IDS policies can be defined with different condition type values.
Tip: Condition type is configured in the IDS configuration
file with the ConditionType statement, and in the LDAP configuration
with the ibm-idsConditionType attribute.
The supported condition types are as follows:
- SCANGLOBAL
- This policy is searched by condition type only. The highest priority
scan global rule is mapped at policy change and cached. The policy
defines the FastScan and SlowScan parameters, and the reporting and
tracing actions to take when a scan is detected. The statistics reporting
option is not applicable to scan processing. Scan processing does
not impose limits, discard packets, or reset connections.
- SCANEVENT
- These policies are searched by condition type and a protocol condition
of ICMP, ICMPv6, TCP, or UDP. For protocols TCP and UDP, the policy
search also includes the local destination port and the bound IP address.
For ICMP and ICMPv6, the highest priority scan event rule is mapped
at policy change and cached. The TCP and UDP rules are mapped when
a potentially countable event occurs. If the event is associated with
a bound socket, the rule is cached. The policies associated with these
rules define the sensitivity level to use for counting events towards
the scan thresholds and the source exclusion list to use for the mapped
events. Packet tracing occurs if the action associated with the scan
global rule activates tracing and the sensitivity level indicates
that the event is countable. The statistics reporting option is not
applicable to scan processing. Scan processing does not impose limits,
discard packets, or reset connections.
- ATTACK
- There are several attack types. For each attack type, the highest
priority rule is mapped at policy change and cached. The reporting
and statistics actions are supported for all attack types. The tracing
action is supported for all attack types except EE XID flood, TCP
queue size, and global TCP stall. For each attack type, the policy
is searched by only condition type and attack type.
Tip: You can configure a discard action in the IDS configuration file
as ActionType ATTACK DISCARD, and in the LDAP configuration using the
ibm-idsTypeActions:LIMIT attribute.
Other supported actions are defined for each
attack type. The supported attack types are:
- MALFORMED_PACKET
- Malformed packets are always discarded by the stack, even if no
discard was requested by the policy.
- FLOOD
- Flood packets are always discarded by the stack, even if no discard
was requested by the policy.
- ICMP_REDIRECT
- ICMP redirect packets are discarded if this policy specifies discard.
- IP_FRAGMENT
- If this policy specifies discard, fragmented datagrams are discarded
if a fragmentation overlay is detected that changes the data in the
packet, including changes to the length of the packet.
- RESTRICTED_IP_OPTIONS
- A list of restricted IP options is specified for this attack type.
IP option 0 (end of list) and 1 (NO-OP) cannot be restricted and are
ignored if specified. If this policy specifies discard, IPv4 packets
are discarded if they contain an IP option that is specified in the
list of restricted IP options.
- RESTRICTED_IPV6_DST_OPTIONS
- A list of restricted IPv6 destination options is required for
this attack type. You cannot restrict options 0 (Pad1) or 1 (PadN);
they are always allowed. If this policy specifies discard, IPv6 packets
are discarded if they contain an IPv6 destination options extension
header with an option that is specified in the list of restricted
IPv6 destination options.
- RESTRICTED_IPV6_HOP_OPTIONS
- A list of restricted IPv6 hop-by-hop options is required for this
attack type. You cannot restrict options 0 (Pad1) or 1 (PadN); they
are always allowed. If this policy specifies discard, IPv6 packets
are discarded if they contain an IPv6 hop-by-hop extension header
with an option that is specified in the list of restricted IPv6 hop-by-hop
options.
- RESTRICTED_IP_PROTOCOL
- A list of restricted IP protocols is required for this attack
type. IP protocols 1 (ICMP), 6 (TCP), and 17 (UDP) cannot be restricted
and are ignored if specified. If this policy specifies discard, IPv4
packets are discarded if they contain a protocol that is specified
in the list of restricted IP protocols.
- RESTRICTED_IPV6_NEXT_HDR
- A list of restricted IPv6 next header values is required for this
attack type. You cannot restrict next header values 6 (TCP), 17 (UDP),
or 58 (ICMPv6); they are always allowed. If this policy specifies
discard, IPv6 packets are discarded if they contain a next header
value that is specified in the list of restricted IPv6 next headers.
- OUTBOUND_RAW
- A list of restricted IP protocols is required for this attack
type. If this policy specifies discard, outbound IPv4 raw packets
that meet any of the following criteria are discarded:
- Written to a raw socket that has a source IP address that is not
in the stack's home list
- Fragmented by the application
- Specifies one of the ICMP reply types
- Specifies a protocol that is in the list of restricted IP protocols
- OUTBOUND_RAW_IPV6
- A list of restricted IP protocols is required for this attack
type. If this policy specifies discard, outbound IPv6 raw packets
that meet any of the following criteria are discarded:
- Specifies one of the ICMPv6 reply types
- Specifies one of the ICMPv6 neighbor discovery (ND) types
- Specifies one of the ICMPv6 multicast listener discovery (MLD)
types
- Specifies a protocol that is in the list of restricted IP protocols
- PERPETUAL_ECHO
- A list of local UDP ports and a list of remote UDP ports are required
for this attack type. Each port list is limited by the stack to the
first 20 ports specified. The ports in each inbound UDP packet are
checked against these lists. The destination port is checked against
the local port list. The source port is checked against the local
port list if the source IP address is in the stack's home list. Otherwise,
the source port is checked against the remote port list. If this policy
specifies discard, UDP packets with both ports in the checked port
lists are discarded.
When defining the policy in LDAP, this attack
type condition must be specified in a complex rule using CNF and multiple
condition levels. The attack type condition is at one of the condition
levels. There must be a list of conditions defining the local port
list at a second level. There must be a list of conditions defining
the remote port list at a third level. The negated flag is ignored
by the stack on port list conditions.
- EE_LDLC_CHECK
- EE signaling data received on a port other than the signaling
port is discarded if this policy specifies discard. An exclusion list
is applied if one is configured. An EE packet is not flagged as an
attack if the source IP address is found in the exclusion list.
- EE_PORT_CHECK
- EE packets with different source and destination ports are discarded
if this policy specifies discard. An exclusion list is applied if
one is configured. An EE packet is not flagged as an attack if the
source IP address is found in the exclusion list.
- EE_MALFORMED_PACKET
- Malformed EE packets are discarded if this policy specifies discard.
An exclusion list is applied if one is configured. A malformed EE
packet is not flagged as an attack if the source IP address is found
in the exclusion list.
- EE_XID_FLOOD
- An EE XID flood is detected when a large number of EE XID exchanges
time out. No discard action is associated with this attack type. An
exclusion list is applied if one is configured. An EE XID time out
is not counted as part of flood detection if the source address of
the XID is found in the exclusion list.
- DATA_HIDING
- If this policy specifies discard and enables checking of IP option
pad fields or embedded packets within an ICMP error message, packets
containing hidden data are discarded.
- TCP_QUEUE_SIZE
- If this policy specifies reset, the TCP connection is reset if
the send, receive, or out-of-order queue becomes constrained. A queue
can be constrained due to the amount of data on the queue or the age
of the data on the queue. A queue size is specified in the conditions.
A list of remote IP addresses to be excluded when monitoring the send
queue can optionally be specified in the conditions.
- GLOBAL_TCP_STALL
- If this policy specifies reset, the stalled TCP connections are
reset when a global TCP stall condition is detected.
- TR
- These policies are searched by condition type, protocol (TCP or
UDP), local IP address, and local port. TCP rules are mapped when
a local application does a listen on a socket or when an inbound connection
handshake is completed. UDP rules are mapped when an inbound packet
arrives at a local bound socket. UDP TR policy supersedes the TCPIP
PROFILE setting of UDPQUEUELIMIT for covered ports. Mapped rules
are cached and associated with the bound socket.
For TCP, the policy defines the total number of allowed connections, the percentage of
remaining available connections any single source IP can acquire and
whether these limits are applied globally across all applications
using this port number or applied individually to each application
using an instance of this port number. For UDP, the policy defines
which of the four available queue sizes is applied to each application
using this port number. TR actions define the reporting, statistics
and tracing actions for covered ports. If the policy specifies action
LIMIT, connections or packets that exceed the limits are discarded.
Notes:
- For TCP, a total connection limit or percentage available limit
of zero, with an action of LIMIT, effectively quiesces the application.
- For TCP, a local host IP address cannot be specified in any condition
if a TR TCP limit scope value of PORT is specified.
- For UDP, a policy for a port without an action of LIMIT effectively
makes the application unlimited.
- Each LDAP IDS TR action must specify at least one ibm-idsTypeActions
attribute.
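As an added illustration (not code from this page or from z/OS itself), the following Python models how three of the ATTACK conditions described above decide whether an inbound packet is flagged and discarded: RESTRICTED_IP_OPTIONS (options 0 and 1 ignored if listed), RESTRICTED_IP_PROTOCOL (protocols 1, 6 and 17 ignored if listed) and PERPETUAL_ECHO (each port list truncated to its first 20 entries, destination port checked against the local list, source port checked against the local or remote list depending on whether the source address is in the home list). The AttackPolicy and Packet classes, the sample addresses and the home list are constructed for the example; a flagged packet is discarded only when a matching policy specifies discard, otherwise it is reported and still delivered.

```python
"""Decision logic for three of the IDS attack types described above, modelled in Python.

Constructed illustration, not z/OS code: it only encodes the rules stated in the
text so they can be exercised against sample packets.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Values the stack never lets a policy restrict; they are ignored if listed.
UNRESTRICTABLE_IPV4_OPTIONS = {0, 1}       # 0 = end of option list, 1 = NO-OP
UNRESTRICTABLE_IP_PROTOCOLS = {1, 6, 17}   # ICMP, TCP, UDP
PORT_LIST_LIMIT = 20                       # PERPETUAL_ECHO uses only the first 20 ports per list
IPPROTO_UDP = 17


@dataclass
class AttackPolicy:
    attack_type: str
    # ActionType ATTACK DISCARD in the IDS configuration file
    # (ibm-idsTypeActions:LIMIT in LDAP); without it the event is only reported.
    discard: bool = False
    restricted_values: Set[int] = field(default_factory=set)   # IP options or protocol numbers
    local_ports: List[int] = field(default_factory=list)       # PERPETUAL_ECHO only
    remote_ports: List[int] = field(default_factory=list)      # PERPETUAL_ECHO only

    def __post_init__(self) -> None:
        # Apply the stack's fix-ups to the configured condition at policy load.
        if self.attack_type == "RESTRICTED_IP_OPTIONS":
            self.restricted_values = set(self.restricted_values) - UNRESTRICTABLE_IPV4_OPTIONS
        elif self.attack_type == "RESTRICTED_IP_PROTOCOL":
            self.restricted_values = set(self.restricted_values) - UNRESTRICTABLE_IP_PROTOCOLS
        elif self.attack_type == "PERPETUAL_ECHO":
            self.local_ports = list(self.local_ports)[:PORT_LIST_LIMIT]
            self.remote_ports = list(self.remote_ports)[:PORT_LIST_LIMIT]
        else:
            raise ValueError("attack type not modelled here: %s" % self.attack_type)


@dataclass
class Packet:
    """Just the IPv4/UDP header fields the three conditions look at (constructed)."""
    src: str
    dst: str
    protocol: int
    ip_options: Tuple[int, ...] = ()
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def matches(policy: AttackPolicy, pkt: Packet, home_list: Set[str]) -> bool:
    """True if the packet is an instance of the policy's attack type."""
    t = policy.attack_type
    if t == "RESTRICTED_IP_OPTIONS":
        return any(opt in policy.restricted_values for opt in pkt.ip_options)
    if t == "RESTRICTED_IP_PROTOCOL":
        return pkt.protocol in policy.restricted_values
    # PERPETUAL_ECHO: the destination port is checked against the local list; the
    # source port is checked against the local list when the source address is
    # one of the stack's own (home) addresses, otherwise against the remote list.
    if pkt.protocol != IPPROTO_UDP:
        return False
    dst_hit = pkt.dst_port in policy.local_ports
    if pkt.src in home_list:
        src_hit = pkt.src_port in policy.local_ports
    else:
        src_hit = pkt.src_port in policy.remote_ports
    return dst_hit and src_hit


def evaluate(policies: List[AttackPolicy], pkt: Packet,
             home_list: Set[str]) -> Tuple[List[str], bool]:
    """Return (attack types flagged, whether the packet is discarded).

    A flagged packet is discarded only if some matching policy specifies discard;
    otherwise it is reported (and counted for statistics) but still delivered.
    """
    flagged = [p for p in policies if matches(p, pkt, home_list)]
    return [p.attack_type for p in flagged], any(p.discard for p in flagged)


if __name__ == "__main__":
    home = {"192.0.2.10"}                                        # constructed home list
    opt_pol = AttackPolicy("RESTRICTED_IP_OPTIONS", discard=True,
                           restricted_values={0, 1, 131, 137})  # 0 and 1 are dropped
    echo_pol = AttackPolicy("PERPETUAL_ECHO", discard=True,
                            local_ports=[7, 19], remote_ports=[7, 13, 19])
    lsrr = Packet("198.51.100.7", "192.0.2.10", protocol=6, ip_options=(1, 131))
    echo = Packet("198.51.100.7", "192.0.2.10", protocol=IPPROTO_UDP, src_port=13, dst_port=7)
    for pkt in (lsrr, echo):
        print(pkt, "->", evaluate([opt_pol, echo_pol], pkt, home))
```

The two fix-ups in `__post_init__` are the checks worth remembering when writing a policy: listing option 1 or protocol 6 does nothing, and a PERPETUAL_ECHO port list longer than 20 entries silently stops protecting the ports beyond the twentieth.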
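Also added here (not code from this page or from z/OS) is a Python model of the TR TCP connection-limit rules described above: the total number of allowed connections, the percentage of remaining available connections that any single source IP can acquire, the PORT versus port-instance limit scope, and the LIMIT action. The exact arithmetic the stack uses for the percentage check is not stated on this page; the example assumes the allowance for a source is percentage% of the connections not currently held by other sources at the time its new connection arrives. The TrTcpPolicy and TrTcpPort classes, the instance names and the addresses are constructed for the example.

```python
"""TCP traffic regulation (TR) admission logic as described above, modelled in Python.

Constructed illustration, not z/OS code. Assumption: a source's allowance is
percentage% of (total limit - connections held by other sources) at the moment
its new connection completes the handshake.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class TrTcpPolicy:
    total_connections: int      # total connections allowed on the port
    percentage: int             # share (0-100) of the remaining connections one source IP may hold
    limit: bool                 # action LIMIT: enforce; otherwise only report/count
    scope: str = "PORT"         # "PORT": one pool shared by every listener on the port;
                                # "PORT_INSTANCE": a separate pool per listening application


@dataclass
class TrTcpPort:
    """Connection accounting for one covered port (constructed helper)."""
    policy: TrTcpPolicy
    # listener instance id -> Counter(source ip -> open connections)
    pools: Dict[str, Counter] = field(default_factory=dict)

    def _pool(self, instance: str) -> Counter:
        if self.policy.scope == "PORT_INSTANCE":
            return self.pools.get(instance, Counter())
        merged = Counter()                    # PORT scope: limits apply across all instances
        for pool in self.pools.values():
            merged.update(pool)
        return merged

    def admit(self, instance: str, src_ip: str) -> str:
        """Decide on a completed inbound handshake from src_ip to a listener instance.

        Returns "accepted", "reported" (a limit was exceeded but the policy has no
        LIMIT action, so the connection still goes through) or "discarded".
        """
        pool = self._pool(instance)
        remaining = self.policy.total_connections - sum(pool.values())
        available_to_src = remaining + pool[src_ip]
        allowance = available_to_src * self.policy.percentage // 100
        exceeded = remaining <= 0 or pool[src_ip] >= allowance
        if exceeded and self.policy.limit:
            return "discarded"
        self.pools.setdefault(instance, Counter())[src_ip] += 1
        return "reported" if exceeded else "accepted"

    def release(self, instance: str, src_ip: str) -> None:
        """A connection closed; give its slot back to the pool."""
        pool = self.pools.get(instance)
        if pool and pool[src_ip] > 0:
            pool[src_ip] -= 1


if __name__ == "__main__":
    port = TrTcpPort(TrTcpPolicy(total_connections=4, percentage=50, limit=True))
    for inst, src in [("ftpd-1", "10.0.0.1"), ("ftpd-1", "10.0.0.1"), ("ftpd-1", "10.0.0.1"),
                      ("ftpd-2", "10.0.0.2"), ("ftpd-1", "10.0.0.3")]:
        print(inst, src, "->", port.admit(inst, src))
    # A limit of zero with action LIMIT quiesces the application.
    quiesced = TrTcpPort(TrTcpPolicy(total_connections=0, percentage=50, limit=True))
    print("quiesced ->", quiesced.admit("ftpd-1", "10.0.0.9"))
```

Two consequences of the percentage rule are worth checking before deploying a TR policy: because the allowance is a share of what is still free, the last few connections on a busy port cannot be obtained by a new source (with a total of 4 and 50%, a fresh source is refused once only one slot remains), and either a total of 0 or a percentage of 0 together with LIMIT refuses every connection, which is the quiesce behaviour noted above. Without LIMIT the same policy only reports, so the connections are still admitted.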