<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Analyze the auditing data" />
<meta name="abstract" content="Learn how to analyze the auditing data for intrusion detection activities, and obtain reference information about the fields in the IM audit record." />
<meta name="description" content="Learn how to analyze the auditing data for intrusion detection activities, and obtain reference information about the fields in the IM audit record." />
<meta name="DC.Relation" scheme="URI" content="rzaubkickoff.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaubeventscan.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaubeventattack.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaubaudit.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaubanalyze" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Analyze the auditing data</title>
</head>
<body id="rzaubanalyze"><a name="rzaubanalyze"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Analyze the auditing data</h1>
<div><p>Learn how to analyze the auditing data for intrusion detection activities, and obtain reference information about the fields in the IM audit record.</p>
<div class="example">The following example shows an IM audit record entry with information about an intrusion event.<pre class="screen"> <strong>Display Journal Entry</strong>

Object . . . . . . .: Library . . . . . .:
Member . . . . . . .:
Incomplete data . .: No Minimized entry data: *NONE
Sequence . . . . . .: 5
Code . . . . . . . .: T - Audit trail entry
Type . . . . . . . .: IM - Intrusion detection monitor

<strong>Entry specific data</strong>
Column *...+....1....+....2....+....3....+4....+....5.
00001 'P2005-06-06-15.01.32.6482729999 000009.10.11.0 '
00051 ' 000009.10.11.255'
00101 ' , ATTACK RESTP'
00151 'ROT</pre>
</div>
<div class="section"><div class="p">The following table shows the layout of the IM audit record.
<div class="tablenoborder"><a name="rzaubanalyze__imlay"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="rzaubanalyze__imlay" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Layout of the IM audit record</caption><thead align="left"><tr valign="bottom"><th valign="bottom" width="19.954648526077097%" id="d0e38">Field Type</th>
<th valign="bottom" width="12.925170068027212%" id="d0e40">Format</th>
<th valign="bottom" width="42.40362811791383%" id="d0e42">Description</th>
<th valign="bottom" width="24.71655328798186%" id="d0e44">Sample Entry</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Entry type</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(1)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Potential intrusion event detected.</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 "><tt class="sysout">P</tt></td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Time of event</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">TIMESTAMP</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Timestamp of when the event was detected.</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 "><tt class="sysout">2005-06-06-15.01.32.648272</tt></td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Detection point identifier</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(4)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Unique identifier for the processing location that detected the intrusion event. This field is for use by service personnel.</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 "><tt class="sysout">9999</tt></td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Local address family</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(1)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Local IP address family associated with the detected event.</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 ">This field is hidden and appears blank. Press F11 to display the information.</td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Local port number</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Zoned(5,0)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Local port number associated with the detected event. <span>(A value of <tt class="sysout">00000</tt> represents an intrusion on any port because there is no port 0.)</span></td>
<td valign="top" width="24.71655328798186%" headers="d0e44 "><tt class="sysout">00000</tt></td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Local IP address</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(46)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Local IP address associated with the detected event.</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 "><tt class="sysout">9.10.11.0</tt></td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Remote address family</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(1)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Remote address family associated with the detected event.</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 ">This field is hidden and appears blank. Press F11 to display the information.</td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Remote port number</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Zoned(5,0)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Remote port number associated with the detected event.</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 "><tt class="sysout">00000</tt></td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Remote IP address</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(46)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Remote IP address associated with the detected event.</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 "><tt class="sysout">9.10.11.255</tt></td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Probe type identifier</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(6)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Identifies the type of probe used to detect the potential intrusion. Possible values include:<dl><dt class="dlterm">ATTACK</dt>
<dd>Attack action event</dd>
<dt class="dlterm">TR</dt>
<dd>Traffic regulation trace action event</dd>
<dt class="dlterm">SCANG</dt>
<dd>Scan global action event</dd>
<dt class="dlterm">SCANE</dt>
<dd>Scan event action event</dd>
</dl>
</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 "><tt class="sysout">ATTACK</tt></td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Event correlator</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(4)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Unique identifier for this specific intrusion event. You can use this identifier to correlate this audit record with other intrusion detection information.</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 ">This field is hidden and appears blank. Press F11 to display the information.</td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Event type</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(8)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Identifies the type of potential intrusion that was detected. The possible values include:<dl><dt class="dlterm">MALFPKT</dt>
<dd>Malformed packet</dd>
<dt class="dlterm">FLOOD</dt>
<dd>Flood event</dd>
<dt class="dlterm">ICMPRED</dt>
<dd>Internet Control Message Protocol (ICMP) redirect</dd>
<dt class="dlterm">PERPECH</dt>
<dd>Perpetual echo</dd>
<dt class="dlterm">IPFRAG</dt>
<dd>IP fragment</dd>
<dt class="dlterm">RESTPROT</dt>
<dd>Restricted IP protocol (RESTP)</dd>
</dl>
</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 "><tt class="sysout">RESTP</tt></td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Suspected packet</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(1002)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">This variable-length, binary field might contain up to the first 1000 bytes of the IP packet that is associated with the detected event. The first two bytes of this field contain the length of the suspected packet information.</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 ">This field is hidden and appears blank. Press F11 to display the information.</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
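<p>As an added example (this is not IBM's code and is not part of the original page), the following Python parser reads the entry-specific data of one IM record using the field order and widths that Table 1 gives. It assumes the record has already been converted from EBCDIC to ASCII, that the two-byte length in the suspected packet field is big-endian, and that the byte offsets follow directly from the listed widths; the sample record is constructed from the table's sample values, with the hidden fields left blank.</p>

```python
import struct

# Field order and widths from Table 1 (TIMESTAMP = 26 characters, Zoned(5,0) = 5 digits).
# Deriving byte offsets directly from these widths is an assumption made for this example.
IM_FIELDS = [
    ("entry_type", 1), ("time_of_event", 26), ("detection_point", 4),
    ("local_family", 1), ("local_port", 5), ("local_ip", 46),
    ("remote_family", 1), ("remote_port", 5), ("remote_ip", 46),
    ("probe_type", 6), ("event_correlator", 4), ("event_type", 8),
]
FIXED_LEN = sum(width for _, width in IM_FIELDS)  # 153 bytes before the suspected packet


def parse_im_record(raw: bytes) -> dict:
    """Parse the entry-specific data of one IM audit record (already converted
    from EBCDIC to ASCII; an assumption) into a dict of stripped field values."""
    if len(raw) < FIXED_LEN + 2:
        raise ValueError(f"record too short: {len(raw)} bytes")
    rec, pos = {}, 0
    for name, width in IM_FIELDS:
        rec[name] = raw[pos:pos + width].decode("ascii").strip()
        pos += width
    # Suspected packet: 2-byte length (assumed big-endian), then up to the first 1000 bytes.
    (pkt_len,) = struct.unpack(">H", raw[pos:pos + 2])
    if pkt_len > 1000 or pos + 2 + pkt_len > len(raw):
        raise ValueError(f"bad suspected packet length {pkt_len}")
    rec["suspected_packet"] = raw[pos + 2:pos + 2 + pkt_len]
    # Zoned(5,0) ports are decimal digits; 00000 means the event was not tied to one port.
    for key in ("local_port", "remote_port"):
        rec[key] = int(rec[key]) if rec[key] else None
    rec["any_port"] = rec["local_port"] == 0
    return rec


def summarize(rec: dict) -> str:
    """One-line triage summary for correlating the record with other IDS output."""
    port = "any port" if rec["any_port"] else f"port {rec['local_port']}"
    return (f"{rec['time_of_event']} {rec['event_type']} via {rec['probe_type']} probe: "
            f"{rec['remote_ip']} -> {rec['local_ip']} ({port})")


def build_sample() -> bytes:
    """Constructed record using the sample values from Table 1; hidden fields are blank."""
    values = ["P", "2005-06-06-15.01.32.648272", "9999", "", "00000", "9.10.11.0",
              "", "00000", "9.10.11.255", "ATTACK", "", "RESTPROT"]
    fixed = b"".join(v.ljust(w).encode("ascii") for v, (_, w) in zip(values, IM_FIELDS))
    packet = bytes.fromhex("4500003c")  # constructed IPv4 header prefix, not from the page
    return fixed + struct.pack(">H", len(packet)) + packet
```

Calling <tt>summarize(parse_im_record(build_sample()))</tt> yields one line per record that can be matched against the scan and attack event descriptions linked below.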
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzaubeventscan.htm">Scan events</a></strong><br />
The intrusion detection system detects scans to individual ports.</li>
<li class="ulchildlink"><strong><a href="rzaubeventattack.htm">Attack events</a></strong><br />
<span>The intrusion detection system detects different types of attack events and writes an IM audit record in the QAUDJRN audit journal.</span></li>
</ul>

<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaubkickoff.htm" title="Intrusion detection involves gathering information about unauthorized access attempts and attacks coming in over the TCP/IP network. Security administrators can analyze the auditing records that intrusion detection provides to secure the iSeries network from these types of attacks.">Intrusion detection</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzaubaudit.htm" title="Learn how to audit intrusion detection activities. If the intrusion detection system (IDS) flags a suspicious event, it writes an IM audit record.">Audit intrusion detection activities</a></div>
</div>
</div>
</body>
</html>