z/OS Communications Server: IP Messages Volume 4 (EZZ, SNM)
SC27-3657-01

EZZ8761I
IDS EVENT DETECTED

Explanation

This is the first message of a message group. Messages shown in brackets are issued only when the field they carry is relevant to the event. A complete description of the message group follows:
 EZZ8761I IDS EVENT DETECTED
 EZZ8730I STACK stack_name
 EZZ8762I IDS EVENT TYPE event_type
 EZZ8763I CORRELATOR correlator - PROBEID probe_id
[EZZ8770I INTERFACE intf_name]
[EZZ8764I SOURCE IP ADDRESS source - PORT port]
[EZZ8765I DESTINATION IP ADDRESS dest - PORT port]
 EZZ8766I IDS RULE rule_name
 EZZ8767I IDS ACTION action_name

EZZ8761I

The policy-based intrusion detection system (IDS) detected an event whose IDS action specifies that the console operator is to be alerted. The occurrence of this message can indicate that the TCP/IP stack or a particular application is under stress. The stress might be caused by a peak in workload, or by malicious activity such as packet flooding, port scanning, or malformed packets.

EZZ8730I

This message provides the name of the TCP/IP stack that detected the specified event.

stack_name is the name of the TCP/IP stack.

EZZ8762I

This message provides the event type of the IDS event.

event_type can be one of the following:
  • TCP TOTAL CONNECTION LIMIT REACHED
  • TCP SOURCE IP CONNECTION LIMIT REACHED
  • TCP PORT CONSTRAINED
  • TCP PORT UNCONSTRAINED
  • UDP PORT QUEUE CONSTRAINED
  • UDP PORT QUEUE UNCONSTRAINED
  • FAST SCAN DETECTED
  • SLOW SCAN DETECTED
  • SCAN INTERVAL OVERRUN
  • SCAN STORAGE CONSTRAINED
  • SCAN STORAGE UNCONSTRAINED
  • SUSPICIOUS PACKET RECEIVED
  • SYN FLOOD STARTED
  • SYN FLOOD ENDED
  • INTERFACE FLOOD START
  • INTERFACE FLOOD END
  • INTERFACE FLOOD DETECTION DISABLED
  • ACCEPT QUEUE EXPANDED
  • TCP QUEUE CONSTRAINED
  • TCP QUEUE UNCONSTRAINED
  • TCP CONN RESET - QUEUE CONSTRAINED
  • GLOBAL TCP STALL ENTERED
  • GLOBAL TCP STALL EXITED
  • EE XID FLOOD STARTED
  • EE XID FLOOD ENDED

EZZ8763I

This message provides the IDS trace correlator and probe ID for the IDS event.

correlator is the IDS trace correlator associated with the event.

probe_id is the probe ID associated with the event. See the intrusion detection services probeids in z/OS Communications Server: IP and SNA Codes for a description of the probe IDs.

EZZ8764I

This message provides the source IP address and source port from the IP packet associated with the IDS event. This message is issued only when the source IP address is relevant to the event.

source is the source IP address of the packet associated with the event.

port is the source port associated with the packet. The source port is meaningful only for the TCP and UDP protocols and is zero for any other protocol. port is also zero if the source port is not known at the time the attack is detected, and is always zero when the event_type value in message EZZ8762I is FAST SCAN DETECTED or SLOW SCAN DETECTED.

EZZ8765I

This message provides the destination IP address and destination port from the IP packet associated with the IDS event. This message is issued only when the destination IP address is relevant to the event.

dest is the destination IP address of the packet associated with the event.

port is the destination port associated with the packet. The destination port is meaningful only for the TCP and UDP protocols and is zero for any other protocol. port is also zero if the destination port is not known at the time the attack event is detected.

EZZ8770I

This message provides the interface or link name associated with the IDS event. This message is issued only when the interface name is relevant to the event.

intf_name is the interface or link name associated with the event.

EZZ8766I

This message provides the IDS policy rule name that is associated with the other messages in the group.

rule_name is the short name of the IDS rule that is associated with the messages in this group.

Results:
  • When the event_type value in message EZZ8762I is TCP PORT UNCONSTRAINED, the rule_name value is N/A if the application is no longer listening on the port.
  • If the rule_name value contains characters that cannot be printed to the MVS™ console, such as the ~ character, a blank is substituted for the unprintable character.

EZZ8767I

This message provides the IDS policy action name that is associated with the other messages in the group.

action_name is the short name of the IDS action that is associated with the messages in this group.

Results:
  • When the event_type value in message EZZ8762I is TCP PORT UNCONSTRAINED, the action_name value is N/A if the application is no longer listening on the port.
  • If the action_name value contains characters that cannot be printed to the MVS console, such as the ~ character, a blank is substituted for the unprintable character.

System action

Processing continues.

Operator response

Save the system console log, the IDS syslog file, and the IDS packet trace for the person responsible for IDS policy definition. The IDS policy definition determines whether IDS events are written to syslog, to the IDS packet trace, to both, or to neither.

System programmer response

You can use the trmdstat command from the z/OS UNIX shell to analyze the IDS syslog file. You can use the IPCS trace formatters to format the IDS packet trace if one was collected for this event. If IDS policy is not maintained by the system programmer, provide the log and trace information to the person responsible for IDS policy. The IDS action name (EZZ8767I) and IDS rule name (EZZ8766I) identify the IDS policy that is responsible for the messages.

If message EZZ8762I has an event_type of SCAN INTERVAL OVERRUN, scan processing was not able to complete an evaluation of the source IP addresses it is tracking within its normal internal interval (30 or 60 seconds). This might indicate that a large number of source IP addresses are being monitored. If the policy is using high scan sensitivity, consider lowering the scan sensitivity level for high-usage ports. If message EZZ8762I has an event_type of SCAN STORAGE CONSTRAINED, determine the cause of the storage shortage. See z/OS Communications Server: IP Diagnosis Guide for information about storage shortages.

Problem determination

See the system programmer response.

Module

EZBIDIDM

Routing code

2, 8

Descriptor code

8, 9

Example

EZZ8761I IDS EVENT DETECTED 243
EZZ8730I STACK TCPCS3
EZZ8762I EVENT TYPE: UDP PORT QUEUE CONSTRAINED
EZZ8763I CORRELATOR 3 - PROBEID 02000001
EZZ8765I DESTINATION IP ADDRESS 3.3.3.3 - PORT 300
EZZ8766I IDS RULE All_Well-Known_UDP
EZZ8767I IDS ACTION All_Well-Known_UDP
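The message group above is multi-line, and a SIEM or syslog collector that treats each console line on its own loses the association between the event type, the addresses, and the policy rule and action. The following parser, added here as an illustration and not part of IBM's code or of the z/OS Communications Server, reassembles complete EZZ8761I groups from console text using the layout documented on this page. It accepts both the "IDS EVENT TYPE" form shown in the group description and the "EVENT TYPE:" form shown in the example, treats the optional EZZ8770I/EZZ8764I/EZZ8765I lines as absent when not issued, and exposes the two edge cases the page documents: rule and action names of N/A, and ports that are always zero for scan events. The console prefix handling and the second group in the sample log (a scan event with a placeholder probe ID) are constructed assumptions.

```python
"""Reassemble EZZ8761I IDS EVENT DETECTED message groups from z/OS console or syslog text.

Added example; not IBM code. Message layout follows the group described on this page.
Console prefix handling and SAMPLE_CONSOLE_LOG are assumptions made for the example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One pattern per member message of the group (EZZ8761I itself only opens a group).
_PATTERNS = {
    "EZZ8730I": re.compile(r"^EZZ8730I STACK (?P<stack>\S+)"),
    # The page shows both "IDS EVENT TYPE x" and "EVENT TYPE: x"; accept either.
    "EZZ8762I": re.compile(r"^EZZ8762I (?:IDS )?EVENT TYPE:? (?P<event_type>.+?)\s*$"),
    "EZZ8763I": re.compile(
        r"^EZZ8763I CORRELATOR\s+(?P<correlator>\d+) - PROBEID\s+(?P<probe_id>[0-9A-Fa-f]+)"),
    "EZZ8770I": re.compile(r"^EZZ8770I INTERFACE\s+(?P<interface>\S+)"),
    "EZZ8764I": re.compile(r"^EZZ8764I SOURCE IP ADDRESS (?P<source>\S+) - PORT (?P<source_port>\d+)"),
    "EZZ8765I": re.compile(r"^EZZ8765I DESTINATION IP ADDRESS (?P<dest>\S+) - PORT (?P<dest_port>\d+)"),
    # Rule/action names are taken to end of line: an unprintable character is shown as a blank.
    "EZZ8766I": re.compile(r"^EZZ8766I IDS RULE (?P<rule>.+?)\s*$"),
    "EZZ8767I": re.compile(r"^EZZ8767I IDS ACTION (?P<action>.+?)\s*$"),
}
_INT_FIELDS = {"correlator", "source_port", "dest_port"}
_MSG_ID = re.compile(r"\bEZZ87\d\dI\b.*")
_SCAN_EVENTS = {"FAST SCAN DETECTED", "SLOW SCAN DETECTED"}


@dataclass
class IdsEvent:
    stack: str = ""
    event_type: str = ""
    correlator: int = 0
    probe_id: str = ""
    interface: Optional[str] = None    # EZZ8770I, issued only when relevant
    source: Optional[str] = None       # EZZ8764I, issued only when relevant
    source_port: Optional[int] = None
    dest: Optional[str] = None         # EZZ8765I, issued only when relevant
    dest_port: Optional[int] = None
    rule: str = ""
    action: str = ""

    @property
    def policy_known(self) -> bool:
        """False when rule/action are N/A (TCP PORT UNCONSTRAINED after the listener is gone)."""
        return self.rule != "N/A" and self.action != "N/A"

    @property
    def port_meaningful(self) -> bool:
        """Scan events always report port 0, so the port field carries no information for them."""
        return self.event_type not in _SCAN_EVENTS


def parse_ids_groups(lines: Iterable[str]) -> List[IdsEvent]:
    """Return one IdsEvent per complete EZZ8761I ... EZZ8767I group, in order of appearance.

    A group that is interrupted by a new EZZ8761I before its EZZ8767I is discarded.
    """
    events: List[IdsEvent] = []
    current: Optional[IdsEvent] = None
    for raw in lines:
        m = _MSG_ID.search(raw)            # skip any console prefix (timestamp, job name)
        if not m:
            continue
        line = m.group(0)
        msg_id = line[:8]
        if msg_id == "EZZ8761I":           # start of a group; trailing console number is ignored
            current = IdsEvent()
            continue
        if current is None or msg_id not in _PATTERNS:
            continue
        mm = _PATTERNS[msg_id].match(line)
        if not mm:
            continue
        for name, value in mm.groupdict().items():
            setattr(current, name, int(value) if name in _INT_FIELDS else value)
        if msg_id == "EZZ8767I":           # IDS ACTION is the last message of the group
            events.append(current)
            current = None
    return events


# Constructed sample: the first group is the example from this page; the second is a
# made-up FAST SCAN DETECTED group with a console-style prefix and a placeholder probe ID.
SAMPLE_CONSOLE_LOG = """\
EZZ8761I IDS EVENT DETECTED 243
EZZ8730I STACK TCPCS3
EZZ8762I EVENT TYPE: UDP PORT QUEUE CONSTRAINED
EZZ8763I CORRELATOR 3 - PROBEID 02000001
EZZ8765I DESTINATION IP ADDRESS 3.3.3.3 - PORT 300
EZZ8766I IDS RULE All_Well-Known_UDP
EZZ8767I IDS ACTION All_Well-Known_UDP
12.00.01 STC00042  EZZ8761I IDS EVENT DETECTED 244
12.00.01 STC00042  EZZ8730I STACK TCPCS3
12.00.01 STC00042  EZZ8762I IDS EVENT TYPE FAST SCAN DETECTED
12.00.01 STC00042  EZZ8763I CORRELATOR 7 - PROBEID 00000000
12.00.01 STC00042  EZZ8764I SOURCE IP ADDRESS 10.1.2.3 - PORT 0
12.00.01 STC00042  EZZ8766I IDS RULE Scan_Global
12.00.01 STC00042  EZZ8767I IDS ACTION Scan_Alert
"""

if __name__ == "__main__":
    for ev in parse_ids_groups(SAMPLE_CONSOLE_LOG.splitlines()):
        print(ev.stack, ev.event_type, ev.source, ev.dest, ev.rule, ev.action,
              "policy_known=%s" % ev.policy_known, "port_meaningful=%s" % ev.port_meaningful)
```

The parser keys on the message identifiers rather than on column positions, so it tolerates the timestamp and job-name prefix that console logs and SYSLOG typically prepend. The `correlator` and `probe_id` fields are what you would carry into the IDS packet trace and the probe ID tables in z/OS Communications Server: IP and SNA Codes, and `rule`/`action` are what you would search for in the IDS policy.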

Procedure name

EZBIDLOG


Copyright IBM Corporation 1990, 2014