IDS scan policy example

The goal of scan policy is to detect all scanners with potentially malicious intent while avoiding large numbers of false positives. You can make this process more efficient by reserving all unused low ports in the TCP/IP profile, which allows you to use the low sensitivity setting on scans of those ports. As you investigate the scans detected, you will initially find your own network management tools; these can be explicitly excluded. If you include UDP ephemeral ports in a high sensitivity policy, you will discover that your DNS servers show up as scanners; you can explicitly exclude these as well. To activate scan policy, a scan global rule and at least one scan event rule must be defined.

The following scan rules are defined:

The following example is an IDS configuration file:

########################################################################
########################################################################
# Scan Policies
########################################################################

#-----------------------------------------------------------------------
# Scan - IDSRule
#-----------------------------------------------------------------------
IDSRule                    ScanEventLowTcp-rule
{
  ConditionType            ScanEvent
  Priority                 2
  IDSScanEventConditionRef ScanTcpLowCondition
  IDSActionRef             ScanEventLow-action
}
IDSRule                    ScanEventLowUdp-rule
{
  ConditionType            ScanEvent
  Priority                 2
  IDSScanEventConditionRef ScanUdpLowCondition
  IDSActionRef             ScanEventLow-action
}
IDSRule                    ScanEventMedium-rule
{
  ConditionType            ScanEvent
  Priority                 2
  IDSScanEventCondition
  {
    Protocol               Icmp
  }
  IDSActionRef             ScanEventMedium-action
}
IDSRule                    ScanEventMedium-rule-v6
{
  ConditionType            ScanEvent
  Priority                 2
  IDSScanEventCondition
  {
    Protocol               Icmpv6
  }
  IDSActionRef             ScanEventMedium-action
}
IDSRule                    ScanGlobal-rule
{
  ConditionType            ScanGlobal
  Priority                 2
  IDSActionRef             ScanGlobal-action
  IDSScanGlobalCondition                   # inline condition
  {
    FSinterval             2
    SSInterval             480
  }
}

#-----------------------------------------------------------------------
# Scan - IDSScanEventCondition
#-----------------------------------------------------------------------
IDSScanEventCondition      ScanTcpLowCondition
{
  Sensitivity              Low
  Protocol                 Tcp
  LocalPortRange           1 1023
}
IDSScanEventCondition      ScanUdpLowCondition
{
  Sensitivity              Low
  Protocol                 17               # Udp
  LocalPortRange           1 1023
}

#-----------------------------------------------------------------------
# Scan - IDSAction
#-----------------------------------------------------------------------
IDSAction                  ScanEventLow-action
{
  ActionType               ScanEvent count
}
IDSAction                  ScanEventMedium-action
{
  ActionType               ScanEvent count
}
IDSAction                  ScanGlobal-action
{
  ActionType               ScanGlobal
  IDSReportSet             ScanGlobalReportSet
  {
    TypeActions            Log
    LogDetail              Yes
    TraceData              RecordSize
    TraceRecordSize        200
  }
}
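As an added example (not code from the page or from the product it documents), the following Python parser reads the statement syntax used above and checks two things a practitioner would verify before activating the file: that a ScanGlobal rule and at least one ScanEvent rule exist, and that every IDSScanEventConditionRef and IDSActionRef names a statement the file actually defines. The sample policy is constructed for this example and deliberately leaves ScanGlobal-action undefined.

```python
SAMPLE = """\
IDSRule ScanEventMedium-rule   # constructed sample, not the page's file
{
  ConditionType ScanEvent
  IDSScanEventCondition   # inline condition: nested, unnamed block
  {
    Protocol Icmp
  }
  IDSActionRef ScanEventMedium-action
}
IDSRule ScanGlobal-rule
{
  ConditionType ScanGlobal
  IDSActionRef ScanGlobal-action   # deliberately left undefined
}
IDSAction ScanEventMedium-action
{
  ActionType ScanEvent count
}
"""

def parse_policy(text):
    """Parse statements into dicts with keys type, name, attrs, children."""
    lines = [s for s in (l.split("#", 1)[0].strip() for l in text.splitlines()) if s]
    stmts, stack = [], []
    for i, line in enumerate(lines):
        if line == "}":                                   # close the innermost block
            done = stack.pop()
            (stack[-1]["children"] if stack else stmts).append(done)
        elif i + 1 < len(lines) and lines[i + 1] == "{":  # a header: "Type [Name]"
            head = line.split()
            stack.append({"type": head[0], "name": head[1] if len(head) > 1 else None,
                          "attrs": {}, "children": []})
        elif line != "{":                                 # an attribute inside a block
            key, *value = line.split()
            stack[-1]["attrs"][key] = " ".join(value)     # LocalPortRange -> "1 1023"
    return stmts

def check_scan_policy(stmts):
    """Return findings: the activation requirement and dangling ...Ref attributes."""
    defined = {(s["type"], s["name"]) for s in stmts}
    rules = [s for s in stmts if s["type"] == "IDSRule"]
    findings = [f"no {k} rule: scan policy is not activated" for k in ("ScanGlobal", "ScanEvent")
                if not any(r["attrs"].get("ConditionType") == k for r in rules)]
    for r in rules:
        for key, target in (("IDSScanEventConditionRef", "IDSScanEventCondition"),
                            ("IDSActionRef", "IDSAction")):
            if (name := r["attrs"].get(key)) and (target, name) not in defined:
                findings.append(f"{r['name']}: {key} {name} is not defined")
    return findings
```

Running check_scan_policy(parse_policy(SAMPLE)) reports the undefined ScanGlobal-action; dropping the ScanGlobal-rule statement instead reports that scan policy will not be activated.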

If you are using LDAP to define policy, see IDS scan policy example.

Restrictions: LDAP policy cannot be used to: