ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaub_5.4.0.1/rzaubanalyze.htm

186 lines
11 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Analyze the auditing data" />
<meta name="abstract" content="Learn how to analyze the auditing data for intrusion detection activities, and obtain reference information about the fields in the IM audit record." />
<meta name="description" content="Learn how to analyze the auditing data for intrusion detection activities, and obtain reference information about the fields in the IM audit record." />
<meta name="DC.Relation" scheme="URI" content="rzaubkickoff.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaubeventscan.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaubeventattack.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaubaudit.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaubanalyze" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Analyze the auditing data</title>
</head>
<body id="rzaubanalyze"><a name="rzaubanalyze"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Analyze the auditing data</h1>
<div><p>Learn how to analyze the auditing data for intrusion
detection activities, and obtain reference information about the fields in
the IM audit record. </p>
<div class="example">The following example shows an IM audit record entry with information
about an intrusion event.<pre class="screen"> <strong>Display Journal Entry</strong>
Object . . . . . . .: Library . . . . . .:
Member . . . . . . .:
Incomplete data . .: No Minimized entry data: *NONE
Sequence . . . . . .: 5
Code . . . . . . . .: T - Audit trail entry
Type . . . . . . . .: IM - Intrusion detection monitor
<strong>Entry specific data</strong>
Column *...+....1....+....2....+....3....+4....+....5.
00001 'P2005-06-06-15.01.32.6482729999 000009.10.11.0 '
00051 ' 000009.10.11.255'
00101 ' , ATTACK RESTP'
00151 'ROT</pre>
</div>
<div class="section"><div class="p">The following table shows the layout of the IM audit record.
<div class="tablenoborder"><a name="rzaubanalyze__imlay"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="rzaubanalyze__imlay" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Layout of the IM audit record</caption><thead align="left"><tr valign="bottom"><th valign="bottom" width="19.954648526077097%" id="d0e38">Field Type</th>
<th valign="bottom" width="12.925170068027212%" id="d0e40">Format</th>
<th valign="bottom" width="42.40362811791383%" id="d0e42">Description</th>
<th valign="bottom" width="24.71655328798186%" id="d0e44">Sample Entry</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Entry type</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(1)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Potential intrusion event detected. </td>
<td valign="top" width="24.71655328798186%" headers="d0e44 "><tt class="sysout">P</tt></td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Time of event</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">TIMESTAMP</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Timestamp of when the event was detected.</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 "><tt class="sysout">2005-06-06-15.01.32.648272</tt></td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Detection point identifier</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(4)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Unique identifier for the processing location that detected
the intrusion event. This field is for use by service personnel.</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 "><tt class="sysout">9999</tt></td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Local address family</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(1)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Local IP address family associated with the detected
event. </td>
<td valign="top" width="24.71655328798186%" headers="d0e44 ">This field is hidden and appears blank. Press F11
to display the information.</td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Local port number</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Zoned(5,0)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Local port number associated with the detected event. <span>(A value of <tt class="sysout">00000</tt> represents an
intrusion on any port because there is no port 0.) </span></td>
<td valign="top" width="24.71655328798186%" headers="d0e44 "><tt class="sysout">00000</tt></td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Local IP address</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(46)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Local IP address associated with the detected event.</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 "><tt class="sysout">9.10.11.0</tt></td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Remote address family</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(1)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Remote address family associated with the detected event.</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 ">This field is hidden and appears blank. Press F11
to display the information.</td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Remote port number</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Zoned(5,0)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Remote port number associated with the detected event.</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 "><tt class="sysout">00000</tt></td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Remote IP address</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(46)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Remote IP address associated with the detected event.</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 "><tt class="sysout">9.10.11.255</tt></td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Probe type identifier</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(6)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Identifies the type of probe used to detect the potential
intrusion. Possible values include:<dl><dt class="dlterm">ATTACK</dt>
<dd>Attack action event</dd>
<dt class="dlterm">TR</dt>
<dd>Traffic regulation trace action event</dd>
<dt class="dlterm">SCANG</dt>
<dd>Scan global action event</dd>
<dt class="dlterm">SCANE</dt>
<dd>Scan event action event</dd>
</dl>
</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 "><tt class="sysout">ATTACK</tt></td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Event correlator</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(4)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Unique identifier for this specific intrusion event.
You can use this identifier to correlate this audit record with other intrusion
detection information.</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 ">This field is hidden and appears blank. Press F11
to display the information.</td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Event type</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(8)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">Identifies the type of potential intrusion that was
detected. The possible values include:<dl><dt class="dlterm">MALFPKT</dt>
<dd>Malformed packet</dd>
<dt class="dlterm">FLOOD</dt>
<dd>Flood event</dd>
<dt class="dlterm">ICMPRED</dt>
<dd>Internet Control Message Protocol (ICMP) redirect</dd>
<dt class="dlterm">PERPECH</dt>
<dd>Perpetual echo</dd>
<dt class="dlterm">IPFRAG</dt>
<dd>IP fragment</dd>
<dt class="dlterm">RESTPROT</dt>
<dd>Restricted IP protocol (RESTP)</dd>
</dl>
</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 "><tt class="sysout">RESTP</tt></td>
</tr>
<tr><td valign="top" width="19.954648526077097%" headers="d0e38 ">Suspected packet</td>
<td valign="top" width="12.925170068027212%" headers="d0e40 ">Char(1002)</td>
<td valign="top" width="42.40362811791383%" headers="d0e42 ">This variable-length, binary field might contain up
to the first 1000 bytes of the IP packet that is associated with the detected
event. The first two bytes of this field contain the length of the suspected
packet information.</td>
<td valign="top" width="24.71655328798186%" headers="d0e44 ">This field is hidden and appears blank. Press F11
to display the information.</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzaubeventscan.htm">Scan events</a></strong><br />
The intrusion detection system detects scans to individual ports.</li>
<li class="ulchildlink"><strong><a href="rzaubeventattack.htm">Attack events</a></strong><br />
<span>The intrusion detection system detects different
types of attack events and writes an IM audit record in the QAUDJRN audit
journal.</span></li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaubkickoff.htm" title="Intrusion detection involves gathering information about unauthorized access attempts and attacks coming in over the TCP/IP network. Security administrators can analyze the auditing records that intrusion detection provides to secure the iSeries network from these types of attacks.">Intrusion detection</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzaubaudit.htm" title="Learn how to audit intrusion detection activities. If the intrusion detection system (IDS) flags a suspicious event, it writes an IM audit record.">Audit intrusion detection activities</a></div>
</div>
</div>
</body>
</html>