Intrusion detection and prevention system (IDS) is a built-in IBM i security feature. It is designed to detect, and notify you of, inbound or outbound attempts to hack, disrupt or deny service to the system. IDS is a socket-level feature that can be complicated to configure and tune. This article explores a very basic configuration to alert on intrusion events. Please note that IDS can also be configured to respond to detected events. We'll explore this further in subsequent articles.
The IDS in the IBM i OS, when configured and active, drops records into the security audit journal (QAUDJRN) when events occur. The record type is "IM" (Intrusion Monitor). They look like this:
These are both for scan events that were detected. The first one is from IP address 103.203.59.4 and the second one is from 145.159.188.241. The first one shows port number 35122 and the second one shows port number 4289.
Details of the IM record layout can be found here. If you are using SQL for audit journal reporting, then also see the AUDIT_JOURNAL_IM table function.
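As an added example (not from the article), here is a Db2 for i report over AUDIT_JOURNAL_IM that summarizes the scan events of the last 24 hours by remote address, so a host that keeps probing the system stands out. It assumes the table function accepts the STARTING_TIMESTAMP parameter like the other AUDIT_JOURNAL_* services, and that its columns are named after the IM entry layout fields (EVENT_TYPE, REMOTE_IP_ADDRESS, REMOTE_PORT_NUMBER, LOCAL_PORT_NUMBER); confirm the names against the documentation for your release.

```sql
-- Added example, not code from the article: count IM (Intrusion Monitor)
-- entries per remote address over the last 24 hours.
-- Assumptions: QSYS2.AUDIT_JOURNAL_IM takes STARTING_TIMESTAMP, and its
-- columns follow the IM entry layout (EVENT_TYPE, REMOTE_IP_ADDRESS,
-- REMOTE_PORT_NUMBER, LOCAL_PORT_NUMBER). Scan events are assumed to carry
-- the event types SCANE (single event) and SCANG (global scan).
SELECT remote_ip_address,
       event_type,
       COUNT(*)                            AS events,
       COUNT(DISTINCT local_port_number)   AS local_ports_touched,
       MIN(entry_timestamp)                AS first_seen,
       MAX(entry_timestamp)                AS last_seen
  FROM TABLE (
         QSYS2.AUDIT_JOURNAL_IM(
           STARTING_TIMESTAMP => CURRENT_TIMESTAMP - 24 HOURS
         )
       )
 WHERE event_type IN ('SCANE', 'SCANG')
 GROUP BY remote_ip_address, event_type
-- Threshold to tune: one stray probe is noise, repeated probes from the
-- same address within a day are worth a look.
HAVING COUNT(*) >= 5
 ORDER BY events DESC, last_seen DESC;
```

Drop the WHERE clause to see attack and traffic regulation events alongside the scans; the grouping still works because event_type is in the GROUP BY.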
IDS can also be configured to alert to a message queue. More on that below.
From Navigator for i, hover over the security logo and open the list for Intrusion Detection:
Before you can start IDS, you first have to create at least three policies; an Attack policy, a Scan policy and a Traffic regulation policy. IDS won’t start until these basics have been established. There are loads of other policies that can be set up and the IBM documentation will guide you through what you might need.
To get started on adding policies, select “Manage Policies”. In the “Actions” box, select “New” and the following will show up:
Select the first option and hit OK to get to the next panel:
To get started, just add one policy in each of the three categories using the basic default values shown. Once all three policies are established, go back and select “Manage Intrusion Detection”, which brings this up:
When you first open this, IDS will show as stopped. You need to enter a job. You also have to specify a valid message queue and email address before it will start. Once those are set, you can select the start button and it will initiate IDS on the system. Once started, IBM's documentation says that IDS will stay active until it is intentionally stopped, even after an IPL.
Once IDS is running and events have been recorded, you can view them by selecting the “Display Events” option in Navigator:
The record details look like this:
IDS can also be configured to send alerts to a message queue. The message ID is TCP9240. It's easy to set up a message queue alert if you're using monitoring software. Here is the IDS alert configured in our iEventMonitor software:
Stay tuned for more IDS content on Kisco U!