IST2424I 3270 DATA STREAM ERROR – netid.pluname netid.sluname
Explanation
This is the first of a group of messages that VTAM® issues when a 3270 data stream error is found by the 3270 Intrusion Detection Services. A complete description of the message group follows.
IST2424I 3270 DATA STREAM ERROR – netid.pluname netid.sluname
IST2425I {PLU|SLU} SUBAREA = X'saHex' INDEX = X'indHex' ELEMENT = X'elHex'
IST2441I JOBNAME = jobname SID = session_id
[IST2426I IPADDR = ipaddress..port]
IST2427I DATE = date TIME = time ID = id
IST2428I ROW = row COLUMN = col
IST2429I OUTBOUND – SEQ = X'seq_num' OFF = offset LEN = len
IST2431I hex_data1 hex_data2 hex_data3 hex_data4 *EBCDIC_data*
IST2430I INBOUND - SEQ = X'seq_num' OFF = offset LEN = len
IST2431I hex_data1 hex_data2 hex_data3 hex_data4 *EBCDIC_data*
IST314I END
- pluname
- The network-qualified primary session partner name.
- sluname
- The network-qualified secondary session partner name.
- netid
- The ID of the network that contains the session partner.
IST2425I
IST2425I will be displayed once for the PLU resource and once for the SLU resource.
- saHex
- The subarea of the primary or secondary logical unit in hexdecimal.
- indHex
- The element index number of the primary or secondary logical unit in hexdecimal.
- elHex
- The element address of the primary or secondary logical unit in hexdecimal.
- ipaddress
- The IP address associated with the SLU.
- port
- The port number associated with the SLU.
- date and time
- Specify when the last outbound data was sent.
- id
- The incident token associated with this event.
- row
- The row number of the 3270 presentation space where the field modification was detected.
- col
- The column number of the 3270 presentation space where the field modification was detected.
- seq_num
- The sequence number of the last outbound PIU that set the field in question in hexadecimal.
- offset
- The offset in the outbound PIU of the field that was overlaid.
- len
- The length of the outbound field that was overlaid.
- seq_num
- The sequence number of the inbound PIU in hexadecimal.
- offset
- The offset in the inbound PIU of the field that was overlaid.
- len
- The length of the inbound field that was overlaid.
- hexdata_1, hex_data2, hex_data3 and hex_data4
- Show up to 16 bytes of outbound or inbound data around the area of the detected violation (in hex).
- EBCDIC_data
- Show up to 16 bytes of outbound or inbound data around the area of the detected violation (in EBCDIC).
- jobname
- The 1 to 8 character job name of the VTAM application that was active when the incident occurred. If jobname is not available, VTAM issues ***NA***.
- session_id
- The session ID that provides a unique identifier for the session. If the session ID is unknown, VTAM displays ***NA***.
System action
Depending on the value of the DSACTION defined on the APPL statement, the connection will be continued or will be terminated. The outbound and inbound PIUs have been written to the Generalized Trace Facility (GTF), if available.
Operator response
Notify the security administrator that a possible intrusion has been detected.
System programmer response
None.
User response
None.
Problem determination
Start the Generalized Trace Facility (GTF) to collect trace records of event type 'F90'x. These trace records can be formatted with Interactive Problem Control System (IPCS).
Source
z/OS® Communications Server SNA
Module
Use the modifiable VTAM start option MSGMOD=YES (f procname,vtamopts,msgmod=yes or f procname,msgmod=yes) to display the issuing module when a message is issued. See z/OS Communications Server: SNA Operation and z/OS Communications Server: SNA Resource Definition Reference for more information about start options.
Routing code
8, 9
Descriptor code
4
Automation
- When you use DSACTION=SYSLOG, a single IST2424I message is written to the console and the entire message group for IST2424I is written to SYSLOG. This message is displayed twice for the same incident during automation.
- When the application is TSO, the jobname in IST2441I is the TSO user ID.
Example
IST2424I 3270 DATA STREAM ERROR - NETA.TSO10001 NETA.L7201A 056
IST2425I PLU SUBAREA = X'0001' INDEX = X'0001' ELEMENT = X'0076'
IST2425I SLU SUBAREA = X'0001' INDEX = X'0000' ELEMENT = X'003A'
IST2441I JOBNAME = USER1 SID = EAABEEC33D18556F
IST2426I IPADDR = 10.10.101.4..50208
IST2427I DATE = 2016/04/01 TIME = 14:07:04 ID = 1
IST2428I ROW = 4 COLUMN = 14
IST2429I OUTBOUND - SEQ = X'000A' OFF = 350 LEN = 66
IST2431I 00000000 00000000 00000000 00000000 *................*
IST2430I INBOUND - SEQ = X'0006' OFF = 6 LEN = 66
IST2431I 92939293 91A28400 00000000 00000000 *KLKLJSD.........*
IST314I END