IST2424I 3270 DATA STREAM ERROR – netid.pluname netid.sluname

Explanation

This is the first of a group of messages that VTAM® issues when a 3270 data stream error is found by the 3270 Intrusion Detection Services. A complete description of the message group follows.

 IST2424I 3270 DATA STREAM ERROR – netid.pluname netid.sluname
 IST2425I {PLU|SLU} SUBAREA = X'saHex' INDEX = X'indHex' ELEMENT =  X'elHex' 
 IST2441I JOBNAME = jobname  SID = session_id
[IST2426I IPADDR = ipaddress..port]
 IST2427I DATE = date TIME = time ID = id
 IST2428I ROW = row COLUMN = col   
 IST2429I OUTBOUND – SEQ = X'seq_num' OFF = offset LEN = len 
 IST2431I hex_data1 hex_data2 hex_data3 hex_data4 *EBCDIC_data*
 IST2430I INBOUND  - SEQ = X'seq_num' OFF = offset LEN = len 
 IST2431I hex_data1 hex_data2 hex_data3 hex_data4 *EBCDIC_data*
 IST314I END
IST2424I
pluname
The network-qualified primary session partner name.
sluname
The network-qualified secondary session partner name.
netid
The ID of the network that contains the session partner.

IST2425I

IST2425I will be displayed once for the PLU resource and once for the SLU resource.

saHex
The subarea of the primary or secondary logical unit in hexadecimal.
indHex
The element index number of the primary or secondary logical unit in hexadecimal.
elHex
The element address of the primary or secondary logical unit in hexadecimal.
IST2426I
ipaddress
The IP address associated with the SLU.
port
The port number associated with the SLU.
This message is issued when the control vector CV64 has been provided.
IST2427I
date and time
The date and time when the last outbound data was sent.
id
The incident token associated with this event.
IST2428I
row
The row number of the 3270 presentation space where the field modification was detected.
col
The column number of the 3270 presentation space where the field modification was detected.
IST2429I
seq_num
The sequence number of the last outbound PIU that set the field in question in hexadecimal.
offset
The offset in the outbound PIU of the field that was overlaid.
len
The length of the outbound field that was overlaid.
IST2430I
seq_num
The sequence number of the inbound PIU in hexadecimal.
offset
The offset in the inbound PIU of the field that was overlaid.
len
The length of the inbound field that was overlaid.
IST2431I
hex_data1, hex_data2, hex_data3 and hex_data4
Show up to 16 bytes of outbound or inbound data around the area of the detected violation (in hex).
EBCDIC_data
Show up to 16 bytes of outbound or inbound data around the area of the detected violation (in EBCDIC).
IST2441I
jobname
The 1 to 8 character job name of the VTAM application that was active when the incident occurred. If jobname is not available, VTAM issues ***NA***.
session_id
The session ID that provides a unique identifier for the session. If the session ID is unknown, VTAM displays ***NA***.

System action

Depending on the value of the DSACTION defined on the APPL statement, the connection will be continued or will be terminated. The outbound and inbound PIUs have been written to the Generalized Trace Facility (GTF), if available.

Operator response

Notify the security administrator that a possible intrusion has been detected.

System programmer response

None.

User response

None.

Problem determination

Start the Generalized Trace Facility (GTF) to collect trace records of event type 'F90'x. These trace records can be formatted with Interactive Problem Control System (IPCS).

Source

z/OS® Communications Server SNA

Module

Use the modifiable VTAM start option MSGMOD=YES (f procname,vtamopts,msgmod=yes or f procname,msgmod=yes) to display the issuing module when a message is issued. See z/OS Communications Server: SNA Operation and z/OS Communications Server: SNA Resource Definition Reference for more information about start options.

Routing code

8, 9

Descriptor code

4

Automation

An automation tool can start GTF and buffer trace for the SLU when it detects the message IST2424I.
Tips:
  • When you use DSACTION=SYSLOG, a single IST2424I message is written to the console and the entire message group for IST2424I is written to SYSLOG. This message is displayed twice for the same incident during automation.
  • When the application is TSO, the jobname in IST2441I is the TSO user ID.

Example

IST2424I 3270 DATA STREAM ERROR - NETA.TSO10001 NETA.L7201A 056 
IST2425I PLU SUBAREA = X'0001' INDEX = X'0001' ELEMENT = X'0076'
IST2425I SLU SUBAREA = X'0001' INDEX = X'0000' ELEMENT = X'003A'
IST2441I JOBNAME = USER1 SID = EAABEEC33D18556F                 
IST2426I IPADDR = 10.10.101.4..50208
IST2427I DATE = 2016/04/01 TIME = 14:07:04 ID = 1               
IST2428I ROW = 4 COLUMN = 14                                    
IST2429I OUTBOUND - SEQ = X'000A' OFF = 350 LEN = 66            
IST2431I 00000000 00000000 00000000 00000000  *................*
IST2430I INBOUND - SEQ = X'0006' OFF = 6 LEN = 66               
IST2431I 92939293 91A28400 00000000 00000000  *KLKLJSD.........*
IST314I END
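
The following Python parser is an added example, not part of the IBM documentation. It turns the message group described on this page into one structured record per incident, suitable for forwarding to a SIEM. The function name parse_groups and the record key names are assumptions, as is the input format: each line is expected to start with the message ID, with any SYSLOG prefix already stripped.

```python
import re

# The message group from this page's Example section.
SAMPLE = """\
IST2424I 3270 DATA STREAM ERROR - NETA.TSO10001 NETA.L7201A 056
IST2425I PLU SUBAREA = X'0001' INDEX = X'0001' ELEMENT = X'0076'
IST2425I SLU SUBAREA = X'0001' INDEX = X'0000' ELEMENT = X'003A'
IST2441I JOBNAME = USER1 SID = EAABEEC33D18556F
IST2426I IPADDR = 10.10.101.4..50208
IST2427I DATE = 2016/04/01 TIME = 14:07:04 ID = 1
IST2428I ROW = 4 COLUMN = 14
IST2429I OUTBOUND - SEQ = X'000A' OFF = 350 LEN = 66
IST2431I 00000000 00000000 00000000 00000000  *................*
IST2430I INBOUND - SEQ = X'0006' OFF = 6 LEN = 66
IST2431I 92939293 91A28400 00000000 00000000  *KLKLJSD.........*
IST314I END
"""
KV = re.compile(r"(\w+) = (?:X'([0-9A-Fa-f]+)'|(\S+))")
DECIMAL = {"row", "column", "off", "len"}  # fields the page shows as decimal

def parse_groups(text):
    """Yield one dict per complete IST2424I ... IST314I END group."""
    rec = direction = None
    for line in text.splitlines():
        msgid, _, body = line.strip().partition(" ")
        if msgid == "IST2424I":  # a header that never reaches END is dropped
            names = [t for t in body.split() if "." in t]
            rec, direction = {"plu": names[0], "slu": names[1]}, None
            continue
        if rec is None:
            continue  # line is outside any message group
        f = {k.lower(): int(h, 16) if h else
             int(v) if k.lower() in DECIMAL and v.isdigit() else v
             for k, h, v in KV.findall(body)}
        if msgid == "IST314I":
            yield rec
            rec = None
        elif msgid == "IST2425I":  # issued once for the PLU, once for the SLU
            rec[body.split()[0].lower() + "_addr"] = f
        elif msgid == "IST2426I":  # optional; address and port are joined by ".."
            rec["ip"], _, rec["port"] = f["ipaddr"].rpartition("..")
        elif msgid in ("IST2429I", "IST2430I"):
            direction = body.split()[0].lower()
            rec[direction] = f
        elif msgid == "IST2431I" and direction:  # dump of the preceding PIU line
            rec[direction]["data"] = bytes.fromhex("".join(body.split("*")[0].split()))
        else:
            rec.update(f)
```

Because a record is emitted only at IST314I END, the lone IST2424I console copy produced with DSACTION=SYSLOG does not create a second incident. Decoding the sample's inbound bytes as cp037 (an assumed code page) gives lowercase klkljsd while the EBCDIC column prints uppercase, so match on the hex bytes.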