition level has ibm-idsAttackType, a second has one or more ibm-idsLocalPortRange conditions, and a third has one or more ibm-idsRemotePortRange conditions.
  2. Only the first 20 ports specified are used.
  3. Additional values are allowed in the same action.
  4. SYSLOGDETAIL is equivalent to SYSLOG.

Table 12 lists IDS traffic regulation (TR) policies.

Table 12. IDS TR policies
                                TCP           UDP
Mapping conditions
ibm-idsConditionType            "TR"          "TR"
ibm-idsProtocolRange            "6" (TCP)     "17" (UDP)
ibm-idsLocalHostIPAddress       A             A
ibm-idsLocalPortRange           A             A
Other conditions
ibm-idsAttackType               X             X
ibm-idsIPOptionRange            X             X
ibm-idsRemotePortRange          X             X
ibm-idsRemoteHostIPAddress      X             X
Actions
ibm-idsActionType               "TR" (1)      "TR" (1)
ibm-idsTypeActions              A             A
ibm-idsNotification             A             A
ibm-idsLoggingLevel             A             A
ibm-idsStatInterval             A             A
ibm-idsMaxEventMessage          I             I
ibm-idsTraceData                A             A
ibm-idsTraceRecordSize          A             A
ibm-idsTRtcpTotalConnections    A             I
ibm-idsTRtcpPercentage          A             I
ibm-idsTRtcpLimitScope          A             I
ibm-idsTRudpQueueSize           I             A
ibm-idsFSInterval               I             I
ibm-idsFSThreshold              I             I
ibm-idsSSInterval               I             I
ibm-idsSSThreshold              I             I
ibm-idsSensitivity              I             I
ibm-idsScanExclusion            I             I
ibm-idsIfcFloodPercentage       I             I
ibm-idsIfcFloodMinDiscard       I             I
Notes:
  1. Additional values are allowed in the same action.
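As an added example that is not part of the z/OS Communications Server documentation, the following Python checker encodes several of the mapping rules from Tables 1 through 12 so that a candidate IDS rule can be screened for conditions that would leave it unmapped or ignored before it is loaded into LDAP. It assumes, as a simplification of the separate LDAP condition and action objects, that a rule's conditions and actions are each given as a dictionary of attribute name to a list of string values; every attribute name and value it uses comes from the tables above.

```python
from typing import Dict, List, Tuple

# Assumed representation (a simplification of the LDAP objects): a rule's
# conditions and actions are each a dict of attribute name -> list of values.
CONDITION_TYPES = {"ATTACK", "TR", "SCAN_GLOBAL", "SCAN_EVENT"}
ATTACK_TYPES = {"MALFORMED_PACKET", "FLOOD", "OUTBOUND_RAW", "PERPETUAL_ECHO", "IP_FRAGMENT",
                "RESTRICTED_IP_OPTIONS", "RESTRICTED_IP_PROTOCOL", "ICMP_REDIRECT"}
# Table 1: inclusive numeric ranges of the condition attributes.
RANGES = {"ibm-idsIPOptionRange": (1, 255), "ibm-idsLocalPortRange": (0, 65535),
          "ibm-idsRemotePortRange": (0, 65535), "ibm-idsProtocolRange": (0, 255)}
# Conditions marked X in Tables 3, 5 and 12: if present, the policy is not mapped.
NOT_MAPPED = {"ibm-idsAttackType", "ibm-idsIPOptionRange",
              "ibm-idsRemotePortRange", "ibm-idsRemoteHostIPAddress"}
UNSUPPORTED = {"SCAN_GLOBAL": NOT_MAPPED | set(RANGES) | {"ibm-idsLocalHostIPAddress"},
               "SCAN_EVENT": NOT_MAPPED, "TR": NOT_MAPPED, "ATTACK": set()}

def bounds(value: str) -> Tuple[int, int]:
    """Parse a single value such as '6' or a range such as '1-255' into (lo, hi)."""
    lo, _, hi = value.partition("-")
    return int(lo), int(hi or lo)

def check_policy(cond: Dict[str, List[str]], act: Dict[str, List[str]]) -> List[str]:
    """Return findings for one IDS rule; an empty list means no rule in the tables is violated."""
    findings = []
    ctype = cond.get("ibm-idsConditionType", [""])[0]
    if ctype not in CONDITION_TYPES:
        return [f"ibm-idsConditionType {ctype!r} is not one of {sorted(CONDITION_TYPES)}"]
    if ctype not in act.get("ibm-idsActionType", []):  # additional values are allowed alongside it
        findings.append(f"ibm-idsActionType must include {ctype}")
    for attr in sorted(set(cond) & UNSUPPORTED[ctype]):
        findings.append(f"{attr} is not supported for {ctype}; the policy is not mapped")
    for attr, (lo, hi) in RANGES.items():
        for v in cond.get(attr, []):
            if not lo <= bounds(v)[0] <= bounds(v)[1] <= hi:
                findings.append(f"{attr} value {v} is outside {lo}-{hi}")
    protos = {p for v in cond.get("ibm-idsProtocolRange", [])
              for p in range(bounds(v)[0], bounds(v)[1] + 1)}
    if ctype == "SCAN_EVENT" and 1 in protos and set(cond) & {
            "ibm-idsLocalHostIPAddress", "ibm-idsLocalPortRange"}:
        findings.append("Table 4 note 1: ICMP scan event rule with a local host IP or port condition is not mapped for ICMP")
    if ctype == "ATTACK":
        atype = cond.get("ibm-idsAttackType", [""])[0]
        if atype not in ATTACK_TYPES:
            findings.append(f"ibm-idsAttackType {atype!r} is not one of {sorted(ATTACK_TYPES)}")
        if atype == "PERPETUAL_ECHO":  # Table 11: both port ranges are required (R)
            for attr in ("ibm-idsLocalPortRange", "ibm-idsRemotePortRange"):
                if attr not in cond:
                    findings.append(f"Table 11: PERPETUAL_ECHO requires {attr}")
                elif len(cond[attr]) > 20:
                    findings.append(f"Table 11 note 2: only the first 20 {attr} ports are used")
        if atype == "RESTRICTED_IP_PROTOCOL" and protos & {1, 6, 17}:
            findings.append("Table 9 note 1: protocols 1, 6 and 17 are ignored in a RESTRICTED_IP_PROTOCOL policy")
        if atype in ("FLOOD", "MALFORMED_PACKET") and "LIMIT" in act.get("ibm-idsTypeActions", []):
            findings.append(f"Table 6/7 note 2: LIMIT is ignored for {atype}; packets are always discarded")
    return findings
```

Feed it each rule's condition and action attributes before loading them; a non-empty result names the table or note whose rule the policy would trip.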