The goal of scan policy is to detect all scanners with potentially malicious intent while avoiding large numbers of false positives. You can make this process more efficient by reserving all unused low ports in the TCP/IP profile, which allows you to use the low sensitivity setting on scans of those ports. As you investigate the scans detected, you will initially find your own network management tools; these can be explicitly excluded. If you include UDP ephemeral ports in a high sensitivity policy, you will discover that your DNS servers show up as scanners; these can be explicitly excluded as well. To activate scan policy, a scan global rule and at least one scan event rule must be defined.
The rules in the example below serve the following purposes:
ScanGlobal-rule
   Defines a global set of parameters for detecting scans, and also defines reporting parameters for scan events.
ScanEventLowTcp-rule and ScanEventLowUdp-rule
   Define a set of traffic for which low sensitivity scan detection is performed: inbound traffic to all TCP and UDP ports between 1 and 1023 is monitored. It is recommended that unused low ports be RESERVED in the TCP/IP profile.
ScanEventMedium-rule and ScanEventMedium-rule-v6
   Define a set of traffic for which medium sensitivity scan detection is performed: inbound ICMP and ICMPv6 traffic is monitored.
The following example is an IDS configuration file:
########################################################################
########################################################################
# Scan Policies
########################################################################
#-----------------------------------------------------------------------
# Scan - IDSRule
#-----------------------------------------------------------------------
IDSRule ScanEventLowTcp-rule
{
  ConditionType ScanEvent
  Priority 2
  IDSScanEventConditionRef ScanTcpLowCondition
  IDSActionRef ScanEventLow-action
}
IDSRule ScanEventLowUdp-rule
{
  ConditionType ScanEvent
  Priority 2
  IDSScanEventConditionRef ScanUdpLowCondition
  IDSActionRef ScanEventLow-action
}
IDSRule ScanEventMedium-rule
{
  ConditionType ScanEvent
  Priority 2
  IDSScanEventCondition
  {
    Protocol Icmp
  }
  IDSActionRef ScanEventMedium-action
}
IDSRule ScanEventMedium-rule-v6
{
  ConditionType ScanEvent
  Priority 2
  IDSScanEventCondition
  {
    Protocol Icmpv6
  }
  IDSActionRef ScanEventMedium-action
}
IDSRule ScanGlobal-rule
{
  ConditionType ScanGlobal
  Priority 2
  IDSActionRef ScanGlobal-action
  IDSScanGlobalCondition # inline condition
  {
    FSInterval 2
    SSInterval 480
  }
}
#-----------------------------------------------------------------------
# Scan - IDSScanEventCondition
#-----------------------------------------------------------------------
IDSScanEventCondition ScanTcpLowCondition
{
  Sensitivity Low
  Protocol Tcp
  LocalPortRange 1 1023
}
IDSScanEventCondition ScanUdpLowCondition
{
  Sensitivity Low
  Protocol 17 # Udp
  LocalPortRange 1 1023
}
#-----------------------------------------------------------------------
# Scan - IDSAction
#-----------------------------------------------------------------------
IDSAction ScanEventLow-action
{
  ActionType ScanEvent count
}
IDSAction ScanEventMedium-action
{
  ActionType ScanEvent count
}
IDSAction ScanGlobal-action
{
  ActionType ScanGlobal
  IDSReportSet ScanGlobalReportSet
  {
    TypeActions Log
    LogDetail Yes
    TraceData RecordSize
    TraceRecordSize 200
  }
}
If you are using LDAP to define policy, see IDS scan policy example.
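The following is an added example, not code from the page or from z/OS: a small Python checker that parses the Policy Agent block syntax used above and applies the activation requirement from the text (one ScanGlobal rule plus at least one ScanEvent rule), then verifies that every IDSActionRef and IDSScanEventConditionRef names an object that is actually defined. The sample policy is constructed, and nested inline conditions are skipped because these checks only need top-level attributes.

```python
# Constructed sample in the page's Policy Agent syntax: the ScanEvent rule's
# IDSActionRef names an action that is never defined.
SAMPLE = """
IDSRule ScanGlobal-rule
{
  ConditionType ScanGlobal
}
IDSRule ScanEventMedium-rule
{
  ConditionType ScanEvent
  IDSScanEventCondition
  {
    Protocol Icmp
  }
  IDSActionRef ScanEventMedium-action
}
"""

def parse_pagent(text):
    """Return [(kind, name, attrs)] for top-level blocks; nested blocks are skipped."""
    objs, depth = [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if line in ("{", "}"):
            depth += 1 if line == "{" else -1
        elif line and depth == 0:  # 'Kind Name' header of a top-level object
            kind, _, name = line.partition(" ")
            objs.append((kind, name.strip(), {}))
        elif line and depth == 1:  # 'Attribute value' inside that object
            key, _, val = line.partition(" ")
            objs[-1][2][key] = val.strip()
    return objs

def check_scan_policy(text):
    """Findings that stop scan policy activating or leave a reference dangling."""
    by_kind = {}
    for kind, name, attrs in parse_pagent(text):
        by_kind.setdefault(kind, {})[name] = attrs
    rules = by_kind.get("IDSRule", {})
    types = {a.get("ConditionType") for a in rules.values()}
    findings = [f"no IDSRule with ConditionType {t}"
                for t in ("ScanGlobal", "ScanEvent") if t not in types]
    for name, attrs in rules.items():  # every *Ref must name a defined object
        for ref, kind in (("IDSActionRef", "IDSAction"),
                          ("IDSScanEventConditionRef", "IDSScanEventCondition")):
            target = attrs.get(ref)
            if target and target not in by_kind.get(kind, {}):
                findings.append(f"{name}: {ref} {target} is not defined")
    return findings
```

Running check_scan_policy on the full configuration above returns an empty list, since all of its references resolve; on the constructed sample it reports the dangling IDSActionRef.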