VTAM 3270 intrusion detection services

z/OS® V2R3 Communications Server enables 3270 data stream intrusion detection services (IDS) that detect and act on violations of the 3270 data stream protocol.

The 3270 IDS function monitors 3270 data streams for primary logical units (PLUs) that are connected to the z/OS VTAM® instance. Specific types of 3270 sessions can be exempted from IDS monitoring at the VTAM or application major node level if IDS monitoring is not needed for those sessions.

The 3270 IDS function monitors 3270 data streams for any attempt to write past the end of input fields or to modify protected fields. When these types of events are detected, appropriate actions are taken according to the VTAM configuration. The possible actions include logging the event, tracing the relevant inbound and outbound PIUs for later analysis, notifying the PLU of the event with a sense code, and even terminating the SNA session.
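The two checks described above can be modelled outside VTAM. The following Python model is an added example, not IBM code and not VTAM's implementation: it records field attributes from an outbound write and flags inbound data that lands in a protected field or runs past the end of an input field. Assumptions: a 24x80 buffer, only the SBA, SF and IC orders, constructed sample streams, and hypothetical function and constant names.

```python
SBA, SF, IC = 0x11, 0x1D, 0x13   # 3270 orders handled by this model
PROTECTED = 0x20                 # "protected" bit in a field attribute byte

def addr(b1, b2):  # 2-byte buffer address: 14-bit binary or 12-bit coded
    return (b1 << 8) | b2 if b1 & 0xC0 == 0 else ((b1 & 0x3F) << 6) | (b2 & 0x3F)

def field_attrs(outbound, size=1920):
    """Map buffer position -> attribute byte from a well-formed outbound write."""
    attrs, pos, i = {}, 0, 2               # skip command code and WCC
    while i < len(outbound):
        b = outbound[i]
        if b == SBA:
            pos, i = addr(outbound[i + 1], outbound[i + 2]) % size, i + 3
        elif b == SF:
            attrs[pos] = outbound[i + 1]
            pos, i = (pos + 1) % size, i + 2
        else:                              # IC (no advance) or a data character
            pos, i = (pos + (b != IC)) % size, i + 1
    return attrs

def is_protected(attrs, pos, size):
    """True if the field containing pos is protected (fields wrap around)."""
    for back in range(1, size + 1):
        if (pos - back) % size in attrs:
            return bool(attrs[(pos - back) % size] & PROTECTED)
    return False                           # unformatted screen

def check_inbound(inbound, attrs, size=1920):
    """Return [(position, violation)], one entry per offending inbound field."""
    found, pos, i, in_input, flagged = [], 0, 3, False, False  # skip AID, cursor
    while i < len(inbound):
        if inbound[i] == SBA and i + 2 < len(inbound):
            pos, i = addr(inbound[i + 1], inbound[i + 2]) % size, i + 3
            in_input = flagged = False
            continue
        if pos in attrs or is_protected(attrs, pos, size):
            if not flagged:
                found.append((pos, "write past end of input field" if in_input
                              else "protected field modified"))
            flagged = True
        else:
            in_input = True
        pos, i = (pos + 1) % size, i + 1
    return found

# Constructed samples: protected label at 0, input field 11-19, protected from 20.
SCREEN = bytes.fromhex("f5c3 114040 1d60 c1d4d6e4d5e37a 11404a 1d40 1140d4 1d60")
VALID = bytes.fromhex("7d404f 11404b f1f2f3f4")              # 4 bytes at 11
OVERRUN = bytes.fromhex("7d404f 11404b" + "f1" * 12)         # 12 bytes from 11
PROT_WRITE = bytes.fromhex("7d404f 1140c1 c8c1c3d2")         # data aimed at 1
```

Calling `check_inbound(OVERRUN, field_attrs(SCREEN))` reports position 20, the attribute byte that ends the input field; `PROT_WRITE` is reported at position 1, inside the protected label.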

The 3270 IDS function writes GTF type F90 records and SMF type 119 (subtype 81) records for each incident.

Restriction: This function is not supported for VTAM's APPCCMD programming interface.

Using VTAM 3270 IDS

VTAM 3270 IDS is disabled by default. To enable this function, perform the appropriate tasks in Table 1.

Table 1. VTAM 3270 IDS
| Task/Procedure | Reference |
| --- | --- |
| Assess your need to use the 3270 data stream monitoring function | 3270 IDS considerations and assessment in z/OS Communications Server: SNA Network Implementation Guide |
| Enable 3270 data stream monitoring at the VTAM level by using the DSMONITR VTAM start option. | DSMONITR VTAM start option in z/OS Communications Server: SNA Resource Definition Reference |
| Optionally enable or disable 3270 data stream monitoring at the application major node level by using the DSMONITR operand of the APPL or GROUP statement. | DSMONITR operand of the APPL and GROUP statements in z/OS Communications Server: SNA Resource Definition Reference |
| Optionally specify the actions to be taken at the VTAM level when a 3270 data stream protocol violation is detected by using the DSACTION VTAM start option. | DSACTION VTAM start option in z/OS Communications Server: SNA Resource Definition Reference |
| Optionally specify the actions to be taken at the application major node level when a 3270 data stream protocol violation is detected by using the DSACTION operand of the APPL or GROUP statement. | DSACTION operand of the APPL and GROUP statements in z/OS Communications Server: SNA Resource Definition Reference |
| Optionally exempt specific types of 3270 traffic from monitoring at the VTAM level by using the DSTRUST VTAM start option. | DSTRUST VTAM start option in z/OS Communications Server: SNA Resource Definition Reference |
| Optionally exempt specific types of 3270 traffic from monitoring at the application major node level using the DSTRUST operand of the APPL or GROUP statement. | DSTRUST operand of the APPL and GROUP statements in z/OS Communications Server: SNA Resource Definition Reference |
| Display 3270 IDS configuration settings at the VTAM level. | DISPLAY VTAMOPTS,FUNCTION=SECURITY command in z/OS Communications Server: SNA Operation |
| Display 3270 IDS configuration settings and statistics at the application level. | DISPLAY ID command in z/OS Communications Server: SNA Operation |
| Display 3270 IDS statistics at the VTAM level | DISPLAY STATS command in z/OS Communications Server: SNA Operation |
| Display 3270 IDS statistics for a specific session | DISPLAY SESSION,SID= command in z/OS Communications Server: SNA Operation |
| Modify the 3270 IDS configuration settings at the VTAM level | MODIFY VTAMOPTS command in z/OS Communications Server: SNA Operation |
| Enable capture of relevant SNA PIUs to the Generalized Trace Facility (GTF) | |
| Display the 3270 IDS data areas from a dump | VTAMMAP SES or VTAMMAP VTAM command in z/OS Communications Server: SNA Diagnosis Vol 1, Techniques and Procedures |
| Analyze potential 3270 protocol violations | |
| Update the SMFPRMxx member of SYS1.PARMLIB to write SMF type 119 subtype 81 records. | z/OS MVS Initialization and Tuning Reference |
| Read the SMF type 119 subtype 81 records. | Type 119 SMF records in z/OS Communications Server: IP Programmer's Guide and Reference |

To find all related topics about VTAM 3270 IDS, see Table 2.

Table 2. All related topics about VTAM 3270 IDS
| Book name | Topics |
| --- | --- |
| z/OS Communications Server: IP Programmer's Guide and Reference | |
| z/OS Communications Server: IP and SNA Codes | |
| z/OS Communications Server: SNA Operation | |
| z/OS Communications Server: SNA Network Implementation Guide | 3270 Intrusion Detection Services |
| z/OS Communications Server: SNA Diagnosis Vol 1, Techniques and Procedures | |
| z/OS Communications Server: SNA Diagnosis Vol 2, FFST Dumps and the VIT | |
| z/OS Communications Server: SNA Resource Definition Reference | |
| z/OS Communications Server: Quick Reference | F VTAMOPTS command |
| z/OS Communications Server: SNA Messages | |
| z/OS Communications Server: SNA Customization | Global storage GETBLK vector (X'000100030004') |