www.newera.com
The Intrusion Detection Service (IDS) Policy Management Project
A NewEra Software, Inc. White Paper
July-August, 2012
Table of Contents:
Project Introduction
IDS Configuration
Penetration Testing
Extended Analytics
Appendices
  PAGENT configuration file contents
  Policy configuration file contents
  SYSLOGD entries
  Extended Analytics Reports
2
Project Introduction:
Policy-based networking is documented in Chapter 16, "Policy-based
networking", of z/OS Communications Server IP Configuration Guide Version
1 Release 13 (SC31-8775-19) and in Chapter 22, "Policy Agent and policy
applications", of z/OS Communications Server IP Configuration Reference
Version 1 Release 13 (SC31-8776-20). These chapters describe the mechanism
for expressing business objectives as a collection of network behavior
policies that control network operation and the capture of network
events.
A detailed description of IDS features and operation is found in Chapter
18 of the Guide.
A detailed stepwise procedure for creating and installing a sample IDS
policy can be found in Chapter 13 of the IBM z/OS V1R13 Communications
Server TCP/IP Implementation: Volume 4 Security and Policy-Based
Networking Redbook.
The purpose of this paper is to demonstrate how NewEra Event Detection
services can be used in conjunction with an active IDS policy to capture
and report on IDS events in a Netview-like fashion, but without the need
for an installed Netview infrastructure.
NewEra's Event Detector captures the output of the D TCPIP,,NETSTAT,IDS
operator command. Issuing this command before any configuration work
confirmed that no IDS policy was active: every rule name shows *NONE*
and both traffic-regulation policies show PLCACTIVE: N.
EZZ2500I NETSTAT CS V1R13 TCPIP 735
INTRUSION DETECTION SERVICES SUMMARY:
SCAN DETECTION:
GLOBRULENAME: *NONE*
ICMPRULENAME: *NONE*
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 0
SRCIPSTRKD: 0 STRGLEV: 00000
ATTACK DETECTION:
MALFORMED PACKETS
PLCRULENAME: *NONE*
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 0
OUTBOUND RAW RESTRICTIONS
PLCRULENAME: *NONE*
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 0
RESTRICTED PROTOCOLS
PLCRULENAME: *NONE*
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 0
RESTRICTED IP OPTIONS
PLCRULENAME: *NONE*
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 0
ICMP REDIRECT RESTRICTIONS
PLCRULENAME: *NONE*
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 0
IP FRAGMENT RESTRICTIONS
PLCRULENAME: *NONE*
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 0
UDP PERPETUAL ECHO
PLCRULENAME: *NONE*
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 0
FLOODS
PLCRULENAME: *NONE*
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 0
DATA HIDING
PLCRULENAME: *NONE*
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 0
TCP QUEUE SIZE
PLCRULENAME: *NONE*
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 0
GLOBAL TCP STALL
PLCRULENAME: *NONE*
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 0
EE LDLC CHECK
PLCRULENAME: *NONE*
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 0
EE MALFORMED PACKETS
PLCRULENAME: *NONE*
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 0
EE PORT CHECK
PLCRULENAME: *NONE*
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 0
EE XID FLOOD
PLCRULENAME: *NONE*
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 0
TRAFFIC REGULATION:
TCP
CONNREJECTED: 0 PLCACTIVE: N
UDP
PCKDISCARDED: 0 PLCACTIVE: N
ACTIVE GLOBAL CONDITIONS:
SERVERSINCONNFLOOD: 0
TCPSTALLEDCONNS: 0 TCPSTALLEDCONNSPCT: 0
IDS Configuration
The initial step is the creation of an IDS policy configuration file
using either the z/OSMF Configuration Assistant or the PC-based V1R13
IBM Configuration Assistant for z/OS Communications Server tool (herein
dubbed PCCA).
PCCA was selected for this exercise, downloaded and installed.
The detailed procedure in Chapter 13 of the Redbook referenced above
should be followed to create the policy configuration file. The Redbook
procedure uses z/OSMF, but the process is effectively identical for PCCA.
At the conclusion of the procedure, PCCA had created an IDS policy
configuration file containing its sample default specifications.
PCCA provides an FTP function, which was used to upload the file to the
target z/OS host at the default location
/etc/cfgasst/v1r13/imagename/stackname/idsPol
where imagename and stackname are the z/OS image and TCP/IP stack names
defined in PCCA (ESSD6 and ESSD6 in the appendix).
The next step was the creation of a policy agent (PAGENT) configuration
file (PACF) pointing to the idsPol file above.
PACF file /etc/cfgasst/v1r13/imagename/stackname/policyConfig
was created with OEDIT, containing the following line:
IDSConfig /etc/cfgasst/v1r13/imagename/stackname/idsPol FLUSH
FLUSH tells PAGENT to delete any IDS policy already installed in the
stack when it starts, before installing this one; the PACF shown in
Appendix A instead uses PURGE, which deletes the installed IDS policy
when PAGENT shuts down normally. Both are valid IDSConfig options.
Additional entries were added to the PACF for the desired components,
e.g. TRMD and IKED, as shown in Appendix A.
Started task PAGENT was configured on the host using the sample supplied
in TCPIP.SEZAINST(EZAPAGSP).
The STDENV DD file in PAGENT was populated according to Redbook
recommendations.
The following line was added to the STDENV DD file:
PAGENT_CONFIG_FILE=/etc/cfgasst/v1r13/imagename/stackname/policyConfig
PAGENT was started via S PAGENT. The following messages were issued:
EZZ8431I PAGENT STARTING
EZZ8432I PAGENT INITIALIZATION COMPLETE
EZZ8771I PAGENT CONFIG POLICY PROCESSING COMPLETE FOR TCPIP : IDS
EZD1586I PAGENT HAS INSTALLED ALL LOCAL POLICIES FOR TCPIP
D TCPIP,,NETSTAT,IDS now displayed:
EZZ2500I NETSTAT CS V1R13 TCPIP 535
INTRUSION DETECTION SERVICES SUMMARY:
SCAN DETECTION:
GLOBRULENAME: SCANGLOBAL
ICMPRULENAME: ICMP 1
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 30
SRCIPSTRKD: 0 STRGLEV: 00000
ATTACK DETECTION:
MALFORMED PACKETS
PLCRULENAME: MALFORMEDPACKET
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
OUTBOUND RAW RESTRICTIONS
PLCRULENAME: IPV4OUTBOUNDRAW
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
RESTRICTED PROTOCOLS
PLCRULENAME: IPV4PROTOCOL
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
RESTRICTED IP OPTIONS
PLCRULENAME: IPV4OPTION
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
ICMP REDIRECT RESTRICTIONS
PLCRULENAME: ICMPREDIRECT
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
IP FRAGMENT RESTRICTIONS
PLCRULENAME: IPV4FRAGMENTATION
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
UDP PERPETUAL ECHO
PLCRULENAME: ECHO
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
FLOODS
PLCRULENAME: FLOOD
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
DATA HIDING
PLCRULENAME: DATAHIDING
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
TCP QUEUE SIZE
PLCRULENAME: TCPQUEUESIZE
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
GLOBAL TCP STALL
PLCRULENAME: GLOBALTCPSTALL
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
EE LDLC CHECK
PLCRULENAME: EELDLCCHECK
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
EE MALFORMED PACKETS
PLCRULENAME: EEMALFORMEDPACKET
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
EE PORT CHECK
PLCRULENAME: EEPORTCHECK
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
EE XID FLOOD
PLCRULENAME: EEXIDFLOOD
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
TRAFFIC REGULATION:
TCP
CONNREJECTED: 0 PLCACTIVE: Y
UDP
PCKDISCARDED: 0 PLCACTIVE: N
ACTIVE GLOBAL CONDITIONS:
SERVERSINCONNFLOOD: 0
TCPSTALLEDCONNS: 0 TCPSTALLEDCONNSPCT: 0
Penetration Testing
To validate the policy, a PC-based port scanner (Advanced Port Scanner
V1.3) was run against the z/OS host's ports. The scan triggered the
following console messages:
EZZ8761I IDS EVENT DETECTED 638
EZZ8730I STACK TCPIP
EZZ8762I EVENT TYPE: FAST SCAN DETECTED
EZZ8766I IDS RULE ScanGlobal
EZZ8767I IDS ACTION ScanGlobalAction
D TCPIP,,NETSTAT,IDS now displayed the following. The original highlights
the updated fields; in this transcript they are the SCAN DETECTION
counters TOTDETECTED and DETCURRPLC, the FLOODS counters, and the new
ACTIVE INTERFACE FLOODS section at the end:
EZZ2500I NETSTAT CS V1R13 TCPIP 640
INTRUSION DETECTION SERVICES SUMMARY:
SCAN DETECTION:
GLOBRULENAME: SCANGLOBAL
ICMPRULENAME: ICMP 1
TOTDETECTED: 1 DETCURRPLC: 1
DETCURRINT: 0 INTERVAL: 30
SRCIPSTRKD: 0 STRGLEV: 00000M
ATTACK DETECTION:
MALFORMED PACKETS
PLCRULENAME: MALFORMEDPACKET
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
OUTBOUND RAW RESTRICTIONS
PLCRULENAME: IPV4OUTBOUNDRAW
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
RESTRICTED PROTOCOLS
PLCRULENAME: IPV4PROTOCOL
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
RESTRICTED IP OPTIONS
PLCRULENAME: IPV4OPTION
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
ICMP REDIRECT RESTRICTIONS
PLCRULENAME: ICMPREDIRECT
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
IP FRAGMENT RESTRICTIONS
PLCRULENAME: IPV4FRAGMENTATION
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
UDP PERPETUAL ECHO
PLCRULENAME: ECHO
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
FLOODS
PLCRULENAME: FLOOD
TOTDETECTED: 1 DETCURRPLC: 1
DETCURRINT: 1 INTERVAL: 60
DATA HIDING
PLCRULENAME: DATAHIDING
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
TCP QUEUE SIZE
PLCRULENAME: TCPQUEUESIZE
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
GLOBAL TCP STALL
PLCRULENAME: GLOBALTCPSTALL
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
EE LDLC CHECK
PLCRULENAME: EELDLCCHECK
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
EE MALFORMED PACKETS
PLCRULENAME: EEMALFORMEDPACKET
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
EE PORT CHECK
PLCRULENAME: EEPORTCHECK
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
EE XID FLOOD
PLCRULENAME: EEXIDFLOOD
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
TRAFFIC REGULATION:
TCP
CONNREJECTED: 0 PLCACTIVE: Y
UDP
PCKDISCARDED: 0 PLCACTIVE: N
ACTIVE GLOBAL CONDITIONS:
SERVERSINCONNFLOOD: 0
TCPSTALLEDCONNS: 0 TCPSTALLEDCONNSPCT: 0
ACTIVE INTERFACE FLOODS:
INTFNAME: OSDL
DISCARDCNT: 1000 DISCARDRATE: 99 DURATION: 57
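The comparison above is exactly what an automated monitor has to do: parse two captures of the NETSTAT IDS display, report the counters that moved, and turn the EZZ8761I message group into a structured event. The following Python is an added example, not NewEra's or IBM's code; the two snapshots and the message group are constructed excerpts of the displays quoted above, trimmed to the categories that changed, and the section/category/field naming scheme is this example's own.

```python
import re

# Constructed excerpts of the D TCPIP,,NETSTAT,IDS display, trimmed to the
# categories that changed; a real display lists every attack category.
BASELINE = """\
EZZ2500I NETSTAT CS V1R13 TCPIP 535
SCAN DETECTION:
ICMPRULENAME: ICMP 1
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 30
ATTACK DETECTION:
FLOODS
PLCRULENAME: FLOOD
TOTDETECTED: 0 DETCURRPLC: 0
DETCURRINT: 0 INTERVAL: 60
"""
AFTER_SCAN = """\
EZZ2500I NETSTAT CS V1R13 TCPIP 640
SCAN DETECTION:
ICMPRULENAME: ICMP 1
TOTDETECTED: 1 DETCURRPLC: 1
DETCURRINT: 0 INTERVAL: 30
ATTACK DETECTION:
FLOODS
PLCRULENAME: FLOOD
TOTDETECTED: 1 DETCURRPLC: 1
DETCURRINT: 1 INTERVAL: 60
ACTIVE INTERFACE FLOODS:
INTFNAME: OSDL
DISCARDCNT: 1000 DISCARDRATE: 99 DURATION: 57
"""
# Constructed copy of the EZZ8761I message group quoted in the text.
EVENT_GROUP = """\
EZZ8761I IDS EVENT DETECTED 638
EZZ8730I STACK TCPIP
EZZ8762I EVENT TYPE: FAST SCAN DETECTED
EZZ8766I IDS RULE ScanGlobal
EZZ8767I IDS ACTION ScanGlobalAction
"""

PAIR_SPLIT = re.compile(r"\s*([A-Z0-9]+):\s*")   # splits 'KEY: value KEY: value'


def parse_netstat_ids(text):
    """Flatten the display into {'SECTION/CATEGORY/FIELD': value}.

    A line ending in ':' opens a section, a line with no ':' names a category
    inside it (FLOODS, TCP, ...), anything else is one or more FIELD: value pairs.
    """
    fields, section, category = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("EZZ"):      # skip blanks and the banner
            continue
        if line.endswith(":") and line.count(":") == 1:
            section, category = line[:-1], None
        elif ":" not in line:
            category = line
        else:
            parts = PAIR_SPLIT.split(line)            # ['', KEY, val, KEY, val]
            prefix = "/".join(p for p in (section, category) if p)
            for key, value in zip(parts[1::2], parts[2::2]):
                fields[f"{prefix}/{key}"] = value.strip()
    return fields


def diff_snapshots(before_text, after_text):
    """Return {field: (old, new)} for every field that changed or appeared."""
    before, after = parse_netstat_ids(before_text), parse_netstat_ids(after_text)
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}


EVENT_FIELDS = {   # message IDs that carry the fields of an EZZ8761I group
    "EZZ8730I": ("stack", re.compile(r"STACK\s+(\S+)")),
    "EZZ8762I": ("event_type", re.compile(r"EVENT TYPE:\s*(.+)")),
    "EZZ8766I": ("rule", re.compile(r"IDS RULE\s+(\S+)")),
    "EZZ8767I": ("action", re.compile(r"IDS ACTION\s+(\S+)")),
}


def parse_ids_event(text):
    """Turn a multi-line EZZ8761I console message group into a dict."""
    event = {}
    for line in text.splitlines():
        msg_id, _, rest = line.strip().partition(" ")
        if msg_id in EVENT_FIELDS:
            name, pattern = EVENT_FIELDS[msg_id]
            match = pattern.search(rest)
            if match:
                event[name] = match.group(1).strip()
    return event


if __name__ == "__main__":
    for field, (old, new) in diff_snapshots(BASELINE, AFTER_SCAN).items():
        print(f"{field}: {old} -> {new}")
    print(parse_ids_event(EVENT_GROUP))
```

Run as is, the diff lists nine fields: the two scan counters, the three FLOODS counters and the four fields of the ACTIVE INTERFACE FLOODS section that did not exist in the baseline (old value None), while unchanged fields such as ICMPRULENAME are not reported. Values are kept as strings on purpose, so rule names and flags (PLCACTIVE: Y/N) diff the same way as counters.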
The configuration described above can be applied unchanged to multiple
IP stacks on the underlying LPAR. PAGENT also supports per-stack
customization: in that case the PAGENT configuration file contains one
TcpImage statement per stack, each pointing to a separate policy
configuration file customized for that stack, e.g.
TcpImage TCPIPA /etc/pagent.sc32.tcpipa.conf
TcpImage TCPIPB /etc/pagent.sc32.tcpipb.conf
A detailed description appears in Chapter 4 of the Redbook.
Extended Analytics
In the PCCA "Scans" section of the "Requirement Map" definition, "Default
Report Settings for Scans" provides the option to log to SYSLOGD. When
this is enabled, TRMD writes the IDS event records to SYSLOGD, which
routes them to the directories and files specified in /etc/syslog.conf,
the SYSLOGD configuration file.
SYSLOGD details can be found in Chapter 1 of z/OS V1R13 Communications
Server TCP/IP Implementation: Volume 2 Standard Applications. Examples of
the additional syslog.conf entries are found in Appendix C of this
document. The EZACMD TRMDSTAT command can then be issued from the
console to produce detailed analytical reports from those log files; the
reports are displayed on the console and are therefore capturable by
NewEra Event Detector interfaces. Examples of the EZACMD TRMDSTAT
commands and their output are found in Appendix D of this document.
Depending on the RACF authorization of the user IDs and environments
from which EZACMD is issued, it may be necessary to define additional
security resources. The requisite procedures are described in section
2.6.5, "EZACMD console command security", of the Redbook.
Appendices
PAGENT configuration file contents
IDSConfig /etc/cfgasst/v1r13/ESSD6/ESSD6/idsPol PURGE
AutoMonitorParms
{
MonitorInterval 10
RetryLimitCount 5
RetryLimitPeriod 600
}
AutoMonitorApps
{
AppName TRMD
{
TcpImageName TCPIP
{
Procname POLPROC
Jobname TRMD
}
}
AppName IKED
{
Procname POLPROC
Jobname IKED
}
}
Policy configuration file contents
##
## IDS Policy Agent Configuration file for:
## Image: ESSD6
## Stack: ESSD6
##
## Created by the IBM Configuration Assistant for z/OS Communications Server
## Version 1 Release 13
## Backing Store = C:\IBM\zCSConfigAssist\V1R13\saveData
## FTP History:
## 2012-03-23 19:39:52 : essjgr1 to 192.168.50.56
## 2012-03-23 18:37:43 : essjgr1 to 192.168.50.56
## 2012-03-21 19:17:02 : essjgr1 to 192.168.50.56
##
## End of Configuration Assistant information
IDSRule DataHiding
{
ConditionType Attack
IDSAttackCondition
{
AttackType DATA_HIDING
OptionPadChk Enable
IcmpEmbedPktChk Enable
}
IDSActionRef DataHiding
}
IDSRule IPv6OutboundRaw
{
ConditionType Attack
IDSAttackCondition
{
AttackType OUTBOUND_RAW_IPv6
ProtocolGroupRef IpProtGroup~1
}
IDSActionRef IPv6OutboundRaw
}
IDSRule IPv6DestinationOptions
{
ConditionType Attack
IDSAttackCondition
{
AttackType RESTRICTED_IPV6_DST_OPTIONS
RestrictedIpv6OptionGroupRef IpOptGroup~1
}
IDSActionRef IPv6DestinationOptions
}
IDSRule IPv6HopByHop
{
ConditionType Attack
IDSAttackCondition
{
AttackType RESTRICTED_IPV6_HOP_OPTIONS
RestrictedIpv6OptionGroupRef IpOptGroup~2
}
IDSActionRef IPv6HopByHop
}
IDSRule IPv6NextHeader
{
ConditionType Attack
IDSAttackCondition
{
AttackType RESTRICTED_IPV6_NEXT_HDR
IPv6NextHdrGroupRef IPv6NextHdrGroup~1
}
IDSActionRef IPv6NextHeader
}
IDSRule TcpQueueSize
{
ConditionType Attack
IDSAttackCondition
{
AttackType TCP_QUEUE_SIZE
TcpQueueSize Short
}
IDSActionRef TcpQueueSize
}
IDSRule GlobalTCPStall
{
ConditionType Attack
IDSAttackCondition
{
AttackType GLOBAL_TCP_STALL
}
IDSActionRef GlobalTCPStall
}
IDSRule Flood
{
ConditionType Attack
IDSAttackCondition
{
AttackType FLOOD
IfcFloodMinDiscard 1000
IfcFloodPercentage 10
}
IDSActionRef Flood
}
IDSRule Echo
{
ConditionType Attack
IDSAttackCondition
{
AttackType PERPETUAL_ECHO
LocalPortGroupRef LocalEchoPortGroup~1
RemotePortGroupRef RemoteEchoPortGroup~1
}
IDSActionRef Echo
}
IDSRule IPv4Protocol
{
ConditionType Attack
IDSAttackCondition
{
AttackType RESTRICTED_IP_PROTOCOL
ProtocolGroupRef IpProtGroup~2
}
IDSActionRef IPv4Protocol
}
IDSRule IPv4Option
{
ConditionType Attack
IDSAttackCondition
{
AttackType RESTRICTED_IP_OPTIONS
RestrictedIpOptionGroupRef IpOptGroup~3
}
IDSActionRef IPv4Option
}
IDSRule ICMPRedirect
{
ConditionType Attack
IDSAttackCondition
{
AttackType ICMP_REDIRECT
}
IDSActionRef ICMPRedirect
}
IDSRule MalformedPacket
{
ConditionType Attack
IDSAttackCondition
{
AttackType MALFORMED_PACKET
}
IDSActionRef MalformedPacket
}
IDSRule IPv4OutboundRaw
{
ConditionType Attack
IDSAttackCondition
{
AttackType OUTBOUND_RAW
ProtocolGroupRef IpProtGroup~3
}
IDSActionRef IPv4OutboundRaw
}
IDSRule IPv4Fragmentation
{
ConditionType Attack
IDSAttackCondition
{
AttackType IP_FRAGMENT
}
IDSActionRef IPv4Fragmentation
}
IDSRule EEMalformedPacket
{
ConditionType Attack
IDSAttackCondition
{
AttackType EE_MALFORMED_PACKET
}
IDSActionRef EEMalformedPacket
}
IDSRule EELDLCCheck
{
ConditionType Attack
IDSAttackCondition
{
AttackType EE_LDLC_CHECK
}
IDSActionRef EELDLCCheck
}
IDSRule EEPortCheck
{
ConditionType Attack
IDSAttackCondition
{
AttackType EE_PORT_CHECK
}
IDSActionRef EEPortCheck
}
IDSRule EEXIDFlood
{
ConditionType Attack
IDSAttackCondition
{
AttackType EE_XID_FLOOD
EEXIDTimeOut 100
}
IDSActionRef EEXIDFlood
}
IDSAction DataHiding
{
ActionType Attack nodiscard
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IDSAction IPv6OutboundRaw
{
ActionType Attack nodiscard
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IDSAction IPv6DestinationOptions
{
ActionType Attack nodiscard
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IDSAction IPv6HopByHop
{
ActionType Attack nodiscard
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IDSAction IPv6NextHeader
{
ActionType Attack nodiscard
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IDSAction TcpQueueSize
{
ActionType Attack noresetconn
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IDSAction GlobalTCPStall
{
ActionType Attack noresetconn
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IDSAction Flood
{
ActionType Attack discard
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IDSAction Echo
{
ActionType Attack nodiscard
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IDSAction IPv4Protocol
{
ActionType Attack nodiscard
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IDSAction IPv4Option
{
ActionType Attack nodiscard
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IDSAction ICMPRedirect
{
ActionType Attack nodiscard
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IDSAction MalformedPacket
{
ActionType Attack discard
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IDSAction IPv4OutboundRaw
{
ActionType Attack nodiscard
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IDSAction IPv4Fragmentation
{
ActionType Attack nodiscard
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IDSAction EEMalformedPacket
{
ActionType Attack nodiscard
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IDSAction EELDLCCheck
{
ActionType Attack nodiscard
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IDSAction EEPortCheck
{
ActionType Attack nodiscard
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IDSAction EEXIDFlood
{
ActionType Attack nodiscard
IDSReportSet
{
TypeActions LOG
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
IpProtocolGroup IpProtGroup~1
{
IpProtocolRangeRef IpProtRange~1
IpProtocolRangeRef IpProtRange~2
IpProtocolRangeRef IpProtRange~3
IpProtocolRangeRef IpProtRange~4
}
IpProtocolGroup IpProtGroup~2
{
IpProtocolRangeRef IpProtRange~5
IpProtocolRangeRef IpProtRange~6
IpProtocolRangeRef IpProtRange~7
IpProtocolRangeRef IpProtRange~8
IpProtocolRangeRef IpProtRange~9
IpProtocolRangeRef IpProtRange~10
IpProtocolRangeRef IpProtRange~11
IpProtocolRangeRef IpProtRange~12
IpProtocolRangeRef IpProtRange~13
}
IpProtocolGroup IpProtGroup~3
{
IpProtocolRangeRef IpProtRange~14
IpProtocolRangeRef IpProtRange~15
IpProtocolRangeRef IpProtRange~16
IpProtocolRangeRef IpProtRange~17
}
IpProtocolRange IpProtRange~1
{
IpProtocol 0 16
}
IpProtocolRange IpProtRange~2
{
IpProtocol 18 57
}
IpProtocolRange IpProtRange~3
{
IpProtocol 59 88
}
IpProtocolRange IpProtRange~4
{
IpProtocol 90 255
}
IpProtocolRange IpProtRange~5
{
IpProtocol 0 0
}
IpProtocolRange IpProtRange~6
{
IpProtocol 3 3
}
IpProtocolRange IpProtRange~7
{
IpProtocol 5 5
}
IpProtocolRange IpProtRange~8
{
IpProtocol 7 16
}
IpProtocolRange IpProtRange~9
{
IpProtocol 18 45
}
IpProtocolRange IpProtRange~10
{
IpProtocol 48 49
}
IpProtocolRange IpProtRange~11
{
IpProtocol 52 88
}
IpProtocolRange IpProtRange~12
{
IpProtocol 90 93
}
IpProtocolRange IpProtRange~13
{
IpProtocol 95 255
}
IpProtocolRange IpProtRange~14
{
IpProtocol 0 0
}
IpProtocolRange IpProtRange~15
{
IpProtocol 2 16
}
IpProtocolRange IpProtRange~16
{
IpProtocol 18 88
}
IpProtocolRange IpProtRange~17
{
IpProtocol 90 255
}
IpOptionGroup IpOptGroup~1
{
IpOptionRangeRef IpOptRange~1
IpOptionRangeRef IpOptRange~2
IpOptionRangeRef IpOptRange~3
IpOptionRangeRef IpOptRange~4
IpOptionRangeRef IpOptRange~5
}
IpOptionGroup IpOptGroup~2
{
IpOptionRangeRef IpOptRange~6
IpOptionRangeRef IpOptRange~7
IpOptionRangeRef IpOptRange~8
IpOptionRangeRef IpOptRange~9
IpOptionRangeRef IpOptRange~10
}
IpOptionGroup IpOptGroup~3
{
IpOptionRangeRef IpOptRange~11
IpOptionRangeRef IpOptRange~12
IpOptionRangeRef IpOptRange~13
IpOptionRangeRef IpOptRange~14
IpOptionRangeRef IpOptRange~15
}
IpOptionRange IpOptRange~1
{
IpOption 2 3
}
IpOptionRange IpOptRange~2
{
IpOption 8 137
}
IpOptionRange IpOptRange~3
{
IpOption 139 193
}
IpOptionRange IpOptRange~4
{
IpOption 195 200
}
IpOptionRange IpOptRange~5
{
IpOption 202 255
}
IpOptionRange IpOptRange~6
{
IpOption 2 3
}
IpOptionRange IpOptRange~7
{
IpOption 8 137
}
IpOptionRange IpOptRange~8
{
IpOption 139 193
}
IpOptionRange IpOptRange~9
{
IpOption 195 200
}
IpOptionRange IpOptRange~10
{
IpOption 202 255
}
IpOptionRange IpOptRange~11
{
IpOption 2 6
}
IpOptionRange IpOptRange~12
{
IpOption 8 67
}
IpOptionRange IpOptRange~13
{
IpOption 69 81
}
IpOptionRange IpOptRange~14
{
IpOption 83 147
}
IpOptionRange IpOptRange~15
{
IpOption 149 255
}
IPv6NextHdrGroup IPv6NextHdrGroup~1
{
IPv6NextHdrRangeRef IPv6NextHdrRange~1
IPv6NextHdrRangeRef IPv6NextHdrRange~2
IPv6NextHdrRangeRef IPv6NextHdrRange~3
IPv6NextHdrRangeRef IPv6NextHdrRange~4
IPv6NextHdrRangeRef IPv6NextHdrRange~5
IPv6NextHdrRangeRef IPv6NextHdrRange~6
IPv6NextHdrRangeRef IPv6NextHdrRange~7
IPv6NextHdrRangeRef IPv6NextHdrRange~8
IPv6NextHdrRangeRef IPv6NextHdrRange~9
}
IPv6NextHdrRange IPv6NextHdrRange~1
{
IPv6NextHdr 1 5
}
IPv6NextHdrRange IPv6NextHdrRange~2
{
IPv6NextHdr 7 16
}
IPv6NextHdrRange IPv6NextHdrRange~3
{
IPv6NextHdr 18 40
}
IPv6NextHdrRange IPv6NextHdrRange~4
{
IPv6NextHdr 42 42
}
IPv6NextHdrRange IPv6NextHdrRange~5
{
IPv6NextHdr 45 49
}
IPv6NextHdrRange IPv6NextHdrRange~6
{
IPv6NextHdr 52 57
}
IPv6NextHdrRange IPv6NextHdrRange~7
{
IPv6NextHdr 61 88
}
IPv6NextHdrRange IPv6NextHdrRange~8
{
IPv6NextHdr 90 134
}
IPv6NextHdrRange IPv6NextHdrRange~9
{
IPv6NextHdr 136 255
}
PortGroup LocalEchoPortGroup~1
{
PortRange
{
Port 7
}
PortRange
{
Port 13
}
PortRange
{
Port 17
}
PortRange
{
Port 19
}
}
PortGroup RemoteEchoPortGroup~1
{
PortRange
{
Port 7
}
PortRange
{
Port 13
}
PortRange
{
Port 17
}
PortRange
{
Port 19
}
}
IDSRule All_Well-Known_TCP~1
{
Priority 65000
ConditionType ScanEvent
IDSScanEventCondition
{
Sensitivity MEDIUM
Protocol TCP
LocalPortRange 1-1023
}
IDSActionRef ScanAction
}
IDSRule All_Well-Known_UDP~1
{
Priority 64990
ConditionType ScanEvent
IDSScanEventCondition
{
Sensitivity MEDIUM
Protocol UDP
LocalPortRange 1-1023
}
IDSActionRef ScanAction
}
IDSRule ICMP~1
{
Priority 64980
ConditionType ScanEvent
IDSScanEventCondition
{
Sensitivity HIGH
Protocol ICMP
}
IDSActionRef ScanAction
}
IDSRule ScanGlobal
{
ConditionType ScanGlobal
IDSScanGlobalCondition
{
FSInterval 1
FSThreshold 5
SSInterval 120
SSThreshold 10
}
IDSActionRef ScanGlobalAction
}
IDSAction ScanAction
{
Actiontype ScanEvent count
}
IDSAction ScanGlobalAction
{
ActionType ScanGlobal
IDSReportSet
{
TypeActions CONSOLE
}
}
IDSRule All_Well-Known_TCP1~1
{
Priority 65000
ConditionType TR
IDSTRCondition
{
LocalPortRange 1-1023
Protocol TCP
TRtcpTotalConnections 65535
TRtcpPercentage 100
TRtcpLimitScope PORT_INSTANCE
}
IDSActionRef All_Well-Known_TCP1
}
IDSAction All_Well-Known_TCP1
{
ActionType TR limit
IDSReportSet
{
TypeActions LOG
LogDetail No
LoggingLevel 4
TypeActions STATISTICS
StatType Normal
StatInterval 60
}
}
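A policy file of this size is easy to break by hand: an IDSActionRef or a group reference that points at nothing, or an action left at nodiscard when a discard was intended. The following Python checker is an added example, not part of this paper and not NewEra's or IBM's code; it parses the Pagent statement/brace syntax shown above, reports references that resolve to no definition, and sorts the Attack and TR actions into those that only log and those that actually discard, reset or limit. The sample policy is a constructed subset of the appendix: DataHiding and Flood mirror the file above, while the Orphan rule and its two unresolved references are invented here to exercise the check. The reference check is by name only (it does not verify that the target has the expected statement type), and an ActionType with no mode is treated as monitor-only.

```python
# Constructed subset of a Configuration Assistant idsPol file.  DataHiding and
# Flood mirror the appendix; the Orphan rule is added here on purpose, with two
# references that resolve to nothing, to exercise the consistency check.
SAMPLE_POLICY = """\
IDSRule DataHiding
{
  ConditionType Attack
  IDSAttackCondition
  {
    AttackType DATA_HIDING
  }
  IDSActionRef DataHiding
}
IDSRule Flood
{
  ConditionType Attack
  IDSAttackCondition
  {
    AttackType FLOOD
    IfcFloodMinDiscard 1000
  }
  IDSActionRef Flood
}
IDSRule Orphan
{
  ConditionType Attack
  IDSAttackCondition
  {
    AttackType OUTBOUND_RAW
    ProtocolGroupRef IpProtGroup~9
  }
  IDSActionRef MissingAction
}
IDSAction DataHiding
{
  ActionType Attack nodiscard
}
IDSAction Flood
{
  ActionType Attack discard
}
"""


def parse_policy(text):
    """Parse 'Keyword args' lines plus '{' / '}' blocks into nested nodes.

    Each node is {'keyword', 'args', 'children'}; a '{' line attaches the block
    that follows to the statement just before it.  '#' starts a comment.
    """
    stack, last = [[]], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "{":
            if last is None:
                raise ValueError("'{' with no preceding statement")
            stack.append(last["children"])
            last = None
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            last = None
        else:
            keyword, *args = line.split()
            last = {"keyword": keyword, "args": args, "children": []}
            stack[-1].append(last)
    if len(stack) != 1:
        raise ValueError("unclosed '{'")
    return stack[0]


def walk(nodes):
    for node in nodes:
        yield node
        yield from walk(node["children"])


ENFORCING = {"discard", "resetconn", "limit"}   # modes that actually act


def check_policy(root):
    """Report unresolved ...Ref names and which Attack/TR actions only monitor."""
    defined = {node["args"][0] for node in root if node["args"]}
    dangling = [f"{node['keyword']} {node['args'][0]}" for node in walk(root)
                if node["keyword"].endswith("Ref") and node["args"][0] not in defined]
    monitor_only, enforcing = [], []
    for action in root:
        if action["keyword"] != "IDSAction":
            continue
        for child in action["children"]:
            if child["keyword"] == "ActionType" and child["args"][0] in ("Attack", "TR"):
                mode = child["args"][1].lower() if len(child["args"]) > 1 else ""
                # No mode, or nodiscard/noresetconn/nolimit, means log only.
                (enforcing if mode in ENFORCING else monitor_only).append(action["args"][0])
    return {"dangling": dangling, "monitor_only": monitor_only, "enforcing": enforcing}


if __name__ == "__main__":
    for key, value in check_policy(parse_policy(SAMPLE_POLICY)).items():
        print(f"{key}: {value}")
```

Run against the full appendix policy, the same check reports every attack action as monitor-only except Flood and MalformedPacket (discard) and the All_Well-Known_TCP1 traffic-regulation action (limit), which is the point to confirm before treating the Configuration Assistant defaults as protective rather than merely observational: with TRtcpTotalConnections 65535 and TRtcpPercentage 100, even that limit is effectively never reached.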
SYSLOGD entries
*.TRMD*.*.* /var/syslog/%Y/%m/%d/trmd.log -F 640 -D 770
*.PAGENT*.*.* /var/syslog/%Y/%m/%d/pagent.log -F 640 -D 770
*.IKE*.*.* /var/syslog/%Y/%m/%d/inetd.log -F 640 -D 770
*.SYSLOGD*.*.* /var/syslog/%Y/%m/%d/syslogd.log -F 640 -D 770
Extended Analytics Reports
F AXR,EZACMD TRMDSTAT -I '/var/syslog/2012/03/28/trmd.log'
System REXX EZACMD: trmdstat command - start - userID=ESSJGR1
System REXX EZACMD: trmdstat -I /var/syslog/2012/03/28/trmd.log
trmdstat for z/OS CS V1R13 Wed Mar 28 19:11:46 2012
Command Entered : trmdstat -I /var/syslog/2012/03/28/trmd.log
Log Time Interval : Mar 28 19:07:55 - Mar 28 19:08:55
Stack Time Interval : Mar 28 19:07:52 - Mar 28 19:08:53
TRM Records Scanned : 12
TCP - Traffic Regulation
------------------------------------------------
Connections would have been refused : 0
Connections refused : 0
Constrained entry logged : 0
Constrained exit logged : 0
Constrained entry : 0
Constrained exit : 0
QOS exceptions logged : 0
QOS exceptions made : 0
UDP - Traffic Regulation
------------------------------------------------
Constrained entry logged : 0
Constrained exit logged : 0
Constrained entry : 0
Constrained exit : 0
SCAN Detection
------------------------------------------------
Threshold exceeded : 2
Detection delayed : 0
Storage constrained entry : 0
Storage constrained exit : 0
ATTACK Detection
------------------------------------------------
Packet would have been discarded : 0
Packet discarded : 0
FLOOD Detection
------------------------------------------------
Accept queue expanded : 0
SYN flood start : 0
SYN flood end : 0
Interface flood start : 2
Interface flood end : 2
EE XID flood start : 0
EE XID flood end : 0
Global TCP Stall Detection
------------------------------------------------
Global TCP stall entry : 0
Global TCP stall exit : 0
Connections would have been reset : 0
Connections reset : 0
TCP Queue Size Detection
------------------------------------------------
Send queue
Constrained entry : 0
Constrained exit : 0
Connections reset : 0
Receive queue
Constrained entry : 0
Constrained exit : 0
Connections reset : 0
Out-of-order queue
Constrained entry : 0
Constrained exit : 0
Connections reset : 0
System REXX EZACMD: trmdstat command - end - RC=0
F AXR,EZACMD TRMDSTAT -ND '/var/syslog/2012/03/28/trmd.log'
System REXX EZACMD: trmdstat command - start - userID=ESSJGR1
System REXX EZACMD: trmdstat -ND /var/syslog/2012/03/28/trmd.log
trmdstat for z/OS CS V1R13 Wed Mar 28 19:16:01 2012
Command Entered : trmdstat -ND /var/syslog/2012/03/28/trmd.log
Log Time Interval : Mar 28 19:08:25 - Mar 28 19:08:25
Stack Time Interval : Mar 28 19:08:06 - Mar 28 19:08:06
TRM Records Scanned : 22
SCAN Events
Date and Time          Source IP Address   Suspicion Level         Type  Correlator
                                           Very  Possibly  Normal
---------------------- ------------------- ----  --------  ------  ----  ----------
03/28/2012 19:08:06.26 192.168.50.31          0         9       1  F             12
03/28/2012 19:08:06.26 192.168.50.31          0         9       1  F             12
System REXX EZACMD: trmdstat command - end - RC=0
F AXR,EZACMD TRMDSTAT -FD '/var/syslog/2012/03/28/trmd.log'
System REXX EZACMD: trmdstat command - start - userID=ESSJGR1
System REXX EZACMD: trmdstat -FD /var/syslog/2012/03/28/trmd.log
trmdstat for z/OS CS V1R13 Wed Mar 28 19:18:02 2012
Command Entered : trmdstat -FD /var/syslog/2012/03/28/trmd.log
Log Time Interval : Mar 28 19:07:55 - Mar 28 19:08:55
Stack Time Interval : Mar 28 19:07:52 - Mar 28 19:08:53
TRM Records Scanned : 22
SYN FLOOD Events
No records to display
Interface FLOOD Events
Date and Time/ Interface Type Duration Discard
Correlator/ ----------------Most Frequent--------------
Last Last Source IP/ Count/
ProbeID -----Overall----- -------Source MAC Data-
Count Dest Address Percent
Proto/ Category/ SrcMAC/ Proto/ Cat
Percent Percent Percent Percent Per
03/28/2012 19:07:52.38 OSDL E 1000
13
192.168.50.31 99
04070010
192.168.50.56
03/28/2012 19:07:52.38 OSDL E 1000
13
192.168.50.31 99
04070010
192.168.50.56
03/28/2012 19:08:53.25 OSDL X 57 1993
13 6 Dest 1C6F6572D9A4 6
17 192.168.50.75 97
04070014 48 49 48 100
192.168.50.56
03/28/2012 19:08:53.25 OSDL X 57 1993
13 6 Dest 1C6F6572D9A4 6
17 192.168.50.75 97
04070014 48 49 48 100
192.168.50.56
XID FLOOD Events
No records to display
System REXX EZACMD: trmdstat command - end - RC=0