VTAM 3270 Intrusion Detection Services event record (subtype 81)
The VTAM® 3270 Intrusion Detection Services (IDS) function monitors 3270 data streams for primary logical units (PLUs) that are connected to the z/OS® VTAM instance. Specific types of 3270 sessions can be exempted from IDS monitoring at the VTAM or application major node level if IDS monitoring is not needed for those sessions.
The 3270 IDS function monitors 3270 data streams for any attempt to write past the end of input fields or to modify protected fields. When these types of events are detected, VTAM writes a type 119 subtype 81 SMF record. This record contains information about the two end point LUs of the connection and the specific data streams that created the event.
See 3270 Intrusion Detection Services in z/OS Communications Server: SNA Network Implementation Guide for more information about the 3270 IDS function.
C structures for mapping the SMF type 119 subtype 81 records can be found in ezasmf.h in the SEZANMAC MVS™ data set and in the /usr/include file system directory. Assembler mappings for the structures can be found in ISTSMF77 in SYS1.MACLIB.
- SMF119TI_Stack
- The name of the VTAM address space that issued this record
- SMF119TI_ReleaseID
- The VTAM release level found in the first eight bytes of the ATCVT
- SMF119TI_Comp
- IDS3270
- SMF119TI_ASName
- The address space name for which this record was written
- SMF119TI_UserID
- User ID of security context under which this SMF record is written
- SMF119TI_ASID
- The address space identifier for which this record was written
- SMF119TI_Reason
-
- X'48'
- The event record is incomplete
- X'08'
- The event record is complete
- SMF119TI_RecordID
- The last eight bits of the incident token (IST119DS_IncTk). This value might be used correlate records.
Continuing the SMF record
A set of SMF records are written for a VTAM IDS event. One SMF record is written for each saved outbound PIU. The number of saved oubound PIUs is defined by the DSCOUNT parameter. Each buffer has the SMF119TI_Reason field set to X'48' until the last or only buffer. This buffer has the input RU that causes the SMF records to be written. The SMF119TI_Reason field is set to X'08' in the last record.
| Offset | Name | Length | Format | Description |
|---|---|---|---|---|
| 0(X'0') | Standard SMF Header | 24 | EBCDIC | Standard SMF Header; subtype is 81(X'51') |
| Self-defining section | ||||
| 24(X'18') | SMF119SD_TRN | 2 | Binary | Number of triplets in this record (4) |
| 26(X'1A') | 2 | Binary | Reserved | |
| 28(X'1C') | SMF119IDOff | 4 | Binary | Offset to TCP/IP identification section |
| 32(X'20') | SMF119IDLen | 2 | Binary | Length of TCP/IP identification section |
| 34(X'22') | SMF119IDNum | 2 | Binary | Number of TCP/IP identification sections |
| 36(X'24') | SMF119S1Off | 4 | Binary | Offset to 3270 IDS common section |
| 40(X'28') | SMF119S1Len | 2 | Binary | Length of 3270 IDS common section |
| 42(X'2A') | SMF119S1Num | 2 | Binary | Number of 3270 IDS common sections |
| 44(X'2C') | SMF119S2Off | 4 | Binary | Offset to outbound buffer section |
| 48(X'30') | SMF119S2Len | 2 | Binary | Length of outbound buffer section |
| 50(X'32') | SMF119S2Num | 2 | Binary | Number of outbound buffer sections |
| 52(X'34') | SMF119S3Off | 4 | Binary | Offset to inbound buffer section |
| 56(X'38') | SMF119S3Len | 2 | Binary | Length of inbound buffer section |
| 58(X'3A') | SMF119S3Num | 2 | Binary | Number of inbound buffer sections |
| Offset | Name | Length | Format | Description |
|---|---|---|---|---|
| 0(X'0') | IST119DS_Time | 8 | Binary | STCK time of the incident (UTC) |
| 8(X'8') | IST119DS_PLUName | 17 | EBCDIC | PLU NetId.name |
| 25(X'19') | IST119DS_SLUName | 17 | EBCIDC | SLU NetId.name |
| 42(X'2A') | 10 | Reserved | ||
| 52(X'34') | IST119DS_SID | 8 | Binary | Session Id |
| 60(X'3C') | IST119DS_IncTk | 4 | Binary | Event token |
| 64(X'40') | IST119DS_ECode | 1 | EBCDIC | Event error code |
| 65(X'41') | IST119DS_DSCOUNT | 1 | Binary | DSCOUNT parameter |
| 66(X'42') | IST119DS_ACTION | 1 | Binary | DSACTION parameter |
| DSACTION Report Level | ||||
|
x'08' IST119DS_DSACT_SYS: Syslog |
||||
|
x'0C' IST119DS_DSACT_CON: Console |
||||
| DSACTION Intervention | ||||
|
x'01 ' IST119DS_DSACT_None: None |
||||
|
x'02' IST119DS_DSACT_Sense: Sense |
||||
|
x'03' IST119DS_DSACT_Term: Term |
||||
| 67(X'43') | 1 | Reserved | ||
| 68(X'44') | IST119DS_RIPV6 | 16 | Binary | Remote IP address (TN3270 sessions only) |
| 84(X'54') | IST119DS_RPort | 2 | Binary | Remote port number (TN3270 sessions only) |
| 86(X'56') | IST119DS_Row | 1 | Binary | 3270 display row |
| 87(X'57') | IST119DS_Column | 1 | Binary | 3270 display column |
| 88(X'58') | IST119DS_Offset | 2 | Binary | Offset into 3270 Buffer |
| 90(X'5A') | IST119DS_OBufO | 2 | Binary | Outbound buffer offset |
| 92(X'5C') | IST119DS_IBufO | 2 | Binary | Inbound buffer offset |
| 94(X'5E') | IST119DS_OBufL | 2 | Binary | Outbound buffer length |
| 96(X'60') | IST119DS_IBufL | 2 | Binary | Inbound buffer length |
| 98(X'62') | IST119DS_OSEQ | 2 | Binary | Outbound PIU sequence number |
| 100(X'64') | IST119DS_ISEQ | 2 | Binary | Inbound PIU sequence number |
| 102(X'66') | IST119DS_OFLD | 32 | Binary | 32 bytes of outbound 3270 data stream |
| 134(X'86') | IST119DS_IFLD | 32 | Binary | 32 bytes of inbound PIU field 3270 data stream |
| Offset | Name | Length | Format | Description |
|---|---|---|---|---|
| 0(X'00') | IST119DS_DOTime | 8 | Binary | STCK time of the buffer (UTC) |
| 8(X'08') | IST119DS_DOFSNF | 2 | Binary | First sequence number |
| 10(X'0A') | IST119DS_DOLSNF | 2 | Binary | Last sequence number |
| 12(X'0C') | IST119DS_DOOFF | 2 | Binary | Offset of data in DS_DORU |
| 14(X'0E') | IST119DS_DOLen | 2 | Binary | Length of data in DS_DORU |
| 16(X'10') | IST119DS_DODSBn | 1 | Binary | DSCOUNT buffer number |
| 17(X'11') | IST119DS_DOFlags | 2 | Binary | Flags |
|
x'8000' IST119DS_DOCData: Confidential data |
||||
| 18(X'13') | IST119DS_DOTH | 26 | Binary | SNA Transmission header |
| 45(X'2D') | IST119DS_DORH | 3 | Binary | SNA Request header |
| 48(x'30') | IST119DS_DORU | 4096 | Binary | Outbound RU data |
| Offset | Name | Length | Format | Description |
|---|---|---|---|---|
| 0(X'00') | IST119DS_DITime | 8 | Binary | STCK time of the buffer (UTC) |
| 8(X'08') | IST119DS_DIFSNF | 2 | Binary | First sequence number |
| 10(X'0A') | IST119DS_DILSNF | 2 | Binary | Last sequence number |
| 12(X'0C') | IST119DS_DIOFF | 2 | Binary | Offset of data in DS_DIRU |
| 14(X'0E') | IST119DS_DILen | 2 | Binary | Length of data in DS_DIRU |
| 16(X'10') | 1 | Binary | Reserved | |
| 17(X'11') | IST119DS_DIFlag | 2 | Binary | Flags |
|
x'8000' IST119DS_DICData: Confidential data |
||||
| 18(X'13') | IST119DS_DITH | 26 | Binary | SNA Transmission header |
| 45(X'2D') | IST119DS_DIRH | 3 | Binary | SNA Request header |
| 48(x'30') | IST119DS_DIRU | 4096 | Binary | Inbound RU data |