IM (Intrusion Monitor) journal entries
This table provides the format of the IM (Intrusion Monitor) journal entries.
Information from this audit journal entry can be queried with the SYSTOOLS.AUDIT_JOURNAL_IM table function.
Offset | Field | Format | Description
---|---|---|---
1 | Heading fields common to all entry types. | |
610 | Entry Type | Char(1) | The type of entry.
611 | Time of Event | TIMESTAMP | The time that the event was detected, in SAA timestamp format.
637 | Detection Point Identifier | Char(4) | A unique identifier for the processing location that detected the intrusion event. This field is intended for use by service personnel.
641 | Local Address Family | Char(1) | Local IP address family associated with the detected event.
642 | Local Port Number | Zoned(5, 0) | Local port number associated with the detected event.
647 | Local IP Address | Char(46) | Local IP address associated with the detected event.
693 | Remote Address Family | Char(1) | Remote address family associated with the detected event.
694 | Remote Port Number | Zoned(5, 0) | Remote port number associated with the detected event.
699 | Remote IP Address | Char(46) | Remote IP address associated with the detected event.
745 | Probe Type Identifier | Char(6) | Identifies the type of probe used to detect the potential intrusion. Possible values are as follows:
751 | Event Correlator | Char(4) | Unique identifier for this specific intrusion event. This identifier can be used to correlate this audit record with other intrusion detection information.
755 | Event Type | Char(8) | Identifies the type of potential intrusion that was detected. The possible values are as follows:
763 | Protocol | Char(3) | Protocol number.
766 | Condition | Char(4) | Condition number from the IDS policy file.
770 | Throttling | Char(1) |
771 | Discarded Packets | Zoned(5, 0) | Number of discarded packets when throttled.
776 | Target TCP/IP Stack | Char(1) |
777 | Reserved | Char(6) | Reserved for future use.
783 | Suspected Packet | Char(1002)¹ | A variable-length field which can contain up to the first 1000 bytes of the IP packet associated with the detected event. This field contains binary data and should be treated as if it has a CCSID of 65535. When Probe Type Identifier (offset 745) is 'TR-SSL', this field contains a blank-padded character string that indicates error information for the failing handshake. The first 2 bytes of this field contain the length of the error information. Following the length is a 6-byte character string that represents the processing location that detected the failed handshake. Following the 6-byte string is a 40-byte character string that indicates the error code that is returned on the failing handshake.
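The following decoder is an added example (not IBM's code and not part of this page) that applies the offsets and lengths from the table above to a raw IM journal entry. Every field length is derived from the table's offsets (each offset equals the previous offset plus the previous length, and the last field ends at byte 1784). Assumptions, marked in the code: the record is EBCDIC in code page 037 (`cp037`), the 2-byte length at the start of the Suspected Packet field is a big-endian binary integer, and the same 2-byte length prefix precedes the packet bytes when the probe is not `TR-SSL`. The sample record built by `build_sample_record` is constructed for the example; its entry type, address family, event type, throttling and stack values are placeholders, since the page does not list the valid values.

```python
"""Decode the IM (Intrusion Monitor) audit journal entry layout.

Added example: offsets/lengths come from the table on this page. The record
is assumed to be EBCDIC (cp037); the common header before offset 610 is not
decoded here.
"""

CODEC = "cp037"  # assumption: EBCDIC code page of the journal receiver

# (name, 1-based offset, length) straight from the table.
LAYOUT = [
    ("entry_type", 610, 1), ("time_of_event", 611, 26),
    ("detection_point", 637, 4), ("local_family", 641, 1),
    ("local_port", 642, 5), ("local_ip", 647, 46),
    ("remote_family", 693, 1), ("remote_port", 694, 5),
    ("remote_ip", 699, 46), ("probe_type", 745, 6),
    ("event_correlator", 751, 4), ("event_type", 755, 8),
    ("protocol", 763, 3), ("condition", 766, 4),
    ("throttling", 770, 1), ("discarded_packets", 771, 5),
    ("target_stack", 776, 1), ("reserved", 777, 6),
    ("suspected_packet", 783, 1002),
]
RECORD_LENGTH = 783 + 1002 - 1  # last byte of the entry


def _slice(record: bytes, offset: int, length: int) -> bytes:
    """Return the bytes of a field given its 1-based offset and length."""
    start = offset - 1
    if len(record) < start + length:
        raise ValueError(f"record too short for field at offset {offset}")
    return record[start:start + length]


def _char(raw: bytes) -> str:
    """Decode a blank-padded Char(n) field and strip the padding."""
    return raw.decode(CODEC).rstrip()


def _zoned(raw: bytes) -> int:
    """Decode a Zoned(n, 0) decimal: low nibble of each byte is the digit,
    high nibble of the last byte is the sign (0xD means negative)."""
    digits = [b & 0x0F for b in raw]
    if any(d > 9 for d in digits):
        raise ValueError("invalid zoned-decimal digit")
    value = int("".join(str(d) for d in digits))
    return -value if (raw[-1] >> 4) == 0xD else value


def parse_im_entry(record: bytes) -> dict:
    """Parse one IM entry into a dict of typed fields."""
    f = {name: _slice(record, off, ln) for name, off, ln in LAYOUT}
    entry = {
        "entry_type": _char(f["entry_type"]),
        "time_of_event": _char(f["time_of_event"]),
        "detection_point": _char(f["detection_point"]),
        "local_family": _char(f["local_family"]),
        "local_port": _zoned(f["local_port"]),
        "local_ip": _char(f["local_ip"]),
        "remote_family": _char(f["remote_family"]),
        "remote_port": _zoned(f["remote_port"]),
        "remote_ip": _char(f["remote_ip"]),
        "probe_type": _char(f["probe_type"]),
        "event_correlator": _char(f["event_correlator"]),
        "event_type": _char(f["event_type"]),
        "protocol": int(_char(f["protocol"])),
        "condition": _char(f["condition"]),
        "throttling": _char(f["throttling"]),
        "discarded_packets": _zoned(f["discarded_packets"]),
        "target_stack": _char(f["target_stack"]),
    }
    sp = f["suspected_packet"]
    # Assumption: the first 2 bytes are a big-endian binary length, followed
    # by up to 1000 bytes of content (2 + 1000 = 1002).
    length = int.from_bytes(sp[:2], "big")
    body = sp[2:2 + min(length, 1000)]
    if entry["probe_type"] == "TR-SSL":
        # Per the table: 6-byte detecting location, then a 40-byte error code,
        # both blank-padded character data.
        entry["tls_handshake_error"] = {
            "location": _char(body[:6]),
            "error_code": _char(body[6:46]),
        }
        entry["suspected_packet"] = None
    else:
        entry["tls_handshake_error"] = None
        # Binary packet bytes (CCSID 65535): keep raw, never decode as text.
        entry["suspected_packet"] = body
    return entry


def build_sample_record(probe_type: str, payload: bytes) -> bytes:
    """Construct a synthetic IM entry for testing (placeholder values, not
    real IDS output). The common header before offset 610 is filled with blanks."""
    def c(text: str, n: int) -> bytes:
        return text.ljust(n)[:n].encode(CODEC)

    def z(value: int, n: int) -> bytes:
        return str(value).zfill(n).encode(CODEC)  # digits encode as zone F

    payload = payload[:1000]
    rec = bytearray(b"\x40" * 609)               # 0x40 is the EBCDIC blank
    rec += c("X", 1)                             # entry type (placeholder)
    rec += c("2024-01-15-10.22.33.000000", 26)   # SAA timestamp (constructed)
    rec += c("DP01", 4)                          # detection point (placeholder)
    rec += c("4", 1) + z(443, 5) + c("192.0.2.10", 46)         # local side
    rec += c("4", 1) + z(51234, 5) + c("198.51.100.7", 46)     # remote side
    rec += c(probe_type, 6) + c("0001", 4) + c("EVTYPE", 8)    # probe/correlator/event
    rec += c("006", 3) + c("0007", 4)            # protocol 6 (TCP), condition number
    rec += c("N", 1) + z(0, 5) + c("X", 1)       # throttling, discarded, stack (placeholders)
    rec += c("", 6)                              # reserved
    rec += len(payload).to_bytes(2, "big") + payload.ljust(1000, b"\x40")
    assert len(rec) == RECORD_LENGTH
    return bytes(rec)


if __name__ == "__main__":
    sample = build_sample_record("PRB-X", b"\x45\x00\x00\x28\x00\x01")
    print(parse_im_entry(sample))
```

Feeding the parser a record read from a journal receiver requires the bytes exactly as stored; if the receiver is in a different CCSID, change `CODEC` accordingly, and keep the Suspected Packet bytes binary when writing them out for analysis.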