the intrusion detection service (ids) policy management ... · pdf file1 the intrusion...

1

www.newera.com

The Intrusion Detection Service (IDS) Policy Management Project

A NewEra Software, Inc. White Paper

July-August, 2012

Table of Contents:

Project Introduction: ..........................................................................................................................2

IDS Configuration .................................................................................................................................4

Penetration Testing .............................................................................................................................6

Extended Analytics ..............................................................................................................................8

Appendices .............................................................................................................................................9 PAGENT configuration file contents ....................................................................................................... 9 Policy configuration file contents ........................................................................................................... 9 SYSLOGD entries ......................................................................................................................................... 25 Extended Analytics Reports .................................................................................................................... 26

http://www.newera.com/

2

Project Introduction:

Policy-based networking is documented in Chapter 16 Policy-based

networking of z/OS Communications Server IP Configuration Guide Version

1 Release 13 Document Number SC31-8775-19 and in Chapter 22 Policy Agent

and policy applications of z/OS Communications Server IP Configuration

Reference Version 1 Release 13 Document Number SC31-8776-20

Describes the mechanism for defining business objectives in a collection

of network behavior policy metrics which control network operation and

the capture of network events.

A detailed description of IDS features and operation is found in Chapter

18 of the Guide.

A detailed stepwise procedure for creating and installing a sample IDS

policy can be found in Chapter 13 of the IBM z/OS V1R13 Communications

Server TCP/IP Implementation: Volume 4 Security and Policy-Based

Networking Redbook.

The purpose of this presentation is to demonstrate how NewEra Event

Detection services can be used in conjunction with an active IDS policy

to capture and report on IDS events in a Netview-like fashion, but

without the necessity of an installed Netview infrastructure.

NewEra’s Event Detector captures the output from the

D TCPIP,,NETSTAT,IDS operator command. Issuance of this command prior

to commencing configuration activities confirmed a nonexistent policy:

EZZ2500I NETSTAT CS V1R13 TCPIP 735

INTRUSION DETECTION SERVICES SUMMARY:

SCAN DETECTION:

GLOBRULENAME: *NONE*

ICMPRULENAME: *NONE*

TOTDETECTED: 0 DETCURRPLC: 0

DETCURRINT: 0 INTERVAL: 0

SRCIPSTRKD: 0 STRGLEV: 00000

ATTACK DETECTION:

MALFORMED PACKETS

PLCRULENAME: *NONE*



OUTBOUND RAW RESTRICTIONS

PLCRULENAME: *NONE*



RESTRICTED PROTOCOLS

PLCRULENAME: *NONE*



RESTRICTED IP OPTIONS

PLCRULENAME: *NONE*



http://www.redbooks.ibm.com/redpieces/pdfs/sg247999.pdf



3

ICMP REDIRECT RESTRICTIONS

PLCRULENAME: *NONE*



IP FRAGMENT RESTRICTIONS

PLCRULENAME: *NONE*



UDP PERPETUAL ECHO

PLCRULENAME: *NONE*



FLOODS

PLCRULENAME: *NONE*



DATA HIDING

PLCRULENAME: *NONE*



TCP QUEUE SIZE

PLCRULENAME: *NONE*



GLOBAL TCP STALL

PLCRULENAME: *NONE*



EE LDLC CHECK

PLCRULENAME: *NONE*



EE MALFORMED PACKETS

PLCRULENAME: *NONE*



EE PORT CHECK

PLCRULENAME: *NONE*



EE XID FLOOD

PLCRULENAME: *NONE*



TRAFFIC REGULATION:

TCP

CONNREJECTED: 0 PLCACTIVE: N

UDP

PCKDISCARDED: 0 PLCACTIVE: N

ACTIVE GLOBAL CONDITIONS:

SERVERSINCONNFLOOD: 0

4

TCPSTALLEDCONNS: 0 TCPSTALLEDCONNSPCT: 0

IDS Configuration

The initial step involves the creation of an IDS policy configuration

file using either z/OSMF Configuration Assistant, or the PC-based V1R13

IBM Configuration Assistant for z/OS Communications Server tool (herein

dubbed PCCA).

PCCA was selected for this exercise, downloaded via the link above, and

installed.

The detailed procedure in Chapter 13 of the Redbook referenced above

should be followed to create the policy configuration file.

The Redbook procedure uses z/OSMF, but the process is effectively

identical for PCCA.

At the conclusion of the procedure, PCCA had created an IDS policy

configuration file, with sample default specifications.

PCCA provides an FTP service, which was invoked to upload the file to

the target z/OS host at default location

/etc/cfgasst/v1r13/imagename/stackname/idsPol

The next step involved the creation of a policy agent (PAGENT)

configuration file (PACF) pointing to the idsPol file above.

PACF file /etc/cfgasst/v1r13/imagename/stackname/policyConfig

was created with OEDIT, containing the following line:

IDSConfig /etc/cfgasst/v1r13/imagename/stackname/idsPol FLUSH

Additional entries were added to the PACF file for desired components,

e.g. TRMD and IKED, as shown in Appendix A.

Started task PAGENT was configured on the host using the sample supplied

in TCPIP.SEZAINST(EZAPAGSP).

The STDENV DD file in PAGENT was populated according to Redbook

recommendations.

The following line was added to the STDENV DD file:

PAGENT_CONFIG_FILE=/etc/cfgasst/v1r13/imagename/stackname/policyConfig

PAGENT was started via S PAGENT. The following messages were issued:

EZZ8431I PAGENT STARTING

EZZ8432I PAGENT INITIALIZATION COMPLETE

EZZ8771I PAGENT CONFIG POLICY PROCESSING COMPLETE FOR TCPIP : IDS

EZD1586I PAGENT HAS INSTALLED ALL LOCAL POLICIES FOR TCPIP

D TCPIP,,NETSTAT,IDS now displayed:



SCAN DETECTION:

https://www-947.ibm.com/support/entry/myportal/Downloads/Software/Other_Software/z~OS_Communications_Server

https://www-947.ibm.com/support/entry/myportal/Downloads/Software/Other_Software/z~OS_Communications_Server

5

GLOBRULENAME: SCANGLOBAL

ICMPRULENAME: ICMP 1



SRCIPSTRKD: 0 STRGLEV: 00000

ATTACK DETECTION:

MALFORMED PACKETS

PLCRULENAME: MALFORMEDPACKET




PLCRULENAME: IPV4OUTBOUNDRAW




PLCRULENAME: IPV4PROTOCOL




PLCRULENAME: IPV4OPTION




PLCRULENAME: ICMPREDIRECT




PLCRULENAME: IPV4FRAGMENTATION



UDP PERPETUAL ECHO

PLCRULENAME: ECHO



FLOODS

PLCRULENAME: FLOOD



DATA HIDING

PLCRULENAME: DATAHIDING



TCP QUEUE SIZE

PLCRULENAME: TCPQUEUESIZE



GLOBAL TCP STALL

PLCRULENAME: GLOBALTCPSTALL



EE LDLC CHECK

6

PLCRULENAME: EELDLCCHECK




PLCRULENAME: EEMALFORMEDPACKET



EE PORT CHECK

PLCRULENAME: EEPORTCHECK



EE XID FLOOD

PLCRULENAME: EEXIDFLOOD



TRAFFIC REGULATION:

TCP

CONNREJECTED: 0 PLCACTIVE: Y

UDP





Penetration Testing

Policy efficacy validation using a PC-based network penetration testing

tool (Advanced Port Scanner V1.3) against the z/OS ports triggered the

following messages:

EZZ8761I IDS EVENT DETECTED 638

EZZ8730I STACK TCPIP

EZZ8762I EVENT TYPE: FAST SCAN DETECTED

EZZ8766I IDS RULE ScanGlobal

EZZ8767I IDS ACTION ScanGlobalAction

D TCPIP,,NETSTAT,IDS now displayed (with updates highlighted):



SCAN DETECTION:

GLOBRULENAME: SCANGLOBAL

ICMPRULENAME: ICMP 1



SRCIPSTRKD: 0 STRGLEV: 00000M

ATTACK DETECTION:

MALFORMED PACKETS

PLCRULENAME: MALFORMEDPACKET



7


PLCRULENAME: IPV4OUTBOUNDRAW




PLCRULENAME: IPV4PROTOCOL




PLCRULENAME: IPV4OPTION




PLCRULENAME: ICMPREDIRECT




PLCRULENAME: IPV4FRAGMENTATION



UDP PERPETUAL ECHO

PLCRULENAME: ECHO



FLOODS

PLCRULENAME: FLOOD



DATA HIDING

PLCRULENAME: DATAHIDING



TCP QUEUE SIZE

PLCRULENAME: TCPQUEUESIZE



GLOBAL TCP STALL

PLCRULENAME: GLOBALTCPSTALL



EE LDLC CHECK

PLCRULENAME: EELDLCCHECK




PLCRULENAME: EEMALFORMEDPACKET



EE PORT CHECK

PLCRULENAME: EEPORTCHECK


8


EE XID FLOOD

PLCRULENAME: EEXIDFLOOD



TRAFFIC REGULATION:

TCP

CONNREJECTED: 0 PLCACTIVE: Y

UDP





ACTIVE INTERFACE FLOODS:

INTFNAME: OSDL

DISCARDCNT: 1000 DISCARDRATE: 99 DURATION: 57

The configuration described above is applicable across multiple IP

stacks deployed on the underlying LPAR. PAGENT also supports individual

customizations for such stacks. In this scenario, the PAGENT

configuration file described above would contain multiple TcpImage

statements identifying each stack, pointing to multiple individual

policy configuration files, each customized for its associated stack,

e.g.

TcpImage TCPIPA /etc/pagent.sc32.tcpipa.conf

TcpImage TCPIPB /etc/pagent.sc32.tcpipb.conf

A detailed description appears in Chapter 4 of the Redbook.

Extended Analytics

In the PCCA “Scans” section of the “Requirement Map” definition, “Default

Report Settings for Scans” provides the option to log to SYSLOGD. When

this is enabled, IDS logging is directed to TRMD directories and files

specified in /etc/syslog.conf, which is the SYSLOGD configuration file.

SYSLOGD details can be found in Chapter 1 of z/OS V1R13 Communications

Server TCP/IP Implementation: Volume 2 Standard Applications. Examples of

the additional syslog.conf entries are found in Appendix C of this

document. Subsequently, the EZACMD TRMDSTAT command can be issued from

the console to produce detailed analytical reports which are displayed

upon the console, and thus capturable by New Era Detector interfaces.

Examples of the EZACMD TRMDSTAT commands and outputs are found in Appendix

D of this document. Depending upon the RACF authorization and privilege

levels of the userIDs and environments from which EZACMD is to be issued,

it may be necessary to explicitly define additional security resources.

The requisite procedures are described in section 2.6.5 “EZACMD console

command security” of the Redbook.

9

Appendices

PAGENT configuration file contents

IDSConfig /etc/cfgasst/v1r13/ESSD6/ESSD6/idsPol PURGE

AutoMonitorParms

{

MonitorInterval 10

RetryLimitCount 5

RetryLimitPeriod 600

}

AutoMonitorApps

{

AppName TRMD

{

TcpImageName TCPIP

{

Procname POLPROC

Jobname TRMD

}

}

AppName IKED

{

Procname POLPROC

Jobname IKED

}

}

Policy configuration file contents

##

## IDS Policy Agent Configuration file for:

## Image: ESSD6

## Stack: ESSD6

##

## Created by the IBM Configuration Assistant for z/OS Communications

Server

## Version 1 Release 13

## Backing Store = C:\IBM\zCSConfigAssist\V1R13\saveData

## FTP History:

## 2012-03-23 19:39:52 : essjgr1 to 192.168.50.56

## 2012-03-23 18:37:43 : essjgr1 to 192.168.50.56

## 2012-03-21 19:17:02 : essjgr1 to 192.168.50.56

##

## End of Configuration Assistant information

IDSRule DataHiding

{

ConditionType Attack

10

IDSAttackCondition

{

AttackType DATA_HIDING

OptionPadChk Enable

IcmpEmbedPktChk Enable

}

IDSActionRef DataHiding

}

IDSRule IPv6OutboundRaw

{


IDSAttackCondition

{

AttackType OUTBOUND_RAW_IPv6

ProtocolGroupRef IpProtGroup~1

}

IDSActionRef IPv6OutboundRaw

}

IDSRule IPv6DestinationOptions

{


IDSAttackCondition

{

AttackType RESTRICTED_IPV6_DST_OPTIONS

RestrictedIpv6OptionGroupRef IpOptGroup~1

}

IDSActionRef IPv6DestinationOptions

}

IDSRule IPv6HopByHop

{


IDSAttackCondition

{

AttackType RESTRICTED_IPV6_HOP_OPTIONS

RestrictedIpv6OptionGroupRef IpOptGroup~2

}

IDSActionRef IPv6HopByHop

}

IDSRule IPv6NextHeader

{


IDSAttackCondition

{

AttackType RESTRICTED_IPV6_NEXT_HDR

IPv6NextHdrGroupRef IPv6NextHdrGroup~1

}

IDSActionRef IPv6NextHeader

11

}

IDSRule TcpQueueSize

{


IDSAttackCondition

{

AttackType TCP_QUEUE_SIZE

TcpQueueSize Short

}

IDSActionRef TcpQueueSize

}

IDSRule GlobalTCPStall

{


IDSAttackCondition

{

AttackType GLOBAL_TCP_STALL

}

IDSActionRef GlobalTCPStall

}

IDSRule Flood

{


IDSAttackCondition

{

AttackType FLOOD

IfcFloodMinDiscard 1000

IfcFloodPercentage 10

}

IDSActionRef Flood

}

IDSRule Echo

{


IDSAttackCondition

{

AttackType PERPETUAL_ECHO

LocalPortGroupRef LocalEchoPortGroup~1

RemotePortGroupRef RemoteEchoPortGroup~1

}

IDSActionRef Echo

}

IDSRule IPv4Protocol

{


IDSAttackCondition

12

{

AttackType RESTRICTED_IP_PROTOCOL


}

IDSActionRef IPv4Protocol

}

IDSRule IPv4Option

{


IDSAttackCondition

{

AttackType RESTRICTED_IP_OPTIONS

RestrictedIpOptionGroupRef IpOptGroup~3

}

IDSActionRef IPv4Option

}

IDSRule ICMPRedirect

{


IDSAttackCondition

{

AttackType ICMP_REDIRECT

}

IDSActionRef ICMPRedirect

}

IDSRule MalformedPacket

{


IDSAttackCondition

{

AttackType MALFORMED_PACKET

}

IDSActionRef MalformedPacket

}

IDSRule IPv4OutboundRaw

{


IDSAttackCondition

{

AttackType OUTBOUND_RAW


}

IDSActionRef IPv4OutboundRaw

}

IDSRule IPv4Fragmentation

{

13


IDSAttackCondition

{

AttackType IP_FRAGMENT

}

IDSActionRef IPv4Fragmentation

}

IDSRule EEMalformedPacket

{


IDSAttackCondition

{

AttackType EE_MALFORMED_PACKET

}

IDSActionRef EEMalformedPacket

}

IDSRule EELDLCCheck

{


IDSAttackCondition

{

AttackType EE_LDLC_CHECK

}

IDSActionRef EELDLCCheck

}

IDSRule EEPortCheck

{


IDSAttackCondition

{

AttackType EE_PORT_CHECK

}

IDSActionRef EEPortCheck

}

IDSRule EEXIDFlood

{


IDSAttackCondition

{

AttackType EE_XID_FLOOD

EEXIDTimeOut 100

}

IDSActionRef EEXIDFlood

}

IDSAction DataHiding

{

14

ActionType Attack nodiscard

IDSReportSet

{

TypeActions LOG

LoggingLevel 4

TypeActions STATISTICS

StatType Normal

StatInterval 60

}

}

IDSAction IPv6OutboundRaw

{


IDSReportSet

{

TypeActions LOG

LoggingLevel 4


StatType Normal

StatInterval 60

}

}

IDSAction IPv6DestinationOptions

{


IDSReportSet

{

TypeActions LOG

LoggingLevel 4


StatType Normal

StatInterval 60

}

}

IDSAction IPv6HopByHop

{


IDSReportSet

{

TypeActions LOG

LoggingLevel 4


StatType Normal

StatInterval 60

}

}

IDSAction IPv6NextHeader

15

{


IDSReportSet

{

TypeActions LOG

LoggingLevel 4


StatType Normal

StatInterval 60

}

}

IDSAction TcpQueueSize

{

ActionType Attack noresetconn

IDSReportSet

{

TypeActions LOG

LoggingLevel 4


StatType Normal

StatInterval 60

}

}

IDSAction GlobalTCPStall

{

ActionType Attack noresetconn

IDSReportSet

{

TypeActions LOG

LoggingLevel 4


StatType Normal

StatInterval 60

}

}

IDSAction Flood

{

ActionType Attack discard

IDSReportSet

{

TypeActions LOG

LoggingLevel 4


StatType Normal

StatInterval 60

}

}

16

IDSAction Echo

{


IDSReportSet

{

TypeActions LOG

LoggingLevel 4


StatType Normal

StatInterval 60

}

}

IDSAction IPv4Protocol

{


IDSReportSet

{

TypeActions LOG

LoggingLevel 4


StatType Normal

StatInterval 60

}

}

IDSAction IPv4Option

{


IDSReportSet

{

TypeActions LOG

LoggingLevel 4


StatType Normal

StatInterval 60

}

}

IDSAction ICMPRedirect

{


IDSReportSet

{

TypeActions LOG

LoggingLevel 4


StatType Normal

StatInterval 60

}

}

17

IDSAction MalformedPacket

{

ActionType Attack discard

IDSReportSet

{

TypeActions LOG

LoggingLevel 4


StatType Normal

StatInterval 60

}

}

IDSAction IPv4OutboundRaw

{


IDSReportSet

{

TypeActions LOG

LoggingLevel 4


StatType Normal

StatInterval 60

}

}

IDSAction IPv4Fragmentation

{


IDSReportSet

{

TypeActions LOG

LoggingLevel 4


StatType Normal

StatInterval 60

}

}

IDSAction EEMalformedPacket

{


IDSReportSet

{

TypeActions LOG

LoggingLevel 4


StatType Normal

StatInterval 60

}

18

}

IDSAction EELDLCCheck

{


IDSReportSet

{

TypeActions LOG

LoggingLevel 4


StatType Normal

StatInterval 60

}

}

IDSAction EEPortCheck

{


IDSReportSet

{

TypeActions LOG

LoggingLevel 4


StatType Normal

StatInterval 60

}

}

IDSAction EEXIDFlood

{


IDSReportSet

{

TypeActions LOG

LoggingLevel 4


StatType Normal

StatInterval 60

}

}

IpProtocolGroup IpProtGroup~1

{

IpProtocolRangeRef IpProtRange~1




}


{



19








}


{





}

IpProtocolRange IpProtRange~1

{

IpProtocol 0 16

}


{

IpProtocol 18 57

}


{

IpProtocol 59 88

}


{

IpProtocol 90 255

}


{

IpProtocol 0 0

}


{

IpProtocol 3 3

}


{

IpProtocol 5 5

}


{

IpProtocol 7 16

}


{

IpProtocol 18 45

}

20


{

IpProtocol 48 49

}


{

IpProtocol 52 88

}


{

IpProtocol 90 93

}


{

IpProtocol 95 255

}


{

IpProtocol 0 0

}


{

IpProtocol 2 16

}


{

IpProtocol 18 88

}


{

IpProtocol 90 255

}

IpOptionGroup IpOptGroup~1

{

IpOptionRangeRef IpOptRange~1





}


{






}


{


21





}

IpOptionRange IpOptRange~1

{

IpOption 2 3

}


{

IpOption 8 137

}


{

IpOption 139 193

}


{

IpOption 195 200

}


{

IpOption 202 255

}


{

IpOption 2 3

}


{

IpOption 8 137

}


{

IpOption 139 193

}


{

IpOption 195 200

}


{

IpOption 202 255

}


{

IpOption 2 6

}


{

22

IpOption 8 67

}


{

IpOption 69 81

}


{

IpOption 83 147

}


{

IpOption 149 255

}

IPv6NextHdrGroup IPv6NextHdrGroup~1

{

IPv6NextHdrRangeRef IPv6NextHdrRange~1









}

IPv6NextHdrRange IPv6NextHdrRange~1

{

IPv6NextHdr 1 5

}


{

IPv6NextHdr 7 16

}


{

IPv6NextHdr 18 40

}


{

IPv6NextHdr 42 42

}


{

IPv6NextHdr 45 49

}


{

IPv6NextHdr 52 57

}


23

{

IPv6NextHdr 61 88

}


{

IPv6NextHdr 90 134

}


{

IPv6NextHdr 136 255

}

PortGroup LocalEchoPortGroup~1

{

PortRange

{

Port 7

}

PortRange

{

Port 13

}

PortRange

{

Port 17

}

PortRange

{

Port 19

}

}

PortGroup RemoteEchoPortGroup~1

{

PortRange

{

Port 7

}

PortRange

{

Port 13

}

PortRange

{

Port 17

}

PortRange

{

Port 19

}

}

IDSRule All_Well-Known_TCP~1

24

{

Priority 65000

ConditionType ScanEvent

IDSScanEventCondition

{

Sensitivity MEDIUM

Protocol TCP

LocalPortRange 1-1023

}

IDSActionRef ScanAction

}

IDSRule All_Well-Known_UDP~1

{

Priority 64990



{

Sensitivity MEDIUM

Protocol UDP


}


}

IDSRule ICMP~1

{

Priority 64980



{

Sensitivity HIGH

Protocol ICMP

}


}

IDSRule ScanGlobal

{

ConditionType ScanGlobal

IDSScanGlobalCondition

{

FSInterval 1

FSThreshold 5

SSInterval 120

SSThreshold 10

}

IDSActionRef ScanGlobalAction

}

IDSAction ScanAction

25

{

Actiontype ScanEvent count

}

IDSAction ScanGlobalAction

{

ActionType ScanGlobal

IDSReportSet

{

TypeActions CONSOLE

}

}

IDSRule All_Well-Known_TCP1~1

{

Priority 65000

ConditionType TR

IDSTRCondition

{


Protocol TCP

TRtcpTotalConnections 65535

TRtcpPercentage 100

TRtcpLimitScope PORT_INSTANCE

}

IDSActionRef All_Well-Known_TCP1

}

IDSAction All_Well-Known_TCP1

{

ActionType TR limit

IDSReportSet

{

TypeActions LOG

LogDetail No

LoggingLevel 4


StatType Normal

StatInterval 60

}

}

SYSLOGD entries

*.TRMD*.*.* /var/syslog/%Y/%m/%d/trmd.log -F 640 -D 770

*.PAGENT*.*.* /var/syslog/%Y/%m/%d/pagent.log -F 640 -D 770

*.IKE*.*.* /var/syslog/%Y/%m/%d/inetd.log -F 640 -D 770

*.SYSLOGD*.*.* /var/syslog/%Y/%m/%d/syslogd.log -F 640 -D 770

26

Extended Analytics Reports

F AXR,EZACMD TRMDSTAT -I '/var/syslog/2012/03/28/trmd.log'

System REXX EZACMD: trmdstat command - start - userID=ESSJGR1

System REXX EZACMD: trmdstat -I /var/syslog/2012/03/28/trmd.log

trmdstat for z/OS CS V1R13 Wed Mar 28 19:11:46 2012

Command Entered : trmdstat -I /var/syslog/2012/03/28/trmd.log

Log Time Interval : Mar 28 19:07:55 - Mar 28 19:08:55

Stack Time Interval : Mar 28 19:07:52 - Mar 28 19:08:53

TRM Records Scanned : 12

TCP - Traffic Regulation

------------------------------------------------

Connections would have been refused : 0

Connections refused : 0

Constrained entry logged : 0

Constrained exit logged : 0

Constrained entry : 0

Constrained exit : 0

QOS exceptions logged : 0

QOS exceptions made : 0

UDP - Traffic Regulation

------------------------------------------------

Constrained entry logged : 0

Constrained exit logged : 0



SCAN Detection

------------------------------------------------

Threshold exceeded : 2

Detection delayed : 0

Storage constrained entry : 0

Storage constrained exit : 0

ATTACK Detection

------------------------------------------------

Packet would have been discarded : 0

Packet discarded : 0

FLOOD Detection

------------------------------------------------

Accept queue expanded : 0

SYN flood start : 0

SYN flood end : 0

Interface flood start : 2

Interface flood end : 2

27

EE XID flood start : 0

EE XID flood end : 0

Global TCP Stall Detection

------------------------------------------------

Global TCP stall entry : 0

Global TCP stall exit : 0

Connections would have been reset : 0

Connections reset : 0

TCP Queue Size Detection

------------------------------------------------

Send queue




Receive queue




Out-of-order queue




System REXX EZACMD: trmdstat command - end - RC=0

F AXR,EZACMD TRMDSTAT -ND '/var/syslog/2012/03/28/trmd.log'


System REXX EZACMD: trmdstat -ND /var/syslog/2012/03/28/trmd.log


Command Entered : trmdstat -ND /var/syslog/2012/03/28/trmd.log




SCAN Events

Date and Time Source IP Address

Suspicion Level Type Correlator

Very Possibly Normal

---------------------- ---------------------------------------------

---------- ---------- ---------- ---- ----------

03/28/2012 19:08:06.26 192.168.50.31

0 9 1 F 12

03/28/2012 19:08:06.26 192.168.50.31

0 9 1 F 12

28


F AXR,EZACMD TRMDSTAT -FD '/var/syslog/2012/03/28/trmd.log'


System REXX EZACMD: trmdstat -FD /var/syslog/2012/03/28/trmd.log


Command Entered : trmdstat -FD /var/syslog/2012/03/28/trmd.log




SYN FLOOD Events

No records to display

Interface FLOOD Events

Date and Time/ Interface Type Duration Discard

Correlator/ ----------------Most Frequent--------------

Last Last Source IP/ Count/

ProbeID -----Overall----- -------Source MAC Data-

Count Dest Address Percent

Proto/ Category/ SrcMAC/ Proto/ Cat

Percent Percent Percent Percent Per

03/28/2012 19:07:52.38 OSDL E 1000

13

192.168.50.31 99

04070010

192.168.50.56

03/28/2012 19:07:52.38 OSDL E 1000

13

192.168.50.31 99

04070010

192.168.50.56

03/28/2012 19:08:53.25 OSDL X 57 1993

13 6 Dest 1C6F6572D9A4 6

17 192.168.50.75 97

04070014 48 49 48 100

192.168.50.56

03/28/2012 19:08:53.25 OSDL X 57 1993

13 6 Dest 1C6F6572D9A4 6

17 192.168.50.75 97

04070014 48 49 48 100

192.168.50.56

XID FLOOD Events

No records to display


the intrusion detection service (ids) policy management ... · pdf file1 the intrusion...

Documents