EZZ8648I TRMD ATTACK packet was discarded:date time,sipaddr=sipaddr,dipaddr=dipaddr,sport=sport,dport=dport,type=type,proto=proto,option=option,fragsize=fragoff,correlator=correlator,probeid=probeid,sensorhostname=sensorhostname,restrictval=restrictval

Explanation

An attack event of the indicated type was detected while a packet was being processed. The packet was discarded because Intrusion Detection Services (IDS) policy for the attack type specified that packets must be discarded.
In the message text:

- date: The date when the attack event was detected.
- time: The time when the attack event was detected.
- sipaddr: The source IP address in the packet.
- dipaddr: The destination IP address in the packet.
- sport: The source port in the packet. A value of zero indicates that the packet did not contain a source port value or that the source port was not known at the point that the attack was detected.
- dport: The destination port in the packet. A value of zero indicates that the packet did not contain a destination port value or that the destination port was not known at the point that the attack was detected.
- type: The attack event type. It has one of the following values:
  - Malformed: Malformed packet
  - OutboundRaw: Outbound RAW restriction
  - IPFragment: Inbound fragment
  - ICMP: ICMP redirect
  - IPOPT: IP option restriction
  - IPPROTO: IP protocol restriction
  - PerpEcho: UDP perpetual echo
  - OutboundRaw6: IPv6 outbound RAW restriction
  - IPv6NextHeader: IPv6 next header restriction
  - IPv6HopOptions: IPv6 hop-by-hop option restriction
  - IPv6DestOptions: IPv6 destination option restriction
  - DataHiding: Data hiding
  - EELDLCCheck: EE packet received on wrong port
  - EEPortCheck: EE source port incorrect
  - EEMalformed: EE malformed packet
  These correspond to the AttackType values specified in IDS policy. See the z/OS Communications Server: IP Configuration Guide for a description of the attack types.
- proto: The IP protocol type.
  - For an IPv4 packet, this is the IP protocol value from the IP header.
  - For an IPv6 packet, this is the upper layer protocol value (such as TCP or UDP). A value of zero indicates that the protocol value was not known at the point that the attack was detected. The IPv6 header does not contain a protocol field; to obtain the protocol value for an IPv6 packet, any extension headers must be processed. For some attack types, such as Malformed, the extension headers might not have been processed yet when the attack is detected. In that case, the value is 0.
  Tip: If this value is 0 and you have IDS event trace enabled in your policy, you can use the correlator value from this message to find the corresponding trace entry. The IDS trace formatter formats the packet, including the protocol header and any extension headers.
- option: The IP option that was detected in the packet and was restricted by the IDS policy. option is only applicable when the type is IPOPT. For other attack types, the value is 0.
- fragoff (carried by the fragsize= keyword in the message): The offset, from the beginning of the original datagram, to where the data in this fragment differs from the data received in previous fragments. fragoff is only applicable when type is IPFragment and probeid is either 04030002 or 04030011. Otherwise, the value is 0.
- correlator: The IDS trace correlator for the attack event.
- probeid: The unique identifier of the probe detection point. See the intrusion detection services probe IDs in z/OS Communications Server: IP and SNA Codes for a description of the IDS probe IDs.
- sensorhostname: The fully qualified host name of the IDS sensor.
- restrictval: The value that was detected in the packet and was restricted by the IDS policy. restrictval is only applicable when type is OutboundRaw, IPOPT, IPPROTO, OutboundRaw6, IPv6NextHeader, IPv6HopOptions, or IPv6DestOptions. For other attack types, the value is 0.
System action
Operator response
System programmer response
Module
Example

EZZ8648I TRMD ATTACK packet was discarded:07/16/2010 20:19:43.52,sipaddr=9.67.120.4,dipaddr=9.67.120.3,sport=0,dport=0,type=IPPROTO,proto=89,option=0,fragsize=0,correlator=2905,probeid=04060001,sensorhostname=MVS123.tcp.company.com,restrictval=89
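When EZZ8648I is forwarded to a SIEM, the zero-valued fields are the usual source of bad alerts: option, fragsize and restrictval are 0 for most attack types, and proto=0 on an IPv6 packet means "not yet known", not protocol 0. The parser below is an added example, not IBM code, and not part of this message reference. It applies the applicability rules from the field descriptions above, keeps probeid as a string so its leading zero survives, and flags IPv6 events whose protocol has to be recovered from the IDS event trace via the correlator. The sample input is constructed: the first line is the example message above rejoined onto one syslog line, the other two are made up (their addresses, the fragsize value and the 00000000 probe ID are placeholders, not real IDS probe IDs), and the timestamp parser assumes the mm/dd/yyyy hh:mm:ss.hh form shown in the example.

```python
"""Parse TRMD EZZ8648I attack-discard messages (added example, not IBM code)."""
import ipaddress
from collections import Counter
from datetime import datetime
from typing import Optional

PREFIX = "EZZ8648I TRMD ATTACK packet was discarded:"

# Attack event types and their meanings, as listed for the 'type' field.
ATTACK_TYPES = {
    "Malformed": "Malformed packet", "OutboundRaw": "Outbound RAW restriction",
    "IPFragment": "Inbound fragment", "ICMP": "ICMP redirect",
    "IPOPT": "IP option restriction", "IPPROTO": "IP protocol restriction",
    "PerpEcho": "UDP perpetual echo", "OutboundRaw6": "IPv6 outbound RAW restriction",
    "IPv6NextHeader": "IPv6 next header restriction",
    "IPv6HopOptions": "IPv6 hop-by-hop option restriction",
    "IPv6DestOptions": "IPv6 destination option restriction", "DataHiding": "Data hiding",
    "EELDLCCheck": "EE packet received on wrong port",
    "EEPortCheck": "EE source port incorrect", "EEMalformed": "EE malformed packet",
}
# Types for which restrictval is meaningful, and probe IDs for which fragsize is.
RESTRICTVAL_TYPES = {"OutboundRaw", "IPOPT", "IPPROTO", "OutboundRaw6",
                     "IPv6NextHeader", "IPv6HopOptions", "IPv6DestOptions"}
FRAGSIZE_PROBEIDS = {"04030002", "04030011"}
INT_FIELDS = ("sport", "dport", "proto", "option", "fragsize", "correlator", "restrictval")
REQUIRED = ("sipaddr", "dipaddr", "type", "probeid", "sensorhostname") + INT_FIELDS


def parse_ezz8648i(line: str) -> Optional[dict]:
    """Return a typed record for one EZZ8648I line, or None for any other message."""
    line = line.strip()
    if not line.startswith(PREFIX):
        return None
    timestamp, _, rest = line[len(PREFIX):].partition(",")
    rec = {"timestamp_text": timestamp}
    for item in rest.split(","):
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed field {item!r} in EZZ8648I message")
        rec[key] = value
    missing = [k for k in REQUIRED if k not in rec]
    if missing:
        raise ValueError(f"EZZ8648I message lacks fields {missing}")
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    # probeid stays a string: the leading zero in "04060001" is significant.
    # Assumption: the mm/dd/yyyy hh:mm:ss.hh form of the page's example; keep the
    # raw text too in case the system's date format differs.
    try:
        rec["timestamp"] = datetime.strptime(timestamp, "%m/%d/%Y %H:%M:%S.%f")
    except ValueError:
        rec["timestamp"] = None
    rec["type_description"] = ATTACK_TYPES.get(rec["type"], "unknown attack type")
    rec["ip_version"] = ipaddress.ip_address(rec["sipaddr"]).version
    # Applicability rules from the field descriptions, so a 0 is never reported
    # as "option 0" or "restricted value 0" for a type that does not use it.
    rec["option_applies"] = rec["type"] == "IPOPT"
    rec["restrictval_applies"] = rec["type"] in RESTRICTVAL_TYPES
    rec["fragsize_applies"] = (rec["type"] == "IPFragment"
                               and rec["probeid"] in FRAGSIZE_PROBEIDS)
    # proto=0 on IPv6 means the extension headers were not walked before the
    # probe fired; the correlator is the key into the IDS event trace.
    rec["proto_unknown"] = rec["ip_version"] == 6 and rec["proto"] == 0
    return rec


def summarize(rec: dict) -> str:
    """One triage line per event, showing only the fields that carry meaning."""
    parts = [f"{rec['type']}/{rec['probeid']} ({rec['type_description']})",
             f"{rec['sipaddr']}:{rec['sport']} -> {rec['dipaddr']}:{rec['dport']}",
             f"proto={rec['proto']}"]
    if rec["restrictval_applies"]:
        parts.append(f"restrictval={rec['restrictval']}")
    if rec["option_applies"]:
        parts.append(f"option={rec['option']}")
    if rec["fragsize_applies"]:
        parts.append(f"fragsize={rec['fragsize']}")
    if rec["proto_unknown"]:
        parts.append(f"[proto unknown: see IDS trace correlator {rec['correlator']}]")
    return " ".join(parts)


def count_by_type(lines) -> dict:
    """Count EZZ8648I events per attack type, ignoring other syslog lines."""
    recs = (parse_ezz8648i(line) for line in lines)
    return dict(Counter(r["type"] for r in recs if r is not None))


# Constructed sample input. Line 1 is the page's example rejoined onto one line;
# lines 2 and 3 are made up (00000000 is a placeholder, not a real probe ID).
SAMPLE_LINES = [
    "EZZ8648I TRMD ATTACK packet was discarded:07/16/2010 20:19:43.52,"
    "sipaddr=9.67.120.4,dipaddr=9.67.120.3,sport=0,dport=0,type=IPPROTO,proto=89,"
    "option=0,fragsize=0,correlator=2905,probeid=04060001,"
    "sensorhostname=MVS123.tcp.company.com,restrictval=89",
    "EZZ8648I TRMD ATTACK packet was discarded:07/16/2010 20:20:01.10,"
    "sipaddr=2001:db8::1,dipaddr=2001:db8::2,sport=0,dport=0,type=Malformed,proto=0,"
    "option=0,fragsize=0,correlator=2906,probeid=00000000,"
    "sensorhostname=MVS123.tcp.company.com,restrictval=0",
    "EZZ8648I TRMD ATTACK packet was discarded:07/16/2010 20:20:07.33,"
    "sipaddr=9.67.120.9,dipaddr=9.67.120.3,sport=0,dport=0,type=IPFragment,proto=17,"
    "option=0,fragsize=1480,correlator=2907,probeid=04030002,"
    "sensorhostname=MVS123.tcp.company.com,restrictval=0",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(summarize(parse_ezz8648i(sample)))
    print(count_by_type(SAMPLE_LINES))
```

Run as a script it prints one triage line per event and a per-type count. For the page's example it reports restrictval=89 because IPPROTO is one of the types that uses it; for the constructed IPv6 Malformed line it suppresses the meaningless zero fields and points the analyst at the trace correlator instead.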
Procedure name

WriteLogEntries