IBM Support

Why are there spurious IDS Scan events?

Question & Answer


Question

This system has an Intrusion Detection System (IDS) Scan policy defined. On occasion, scan events are reported, but examination of the remote system shows that no unusual activity occurred.

EZZ8643I TRMD SCAN threshold exceeded: ..., sipaddr=10.9.8.7, scantype=F, ..., correlator=1234, ...

EZZ8644I TRMD SCAN detail: ..., sipaddr=10.9.8.7, correlator=1234, event count=4, ..., event list:6,10.11.12.13,50001,V; 6,10.11.12.13,50002,V; 6,10.11.12.13,50004,V; 6,10.11.12.13,50005,V

Answer

An FTP session that performs multiple small file transfers can trigger a scan event, depending on how low the event thresholds are set: each file transfer opens a separate data connection, and a burst of connections to different ports within a short interval is exactly what the scan policy counts. To avoid these events, the following changes can be made to the IDS rules:

  • When the FTP client session is running on this system, active transfers (the default) cause the remote server to open each data connection from its port 20 to a new ephemeral port on this system, so the server's data connections can trigger this event. This can be avoided by using passive transfers (setting FWFRIENDLY) or by adding an IDSScanExclusion to the IDSScanEventCondition policy that lists port 20 from any address (ExcludedAddrPort 0.0.0.0/0 20).

  • When it is a connection to the FTP server running on this system, a client using passive transfers connects to a new server data port for each transfer, which can trigger this event. This can be avoided by defining a PASSIVEDATAPORTS range in the server's configuration, then adding a LocalPortGroup to the IDSScanEventCondition policy that lists all ports except those in the defined range, so that connections to the passive data ports are not counted.
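The following Python script is an added triage example, not code from IBM or from z/OS Communications Server. It parses an EZZ8644I scan detail message of the shape quoted above, then checks the reported ports against a PASSIVEDATAPORTS range and builds the port ranges a LocalPortGroup would have to list to leave that range out. The sample message is constructed from the page's lines with the elided fields dropped; the meaning of the event list fields (protocol, address probed, port probed, one-character qualifier) and the cluster-width heuristic for the active-mode case are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample, shaped like the EZZ8644I line on the page (elided fields dropped).
SAMPLE_DETAIL = (
    "EZZ8644I TRMD SCAN detail: sipaddr=10.9.8.7, correlator=1234, event count=4, "
    "event list:6,10.11.12.13,50001,V; 6,10.11.12.13,50002,V; "
    "6,10.11.12.13,50004,V; 6,10.11.12.13,50005,V"
)

@dataclass(frozen=True)
class ScanEvent:
    protocol: int   # 6 = TCP, 17 = UDP
    address: str    # assumed: address the probe was sent to
    port: int       # assumed: port the probe was sent to
    flag: str       # assumed: one-character qualifier as it appears in the message

EVENT_RE = re.compile(r"(\d+),([0-9A-Fa-f.:]+),(\d+),(\w)")
CORR_RE = re.compile(r"correlator=(\d+)")
SIP_RE = re.compile(r"sipaddr=([0-9A-Fa-f.:]+)")

def parse_detail(msg):
    """Return (sipaddr, correlator, [ScanEvent, ...]) from one EZZ8644I line."""
    if not msg.startswith("EZZ8644I"):
        raise ValueError("not an EZZ8644I scan detail message")
    sip = SIP_RE.search(msg).group(1)
    corr = int(CORR_RE.search(msg).group(1))
    _, _, events_text = msg.partition("event list:")
    events = [ScanEvent(int(p), a, int(port), f)
              for p, a, port, f in EVENT_RE.findall(events_text)]
    return sip, corr, events

def parse_range(spec):
    """Parse a 'low-high' port range such as a PASSIVEDATAPORTS value."""
    lo, hi = (int(x) for x in spec.split("-"))
    if not (1 <= lo <= hi <= 65535):
        raise ValueError("port range out of bounds")
    return lo, hi

def triage(detail_msg, passive_spec, cluster_width=64):
    """Classify a scan detail message against the server's passive data port range.

    'passive-data-ports': every probed port lies in PASSIVEDATAPORTS, so a
        LocalPortGroup that omits that range would stop the event (server case).
    'ephemeral-cluster': a tight group of high TCP ports, consistent with a remote
        server's active-mode data connections to this system's FTP client; confirm
        against the FTP client's log before treating it as benign.
    'unexplained': anything else; review as a genuine scan.
    """
    _, _, events = parse_detail(detail_msg)
    ports = sorted({e.port for e in events if e.protocol == 6})
    if not ports or len(ports) != len(events):
        return "unexplained"     # non-TCP entries or repeated ports
    lo, hi = parse_range(passive_spec)
    if all(lo <= p <= hi for p in ports):
        return "passive-data-ports"
    if ports[0] >= 1024 and ports[-1] - ports[0] < cluster_width:
        return "ephemeral-cluster"
    return "unexplained"

def complement_ranges(excluded, lowest=1, highest=65535):
    """Port ranges a LocalPortGroup must list to cover everything except 'excluded'."""
    lo, hi = excluded
    out = []
    if lo > lowest:
        out.append((lowest, lo - 1))
    if hi < highest:
        out.append((hi + 1, highest))
    return out

if __name__ == "__main__":
    sip, corr, events = parse_detail(SAMPLE_DETAIL)
    print(f"source {sip}, correlator {corr}, ports {[e.port for e in events]}")
    print("with PASSIVEDATAPORTS 50000-50100:", triage(SAMPLE_DETAIL, "50000-50100"))
    print("LocalPortGroup ranges:", complement_ranges(parse_range("50000-50100")))
```

Run it against the message text copied from the console log; for the server case, pass the same range you configured as PASSIVEDATAPORTS, and compare the returned complement ranges with what the LocalPortGroup actually lists.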



Document Information

Modified date:
14 March 2016

UID

dwa1258231