z/OS Communications Server: IP Messages Volume 4 (EZZ, SNM)
SC27-3657-01

EZZ8649I
TRMD ATTACK packet would have been discarded:date time,sipaddr=sipaddr,dipaddr=dipaddr,sport=sport,dport=dport,type=type,proto=proto,option=option,fragsize=fragoff,correlator=correlator,probeid=probeid,sensorhostname=sensorhostname,restrictval=restrictval

Explanation

An attack event of the indicated type was detected while a packet was being processed. The packet was not discarded because Intrusion Detection Services (IDS) policy for the attack type specified that packets must not be discarded.

date is the date when the attack event was detected.

time is the time when the attack event was detected.

sipaddr is the source IP address in the packet.

dipaddr is the destination IP address in the packet.

sport is the source port in the packet. A value of zero indicates that the packet did not contain a source port value or that the source port was not known at the point that the attack was detected.

dport is the destination port in the packet. A value of zero indicates that the packet did not contain a destination port value or that the destination port was not known at the point that the attack was detected.

type is the attack event type. It will have one of the following values:
  • Malformed: Malformed packet
  • OutboundRaw: Outbound RAW restriction
  • IPFragment: Inbound fragment
  • ICMP: ICMP redirect
  • IPOPT: IP option restriction
  • IPPROTO: IP protocol restriction
  • PerpEcho: UDP perpetual echo
  • OutboundRaw6: IPv6 outbound RAW restriction
  • IPv6NextHeader: IPv6 next header restriction
  • IPv6HopOptions: IPv6 hop-by-hop option restriction
  • IPv6DestOptions: IPv6 destination option restriction
  • DataHiding: Data hiding
  • EELDLCCheck: EE packet received on wrong port
  • EEPortCheck: EE source port incorrect
  • EEMalformed: EE malformed packet

These correspond to the AttackType values specified in IDS policy. See the z/OS Communications Server: IP Configuration Guide for a description of the attack types.

proto is the IP protocol type.
  • For an IPv4 packet, this is the IP protocol value from the IP header.
  • For an IPv6 packet, this is the upper layer protocol value (such as TCP or UDP). A value of zero indicates that the protocol value was not known at the point that the attack was detected. The IPv6 header does not contain a protocol field. To obtain the protocol value for an IPv6 packet, any extension headers must be processed. For some attack types, such as Malformed, the extension headers might not have been processed yet when the attack is detected. In that case, the value is 0.

    Tip: If this value is 0 and you have IDS event trace enabled in your policy, you can use the correlator value to find the corresponding trace entry. The IDS trace formatter will format the packet, including the protocol header and any extension headers.

option is the IP option that was detected in the packet and was restricted by the IDS policy. option is only applicable when the type is IPOPT. For other attack types, the value is 0.

fragoff is the offset, from the beginning of the original datagram, to where the data in this fragment differs from the data received in previous fragments. fragoff is only applicable when type is IPFragment and probeid is either 04030002 or 04030011. Otherwise, the value is 0.

correlator is the IDS trace correlator for the attack event.

probeid is the unique identifier of the probe detection point. See the z/OS Communications Server: IP and SNA Codes for a description of the Intrusion Detection Services probe IDs.

sensorhostname is the fully qualified host name of the IDS sensor.

restrictval is the value that was detected in the packet and was restricted by the IDS policy. restrictval is only applicable when type is OutboundRaw, IPOPT, IPPROTO, OutboundRaw6, IPv6NextHeader, IPv6HopOptions, or IPv6DestOptions. For other attack types, the value is 0.

System action

Processing continues.

Operator response

None.

System programmer response

None.

Module

EZATRMD

Example

EZZ8649I TRMD ATTACK packet would have been discarded:07/16/2010 
20:19:43.52,sipaddr=9.67.120.4,dipaddr=9.67.120.3,sport=0,dport=0,
type=IPPROTO,proto=89,option=0,fragsize=0,correlator=2905,
probeid=04060001,sensorhostname=MVS123.tcp.company.com,restrictval=89

Procedure name

WriteLogEntries





Copyright IBM Corporation 1990, 2014