I am configuring Intrusion Detection on V7.1 for the first time. I created all the default IBM policies and I am making copies of them to change a few settings. One policy that keeps getting triggered is the SCAN policy. The default one kept reporting the iSeries as scanning itself (we have 4 IPs assigned to two NICs and one of the IPs was reporting that is was being scanned by one of the other 4 IPs) so I changed that one to ignore any event from the 4 known IPs assigned to the system. The ones that remain are coming from some local PCs running Client Access that trigger the SCAN policy on port 992 (secure telnet). These are PCs that run a 5250 based time clock system and are set to auto-reconnect so I suspect that when we take the system down at night for about 30 minutes they keep trying and that is what it sees as the SCAN.
I can't tell from the emails that get sent if it is the slow scan or fast scan that is being triggered. I thought about having two SCAN policies and have one do slow and on fast, but I don't see any way to change the email being sent to indicate what policy was triggered or to change the text. I can see the policy that triggered the email if I look at the details from Navigator.
Is there a hidden way to modify the emails? This is a sample of one...
Subject: A possible intrusion, suspicious inbound activity, was detected on AS400ADM.
Cause . . . . . : Do not reply, this is a system generated message.
The following information was gathered about the event:
Time of Event: 12/30/14 03:11:24
Intrusion Type: SCANE
Local IP Address: xxx.xxx.xxx.xxx
Local Port: 443
Remote IP Address: xxx.xxx.xxx.xxx
Remote Port: 49415
Thanks for any advice
VP of Information Technology Services/CIO
Pennsylvania College of Technology
This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact