Analyze the auditing data

Learn how to analyze the auditing data for intrusion detection activities, and obtain reference information about the fields in the IM audit record.

The following example shows an IM audit record entry with information about an intrusion event.
             Display Journal Entry

Object . . . . . . .:           Library  . . . . . .:
Member . . . . . . .:
Incomplete data  . .:   No      Minimized entry data: *NONE
Sequence . . . . . .:   5
Code . . . . . . . .:   T  - Audit trail entry
Type . . . . . . . .:   IM - Intrusion detection monitor

            Entry specific data
Column    *...+....1....+....2....+....3....+....4....+....5
00001    'P2005-06-06-15.01.32.6482729999 000009.10.11.0    '
00051    '                                  000009.10.11.255'
00101    '                         ,         ATTACK    RESTP'
00151    'ROT
The following table shows the layout of the IM audit record.

Table 1. Layout of the IM audit record

| Field | Type (format) | Description | Sample entry |
| --- | --- | --- | --- |
| Entry type | Char(1) | Potential intrusion event detected. | P |
| Time of event | TIMESTAMP | Timestamp of when the event was detected. | 2005-06-06-15.01.32.648272 |
| Detection point identifier | Char(4) | Unique identifier for the processing location that detected the intrusion event. This field is for use by service personnel. | 9999 |
| Local address family | Char(1) | Local IP address family associated with the detected event. This field is hidden and appears blank. Press F11 to display the information. | |
| Local port number | Zoned(5,0) | Local port number associated with the detected event. (A value of 00000 represents an intrusion on any port because there is no port 0.) | 00000 |
| Local IP address | Char(46) | Local IP address associated with the detected event. | 9.10.11.0 |
| Remote address family | Char(1) | Remote address family associated with the detected event. This field is hidden and appears blank. Press F11 to display the information. | |
| Remote port number | Zoned(5,0) | Remote port number associated with the detected event. | 00000 |
| Remote IP address | Char(46) | Remote IP address associated with the detected event. | 9.10.11.255 |
| Probe type identifier | Char(6) | Identifies the type of probe used to detect the potential intrusion. Possible values include: ATTACK (attack action event), TR (traffic regulation trace action event), SCANG (scan global action event), SCANE (scan event action event). | ATTACK |
| Event correlator | Char(4) | Unique identifier for this specific intrusion event. You can use this identifier to correlate this audit record with other intrusion detection information. This field is hidden and appears blank. Press F11 to display the information. | |
| Event type | Char(8) | Identifies the type of potential intrusion that was detected. The possible values include: MALFPKT (malformed packet), FLOOD (flood event), ICMPRED (Internet Control Message Protocol (ICMP) redirect), PERPECH (perpetual echo), IPFRAG (IP fragment), RESTPROT (restricted IP protocol, RESTP). | RESTP |
| Suspected packet | Char(1002) | This variable-length, binary field might contain up to the first 1000 bytes of the IP packet that is associated with the detected event. The first two bytes of this field contain the length of the suspected packet information. This field is hidden and appears blank. Press F11 to display the information. | |
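The following is an added example, not IBM code or part of this page's original content: it parses the entry-specific data of an IM audit record using the field lengths from Table 1 (offsets are the running sum of those lengths) and tallies events by remote address and event type. It assumes the character fields have already been translated from EBCDIC to ASCII bytes by some export step (an assumption), and the sample record is constructed to mirror the Display Journal Entry above, including the full RESTPROT event type that the display wraps across two rows.

```python
from collections import Counter
# Field lengths in record order, taken from Table 1 (offsets follow by summation)
IM_LAYOUT = [
    ("entry_type", 1), ("time_of_event", 26), ("detection_point", 4),
    ("local_addr_family", 1), ("local_port", 5), ("local_ip", 46),
    ("remote_addr_family", 1), ("remote_port", 5), ("remote_ip", 46),
    ("probe_type", 6), ("event_correlator", 4), ("event_type", 8),
]
PROBE_TYPES = {"ATTACK": "Attack action event", "TR": "Traffic regulation trace action event",
               "SCANG": "Scan global action event", "SCANE": "Scan event action event"}
EVENT_TYPES = {"MALFPKT": "Malformed packet", "FLOOD": "Flood event",
               "ICMPRED": "ICMP redirect", "PERPECH": "Perpetual echo",
               "IPFRAG": "IP fragment", "RESTPROT": "Restricted IP protocol"}

def parse_im_entry(data: bytes) -> dict:
    """Split the entry-specific data into named fields. Assumes the character
    fields were already translated from EBCDIC to ASCII (hypothetical export step)."""
    rec, pos = {}, 0
    for name, length in IM_LAYOUT:
        rec[name] = data[pos:pos + length].decode("ascii").strip()
        pos += length
    # Zoned(5,0) ports are numeric text; 00000 means "any port" (there is no port 0)
    for port in ("local_port", "remote_port"):
        rec[port] = int(rec[port] or "0")
    rec["probe_description"] = PROBE_TYPES.get(rec["probe_type"], "unknown")
    rec["event_description"] = EVENT_TYPES.get(rec["event_type"], "unknown")
    # Suspected packet: a 2-byte length prefix, then up to 1000 bytes of the packet
    pkt_len = int.from_bytes(data[pos:pos + 2], "big")
    rec["suspected_packet"] = data[pos + 2:pos + 2 + min(pkt_len, 1000)]
    return rec

def build_sample_entry() -> bytes:
    """Constructed entry mirroring the Display Journal Entry above (not real data)."""
    text = [("P", 1), ("2005-06-06-15.01.32.648272", 26), ("9999", 4), ("", 1),
            ("00000", 5), ("9.10.11.0", 46), ("", 1), ("00000", 5),
            ("9.10.11.255", 46), ("ATTACK", 6), ("", 4), ("RESTPROT", 8)]
    packet = bytes.fromhex("450000140001000040ff")  # constructed IP header fragment
    return ("".join(v.ljust(n) for v, n in text).encode("ascii")
            + len(packet).to_bytes(2, "big") + packet.ljust(1000, b"\x00"))

def summarize(entries) -> Counter:
    """Count events per (remote IP, event type) to spot a source that keeps
    triggering the same intrusion event across many records."""
    return Counter((e["remote_ip"], e["event_type"]) for e in entries)

if __name__ == "__main__":
    rec = parse_im_entry(build_sample_entry())
    print(rec["time_of_event"], rec["remote_ip"], rec["event_description"])
    print(summarize([rec, rec]))
```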
Related tasks
Audit intrusion detection activities