z/OS Communications Server: IP Messages Volume 4 (EZZ, SNM)
SC27-3657-01

EZZ8655I
TRMD ATTACK Interface flood end:date time,ifcname=ifcname,dipaddr=dipaddr,correlator=correlator,
duration=duration,discardcnt=discardcnt,discardp=discardp,mfproto=mfproto,mfprotop=mfprotop,
mfcat=mfcat,mfcatp=mfcatp,mfsrcmac=mfsrcmac,mfsrcmacp=mfsrcmacp,smmfproto=smmfproto,
smmfprotop=smmfprotop,smmfcat=smmfcat,smmfcatp=smmfcatp,lastsip=lastsip,sipcnt=sipcnt,
probeid=probeid,sensorhostname=sensorhostname

Explanation

The interface flood for the specified interface has ended. The data covers the period from the start of the flood and only includes packets received on the specified interface.

In the message text:
date
The date when the interface flood ended.
time
The time when the interface flood ended.
ifcname
The name of the interface experiencing the interface flood condition.
dipaddr
An IP address assigned to the interface at the start of the interface flood.
correlator
The Intrusion Detection Services (IDS) trace correlator.
duration
The number of seconds since the interface flood was detected.
discardcnt
The number of packets received on the interface that were discarded or not processed since the interface flood was detected.
discardp
The percentage of the total packets received on the interface that were discarded since the interface flood was detected.
mfproto
The protocol seen most frequently in the IP header of the discarded packets since the start of the interface flood. The protocol value is the protocol number, or zero if the protocol value is unknown.
mfprotop
The percentage of times this protocol was seen in the packets discarded for the interface during the interface flood condition.
mfcat
The category of discards seen most frequently since the start of the interface flood. Possible values are:
Storage
Storage could not be obtained to process the packet. Storage shortages can indicate a problem in the system other than an inbound packet flood.
CheckSum
Packet had a checksum error.
Malform
Malformed packet.
Dest
Destination not found. For example, the port is not active or is reserved, the matching socket is not available, or there are no listeners for the RAW protocol.
Firewall
Packet rejected by IP security.
MedHdr
Bad media header.
Forward
Packet is not for this TCP/IP stack but could not be forwarded. For example, forwarding is prevented because the header is bad or the IPCONFIG NODATAGRAMFWD option is specified.
QOSPol
Packet dropped due to QoS policy.
IDSPol
Packet dropped due to IDS policy.
Access
Packet dropped due to NetAccess, multilevel security, or OSM access checks.
ATTLS
Packet dropped due to AT-TLS policy.
OtherPol
Packet dropped due to other configuration policy.
Queue
Queue limit (other than those specified by IDS) prevented queueing the packet for processing. Possible queues include the syn queue, the reassembly queue, and the UDP or RAW receive queues.
OtherSyn
SYN problems other than a full SYN queue.
State
State mismatch.
UnpackErr
Packet dropped due to unpacking problems.
Misc
Miscellaneous reasons not listed above. For example, the TCP packet was outside of the TCP window, or duplicate fragments were found during packet reassembly.
mfcatp
The percentage of times this category was seen in the packets discarded for the interface during the interface flood condition.
mfsrcmac
Reported for LCS and some QDIO devices; not applicable for other device types. For packets discarded since the interface flood was detected, this is the source MAC address seen most frequently in the discarded packets. For device types that do not provide the source MAC address, this field contains N/A and the following fields that relate to the source MAC show zeros.
mfsrcmacp
The percentage of times this source MAC address was seen in the packets discarded for the interface during the interface flood condition.
smmfproto
Provided if the most frequent source MAC address (mfsrcmac) is available. This is the protocol seen most frequently in the IP header of the discarded packets for that source MAC address during the interface flood condition. The protocol value is the protocol number, or zero if the protocol value is unknown.
smmfprotop
Provided if the most frequent source MAC address (mfsrcmac) is available. This is the percentage of times the protocol reported in smmfproto was seen in the packets discarded for that source MAC address during the interface flood condition.
smmfcat
Provided if the most frequent source MAC address (mfsrcmac) is available. This is the category of discards seen most frequently for that source MAC address during the interface flood condition. See the mfcat field for the list of possible categories.
smmfcatp
Provided if the most frequent source MAC address (mfsrcmac) is available. This is the percentage of times the category reported in smmfcat was seen in the packets discarded for that source MAC address during the interface flood condition.
lastsip
The source IP address of the last packet discarded on this interface during the interface flood condition.
sipcnt
The consecutive number of discarded packets for the interface that have the same source IP address as the last discarded packet. If the previously discarded packet's source IP address is not the same as the last discarded packet's source IP address, the count will be 1.
probeid
The unique identifier of the probe that indicated the interface flood end. See z/OS Communications Server: IP and SNA Codes for a description of the Intrusion Detection Services probe IDs.
sensorhostname
The fully qualified host name of the IDS sensor.

System action

Processing continues.

Operator response

None.

System programmer response

The system programmer might want to analyze the data provided in this message to determine the cause of the interface flood condition. If the condition was not a true interface flood, the system programmer should consider changing the IDS ATTACK FLOOD policy actions to higher values to prevent future false detections.

Module

EZATRMD

Example

EZZ8655I TRMD ATTACK Interface flood end:07/16/2010 20:19:43.52,ifcname=OSA123,dipaddr=9.67.120.3,
correlator=57,duration=25,discardcnt=102,discardp=29,mfproto=6,mfprotop=82,mfcat=Malform,mfcatp=82,
mfsrcmac=40000C750800,mfsrcmacp=82,smmfproto=6,smmfprotop=100,smmfcat=Malform,smmfcatp=100,
lastsip=9.67.120.73,sipcnt=57,probeid=04070014,sensorhostname=MVS123.tcp.company.com
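As an added example (not IBM's code), a small Python parser that turns an EZZ8655I record like the one above into typed fields and derives the triage hints the field descriptions support. The single-line sample, the 80% source-MAC share threshold and the function names are assumptions.

```python
import re
from typing import Any, Dict, List

# Constructed sample: the EZZ8655I example from this page joined onto one line,
# as it would arrive in a syslog feed (assumption: no embedded line breaks).
SAMPLE = (
    "EZZ8655I TRMD ATTACK Interface flood end:07/16/2010 20:19:43.52,"
    "ifcname=OSA123,dipaddr=9.67.120.3,correlator=57,duration=25,"
    "discardcnt=102,discardp=29,mfproto=6,mfprotop=82,mfcat=Malform,"
    "mfcatp=82,mfsrcmac=40000C750800,mfsrcmacp=82,smmfproto=6,"
    "smmfprotop=100,smmfcat=Malform,smmfcatp=100,lastsip=9.67.120.73,"
    "sipcnt=57,probeid=04070014,sensorhostname=MVS123.tcp.company.com"
)

# Fields the message documents as counts, seconds, protocol numbers or percentages.
INT_FIELDS = {"correlator", "duration", "discardcnt", "discardp", "mfproto",
              "mfprotop", "mfcatp", "mfsrcmacp", "smmfproto", "smmfprotop",
              "smmfcatp", "sipcnt"}

HEADER = re.compile(r"^EZZ8655I TRMD ATTACK Interface flood end:"
                    r"(?P<date>\S+) (?P<time>[^,]+),(?P<rest>.*)$")


def parse_ezz8655i(line: str) -> Dict[str, Any]:
    """Parse one EZZ8655I record into typed fields; ValueError if it is not one."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an EZZ8655I interface flood end message")
    rec: Dict[str, Any] = {"date": m.group("date"), "time": m.group("time")}
    for pair in m.group("rest").split(","):
        key, _, val = pair.partition("=")
        rec[key] = int(val) if key in INT_FIELDS and val.isdigit() else val
    # Devices that do not supply a source MAC report mfsrcmac=N/A and zeros in
    # the MAC-related fields; flag that so smmf* zeros are not read as data.
    rec["srcmac_available"] = rec.get("mfsrcmac") not in (None, "N/A")
    return rec


def triage(rec: Dict[str, Any], mac_share: int = 80) -> List[str]:
    """Hints supported by the field descriptions (mac_share is an assumed threshold)."""
    hints: List[str] = []
    if rec.get("mfcat") == "Storage":
        hints.append("most discards were storage shortages; may not be a true flood")
    if rec["srcmac_available"] and rec.get("mfsrcmacp", 0) >= mac_share:
        hints.append(f"{rec['mfsrcmacp']}% of discards from source MAC {rec['mfsrcmac']}")
    if rec.get("sipcnt", 0) > 1:
        hints.append(f"last {rec['sipcnt']} consecutive discards from {rec['lastsip']}")
    return hints
```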

Procedure name

WriteLogEntries

Copyright IBM Corporation 1990, 2014