Attack detail (-A -D) report
This report is displayed when both the -A and -D options are specified on the trmdstat command. It displays the contents of attack event records. The information presented in this report is derived from EZZ8648I and EZZ8649I syslog messages. Events are grouped by destination IP address and source IP address pair, and the groups are sorted by destination IP address. Each event occupies two lines: the first line carries the attack type, date and time, destination IP address, destination port, correlator and probe ID, and the second line carries the source IP address and source port.
>trmdstat -AD /tmp/tstlog.log
trmdstat for z/OS CS V2R4 Fri Nov 25 09:13:17 2011
Command Entered : trmdstat -AD /tmp/tstlog.log
Log Time Interval : Nov 12 04:36:51 - Nov 29 19:55:50
Stack Time Interval : Nov 12 04:36:47 - Nov 29 19:55:46
TRM Records Scanned : 227
ATTACK Events
Packets Discarded
Destination IP Address/ DestPort/
Attack Date and Time Source IP Address SrcPort Correlator ProbeID
-------- ---------------------- --------------------------------------------- --------- ---------- --------
EEPortCk 11/12/2011 04:36:47.22 192.168.105.53 12000 4 04120001
192.168.105.50 8000
EEMalfmd 11/12/2011 04:38:54.39 192.168.105.53 12000 5 04110001
192.168.105.50 12000
EEMalfmd 11/12/2011 04:39:19.41 192.168.105.53 12000 6 04110001
192.168.105.50 12000
EEMalfmd 11/12/2011 04:39:41.59 192.168.105.53 11000 7 04110001
192.168.105.50 11000
Redirect 11/12/2011 18:52:43.38 2001:db8:0:3:9:42:103:132 0 10 04040001
2001:db8::20d:60ff:fe24:32ae 0
OutRaw6 11/29/2011 19:55:46.59 2001:db8:0:3:9:42:103:132 0 70 040C0001
2001:db8::20d:60ff:fe24:32ae 0
NextHdrs 11/18/2011 16:02:47.44 2001:db8:0:3:9:42:103:132 0 31 040D0001
2001:db8:0:3:20a:5eff:fe04:8f16 0
NextHdrs 11/18/2011 16:02:53.51 2001:db8:0:3:9:42:103:132 0 32 040D0001
2001:db8:0:3:20a:5eff:fe04:8f16 0
Malform 11/13/2011 15:06:51.12 2001:db8:0:3:9:42:103:132 0 12 0401003D
2001:db8:0:3:20a:5eff:fe04:8f16 0
Malform 11/13/2011 15:06:56.80 2001:db8:0:3:9:42:103:132 0 16 0401003D
2001:db8:0:3:20a:5eff:fe04:8f16 0
Packets Would Have Been Discarded
Destination IP Address/ DestPort/
Attack Date and Time Source IP Address SrcPort Correlator ProbeID
-------- ---------------------- --------------------------------------------- --------- ---------- --------
OutRaw4 11/29/2011 19:24:27.02 192.168.0.5 0 63 04020001
192.168.101.3 0
Redirect 11/12/2011 17:27:57.30 2001:db8:0:3:9:42:103:132 0 9 04040001
2001:db8::20d:60ff:fe24:32ae 0
PerpEcho 11/14/2011 15:53:16.14 2001:db8:0:3:9:42:103:132 7 24 04080003
2001:db8::20d:60ff:fe24:32ae 7
NextHdrs 11/19/2011 14:10:01.02 2001:db8:0:3:9:42:103:132 0 38 040D0001
2001:db8:0:3:20a:5eff:fe04:8f16 0
DestOpts 11/13/2011 15:06:51.11 2001:db8:0:3:9:42:103:132 0 11 040E0001
2001:db8:0:3:20a:5eff:fe04:8f16 0
DestOpts 11/13/2011 15:06:56.80 2001:db8:0:3:9:42:103:132 0 15 040E0001
2001:db8:0:3:20a:5eff:fe04:8f16 0
HopOpts 11/13/2011 15:07:14.05 2001:db8:0:3:9:42:103:132 0 17 040F0001
2001:db8:0:3:20a:5eff:fe04:8f16 0

The following information describes the areas of the attack detail report.
- Attack
- Specifies the attack type. The values that can be displayed are:
- DataHide - Data hiding
- DestOpts - Restricted IPv6 destination option
- EELDLCCk - Enterprise Extender LDLC check
- EEMalfmd - EE malformed packet
- EEPortCk - EE source port check
- Fragment - IP Fragment
- HopOpts - Restricted IPv6 hop-by-hop option
- IPOption - Restricted IPv4 option
- IPProto - Restricted IPv4 protocol
- Malform - Malformed packet
- NextHdrs - Restricted IPv6 next header
- OutRaw4 - Outbound IPv4 Raw
- OutRaw6 - Outbound IPv6 Raw
- PerpEcho - Perpetual echo
- Redirect - ICMP redirect
- Blank - The attack type is unrecognized. It might be that the version of the z/OS® Communications Server running the trmdstat command is older than the version of z/OS Communications Server that detected the attack.
- Date and Time
- Specifies the date and time.
- Destination IP Address
- Specifies the destination IP address.
- Source IP Address
- Specifies the source IP address.
- DestPort
- Specifies the destination port.
- SrcPort
- Specifies the source port.
- Correlator
- Specifies the trace correlator.
- ProbeID
- Specifies the IDS probeID that generated this event.
- Packets Discarded
- A report section header. The events listed under it are packets that the stack discarded.
- Packets Would Have Been Discarded
- A report section header. The events listed under it are packets that were reported but not discarded; they would have been discarded had the policy called for it.
- messages suppressed
- The number of attack messages suppressed, with the attack type, date and time. This data comes from an EZZ9327I message. See The trmdstat report general concept for a detailed description.
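The two-line layout above is awkward to feed into a SIEM or a spreadsheet as it stands. The following parser is an added example, not part of the z/OS Communications Server documentation or the trmdstat tool: it pairs each event's two physical lines into one record, keeps track of which section (Packets Discarded or Packets Would Have Been Discarded) the event came from, and lists attack types that were only reported and never discarded, which is the first thing to check against the intended IDS policy action. The sample input reuses event rows from the report on this page; the row with a blank attack type and its 00000000 probe ID are constructed to exercise the unrecognized-attack case and are not real data. The function names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample of trmdstat -AD output. Event rows are copied from the
# report on this page; the row with a blank attack type is added to exercise
# the "unrecognized attack type" case (probe ID 00000000 is a placeholder).
SAMPLE_REPORT = """\
trmdstat for z/OS CS V2R4 Fri Nov 25 09:13:17 2011
TRM Records Scanned : 227
ATTACK Events
Packets Discarded
Destination IP Address/ DestPort/
Attack Date and Time Source IP Address SrcPort Correlator ProbeID
-------- ---------------------- --------------------------------------------- --------- ---------- --------
EEPortCk 11/12/2011 04:36:47.22 192.168.105.53 12000 4 04120001
         192.168.105.50 8000
Redirect 11/12/2011 18:52:43.38 2001:db8:0:3:9:42:103:132 0 10 04040001
         2001:db8::20d:60ff:fe24:32ae 0
         11/20/2011 10:00:00.00 192.168.105.53 0 40 00000000
         192.168.105.50 0
Packets Would Have Been Discarded
Destination IP Address/ DestPort/
Attack Date and Time Source IP Address SrcPort Correlator ProbeID
-------- ---------------------- --------------------------------------------- --------- ---------- --------
OutRaw4 11/29/2011 19:24:27.02 192.168.0.5 0 63 04020001
         192.168.101.3 0
Redirect 11/12/2011 17:27:57.30 2001:db8:0:3:9:42:103:132 0 9 04040001
         2001:db8::20d:60ff:fe24:32ae 0
PerpEcho 11/14/2011 15:53:16.14 2001:db8:0:3:9:42:103:132 7 24 04080003
         2001:db8::20d:60ff:fe24:32ae 7
"""

# First physical line of an event: attack type (may be blank), date, time,
# destination address and port, correlator, 8-hex-digit probe ID.
RECORD_RE = re.compile(
    r"^(?P<attack>\S+)?\s*(?P<date>\d{2}/\d{2}/\d{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+"
    r"(?P<corr>\d+)\s+(?P<probe>[0-9A-Fa-f]{8})\s*$"
)
# Second physical line: source address and port only.
CONT_RE = re.compile(r"^\s*(?P<src>\S+)\s+(?P<sport>\d+)\s*$")

@dataclass(frozen=True)
class AttackEvent:
    attack: str        # attack type; "" when trmdstat left it blank (unrecognized)
    timestamp: str     # "MM/DD/YYYY HH:MM:SS.hh" as printed
    dst_ip: str
    dst_port: int
    src_ip: str
    src_port: int
    correlator: int
    probe_id: str      # 8 hex digits, as printed
    discarded: bool    # True under "Packets Discarded", False under "Would Have Been"

def parse_attack_detail(text: str) -> List[AttackEvent]:
    """Pair the two physical lines of each event into one AttackEvent."""
    events: List[AttackEvent] = []
    discarded: Optional[bool] = None   # None until the first section header
    pending = None                     # matched first line awaiting its source line
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Packets Discarded":
            discarded, pending = True, None
            continue
        if stripped == "Packets Would Have Been Discarded":
            discarded, pending = False, None
            continue
        if discarded is None:
            continue                   # still inside the report header
        m = RECORD_RE.match(line)
        if m:
            pending = m
            continue
        m = CONT_RE.match(line)
        if m and pending is not None:
            events.append(AttackEvent(
                attack=pending["attack"] or "",
                timestamp=f"{pending['date']} {pending['time']}",
                dst_ip=pending["dst"], dst_port=int(pending["dport"]),
                src_ip=m["src"], src_port=int(m["sport"]),
                correlator=int(pending["corr"]),
                probe_id=pending["probe"].upper(), discarded=discarded))
            pending = None
    return events

def summarize_pairs(events: List[AttackEvent]) -> List[Tuple[Tuple[str, str, str, bool], int]]:
    """Event count per (dst, src, attack, discarded), most frequent first."""
    counts = Counter((e.dst_ip, e.src_ip, e.attack, e.discarded) for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def report_only_attacks(events: List[AttackEvent]) -> Set[str]:
    """Attack types seen only under 'Would Have Been Discarded': the stack
    reported them but never discarded one. Check these against the intended
    IDS policy action before assuming the traffic was blocked."""
    discarded_types = {e.attack for e in events if e.discarded}
    reported_types = {e.attack for e in events if not e.discarded}
    return reported_types - discarded_types

if __name__ == "__main__":
    evs = parse_attack_detail(SAMPLE_REPORT)
    for key, n in summarize_pairs(evs):
        print(n, *key)
    print("report-only attack types:", sorted(report_only_attacks(evs)))
```

Run it against a saved trmdstat -AD report by replacing SAMPLE_REPORT with the file contents. The parser keys on the exact section-header text and on the date/time pattern rather than on column positions, so it tolerates the whitespace changes that copy-and-paste or a different terminal width introduce; a blank attack type still parses because the leading column is optional in RECORD_RE.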