This report is displayed when the -I option is specified
with the trmdstat command or when no report option is provided on
the trmdstat command invocation. It displays the summary of all the
IDS information present in the log. Using this report enables you
to get an idea of the overall effect of the IDS policies installed
in the system.
> trmdstat -I /tmp/tstlog.log
trmdstat for z/OS CS V2R1 Fri Nov 25 11:30:11 2011
Command Entered : trmdstat -I /tmp/tstlog.log
Log Time Interval : Jul 19 10:41:39 - Nov 23 14:52:52
Stack Time Interval : Jul 19 10:41:39 - Nov 23 14:52:31
TRM Records Scanned : 227
TCP - Traffic Regulation
------------------------------------------------
Connections would have been refused : 3
Connections refused : 19
Constrained entry logged : 1
Constrained exit logged : 1
Constrained entry : 5
Constrained exit : 5
QOS exceptions logged : 1
QOS exceptions made : 5
UDP - Traffic Regulation
------------------------------------------------
Constrained entry logged : 1
Constrained exit logged : 1
Constrained entry : 4
Constrained exit : 4
SCAN Detection
------------------------------------------------
Threshold exceeded : 11
Detection delayed : 0
Storage constrained entry : 0
Storage constrained exit : 0
ATTACK Detection
------------------------------------------------
Packet would have been discarded : 10
Packet discarded : 12
FLOOD Detection
------------------------------------------------
Accept queue expanded : 2
SYN flood start : 5
SYN flood end : 5
Interface flood start : 3
Interface flood end : 3
EE XID flood start : 2
EE XID flood end : 2
Global TCP Stall Detection
------------------------------------------------
Global TCP stall entry : 1
Global TCP stall exit : 1
Connections would have been reset : 6
Connections reset : 6
TCP Queue Size Detection
------------------------------------------------
Send queue
Constrained entry : 2
Constrained exit : 2
Connections reset : 2
Receive queue
Constrained entry : 2
Constrained exit : 2
Connections reset : 2
Out-of-order queue
Constrained entry : 2
Constrained exit : 2
Connections reset : 1
The following information describes the areas of the IDS
summary report.
- TCP - Traffic regulation
- Connections would have been refused
- Specifies the number of connections that would have been refused
if policy action LIMIT had been specified in the TR policy. This count
indicates the total number of EZZ9319I messages present in the log.
- Connections refused
- Indicates the number of connections refused by the system. This
count indicates the total number of EZZ9324I messages present in the
log.
- Constrained entry logged
- Specifies the number of times that a TCP listener would have entered
a constrained state if policy action LIMIT had been specified in the
TR policy. This count indicates the total number of EZZ9320I messages
present in the log.
- Constrained exit logged
- Specifies the number of times that a TCP listener would have exited
a constrained state if policy action LIMIT had been specified in the
TR policy. This count indicates the total number of EZZ9322I messages
present in the log.
- Constrained entry
- Specifies the number of times that a TCP listener entered a constrained
state. This count indicates the total number of EZZ9321I messages
present in the log.
- Constrained exit
- Specifies the number of times that a TCP listener exited a constrained
state. This count indicates the total number of EZZ9323I messages
present in the log.
- QOS exceptions logged
- Specifies the number of times a QoS exception was logged because
the QOS policy guarantees a higher number of connections to this port
than would be allowed by the TCP TR policy. This count indicates the
total number of EZZ9318I messages present in the log.
- QOS exceptions made
- Specifies the number of times a QoS exception was made because
the QOS policy guarantees a higher number of connections to this port
than would be allowed by the TCP TR policy. This count indicates the
total number of EZZ9317I messages present in the log.
- UDP - Traffic regulation
- Constrained entry logged
- Specifies the number of times that a UDP socket would have entered
a constrained state if policy action LIMIT had been specified in the
TR policy. This count indicates the total number of EZZ8638I messages
present in the log.
- Constrained exit logged
- Specifies the number of times that a UDP socket would have exited
a constrained state if policy action LIMIT had been specified in the
TR policy. This count indicates the total number of EZZ8640I messages
present in the log.
- Constrained entry
- Specifies the number of times that a UDP socket entered a constrained
state. This count indicates the total number of EZZ8639I messages
present in the log.
- Constrained exit
- Specifies the number of times that a UDP socket exited a constrained
state. This count indicates the total number of EZZ8641I messages
present in the log.
- Scan detection
- Threshold exceeded
- Specifies the number of scan events detected. This count indicates
the total number of EZZ8643I messages present in the log.
- Detection delayed
- Specifies the number of scan interval overrun events detected.
This count indicates the total number of EZZ8645I messages present
in the log.
- Storage constrained entry
- Specifies the number of times scan storage constraint entry was
detected. This count indicates the total number of EZZ8646I messages
present in the log.
- Storage constrained exit
- Specifies the number of times scan storage constraint exit was
detected. This count indicates the total number of EZZ8647I messages
present in the log.
- Attack detection
- Packet would have been discarded
- Specifies the total number of attack packets that would have been
discarded if policy action Discard had been specified in the attack
policy. This count indicates the total number of EZZ8649I messages
present in the log.
- Packet discarded
- Specifies the total number of attack packets discarded. This count
indicates the total number of EZZ8648I messages present in the log.
- Flood detection
- Accept queue expanded
- Specifies the number of accept queue expansions. This count indicates
the total number of EZZ8652I messages present in the log.
- SYN flood start
- Specifies the number of SYN flood starts detected. This count
indicates the total number of EZZ8650I messages present in the log.
- SYN flood end
- Specifies the number of SYN flood ends detected. This count indicates
the total number of EZZ8651I messages present in the log.
- Interface flood start
- Specifies the number of interface flood starts detected. This
count indicates the total number of EZZ8654I messages present in the
log.
- Interface flood end
- Specifies the number of interface flood ends detected. This count
indicates the total number of EZZ8655I messages present in the log.
- EE XID flood start
- Specifies the number of EE XID flood starts detected. This count
indicates the total number of EZZ8677I messages present in the log.
- EE XID flood end
- Specifies the number of EE XID flood ends detected. This count
indicates the total number of EZZ8678I messages present in the log.
- Global TCP stall detection
- Global TCP stall entered
- Specifies the number of global TCP stall enter conditions that
have been detected. This count indicates the number of EZZ8671I messages
present in the log.
- Global TCP stall exited
- Specifies the number of global TCP stall exit conditions that
have been detected. This count indicates the number of EZZ8672I messages
present in the log.
- Connections would have been reset
- Specifies the number of stalled TCP connections that contributed
to a global TCP stall condition. These stalled TCP connections were
not reset because Intrusion Detection Services (IDS) policy for the
global TCP stall attack type specified that connections should not
be reset. This count indicates the number of EZZ8674I messages present
in the log.
- Connections reset
- Specifies the number of stalled TCP connections that contributed
to a global TCP stall condition. These stalled TCP connections were
reset because Intrusion Detection Services (IDS) policy for the global
TCP stall attack type specified that connections should be reset.
This count indicates the number of EZZ8673I messages present in the
log.
- TCP Queue size detection
- Send queue
- Constrained entered
- Specifies the number of times a TCP connection's send queue entered
a constrained state. This count indicates the total number of EZZ8664I
messages present in the log.
- Constrained exited
- Specifies the number of times a TCP connection's send queue exited
a constrained state. This count indicates the total number of EZZ8665I
messages present in the log.
- Connections reset
- Specifies the number of TCP connections that were reset because
the connections' send queues were constrained. This count indicates
the number of EZZ8669I messages present in the log.
- Receive queue
- Constrained entered
- Specifies the number of times a TCP connection's receive queue
entered a constrained state. This count indicates the total number
of EZZ8662I messages present in the log.
- Constrained exited
- Specifies the number of times a TCP connection's receive queue
exited a constrained state. This count indicates the total number
of EZZ8663I messages present in the log.
- Connections reset
- Specifies the number of TCP connections that were reset because
the connections' receive queues were constrained. This count indicates
the number of EZZ8668I messages present in the log.
- Out-of-order queue
- Constrained entered
- Specifies the number of times a TCP connection's out-of-order
queue entered a constrained state. This count indicates the total
number of EZZ8666I messages present in the log.
- Constrained exited
- Specifies the number of times a TCP connection's out-of-order
queue exited a constrained state. This count indicates the total
number of EZZ8667I messages present in the log.
- Connections reset
- Specifies the number of TCP connections that were reset because
the connections' out-of-order queues were constrained. This count
indicates the number of EZZ8670I messages present in the log.
- messages suppressed
- Specifies the number of messages suppressed with date and time.
This data comes from an EZZ8660I, EZZ8661I, or EZZ9327I message. See
in The trmdstat report general concept for a detailed description.
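
The following is an added example, not part of the original documentation or of trmdstat itself. It parses the body of an IDS summary report and flags two things a reviewer usually looks for: nonzero "would have been" counters, and entry/exit or start/end counters that do not balance within the log interval. The function names and the sample text are assumptions made for illustration.

```python
import re
# Constructed excerpt in the report's layout; counts are made up so one pair is unbalanced.
SAMPLE = """\
TRM Records Scanned : 227
TCP - Traffic Regulation
------------------------------------------------
Connections would have been refused : 3
Connections refused : 19
FLOOD Detection
------------------------------------------------
SYN flood start : 5
SYN flood end : 4
TCP Queue Size Detection
------------------------------------------------
Send queue
Constrained entry : 2
Constrained exit : 2
"""

COUNTER = re.compile(r"^(?P<label>[^:]+?)\s+:\s+(?P<n>\d+)$")

def parse_summary(text):
    """Return {(section, subsection, label): count} for the report body."""
    counters, section, sub, prev = {}, None, None, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if set(line) == {"-"}:      # dashed rule: the previous line was a section title
            section, sub = prev, None
        elif (m := COUNTER.match(line)) and section:
            counters[(section, sub, m["label"])] = int(m["n"])
        elif section:               # bare line inside a section, e.g. "Send queue"
            sub = line
        prev = line
    return counters

def review(counters):
    """Flag nonzero 'would have been' counters and unbalanced open/close pairs."""
    findings = []
    for (sec, sub, label), n in counters.items():
        where = " / ".join(p for p in (sec, sub) if p)
        if "would have been" in label and n:
            findings.append(f"{where}: '{label}' = {n} (action not enforced by policy)")
        words = label.split()
        for opened, closed in (("entry", "exit"), ("start", "end")):
            if opened in words:
                partner = " ".join(closed if w == opened else w for w in words)
                other = counters.get((sec, sub, partner), 0)
                if other != n:
                    findings.append(f"{where}: '{label}' = {n} but '{partner}' = {other}")
    return findings
```

Calling review(parse_summary(SAMPLE)) returns one finding for the log-only TCP traffic regulation counter and one for the SYN flood that has a start message without a matching end message in the log.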