z/OS Communications Server: IP Messages Volume 4 (EZZ, SNM), SC27-3657-01
EZZ8761I IDS EVENT DETECTED

Explanation
This is the first message of a message group. A complete description of the message group follows:

EZZ8761I
The policy-based intrusion detection system (IDS) detected an event for which the IDS policy specified that the console operator was to be alerted. The occurrence of this message can indicate that the TCP/IP stack or a particular application is under stress. The stress might be caused by a peak in workload or by malicious activity such as packet flooding, port scanning, or malformed packets.

EZZ8730I
This message provides the name of the TCP/IP stack that detected the event. stack_name is the name of the TCP/IP stack.

EZZ8762I
This message provides the event type of the IDS event. event_type can be one of the following:

EZZ8763I
This message provides the IDS trace correlator and probe ID for the IDS event. correlator is the IDS trace correlator associated with the event. probe_id is the probe ID associated with the event. See the intrusion detection services probe IDs in z/OS Communications Server: IP and SNA Codes for a description of the probe IDs.

EZZ8764I
This message provides the source IP address and source port from the IP packet associated with the IDS event. It is issued only when the source IP address is relevant to the event. source is the source IP address of the packet associated with the event. port is the source port of that packet. The source port is relevant only for the TCP and UDP protocols and is zero for any other protocol. port is also zero if the source port is not known at the time of the attack, and it is always zero if event_type in message EZZ8762I is FAST SCAN DETECTED or SLOW SCAN DETECTED.

EZZ8765I
This message provides the destination IP address and destination port from the IP packet associated with the IDS event. It is issued only when the destination IP address is relevant to the event. dest is the destination IP address of the packet associated with the event. port is the destination port of that packet. The destination port is relevant only for the TCP and UDP protocols and is zero for any other protocol. port is also zero if the destination port is not known at the point that an attack event is detected.

EZZ8770I
This message provides the interface or link name associated with the IDS event. It is issued only when the interface name is relevant to the event. intf_name is the interface or link name associated with the event.

EZZ8766I
This message provides the name of the IDS policy rule that is associated with the other messages in the group. rule_name is the short name of that IDS rule.

EZZ8767I
This message provides the name of the IDS policy action that is associated with the other messages in the group. action_name is the short name of that IDS action.

System action
Processing continues.

Operator response
Save the system console log, the IDS syslog file, and the IDS packet trace for the person responsible for IDS policy definition. The IDS policy definition determines whether IDS events are written to syslog, to the IDS packet trace, to both, or to neither.

System programmer response
Use the trmdstat command in the z/OS UNIX shell to analyze the IDS syslog file. Use the IPCS trace formatters to format the IDS packet trace if one was collected for this event. If IDS policy is not maintained by the system programmer, provide the log and trace information to the person responsible for IDS policy. The IDS action name (message EZZ8767I) and IDS rule name (message EZZ8766I) identify the IDS policy that is responsible for the messages.

If message EZZ8762I has an event_type of SCAN INTERVAL OVERRUN, scan processing was not able to complete its evaluation of the source IP addresses it is tracking within its normal internal interval (30 or 60 seconds). This might indicate that a large number of source IP addresses are being monitored. If the policy uses High scan sensitivity, consider lowering the scan sensitivity level for high-usage ports.

If message EZZ8762I has an event_type of SCAN STORAGE CONSTRAINED, determine the cause of the storage shortage. See the z/OS Communications Server: IP Diagnosis Guide for information about storage shortages.

Problem determination
See the system programmer response.

Module
EZBIDIDM

Routing code
2, 8

Descriptor code
8, 9

Example

Procedure name
EZBIDLOG
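The message group above is what an operator hands to the IDS policy owner, so a practitioner usually wants to pull it out of the console log automatically. The following is an added example, not IBM's code and not part of this documentation: it parses EZZ8761I groups into one record per event, treats the zero ports the way the message descriptions define them, and separates SCAN INTERVAL OVERRUN and SCAN STORAGE CONSTRAINED (conditions of the scan engine that the system programmer response addresses by tuning or storage diagnosis) from scan detections. The field set comes from the message descriptions; the text layout of each member message, the sample log lines, the probe ID values and the interface name are constructed assumptions and should be checked against the real output before use.

```python
"""Parse EZZ8761I IDS EVENT DETECTED message groups from a z/OS console log and
triage them. Added example, not part of the IBM documentation: the fields are
those of the message group described on this page, but the text layout of each
member message, the sample log, the probe ID values and the interface name are
constructed assumptions, so the parser keys on message IDs and uses tolerant regexes."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed console-log excerpt (not real output): a fast-scan group, an unrelated
# message, then a SCAN INTERVAL OVERRUN group that carries no packet fields.
SAMPLE_LOG = """\
12.00.01 STC00042  EZZ8761I IDS EVENT DETECTED
12.00.01 STC00042  EZZ8730I STACK TCPIP
12.00.01 STC00042  EZZ8762I EVENT TYPE: FAST SCAN DETECTED
12.00.01 STC00042  EZZ8763I CORRELATOR 17 - PROBEID 03020001
12.00.01 STC00042  EZZ8764I SOURCE IP ADDRESS 198.51.100.23 - PORT 0
12.00.01 STC00042  EZZ8765I DESTINATION IP ADDRESS 192.0.2.10 - PORT 0
12.00.01 STC00042  EZZ8770I INTERFACE OSAQDIO1
12.00.01 STC00042  EZZ8766I IDS RULE SCANRULE1
12.00.01 STC00042  EZZ8767I IDS ACTION SCANACT1
12.00.02 STC00042  IEE136I LOCAL: TIME=12.00.02 DATE=2014.100
12.00.05 STC00042  EZZ8761I IDS EVENT DETECTED
12.00.05 STC00042  EZZ8730I STACK TCPIP
12.00.05 STC00042  EZZ8762I EVENT TYPE: SCAN INTERVAL OVERRUN
12.00.05 STC00042  EZZ8763I CORRELATOR 18 - PROBEID 03010002
12.00.05 STC00042  EZZ8766I IDS RULE SCANRULE1
12.00.05 STC00042  EZZ8767I IDS ACTION SCANACT1
"""

@dataclass
class IdsEvent:
    stack: str = ""
    event_type: str = ""
    correlator: str = ""
    probe_id: str = ""
    source_ip: Optional[str] = None    # None when EZZ8764I was not issued
    source_port: Optional[int] = None  # None when absent or reported as zero
    dest_ip: Optional[str] = None      # None when EZZ8765I was not issued
    dest_port: Optional[int] = None
    interface: Optional[str] = None    # None when EZZ8770I was not issued
    rule: str = ""
    action: str = ""

MSGID_RE = re.compile(r"\b(EZZ87\d\dI)\b\s*(.*)$")
# Assumed layout per member message: regex over the text after the ID, and the attributes it fills.
FIELDS = {
    "EZZ8730I": (re.compile(r"STACK\s+(\S+)"), ("stack",)),
    "EZZ8762I": (re.compile(r"EVENT TYPE:\s*(.+?)\s*$"), ("event_type",)),
    "EZZ8763I": (re.compile(r"CORRELATOR\s+(\S+)\s*-\s*PROBEID\s+(\S+)"), ("correlator", "probe_id")),
    "EZZ8764I": (re.compile(r"SOURCE IP ADDRESS\s+(\S+)\s*-\s*PORT\s+(\d+)"), ("source_ip", "source_port")),
    "EZZ8765I": (re.compile(r"DESTINATION IP ADDRESS\s+(\S+)\s*-\s*PORT\s+(\d+)"), ("dest_ip", "dest_port")),
    "EZZ8770I": (re.compile(r"INTERFACE\s+(\S+)"), ("interface",)),
    "EZZ8766I": (re.compile(r"IDS RULE\s+(\S+)"), ("rule",)),
    "EZZ8767I": (re.compile(r"IDS ACTION\s+(\S+)"), ("action",)),
}

def _port(text: str) -> Optional[int]:
    """Zero means not available (non-TCP/UDP, unknown at detection, or any scan event)."""
    return int(text) or None

def parse_ids_groups(log_text: str) -> List[IdsEvent]:
    """Collect every EZZ8761I group; EZZ8767I (the action name) closes a group."""
    events: List[IdsEvent] = []
    current: Optional[IdsEvent] = None
    for line in log_text.splitlines():
        m = MSGID_RE.search(line)
        if m is None:
            continue                       # not an EZZ87xxI message at all
        msgid, text = m.groups()
        if msgid == "EZZ8761I":
            current = IdsEvent()           # first message of a new group
            events.append(current)
            continue
        if current is None or msgid not in FIELDS:
            continue
        pattern, attrs = FIELDS[msgid]
        fm = pattern.search(text)
        if fm is not None:                 # else layout differs: leave field unset
            for attr, value in zip(attrs, fm.groups()):
                setattr(current, attr, _port(value) if attr.endswith("_port") else value)
        if msgid == "EZZ8767I":
            current = None                 # last message of the group
    return events

# Event types the system programmer response treats as scan-engine conditions, not traffic.
ENGINE_CONDITIONS = {"SCAN INTERVAL OVERRUN", "SCAN STORAGE CONSTRAINED"}
SCAN_EVENTS = {"FAST SCAN DETECTED", "SLOW SCAN DETECTED"}

def triage(event: IdsEvent) -> str:
    """'ids-engine' for scan-engine conditions, 'scan' for scan detections, else 'other'."""
    if event.event_type in ENGINE_CONDITIONS:
        return "ids-engine"
    return "scan" if event.event_type in SCAN_EVENTS else "other"

def summarize(events: List[IdsEvent]) -> Counter:
    # Rule and action names are what the policy owner uses to locate the IDS policy.
    return Counter((e.rule, e.action, triage(e)) for e in events)
```

Calling parse_ids_groups(SAMPLE_LOG) yields two IdsEvent records; the first has a source, destination and interface but no ports (the scan event reports port zero, which the parser records as None rather than as a real port 0), and the second has no packet fields at all. summarize() groups the counts by rule and action name, which is the key the system programmer response uses to find the responsible policy. If a real console shows a different text layout for a member message, the FIELDS regexes are the only place that needs to change.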
Copyright IBM Corporation 1990, 2014