V7.1 intrusion detection setup

I am configuring Intrusion Detection on V7.1 for the first time. I created all the default IBM policies and I am making copies of them to change a few settings. One policy that keeps getting triggered is the SCAN policy. The default one kept reporting the iSeries as scanning itself (we have 4 IPs assigned to two NICs and one of the IPs was reporting that is was being scanned by one of the other 4 IPs) so I changed that one to ignore any event from the 4 known IPs assigned to the system. The ones that remain are coming from some local PCs running Client Access that trigger the SCAN policy on port 992 (secure telnet). These are PCs that run a 5250 based time clock system and are set to auto-reconnect so I suspect that when we take the system down at night for about 30 minutes they keep trying and that is what it sees as the SCAN.

I can't tell from the emails that get sent if it is the slow scan or fast scan that is being triggered. I thought about having two SCAN policies and have one do slow and on fast, but I don't see any way to change the email being sent to indicate what policy was triggered or to change the text. I can see the policy that triggered the email if I look at the details from Navigator.

Is there a hidden way to modify the emails? This is a sample of one...


Subject: A possible intrusion, suspicious inbound activity, was detected on AS400ADM.



Cause . . . . . : Do not reply, this is a system generated message.



The following information was gathered about the event:



Time of Event: 12/30/14 03:11:24

Intrusion Type: SCANE

Attack Type:

Local IP Address: xxx.xxx.xxx.xxx

Local Port: 443

Remote IP Address: xxx.xxx.xxx.xxx

Remote Port: 49415

Protocol: 6


Thanks for any advice

Mike Cunningham
VP of Information Technology Services/CIO
Pennsylvania College of Technology