IM (Intrusion Monitor) journal entries

This table provides the format of the IM (Intrusion Monitor) journal entries.

Table 1. IM (Intrusion Monitor) journal entries. QASYIMJE/J4/J5 Field Description File
Offset			Field	Format	Description
JE	J4	J5	Field	Format	Description
		1			Heading fields common to all entry types.
		610	Entry Type	Char(1)	The type of entry. P Potential intrusion event detected
		611	Time of Event	TIMESTAMP	The time that the event was detected, in SAA timestamp format.
		637	Detection Point Identifier	Char(4)	A unique identifier for the processing location that detected the intrusion event. This field is intended for use by service personnel.
		641	Local Address Family	Char(1)	Local IP address family associated with the detected event.
		642	Local Port Number	Zone(5, 0)	Local port number associated with the detected event.
		647	Local IP Address	Char(46)	Local IP address associated with the detected event.
		693	Remote Address Family	Char(1)	Remote address family associated with the detected event.
		694	Remote Port Number	Zoned(5, 0)	Remote port number associated with the detected event.
		699	Remote IP Address	Char(46)	Remote IP address associated with the detected event.
		745	Probe Type Identifier	Char(6)	Identifies the type of probe used to detect the potential intrusion. Possible values are as follows: ATTACK Attack action detected event TR-TCP Traffic Regulation action detected event over TCP TR-SSL Traffic Regulation action detected System SSL/TLS failed handshake event TR-UDP Traffic Regulation action detected event over UDP SCANE Scan event action detected event SCANG Scan global action detected event XATTAC Possible extrusion attack XTRTCP Outbound TR detected event (TCP) XTRUDP Outbound TR detected event (UDP) XSCAN Outbound scan event detected
		751	Event Correlator	Char(4)	Unique identifier for this specific intrusion event. This identifier can be used to correlate this audit record with other intrusion detection information.
		755	Event type	Char(8)	Identifies the type of potential intrusion that was detected. The possible values are as follows: ACKSTORM TCP ACK storm ADRPOISN Address poisoning FLOOD Flood event FRAGGLE Fraggle attack ICMPRED ICMP (Internet Control Message Protocol) redirect IPFRAG IP fragment MALFPKT Malformed packet OUTRAW Outbound Raw PERPECH Perpetual echo PNGDEATH Ping of death RESTOPT Restricted IP options RESTPROT Restricted IP protocol SMURF Smurf attack
		763	Protocol	Char(3)	Protocol number
		766	Condition	Char(4)	Condition number from IDS policy file
		770	Throttling	Char(1)	0 = not active 1 = active
		771	Discarded Packets	Zoned(5,0)	Number of discarded packets when throttled
		776	Target TCP/IP Stack	Char(1)	P Production Stack S Service Stack
		777	Reserved	Char(6)	Reserved for future use
		783	Suspected Packet	Char(1002)¹	A variable length field which can contain up to the first 1000 bytes of the IP packet associated with the detected event. This field contains binary data and should be treated as if it has a CCSID of 65535. When Probe Type Identifier (offset 745) is 'TR-SSL', this field contains a blank padded character string that indicates error information for the failing handshake. The first 2 bytes of this field contain the length of the error information. Following the length is a 6-byte character string that represents the processing location that detected the failed handshake. Following the 6-byte string is a 40-byte character string that indicates the error code that is returned on the failing handshake.
¹ This is a variable length field. The first 2 bytes contain the length of the suspected packet information.