z/OS Communications Server: IP Messages Volume 4 (EZZ, SNM)
SC27-3657-01

EZZ9327I
TRMD Attack log records suppressed:date time,attack type=attacktype,count=count,probeid=probeid,sensorhostname=sensorhostname

Explanation

Intrusion Detection Services (IDS) event recording was suppressed for an attack type specified in the active policy. IDS suppresses logging of attack events of a particular attack type after 100 events have been logged in a 5-minute interval. This is done to prevent syslog flooding. Logging resumes after the 5-minute interval ends.

date is the date of the beginning of the 5-minute interval in which log records were suppressed.

time is the time of the beginning of the 5-minute interval in which log records were suppressed.

attacktype is the attack event type. attacktype will be one of the following (policy value, followed by its meaning):
Malformed: Malformed packet
OutboundRaw: Outbound RAW restriction
IPFragment: Inbound fragment
ICMP: ICMP redirect
IPOPT: IP option restriction
IPPROTO: IP protocol restriction
Flood: Flood event
PerpEcho: UDP perpetual echo
DataHiding: Data hiding
TCPQueueSize: TCP queue size event
GlobalTCPStall: Global TCP stall event
OutboundRaw6: IPv6 outbound RAW restriction
IPv6NextHeader: IPv6 next header restriction
IPv6HopOptions: IPv6 hop-by-hop option restriction
IPv6DestOptions: IPv6 destination option restriction
EELDLDCheck: EE packet received on wrong port
EEMalformed: EE malformed packet
EEPortCheck: EE source port incorrect
EEXIDFlood: EE XID flood detection
These correspond to the AttackType values specified in IDS policy. See the z/OS Communications Server: IP Configuration Guide for a description of attack event types.

count is the number of log entries suppressed.

probeid is the unique identifier of the probe detection point. See z/OS Communications Server: IP and SNA Codes for a description of the Intrusion Detection Services probe IDs.

sensorhostname is the fully qualified host name of the IDS sensor.

System action

Processing continues.

Operator response

None.

System programmer response

Examine relevant syslog messages to determine the source of the log entries and take appropriate action: adjust the active policy to be less restrictive or investigate the logged intrusions.

Module

EZATRMD

Example

EZZ9327I TRMD Attack log records suppressed:07/16/2010 20:19:43.52,attack type=IPFragment,count=57,probeid=0403FFF0,sensorhostname=MVS123.tcp.company.com
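The following Python script is an added example and is not part of this IBM documentation. It parses EZZ9327I records as they would arrive in a syslog collector, recovers the fields described above, and totals the suppressed events per sensor and attack type, so that a suppression record (which by the explanation above means more than 100 events of that attack type were seen in one 5-minute interval) can be surfaced to an analyst instead of disappearing into the log. The first sample line is the example from this page; the other lines, the syslog timestamp/host prefix and the placeholder probe ID in the Flood line are constructed assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Message text of EZZ9327I as documented above. The date/time layout
# (MM/DD/YYYY HH:MM:SS.hh) follows the page's example; a fixed field order
# is assumed. The probe ID is taken as-is up to the next comma.
EZZ9327I_RE = re.compile(
    r"EZZ9327I TRMD Attack log records suppressed:"
    r"(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?),"
    r"attack type=(?P<attacktype>[A-Za-z0-9]+),"
    r"count=(?P<count>\d+),"
    r"probeid=(?P<probeid>[^,]+),"
    r"sensorhostname=(?P<sensorhostname>\S+)"
)

# Suppression threshold stated in the explanation: after 100 events of one
# attack type in a 5-minute interval, further events are not logged.
SUPPRESSION_THRESHOLD = 100


@dataclass
class SuppressionRecord:
    date: str
    time: str
    attacktype: str
    count: int
    probeid: str
    sensorhostname: str

    @property
    def minimum_events(self) -> int:
        # At least the 100 logged events plus the suppressed ones occurred
        # in the interval that starts at date/time.
        return SUPPRESSION_THRESHOLD + self.count


def parse_ezz9327i(line: str) -> Optional[SuppressionRecord]:
    """Parse one syslog line; return None if it is not an EZZ9327I record."""
    # Forwarders usually prefix a timestamp and host, so search, not match.
    m = EZZ9327I_RE.search(line)
    if not m:
        return None
    return SuppressionRecord(
        date=m.group("date"),
        time=m.group("time"),
        attacktype=m.group("attacktype"),
        count=int(m.group("count")),
        probeid=m.group("probeid").upper(),
        sensorhostname=m.group("sensorhostname"),
    )


def summarize(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Total suppressed events as {sensorhostname: {attacktype: count}}."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_ezz9327i(line)
        if rec is not None:
            totals[rec.sensorhostname][rec.attacktype] += rec.count
    return {sensor: dict(per_type) for sensor, per_type in totals.items()}


# Constructed sample input. Line 1 is the page's own example; the rest are
# made up, including the syslog prefix and the placeholder probe ID.
SAMPLE_LOG = [
    "EZZ9327I TRMD Attack log records suppressed:07/16/2010 20:19:43.52,"
    "attack type=IPFragment,count=57,probeid=0403FFF0,"
    "sensorhostname=MVS123.tcp.company.com",
    "Jul 16 20:25:01 MVS123 EZZ9327I TRMD Attack log records suppressed:"
    "07/16/2010 20:24:43.52,attack type=IPFragment,count=12,probeid=0403FFF0,"
    "sensorhostname=MVS123.tcp.company.com",
    "Jul 16 20:25:02 MVS123 EZZ9327I TRMD Attack log records suppressed:"
    "07/16/2010 20:24:43.52,attack type=Flood,count=310,probeid=PROBEID-PLACEHOLDER,"
    "sensorhostname=MVS123.tcp.company.com",
    "Jul 16 20:25:03 MVS123 EZZ8100I unrelated message, ignored by the parser",
]

if __name__ == "__main__":
    for sensor, per_type in summarize(SAMPLE_LOG).items():
        for attacktype, suppressed in per_type.items():
            print(f"{sensor}: {attacktype}: {suppressed} events suppressed")
```

A monitoring rule built on this output would treat any EZZ9327I record as a signal that the interval's full event volume is unknown; the count field gives a lower bound, which is why minimum_events adds the 100 already-logged events rather than reporting the suppressed count alone.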

Procedure name

WriteLogEntries

Copyright IBM Corporation 1990, 2014