IDS policy definition considerations

IDS policies can be defined with different condition type values.

Tip: Condition type is configured in the IDS configuration file with the ConditionType statement, and in the LDAP configuration with the ibm-idsConditionType attribute.

The supported condition types are as follows:

SCANGLOBAL
This policy is searched by condition type only. The highest priority scan global rule is mapped at policy change and cached. The policy defines the FastScan and SlowScan parameters, and the reporting and tracing actions to take when a scan is detected. The statistics reporting option is not applicable to scan processing. Scan processing does not impose limits, discard packets, or reset connections.
SCANEVENT
These policies are searched by condition type and a protocol condition of ICMP, ICMPv6, TCP, or UDP. For protocols TCP and UDP, the policy search also includes the local destination port and the bound IP address. For ICMP and ICMPv6, the highest priority scan event rule is mapped at policy change and cached. The TCP and UDP rules are mapped when a potentially countable event occurs. If the event is associated with a bound socket, the rule is cached. The policies associated with these rules define the sensitivity level to use for counting events towards the scan thresholds and the source exclusion list to use for the mapped events. Packet tracing occurs if the action associated with the scan global rule activates tracing and the sensitivity level indicates that the event is countable. The statistics reporting option is not applicable to scan processing. Scan processing does not impose limits, discard packets, or reset connections.
ATTACK
There are several attack types. For each attack type, the highest priority rule is mapped at policy change and cached. The reporting and statistics actions are supported for all attack types. The tracing action is supported for all attack types except EE XID flood, TCP queue size, and global TCP stall. For each attack type, the policy is searched by only condition type and attack type.
Tip: You can configure a discard action in the IDS configuration file as ActionType ATTACK DISCARD, and in the LDAP configuration using the ibm-idsTypeActions:LIMIT attribute.

Other supported actions are defined for each attack type. The supported attack types are:

MALFORMED_PACKET
Malformed packets are always discarded by the stack, even if no discard was requested by the policy.
FLOOD
Flood packets are always discarded by the stack, even if no discard was requested by the policy.
ICMP_REDIRECT
ICMP redirect packets are discarded if this policy specifies discard.
IP_FRAGMENT
If this policy specifies discard, fragmented datagrams are discarded if a fragmentation overlay is detected that changes the data in the packet, including changes to the length of the packet.
RESTRICTED_IP_OPTIONS
A list of restricted IP options is specified for this attack type. IP options 0 (end of list) and 1 (NO-OP) cannot be restricted and are ignored if specified. If this policy specifies discard, IPv4 packets are discarded if they contain an IP option that is specified in the list of restricted IP options.
RESTRICTED_IPV6_DST_OPTIONS
A list of restricted IPv6 destination options is required for this attack type. You cannot restrict options 0 (Pad1) or 1 (PadN); they are always allowed. If this policy specifies discard, IPv6 packets are discarded if they contain an IPv6 destination options extension header with an option that is specified in the list of restricted IPv6 destination options.
RESTRICTED_IPV6_HOP_OPTIONS
A list of restricted IPv6 hop-by-hop options is required for this attack type. You cannot restrict options 0 (Pad1) or 1 (PadN); they are always allowed. If this policy specifies discard, IPv6 packets are discarded if they contain an IPv6 hop-by-hop extension header with an option that is specified in the list of restricted IPv6 hop-by-hop options.
RESTRICTED_IP_PROTOCOL
A list of restricted IP protocols is required for this attack type. IP protocols 1 (ICMP), 6 (TCP), and 17 (UDP) cannot be restricted and are ignored if specified. If this policy specifies discard, IPv4 packets are discarded if they contain a protocol that is specified in the list of restricted IP protocols.
RESTRICTED_IPV6_NEXT_HDR
A list of restricted IPv6 next header values is required for this attack type. You cannot restrict next header values 6 (TCP), 17 (UDP), or 58 (ICMPv6); they are always allowed. If this policy specifies discard, IPv6 packets are discarded if they contain a next header value that is specified in the list of restricted IPv6 next headers.
OUTBOUND_RAW
A list of restricted IP protocols is required for this attack type. If this policy specifies discard, outbound IPv4 raw packets that meet any of the following criteria are discarded:
  • Written to a raw socket that has a source IP address that is not in the stack's home list
  • Fragmented by the application
  • Specifies one of the ICMP reply types
  • Specifies a protocol that is in the list of restricted IP protocols
OUTBOUND_RAW_IPV6
A list of restricted IP protocols is required for this attack type. If this policy specifies discard, outbound IPv6 raw packets that meet any of the following criteria are discarded:
  • Specifies one of the ICMPv6 reply types
  • Specifies one of the ICMPv6 neighbor discovery (ND) types
  • Specifies one of the ICMPv6 multicast listener discovery (MLD) types
  • Specifies a protocol that is in the list of restricted IP protocols
PERPETUAL_ECHO
A list of local UDP ports and a list of remote UDP ports are required for this attack type. Each port list is limited by the stack to the first 20 ports specified. The ports in each inbound UDP packet are checked against these lists. The destination port is checked against the local port list. The source port is checked against the local port list if the source IP address is in the stack's home list; otherwise, the source port is checked against the remote port list. If this policy specifies discard, UDP packets with both ports in the checked port lists are discarded.

When defining the policy in LDAP, this attack type condition must be specified in a complex rule using CNF and multiple condition levels. The attack type condition is at one of the condition levels. There must be a list of conditions defining the local port list at a second level. There must be a list of conditions defining the remote port list at a third level. The negated flag is ignored by the stack on port list conditions.

EE_LDLC_CHECK
EE signaling data received on a port other than the signaling port is discarded if this policy specifies discard. An exclusion list is applied if one is configured. An EE packet is not flagged as an attack if the source IP address is found in the exclusion list.
EE_PORT_CHECK
EE packets with different source and destination ports are discarded if this policy specifies discard. An exclusion list is applied if one is configured. An EE packet is not flagged as an attack if the source IP address is found in the exclusion list.
EE_MALFORMED_PACKET
Malformed EE packets are discarded if this policy specifies discard. An exclusion list is applied if one is configured. A malformed EE packet is not flagged as an attack if the source IP address is found in the exclusion list.
EE_XID_FLOOD
An EE XID flood is detected when a large number of EE XID exchanges time out. No discard action is associated with this attack type. An exclusion list is applied if one is configured. An EE XID time out is not counted as part of flood detection if the source address of the XID is found in the exclusion list.
DATA_HIDING
If this policy specifies discard and enables checking of IP option pad fields or embedded packets within an ICMP error message, packets containing hidden data are discarded.
TCP_QUEUE_SIZE
If this policy specifies reset, the TCP connection is reset if the send, receive, or out-of-order queue becomes constrained. A queue can be constrained due to the amount of data on the queue or the age of the data on the queue. A queue size is specified in the conditions. A list of remote IP addresses that are to be excluded when monitoring the send queue can optionally be specified in the conditions.
GLOBAL_TCP_STALL
If this policy specifies reset, the stalled TCP connections are reset when a global TCP stall condition is detected.
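The following is an added example, not code from the IBM documentation, that models the PERPETUAL_ECHO port check described above: the destination port is matched against the local list, the source port against the local list only when the source address is in the stack's home list, and each list is truncated to its first 20 ports. The class, packet shape and sample ports are assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address

MAX_PORTS = 20  # the stack honours only the first 20 ports of each list


@dataclass(frozen=True)
class UdpPacket:          # constructed packet shape, not a stack structure
    src_ip: str
    src_port: int
    dst_port: int


class PerpetualEchoPolicy:
    """Assumed model of one PERPETUAL_ECHO rule: two port lists plus a discard flag."""

    def __init__(self, local_ports, remote_ports, discard):
        # Model the stack truncating each list to its first 20 entries.
        self.local_ports = frozenset(list(local_ports)[:MAX_PORTS])
        self.remote_ports = frozenset(list(remote_ports)[:MAX_PORTS])
        self.discard = discard

    def matches(self, pkt, home_list):
        """True when both ports of an inbound UDP packet hit the checked lists."""
        dst_hit = pkt.dst_port in self.local_ports
        # Source port: local list when the source address is one of the stack's
        # own (home) addresses, otherwise the remote list.
        homes = {ip_address(h) for h in home_list}
        if ip_address(pkt.src_ip) in homes:
            src_hit = pkt.src_port in self.local_ports
        else:
            src_hit = pkt.src_port in self.remote_ports
        return dst_hit and src_hit

    def disposition(self, pkt, home_list):
        """'discard' if flagged and the policy says discard, 'flag' if flagged
        only (reported through the other actions), else 'pass'."""
        if not self.matches(pkt, home_list):
            return "pass"
        return "discard" if self.discard else "flag"


# Constructed sample: echo (7) and chargen (19) locally; only chargen expected remotely.
HOME = ["10.1.1.1"]
POLICY = PerpetualEchoPolicy(local_ports=[7, 19], remote_ports=[19], discard=True)

if __name__ == "__main__":
    for pkt in (UdpPacket("192.0.2.5", 19, 7), UdpPacket("192.0.2.5", 7, 19),
                UdpPacket("10.1.1.1", 7, 19)):
        print(pkt, POLICY.disposition(pkt, HOME))
```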
TR
These policies are searched by condition type, protocol (TCP or UDP), local IP address, and local port. TCP rules are mapped when a local application listens on a socket or when an inbound connection handshake is completed. UDP rules are mapped when an inbound packet arrives at a local bound socket. UDP TR policy supersedes the TCPIP PROFILE setting of UDPQUEUELIMIT for covered ports. Mapped rules are cached and associated with the bound socket.
For TCP, the policy defines the total number of allowed connections, the percentage of remaining available connections that any single source IP address can acquire, and whether these limits are applied globally across all applications using this port number or applied individually to each application using an instance of this port number. For UDP, the policy defines which of the four available queue sizes is applied to each application using this port number. TR actions define the reporting, statistics, and tracing actions for covered ports. If the policy specifies action LIMIT, connections or packets that exceed the limits are discarded.
Notes:
  1. For TCP, a total connection limit or percentage available limit of zero, with an action of LIMIT, effectively quiesces the application.
  2. For TCP, a local host IP address cannot be specified in any condition if a TR TCP limit scope value of PORT is specified.
  3. For UDP, a policy for a port without an action of LIMIT effectively makes the application unlimited.
  4. Each LDAP IDS TR action must specify at least one ibm-idsTypeActions attribute.
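The following is an added example, not z/OS code, that models the TR TCP limits described above: a total connection limit, a per-source percentage, a limit scope of GLOBAL or PORT, and the difference between action LIMIT (discard) and a reporting-only action. It also enforces Notes 1 and 2. The percentage rule is modelled as "one source may hold at most percent% of the connections still available when the new connection arrives"; that reading, the class and all names are assumptions.

```python
from collections import Counter


class TrTcpPolicy:
    """Assumed model of one TR TCP rule for a local port (not z/OS code)."""

    def __init__(self, total_limit, percent, scope="GLOBAL", action_limit=True, local_ip=None):
        if scope not in ("GLOBAL", "PORT"):
            raise ValueError("scope must be GLOBAL or PORT")
        if scope == "PORT" and local_ip is not None:
            # Note 2 above: no local host IP condition with a limit scope of PORT.
            raise ValueError("local IP condition not allowed with scope PORT")
        self.total_limit = total_limit
        self.percent = percent
        self.scope = scope
        self.action_limit = action_limit   # True when the policy action is LIMIT
        self._pools = {}                   # pool key -> Counter of live connections per source IP

    def _pool(self, app_instance):
        # GLOBAL: every application sharing the port draws on one pool;
        # PORT: each application instance using the port gets its own pool.
        key = "*" if self.scope == "GLOBAL" else app_instance
        return self._pools.setdefault(key, Counter())

    def admit(self, app_instance, src_ip):
        """Decide on a completed inbound handshake: 'accepted', 'discarded', or
        'accepted-over-limit' (limit exceeded but the action is not LIMIT)."""
        pool = self._pool(app_instance)
        remaining = self.total_limit - sum(pool.values())
        # Assumed percentage rule: a single source may hold at most percent% of the
        # connections still available when the new connection arrives. A total
        # limit or percentage of zero therefore rejects everything (Note 1).
        allowance = remaining * self.percent // 100
        exceeded = remaining <= 0 or pool[src_ip] >= allowance
        if exceeded and self.action_limit:
            return "discarded"
        pool[src_ip] += 1
        return "accepted-over-limit" if exceeded else "accepted"

    def close(self, app_instance, src_ip):
        """Release one connection held by the source IP."""
        pool = self._pool(app_instance)
        if pool[src_ip] > 0:
            pool[src_ip] -= 1
```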