AUDIT_JOURNAL_IM table function

The AUDIT_JOURNAL_IM table function returns rows from the audit journal that contain information from the IM (Intrusion Monitor) journal entries.

Every audit journal table function shares a common authorization requirement and a common set of parameters. These are described in AUDIT JOURNAL table function common information.

The result of the function is a table containing rows with the format shown in the following table. All the columns are nullable.

Table 1. AUDIT_JOURNAL_IM table function
Column Name Data Type Description
The first columns returned by this table function are from the common audit journal entry header. See Common columns returned from the audit journal entry header for the column definitions. After the common columns are the following columns that describe the entry specific data for the IM audit journal entry.
ENTRY_TYPE CHAR(1) The type of entry.
  P  Potential intrusion event detected
ENTRY_TYPE_DETAIL VARCHAR(200) Descriptive text that corresponds to the entry type.
EVENT_TIMESTAMP TIMESTAMP The date and time that the event was detected.
EVENT_LOCAL_ADDRESS_FAMILY CHAR(4) The type of local address associated with the detected event.
  IPV4  The address is in IPv4 format.
  IPV6  The address is in IPv6 format.

Contains the null value when a value is not available.

EVENT_LOCAL_ADDRESS VARCHAR(45) Local IP address associated with the detected event.

Contains the null value when a value is not available.

EVENT_LOCAL_PORT INTEGER Local port number associated with the detected event.

Contains the null value when a value is not available.

EVENT_REMOTE_ADDRESS_FAMILY CHAR(4) The type of remote address associated with the detected event.
  IPV4  The address is in IPv4 format.
  IPV6  The address is in IPv6 format.

Contains the null value when a value is not available.

EVENT_REMOTE_ADDRESS VARCHAR(45) Remote IP address associated with the detected event.

Contains the null value when a value is not available.

EVENT_REMOTE_PORT INTEGER Remote port number associated with the detected event.

Contains the null value when a value is not available.

PROBE_TYPE VARCHAR(6) The type of probe used to detect the potential intrusion.
  ATTACK  Attack event
  OPEN    Intrusion Detection System (IDS) state change
  SCANE   Scan event
  SCANG   Scan global event
  TR-SSL  Traffic regulation event (System TLS)
  TR-TCP  Traffic regulation event (TCP)
  TR-UDP  Traffic regulation event (UDP)
  XATTAC  Possible extrusion attack
  XSCAN   Outbound scan
  XTRTCP  Outbound traffic regulation event (TCP)
  XTRUDP  Outbound traffic regulation event (UDP)
PROBE_TYPE_DETAIL VARCHAR(200) Descriptive text for the probe type.
EVENT_CORRELATOR VARCHAR(4) Identifier for this specific intrusion event. This identifier can be used to correlate this audit record with other intrusion detection information.
EVENT_ATTACK_TYPE VARCHAR(8) The type of potential intrusion that was detected.
  ACKSTORM  TCP ACK Storm
  ADRPOISN  Address Poisoning
  FLOOD     Flood
  FRAGGLE   Fraggle
  ICMPRED   ICMP Redirect
  IPFRAG    IP Fragment
  MALFPKT   Malformed Packet
  OUTRAW    Outbound Raw
  PERPECH   Perpetual Echo
  PNGDEATH  Ping of Death
  RESTOPT   Restricted IP Options
  RESTPROT  Restricted IP Protocol
  SMURF     Smurf

Contains the null value when PROBE_TYPE is not ATTACK or XATTAC.

EVENT_ATTACK_TYPE_DETAIL VARCHAR(200) Descriptive text for the type of potential intrusion.

Contains the null value when PROBE_TYPE is not ATTACK or XATTAC.

PROTOCOL VARCHAR(6) The protocol associated with the detected event. Recognized protocol values and their protocol numbers are:
  ICMP    1
  ICMPV6  58
  IGMP    2
  OSPF    89
  TCP     6
  UDP     17
If the protocol is not one of these well-known values, the integer representation of the protocol number is returned.

Contains the null value when a value is not available.

CONDITION_NUMBER INTEGER Condition number from IDS policy file.

Contains the null value when a value is not available.

THROTTLING_ACTIVE VARCHAR(3) Throttling status at the time the event was flagged.
  NO   Throttling is not active.
  YES  Throttling is active.
DISCARDED_PACKETS INTEGER Number of discarded packets when throttled.

Contains the null value when THROTTLING_ACTIVE is NO.

TARGET_TCPIP_STACK VARCHAR(10) The type of TCP/IP stack that was targeted.
  PRODUCTION  Production Stack
  SERVICE     Service Stack
SUSPECTED_PACKET VARBINARY(1000) The first 1000 bytes of the IP packet associated with the detected event.

Contains the null value when PROBE_TYPE is TR-SSL or when a value is not available.

FAILING_HANDSHAKE_LOCATION VARCHAR(6) The processing location that detected the failed handshake.

Contains the null value when PROBE_TYPE is not TR-SSL or when a value is not available.

FAILING_HANDSHAKE_ERROR VARCHAR(40) The error returned on the failing handshake.

Contains the null value when PROBE_TYPE is not TR-SSL or when a value is not available.

DETECTION_POINT_ID VARCHAR(4) A unique identifier for the processing location that detected the intrusion event. This value is intended for use by service personnel.

Example

  • List all intrusion events for this week.
    SELECT * FROM TABLE(
      SYSTOOLS.AUDIT_JOURNAL_IM(
        STARTING_TIMESTAMP => CURRENT TIMESTAMP - 7 DAYS
      )
    );
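Two further queries, added here as an example and not part of the IBM documentation, that use only the columns and the STARTING_TIMESTAMP parameter described above: the first rolls up a week of IM entries by probe type, attack type and remote endpoint so that repeated sources and throttled traffic stand out; the second isolates System TLS handshake failures, whose FAILING_HANDSHAKE_* columns are populated only for TR-SSL entries.

```sql
-- Added example (not from the original page). Weekly roll-up of IM entries.
-- EVENT_ATTACK_TYPE is null unless PROBE_TYPE is ATTACK or XATTAC, and
-- DISCARDED_PACKETS is null when THROTTLING_ACTIVE is NO, so both are
-- coalesced before grouping and summing.
SELECT PROBE_TYPE,
       COALESCE(EVENT_ATTACK_TYPE, '-')            AS ATTACK_TYPE,
       COALESCE(EVENT_REMOTE_ADDRESS, '(unknown)') AS REMOTE_ADDRESS,
       PROTOCOL,
       TARGET_TCPIP_STACK,
       COUNT(*)                                    AS EVENT_COUNT,
       MIN(EVENT_TIMESTAMP)                        AS FIRST_SEEN,
       MAX(EVENT_TIMESTAMP)                        AS LAST_SEEN,
       SUM(CASE WHEN THROTTLING_ACTIVE = 'YES' THEN 1 ELSE 0 END)
                                                   AS THROTTLED_EVENTS,
       SUM(COALESCE(DISCARDED_PACKETS, 0))         AS DISCARDED_PACKETS
FROM TABLE(
  SYSTOOLS.AUDIT_JOURNAL_IM(
    STARTING_TIMESTAMP => CURRENT TIMESTAMP - 7 DAYS
  )
)
GROUP BY PROBE_TYPE, EVENT_ATTACK_TYPE, EVENT_REMOTE_ADDRESS,
         PROTOCOL, TARGET_TCPIP_STACK
ORDER BY EVENT_COUNT DESC, LAST_SEEN DESC;

-- System TLS handshake failures for the same window. SUSPECTED_PACKET is
-- null for TR-SSL entries, so the handshake location and error text are
-- the useful detail; EVENT_CORRELATOR links the row to other IDS output.
SELECT EVENT_TIMESTAMP,
       EVENT_REMOTE_ADDRESS,
       EVENT_REMOTE_PORT,
       EVENT_LOCAL_PORT,
       FAILING_HANDSHAKE_LOCATION,
       FAILING_HANDSHAKE_ERROR,
       EVENT_CORRELATOR
FROM TABLE(
  SYSTOOLS.AUDIT_JOURNAL_IM(
    STARTING_TIMESTAMP => CURRENT TIMESTAMP - 7 DAYS
  )
)
WHERE PROBE_TYPE = 'TR-SSL'
ORDER BY EVENT_TIMESTAMP DESC;
```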