Scan storage constrained

The following is an example of the console message issued when scan detection attempts to obtain storage to track a potential scan event and cannot obtain the required amount.

EZZ8761I IDS EVENT DETECTED            
EZZ8730I STACK TCPCS
EZZ8762I EVENT TYPE: SCAN STORAGE CONSTRAINED   
EZZ8763I CORRELATOR 0 - PROBEID 0300FFF3      
EZZ8766I IDS RULE N/A                         
EZZ8767I IDS ACTION N/A

Processing continues without adding the tracking information for this packet or for subsequent packets in the current internal interval (an internal interval is either 30 or 60 seconds). This could result in missing potential scan events.

The installation should attempt to determine the cause of the storage shortage. Scan detection itself can consume large amounts of storage and should be examined as part of problem determination. The following are two ways to determine whether scan detection is consuming large amounts of storage:
  • Console message EZZ8768I (EZZ8768I IDS SCAN STORAGE EXCEEDED nbrmeg MB, TRACKING nbrsip SOURCE IP ADDRESSES) is issued after scan detection acquires more than a megabyte of storage. This message is reissued at each power-of-2 MB increment (for example, 1 MB, 2 MB, 4 MB, 8 MB, and so on).
  • The Netstat IDS command displays high-level scan information. For example:
    SCAN DETECTION:                                 
      GLOBRULENAME: IDS-RULE4                       
      ICMPRULENAME: IDS-RULE8                       
      TOTDETECTED:  1           DETCURRPLC: 1       
      DETCURRINT:   0           INTERVAL:   30      
      SRCIPSTRKD:   125         STRGLEV:    00000M
    The SRCIPSTRKD field indicates the number of source IPs being tracked and the STRGLEV field indicates the number of megabytes of storage that scan is holding.
If scan processing is contributing to the storage shortage, consider changing the scan policy. If the installation has set the scan sensitivity to HIGH on high usage ports, consider reducing the sensitivity level or removing the port from scan detection until the storage constraint is resolved.

When scan starts to successfully obtain storage again, a SCAN STORAGE UNCONSTRAINED message is issued.
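
The two checks described above can be combined in a small monitoring script. The following is an added example, not IBM-supplied code: it parses a captured Netstat IDS excerpt and captured console lines, and reports how much storage scan detection holds and whether the stack is currently constrained. The function names, the warn_mb threshold, and the numeric values in the sample console lines are assumptions made for illustration.

```python
import re

# Constructed sample input: the Netstat IDS excerpt shown above, plus console
# lines whose numeric values are made up for illustration.
NETSTAT_IDS = """\
SCAN DETECTION:
  GLOBRULENAME: IDS-RULE4
  ICMPRULENAME: IDS-RULE8
  TOTDETECTED:  1           DETCURRPLC: 1
  DETCURRINT:   0           INTERVAL:   30
  SRCIPSTRKD:   125         STRGLEV:    00000M
"""
CONSOLE_LOG = """\
EZZ8768I IDS SCAN STORAGE EXCEEDED 2 MB, TRACKING 9000 SOURCE IP ADDRESSES
EZZ8768I IDS SCAN STORAGE EXCEEDED 4 MB, TRACKING 21000 SOURCE IP ADDRESSES
EZZ8762I EVENT TYPE: SCAN STORAGE CONSTRAINED
"""

FIELD = re.compile(r"([A-Z]+):\s+(\S+)")
EXCEEDED = re.compile(r"EZZ8768I IDS SCAN STORAGE EXCEEDED (\d+) MB, "
                      r"TRACKING (\d+) SOURCE IP ADDRESSES")
STATE = re.compile(r"SCAN STORAGE (UN)?CONSTRAINED")

def parse_scan_section(text):
    """Return the KEY: value pairs of the SCAN DETECTION section as a dict."""
    fields, in_section = {}, False
    for line in text.splitlines():
        if line.strip() == "SCAN DETECTION:":
            in_section = True
        elif in_section:
            pairs = FIELD.findall(line)
            if not pairs:  # blank line or next section heading ends the block
                break
            fields.update(pairs)
    return fields

def storage_report(netstat_text, console_text, warn_mb=4):
    """Combine both checks; warn_mb is an assumed site-specific threshold."""
    scan = parse_scan_section(netstat_text)
    peak_mb = max((int(mb) for mb, _ in EXCEEDED.findall(console_text)), default=0)
    held_mb = int(scan["STRGLEV"].rstrip("M"))  # "00000M" -> 0
    states = [m.group(1) is None for m in STATE.finditer(console_text)]
    return {
        "tracked_source_ips": int(scan["SRCIPSTRKD"]),
        "held_mb": held_mb,
        "peak_reported_mb": peak_mb,
        "constrained": states[-1] if states else False,  # latest state wins
        "review_policy": max(held_mb, peak_mb) >= warn_mb,
    }
```

Calling storage_report(NETSTAT_IDS, CONSOLE_LOG) returns a dictionary; a true review_policy value is the cue to revisit scan sensitivity or the set of monitored ports as described above.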