Use the IDSScanGlobalCondition statement for global scan detection
and reporting. The action defines the reporting and tracing actions
to take when a scan event is detected.
Rule: You can configure only one IDSRule statement with an
IDSScanGlobalCondition parameter. If you configure multiple scan global
rules with different names, the first instance is used and all others
are discarded as errors. If you configure multiple scan global rules
with the same name, the last instance is used.
Syntax
>>-IDSScanGlobalCondition--+------+--| Put Braces and Parameters on Separate Lines |-><
                           '-name-'

Put Braces and Parameters on Separate Lines

|--+-{-------------------------------------+--------------------|
   +-| IDSScanGlobalCondition Parameters |-+
   '-}-------------------------------------'

IDSScanGlobalCondition Parameters

   .-FSInterval 1-.  .-FSThreshold 5-.  .-SSInterval 120-.
|--+--------------+--+---------------+--+----------------+------>
   '-FSInterval n-'  '-FSThreshold n-'  '-SSInterval n---'

   .-SSThreshold 10-.
>--+----------------+-------------------------------------------|
   '-SSThreshold n--'

Parameters
- name
- A string 1 - 32 characters in length specifying the name of this
IDSScanGlobalCondition statement.
Rule: If this IDSScanGlobalCondition statement is not specified inline
within another statement, a name value must be provided. If a name
is not specified for an inline IDSScanGlobalCondition statement, a
nonpersistent system name is created.
- FSInterval
- Indicates the interval in minutes for monitoring for fast scans.
Valid values are in the range 1 - 1440. The default value is 1.
- FSThreshold
- Indicates the fast scanning threshold. A
fast scan is detected if the number of events from a single source
meets or exceeds this threshold and occurs within the interval defined
by the FSInterval value. Valid values are in the range 1 - 64.
The default value is 5.
- SSInterval
- Indicates the interval in minutes for monitoring for slow scans.
Valid values are in the range 0 - 1440. The default value is 120.
The value specified must be greater than the value specified for the
FSInterval parameter. However, a value of 0 can be specified to indicate
that no slow scan processing should be performed.
- SSThreshold
- Indicates the slow scanning threshold. A
slow scan is detected if the number of events from a single source
meets or exceeds this threshold and occurs within the interval defined
by the SSInterval value. Valid values are in the range 0 - 64.
The default value is 10. The value specified must be greater
than the value specified for the FSThreshold parameter. However,
a value of 0 can be specified to indicate that no slow scan processing
should be performed.
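
Example (added here, not part of the product documentation): a Python pre-deployment check that parses one IDSScanGlobalCondition block, applies the defaults listed above, and reports range and fast/slow ordering violations. The function name, the sample statement name, and the choice to compare slow-scan values against defaulted fast-scan values are assumptions of this example.

```python
import re

# (default, min, max) for each parameter, as given in the descriptions above.
SPEC = {
    "FSInterval":  (1, 1, 1440),
    "FSThreshold": (5, 1, 64),
    "SSInterval":  (120, 0, 1440),
    "SSThreshold": (10, 0, 64),
}

def check_scan_global(text):
    """Return (effective_values, errors) for one IDSScanGlobalCondition block."""
    m = re.search(r"IDSScanGlobalCondition[ \t]*([^\s{]*)\s*\{(.*?)\}", text, re.S)
    if not m:
        return {}, ["no IDSScanGlobalCondition block found"]
    errors = []
    if len(m.group(1)) > 32:
        errors.append("name longer than 32 characters")
    values = {key: default for key, (default, _, _) in SPEC.items()}
    for line in m.group(2).splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2 or parts[0] not in SPEC or not parts[1].isdigit():
            errors.append(f"unrecognized line: {line.strip()}")
            continue
        key, n = parts[0], int(parts[1])
        _, lo, hi = SPEC[key]
        if not lo <= n <= hi:
            errors.append(f"{key} {n} outside {lo} - {hi}")
        values[key] = n
    # A slow-scan value must exceed its fast-scan counterpart unless it is 0.
    # Assumption: the comparison uses effective values, defaults included.
    for ss, fs in (("SSInterval", "FSInterval"), ("SSThreshold", "FSThreshold")):
        if values[ss] != 0 and values[ss] <= values[fs]:
            errors.append(f"{ss} {values[ss]} must be 0 or greater than {fs} {values[fs]}")
    return values, errors

# Constructed sample: only the fast-scan values are raised, so the defaults
# SSInterval 120 and SSThreshold 10 no longer exceed them.
SAMPLE = """
IDSScanGlobalCondition ScanGlobal-sample
{
  FSInterval 180
  FSThreshold 10
}
"""

if __name__ == "__main__":
    effective, problems = check_scan_global(SAMPLE)
    print(effective)
    print("\n".join(problems))
```

The sample shows the case that is easy to miss: raising FSInterval or FSThreshold without also setting the slow-scan parameters leaves the slow-scan defaults at or below the fast-scan values.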