IM (Intrusion Monitor) journal entries

This table provides the format of the IM (Intrusion Monitor) journal entries.

Information from this audit journal entry can be queried with the SYSTOOLS.AUDIT_JOURNAL_IM table function: AUDIT_JOURNAL_IM

Table 1. IM (Intrusion Monitor) journal entries. QASYIMJE/J4/J5 Field Description File

The offset is the same in all three record formats (JE, J4 and J5). Each field is listed as offset, field name and format, followed by its description and, where applicable, its possible values.

Offset  Field                       Format
------  --------------------------  -----------
     1  Heading fields              
        Heading fields common to all entry types.

   610  Entry Type                  Char(1)
        The type of entry.
          P         Potential intrusion event detected

   611  Time of Event               TIMESTAMP
        The time that the event was detected, in SAA timestamp format.

   637  Detection Point Identifier  Char(4)
        A unique identifier for the processing location that detected the intrusion event. This field is intended for use by service personnel.

   641  Local Address Family        Char(1)
        Local IP address family associated with the detected event.

   642  Local Port Number           Zoned(5, 0)
        Local port number associated with the detected event.

   647  Local IP Address            Char(46)
        Local IP address associated with the detected event.

   693  Remote Address Family       Char(1)
        Remote address family associated with the detected event.

   694  Remote Port Number          Zoned(5, 0)
        Remote port number associated with the detected event.

   699  Remote IP Address           Char(46)
        Remote IP address associated with the detected event.

   745  Probe Type Identifier       Char(6)
        Identifies the type of probe used to detect the potential intrusion. Possible values are as follows:
          ATTACK    Attack action detected event
          TR-TCP    Traffic Regulation action detected event over TCP
          TR-SSL    Traffic Regulation action detected System TLS failed handshake event
          TR-UDP    Traffic Regulation action detected event over UDP
          SCANE     Scan event action detected event
          SCANG     Scan global action detected event
          XATTAC    Possible extrusion attack
          XTRTCP    Outbound Traffic Regulation detected event (TCP)
          XTRUDP    Outbound Traffic Regulation detected event (UDP)
          XSCAN     Outbound scan event detected

   751  Event Correlator            Char(4)
        Unique identifier for this specific intrusion event. This identifier can be used to correlate this audit record with other intrusion detection information.

   755  Event Type                  Char(8)
        Identifies the type of potential intrusion that was detected. Possible values are as follows:
          ACKSTORM  TCP ACK storm
          ADRPOISN  Address poisoning
          FLOOD     Flood event
          FRAGGLE   Fraggle attack
          ICMPRED   ICMP (Internet Control Message Protocol) redirect
          IPFRAG    IP fragment
          MALFPKT   Malformed packet
          OUTRAW    Outbound Raw
          PERPECH   Perpetual echo
          PNGDEATH  Ping of death
          RESTOPT   Restricted IP options
          RESTPROT  Restricted IP protocol
          SMURF     Smurf attack

   763  Protocol                    Char(3)
        Protocol number.

   766  Condition                   Char(4)
        Condition number from the IDS policy file.

   770  Throttling                  Char(1)
        Possible values are as follows:
          0         Not active
          1         Active

   771  Discarded Packets           Zoned(5, 0)
        Number of discarded packets when throttled.

   776  Target TCP/IP Stack         Char(1)
        Possible values are as follows:
          P         Production stack
          S         Service stack

   777  Reserved                    Char(6)
        Reserved for future use.

   783  Suspected Packet            Char(1002) (see note 1)
        A variable-length field which can contain up to the first 1000 bytes of the IP packet associated with the detected event. This field contains binary data and should be treated as if it has a CCSID of 65535.

        When Probe Type Identifier (offset 745) is 'TR-SSL', this field contains a blank-padded character string that indicates error information for the failing handshake. The first 2 bytes of this field contain the length of the error information. Following the length is a 6-byte character string that represents the processing location that detected the failed handshake. Following the 6-byte string is a 40-byte character string that indicates the error code that is returned on the failing handshake.

Note 1: This is a variable-length field. The first 2 bytes contain the length of the suspected packet information.
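The following is an added example, not part of the IBM documentation, that decodes an IM entry read as raw bytes using the offsets in the table above, including the two interpretations of the Suspected Packet field (binary packet data versus the TR-SSL handshake error record). It assumes character fields are EBCDIC (CCSID 37, Python codec cp037) and that the 2-byte length prefix is big-endian binary; the sample record is constructed in-line for demonstration.

```python
import struct
EBCDIC = "cp037"  # assumption: character fields are EBCDIC (CCSID 37)
# (name, 1-based offset, length, zoned-decimal?) copied from the table above
FIELDS = [
    ("entry_type", 610, 1, False), ("time_of_event", 611, 26, False),
    ("detection_point", 637, 4, False), ("local_addr_family", 641, 1, False),
    ("local_port", 642, 5, True), ("local_ip", 647, 46, False),
    ("remote_addr_family", 693, 1, False), ("remote_port", 694, 5, True),
    ("remote_ip", 699, 46, False), ("probe_type", 745, 6, False),
    ("event_correlator", 751, 4, False), ("event_type", 755, 8, False),
    ("protocol", 763, 3, False), ("condition", 766, 4, False),
    ("throttling", 770, 1, False), ("discarded_packets", 771, 5, True),
    ("target_stack", 776, 1, False),
]
SP_OFFSET, SP_LEN = 783, 1002        # Suspected Packet: 2-byte length + data
RECORD_LEN = SP_OFFSET - 1 + SP_LEN  # 1784 bytes

def _zoned(raw: bytes) -> int:
    # EBCDIC zoned decimal: low nibble = digit; zone 0xD on last byte = negative
    value = int("".join(str(b & 0x0F) for b in raw))
    return -value if raw[-1] >> 4 == 0xD else value

def parse_im_entry(record: bytes) -> dict:
    """Decode one IM entry; the common heading (offsets 1-609) is skipped."""
    if len(record) < RECORD_LEN:
        raise ValueError(f"IM entry must be at least {RECORD_LEN} bytes")
    out = {}
    for name, off, ln, zoned in FIELDS:
        raw = record[off - 1:off - 1 + ln]
        out[name] = _zoned(raw) if zoned else raw.decode(EBCDIC).rstrip()
    sp = record[SP_OFFSET - 1:SP_OFFSET - 1 + SP_LEN]
    (n,) = struct.unpack(">H", sp[:2])  # assumption: big-endian binary length
    body = sp[2:2 + n]
    if out["probe_type"] == "TR-SSL":   # handshake error info, not a packet
        out["tls_detection_point"] = body[:6].decode(EBCDIC).rstrip()
        out["tls_error_code"] = body[6:46].decode(EBCDIC).rstrip()
    else:
        out["suspected_packet"] = body  # binary (CCSID 65535): keep raw bytes
    return out

def build_sample_entry(fields: dict, payload: bytes) -> bytes:
    buf = bytearray(b"\x40" * RECORD_LEN)  # constructed record, EBCDIC blanks
    for name, off, ln, zoned in FIELDS:
        val = fields.get(name, 0 if zoned else "")
        text = f"{int(val):0{ln}d}" if zoned else str(val).ljust(ln)
        buf[off - 1:off - 1 + ln] = text.encode(EBCDIC)
    buf[SP_OFFSET - 1:SP_OFFSET + 1] = struct.pack(">H", len(payload))
    buf[SP_OFFSET + 1:SP_OFFSET + 1 + len(payload)] = payload
    return bytes(buf)
```

For real journal data, retrieve the entry bytes with DSPJRN or the QjoRetrieveJournalEntries API and pass them to parse_im_entry; for SQL access use the AUDIT_JOURNAL_IM table function named above instead.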