You are on page 1of 28

www.newera.

com

The Intrusion Detection Service (IDS) Policy Management Project A NewEra Software, Inc. White Paper July-August, 2012

Table of Contents:
Project Introduction: ..........................................................................................................................2 IDS Configuration .................................................................................................................................4 Penetration Testing .............................................................................................................................6 Extended Analytics ..............................................................................................................................8 Appendices .............................................................................................................................................9
PAGENT configuration file contents ....................................................................................................... 9 Policy configuration file contents ........................................................................................................... 9 SYSLOGD entries ......................................................................................................................................... 25 Extended Analytics Reports .................................................................................................................... 26

Project Introduction:
Policy-based networking is documented in Chapter 16 Policy-based networking of z/OS Communications Server IP Configuration Guide Version 1 Release 13 Document Number SC31-8775-19 and in Chapter 22 Policy Agent and policy applications of z/OS Communications Server IP Configuration Reference Version 1 Release 13 Document Number SC31-8776-20 Describes the mechanism for defining business objectives in a collection of network behavior policy metrics which control network operation and the capture of network events. A detailed description of IDS features and operation is found in Chapter 18 of the Guide. A detailed stepwise procedure for creating and installing a sample IDS policy can be found in Chapter 13 of the IBM z/OS V1R13 Communications Server TCP/IP Implementation: Volume 4 Security and Policy-Based Networking Redbook. The purpose of this presentation is to demonstrate how NewEra Event Detection services can be used in conjunction with an active IDS policy to capture and report on IDS events in a Netview-like fashion, but without the necessity of an installed Netview infrastructure. NewEras Event Detector captures the output from the D TCPIP,,NETSTAT,IDS operator command. Issuance of this command prior to commencing configuration activities confirmed a nonexistent policy: EZZ2500I NETSTAT CS V1R13 TCPIP 735 INTRUSION DETECTION SERVICES SUMMARY: SCAN DETECTION: GLOBRULENAME: *NONE* ICMPRULENAME: *NONE* TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 0 SRCIPSTRKD: 0 STRGLEV: 00000 ATTACK DETECTION: MALFORMED PACKETS PLCRULENAME: *NONE* TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 0 OUTBOUND RAW RESTRICTIONS PLCRULENAME: *NONE* TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 0 RESTRICTED PROTOCOLS PLCRULENAME: *NONE* TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 0 RESTRICTED IP OPTIONS PLCRULENAME: *NONE* TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 0 2

ICMP REDIRECT RESTRICTIONS PLCRULENAME: *NONE* TOTDETECTED: 0 DETCURRINT: 0 IP FRAGMENT RESTRICTIONS PLCRULENAME: *NONE* TOTDETECTED: 0 DETCURRINT: 0 UDP PERPETUAL ECHO PLCRULENAME: *NONE* TOTDETECTED: 0 DETCURRINT: 0 FLOODS PLCRULENAME: *NONE* TOTDETECTED: 0 DETCURRINT: 0 DATA HIDING PLCRULENAME: *NONE* TOTDETECTED: 0 DETCURRINT: 0 TCP QUEUE SIZE PLCRULENAME: *NONE* TOTDETECTED: 0 DETCURRINT: 0 GLOBAL TCP STALL PLCRULENAME: *NONE* TOTDETECTED: 0 DETCURRINT: 0 EE LDLC CHECK PLCRULENAME: *NONE* TOTDETECTED: 0 DETCURRINT: 0 EE MALFORMED PACKETS PLCRULENAME: *NONE* TOTDETECTED: 0 DETCURRINT: 0 EE PORT CHECK PLCRULENAME: *NONE* TOTDETECTED: 0 DETCURRINT: 0 EE XID FLOOD PLCRULENAME: *NONE* TOTDETECTED: 0 DETCURRINT: 0 TRAFFIC REGULATION: TCP CONNREJECTED: 0 UDP PCKDISCARDED: 0 ACTIVE GLOBAL CONDITIONS: SERVERSINCONNFLOOD: 0

DETCURRPLC: 0 INTERVAL: 0 DETCURRPLC: 0 INTERVAL: 0 DETCURRPLC: 0 INTERVAL: 0 DETCURRPLC: 0 INTERVAL: 0 DETCURRPLC: 0 INTERVAL: 0 DETCURRPLC: 0 INTERVAL: 0 DETCURRPLC: 0 INTERVAL: 0 DETCURRPLC: 0 INTERVAL: 0 DETCURRPLC: 0 INTERVAL: 0 DETCURRPLC: 0 INTERVAL: 0 DETCURRPLC: 0 INTERVAL: 0 PLCACTIVE: N PLCACTIVE: N

TCPSTALLEDCONNS: 0

TCPSTALLEDCONNSPCT: 0

IDS Configuration
The initial step involves the creation of an IDS policy configuration file using either z/OSMF Configuration Assistant, or the PC-based V1R13 IBM Configuration Assistant for z/OS Communications Server tool (herein dubbed PCCA). PCCA was selected for this exercise, downloaded via the link above, and installed. The detailed procedure in Chapter 13 of the Redbook referenced above should be followed to create the policy configuration file. The Redbook procedure uses z/OSMF, but the process is effectively identical for PCCA. At the conclusion of the procedure, PCCA had created an IDS policy configuration file, with sample default specifications. PCCA provides an FTP service, which was invoked to upload the file to the target z/OS host at default location /etc/cfgasst/v1r13/imagename/stackname/idsPol The next step involved the creation of a policy agent (PAGENT) configuration file (PACF) pointing to the idsPol file above. PACF file /etc/cfgasst/v1r13/imagename/stackname/policyConfig was created with OEDIT, containing the following line: IDSConfig /etc/cfgasst/v1r13/imagename/stackname/idsPol FLUSH Additional entries were added to the PACF file for desired components, e.g. TRMD and IKED, as shown in Appendix A. Started task PAGENT was configured on the host using the sample supplied in TCPIP.SEZAINST(EZAPAGSP). The STDENV DD file in PAGENT was populated according to Redbook recommendations. The following line was added to the STDENV DD file: PAGENT_CONFIG_FILE=/etc/cfgasst/v1r13/imagename/stackname/policyConfig PAGENT was started via S PAGENT. EZZ8431I EZZ8432I EZZ8771I EZD1586I PAGENT PAGENT PAGENT PAGENT The following messages were issued:

STARTING INITIALIZATION COMPLETE CONFIG POLICY PROCESSING COMPLETE FOR TCPIP : IDS HAS INSTALLED ALL LOCAL POLICIES FOR TCPIP

D TCPIP,,NETSTAT,IDS now displayed: EZZ2500I NETSTAT CS V1R13 TCPIP 535 INTRUSION DETECTION SERVICES SUMMARY: SCAN DETECTION: 4

GLOBRULENAME: SCANGLOBAL ICMPRULENAME: ICMP 1 TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 30 SRCIPSTRKD: 0 STRGLEV: 00000 ATTACK DETECTION: MALFORMED PACKETS PLCRULENAME: MALFORMEDPACKET TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 60 OUTBOUND RAW RESTRICTIONS PLCRULENAME: IPV4OUTBOUNDRAW TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 60 RESTRICTED PROTOCOLS PLCRULENAME: IPV4PROTOCOL TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 60 RESTRICTED IP OPTIONS PLCRULENAME: IPV4OPTION TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 60 ICMP REDIRECT RESTRICTIONS PLCRULENAME: ICMPREDIRECT TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 60 IP FRAGMENT RESTRICTIONS PLCRULENAME: IPV4FRAGMENTATION TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 60 UDP PERPETUAL ECHO PLCRULENAME: ECHO TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 60 FLOODS PLCRULENAME: FLOOD TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 60 DATA HIDING PLCRULENAME: DATAHIDING TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 60 TCP QUEUE SIZE PLCRULENAME: TCPQUEUESIZE TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 60 GLOBAL TCP STALL PLCRULENAME: GLOBALTCPSTALL TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 60 EE LDLC CHECK 5

PLCRULENAME: EELDLCCHECK TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 60 EE MALFORMED PACKETS PLCRULENAME: EEMALFORMEDPACKET TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 60 EE PORT CHECK PLCRULENAME: EEPORTCHECK TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 60 EE XID FLOOD PLCRULENAME: EEXIDFLOOD TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 60 TRAFFIC REGULATION: TCP CONNREJECTED: 0 PLCACTIVE: Y UDP PCKDISCARDED: 0 PLCACTIVE: N ACTIVE GLOBAL CONDITIONS: SERVERSINCONNFLOOD: 0 TCPSTALLEDCONNS: 0 TCPSTALLEDCONNSPCT: 0

Penetration Testing
Policy efficacy validation using a PC-based network penetration testing tool (Advanced Port Scanner V1.3) against the z/OS ports triggered the following messages: EZZ8761I EZZ8730I EZZ8762I EZZ8766I EZZ8767I IDS EVENT DETECTED 638 STACK TCPIP EVENT TYPE: FAST SCAN DETECTED IDS RULE ScanGlobal IDS ACTION ScanGlobalAction

D TCPIP,,NETSTAT,IDS now displayed (with updates highlighted): EZZ2500I NETSTAT CS V1R13 TCPIP 640 INTRUSION DETECTION SERVICES SUMMARY: SCAN DETECTION: GLOBRULENAME: SCANGLOBAL ICMPRULENAME: ICMP 1 TOTDETECTED: 1 DETCURRPLC: 1 DETCURRINT: 0 INTERVAL: 30 SRCIPSTRKD: 0 STRGLEV: 00000M ATTACK DETECTION: MALFORMED PACKETS PLCRULENAME: MALFORMEDPACKET TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 60 6

OUTBOUND RAW RESTRICTIONS PLCRULENAME: IPV4OUTBOUNDRAW TOTDETECTED: 0 DETCURRPLC: DETCURRINT: 0 INTERVAL: RESTRICTED PROTOCOLS PLCRULENAME: IPV4PROTOCOL TOTDETECTED: 0 DETCURRPLC: DETCURRINT: 0 INTERVAL: RESTRICTED IP OPTIONS PLCRULENAME: IPV4OPTION TOTDETECTED: 0 DETCURRPLC: DETCURRINT: 0 INTERVAL: ICMP REDIRECT RESTRICTIONS PLCRULENAME: ICMPREDIRECT TOTDETECTED: 0 DETCURRPLC: DETCURRINT: 0 INTERVAL: IP FRAGMENT RESTRICTIONS PLCRULENAME: IPV4FRAGMENTATION TOTDETECTED: 0 DETCURRPLC: DETCURRINT: 0 INTERVAL: UDP PERPETUAL ECHO PLCRULENAME: ECHO TOTDETECTED: 0 DETCURRPLC: DETCURRINT: 0 INTERVAL: FLOODS PLCRULENAME: FLOOD TOTDETECTED: 1 DETCURRPLC: DETCURRINT: 1 INTERVAL: DATA HIDING PLCRULENAME: DATAHIDING TOTDETECTED: 0 DETCURRPLC: DETCURRINT: 0 INTERVAL: TCP QUEUE SIZE PLCRULENAME: TCPQUEUESIZE TOTDETECTED: 0 DETCURRPLC: DETCURRINT: 0 INTERVAL: GLOBAL TCP STALL PLCRULENAME: GLOBALTCPSTALL TOTDETECTED: 0 DETCURRPLC: DETCURRINT: 0 INTERVAL: EE LDLC CHECK PLCRULENAME: EELDLCCHECK TOTDETECTED: 0 DETCURRPLC: DETCURRINT: 0 INTERVAL: EE MALFORMED PACKETS PLCRULENAME: EEMALFORMEDPACKET TOTDETECTED: 0 DETCURRPLC: DETCURRINT: 0 INTERVAL: EE PORT CHECK PLCRULENAME: EEPORTCHECK TOTDETECTED: 0 DETCURRPLC:

0 60 0 60 0 60 0 60 0 60 0 60 1 60 0 60 0 60 0 60 0 60 0 60 0 7

DETCURRINT: 0 INTERVAL: 60 EE XID FLOOD PLCRULENAME: EEXIDFLOOD TOTDETECTED: 0 DETCURRPLC: 0 DETCURRINT: 0 INTERVAL: 60 TRAFFIC REGULATION: TCP CONNREJECTED: 0 PLCACTIVE: Y UDP PCKDISCARDED: 0 PLCACTIVE: N ACTIVE GLOBAL CONDITIONS: SERVERSINCONNFLOOD: 0 TCPSTALLEDCONNS: 0 TCPSTALLEDCONNSPCT: 0 ACTIVE INTERFACE FLOODS: INTFNAME: OSDL DISCARDCNT: 1000 DISCARDRATE: 99 DURATION: 57 The configuration described above is applicable across multiple IP stacks deployed on the underlying LPAR. PAGENT also supports individual customizations for such stacks. In this scenario, the PAGENT configuration file described above would contain multiple TcpImage statements identifying each stack, pointing to multiple individual policy configuration files, each customized for its associated stack, e.g. TcpImage TCPIPA /etc/pagent.sc32.tcpipa.conf TcpImage TCPIPB /etc/pagent.sc32.tcpipb.conf A detailed description appears in Chapter 4 of the Redbook.

Extended Analytics
In the PCCA Scans section of the Requirement Map definition, Default Report Settings for Scans provides the option to log to SYSLOGD. When this is enabled, IDS logging is directed to TRMD directories and files specified in /etc/syslog.conf, which is the SYSLOGD configuration file. SYSLOGD details can be found in Chapter 1 of z/OS V1R13 Communications Server TCP/IP Implementation: Volume 2 Standard Applications. Examples of the additional syslog.conf entries are found in Appendix C of this document. Subsequently, the EZACMD TRMDSTAT command can be issued from the console to produce detailed analytical reports which are displayed upon the console, and thus capturable by New Era Detector interfaces. Examples of the EZACMD TRMDSTAT commands and outputs are found in Appendix D of this document. Depending upon the RACF authorization and privilege levels of the userIDs and environments from which EZACMD is to be issued, it may be necessary to explicitly define additional security resources. The requisite procedures are described in section 2.6.5 EZACMD console command security of the Redbook.

Appendices
PAGENT configuration file contents
IDSConfig /etc/cfgasst/v1r13/ESSD6/ESSD6/idsPol PURGE AutoMonitorParms { MonitorInterval 10 RetryLimitCount 5 RetryLimitPeriod 600 } AutoMonitorApps { AppName TRMD { TcpImageName TCPIP { Procname POLPROC Jobname TRMD } } AppName IKED { Procname POLPROC Jobname IKED } }

Policy configuration file contents


## ## IDS Policy Agent Configuration file for: ## Image: ESSD6 ## Stack: ESSD6 ## ## Created by the IBM Configuration Assistant for z/OS Communications Server ## Version 1 Release 13 ## Backing Store = C:\IBM\zCSConfigAssist\V1R13\saveData ## FTP History: ## 2012-03-23 19:39:52 : essjgr1 to 192.168.50.56 ## 2012-03-23 18:37:43 : essjgr1 to 192.168.50.56 ## 2012-03-21 19:17:02 : essjgr1 to 192.168.50.56 ## ## End of Configuration Assistant information IDSRule { ConditionType DataHiding Attack 9

IDSAttackCondition { AttackType OptionPadChk IcmpEmbedPktChk } IDSActionRef } IDSRule { ConditionType IDSAttackCondition { AttackType ProtocolGroupRef } IDSActionRef }

DATA_HIDING Enable Enable DataHiding IPv6OutboundRaw Attack OUTBOUND_RAW_IPv6 IpProtGroup~1 IPv6OutboundRaw

IDSRule IPv6DestinationOptions { ConditionType Attack IDSAttackCondition { AttackType RESTRICTED_IPV6_DST_OPTIONS RestrictedIpv6OptionGroupRef IpOptGroup~1 } IDSActionRef IPv6DestinationOptions } IDSRule IPv6HopByHop { ConditionType Attack IDSAttackCondition { AttackType RESTRICTED_IPV6_HOP_OPTIONS RestrictedIpv6OptionGroupRef IpOptGroup~2 } IDSActionRef IPv6HopByHop } IDSRule { ConditionType IDSAttackCondition { AttackType IPv6NextHdrGroupRef } IDSActionRef IPv6NextHeader Attack RESTRICTED_IPV6_NEXT_HDR IPv6NextHdrGroup~1 IPv6NextHeader 10

} IDSRule { ConditionType IDSAttackCondition { AttackType TcpQueueSize } IDSActionRef } IDSRule { ConditionType IDSAttackCondition { AttackType } IDSActionRef } IDSRule { ConditionType IDSAttackCondition { AttackType IfcFloodMinDiscard IfcFloodPercentage } IDSActionRef } IDSRule { ConditionType IDSAttackCondition { AttackType LocalPortGroupRef RemotePortGroupRef } IDSActionRef } IDSRule { ConditionType IDSAttackCondition TcpQueueSize Attack TCP_QUEUE_SIZE Short TcpQueueSize GlobalTCPStall Attack GLOBAL_TCP_STALL GlobalTCPStall Flood Attack FLOOD 1000 10 Flood Echo Attack PERPETUAL_ECHO LocalEchoPortGroup~1 RemoteEchoPortGroup~1 Echo IPv4Protocol Attack

11

{ AttackType ProtocolGroupRef } IDSActionRef } IDSRule IPv4Option { ConditionType Attack IDSAttackCondition { AttackType RESTRICTED_IP_OPTIONS RestrictedIpOptionGroupRef IpOptGroup~3 } IDSActionRef IPv4Option } IDSRule { ConditionType IDSAttackCondition { AttackType } IDSActionRef } IDSRule { ConditionType IDSAttackCondition { AttackType } IDSActionRef } IDSRule { ConditionType IDSAttackCondition { AttackType ProtocolGroupRef } IDSActionRef } IDSRule { ICMPRedirect Attack ICMP_REDIRECT ICMPRedirect MalformedPacket Attack MALFORMED_PACKET MalformedPacket IPv4OutboundRaw Attack OUTBOUND_RAW IpProtGroup~3 IPv4OutboundRaw IPv4Fragmentation RESTRICTED_IP_PROTOCOL IpProtGroup~2 IPv4Protocol

12

ConditionType IDSAttackCondition { AttackType } IDSActionRef } IDSRule { ConditionType IDSAttackCondition { AttackType } IDSActionRef } IDSRule { ConditionType IDSAttackCondition { AttackType } IDSActionRef } IDSRule { ConditionType IDSAttackCondition { AttackType } IDSActionRef } IDSRule { ConditionType IDSAttackCondition { AttackType EEXIDTimeOut } IDSActionRef } IDSAction {

Attack IP_FRAGMENT IPv4Fragmentation EEMalformedPacket Attack EE_MALFORMED_PACKET EEMalformedPacket EELDLCCheck Attack EE_LDLC_CHECK EELDLCCheck EEPortCheck Attack EE_PORT_CHECK EEPortCheck EEXIDFlood Attack EE_XID_FLOOD 100 EEXIDFlood DataHiding

13

ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval } } IDSAction { ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval } } IDSAction { ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval } } IDSAction { ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval } } IDSAction

Attack nodiscard LOG 4 STATISTICS Normal 60

IPv6OutboundRaw Attack nodiscard LOG 4 STATISTICS Normal 60

IPv6DestinationOptions Attack nodiscard LOG 4 STATISTICS Normal 60

IPv6HopByHop Attack nodiscard LOG 4 STATISTICS Normal 60

IPv6NextHeader 14

{ ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval } } IDSAction { ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval } } IDSAction { ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval } } IDSAction { ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval } } TcpQueueSize Attack noresetconn LOG 4 STATISTICS Normal 60 Attack nodiscard LOG 4 STATISTICS Normal 60

GlobalTCPStall Attack noresetconn LOG 4 STATISTICS Normal 60

Flood Attack discard LOG 4 STATISTICS Normal 60

15

IDSAction { ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval } } IDSAction { ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval } } IDSAction { ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval } } IDSAction { ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval } }

Echo Attack nodiscard LOG 4 STATISTICS Normal 60

IPv4Protocol Attack nodiscard LOG 4 STATISTICS Normal 60

IPv4Option Attack nodiscard LOG 4 STATISTICS Normal 60

ICMPRedirect Attack nodiscard LOG 4 STATISTICS Normal 60

16

IDSAction { ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval } } IDSAction { ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval } } IDSAction { ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval } } IDSAction { ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval }

MalformedPacket Attack discard LOG 4 STATISTICS Normal 60

IPv4OutboundRaw Attack nodiscard LOG 4 STATISTICS Normal 60

IPv4Fragmentation Attack nodiscard LOG 4 STATISTICS Normal 60

EEMalformedPacket Attack nodiscard LOG 4 STATISTICS Normal 60

17

} IDSAction { ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval } } IDSAction { ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval } } IDSAction { ActionType IDSReportSet { TypeActions LoggingLevel TypeActions StatType StatInterval } } IpProtocolGroup { IpProtocolRangeRef IpProtocolRangeRef IpProtocolRangeRef IpProtocolRangeRef } IpProtocolGroup { IpProtocolRangeRef IpProtocolRangeRef EELDLCCheck Attack nodiscard LOG 4 STATISTICS Normal 60

EEPortCheck Attack nodiscard LOG 4 STATISTICS Normal 60

EEXIDFlood Attack nodiscard LOG 4 STATISTICS Normal 60 IpProtGroup~1 IpProtRange~1 IpProtRange~2 IpProtRange~3 IpProtRange~4 IpProtGroup~2 IpProtRange~5 IpProtRange~6 18

IpProtocolRangeRef IpProtocolRangeRef IpProtocolRangeRef IpProtocolRangeRef IpProtocolRangeRef IpProtocolRangeRef IpProtocolRangeRef } IpProtocolGroup { IpProtocolRangeRef IpProtocolRangeRef IpProtocolRangeRef IpProtocolRangeRef } IpProtocolRange { IpProtocol } IpProtocolRange { IpProtocol } IpProtocolRange { IpProtocol } IpProtocolRange { IpProtocol } IpProtocolRange { IpProtocol } IpProtocolRange { IpProtocol } IpProtocolRange { IpProtocol } IpProtocolRange { IpProtocol } IpProtocolRange { IpProtocol }

IpProtRange~7 IpProtRange~8 IpProtRange~9 IpProtRange~10 IpProtRange~11 IpProtRange~12 IpProtRange~13 IpProtGroup~3 IpProtRange~14 IpProtRange~15 IpProtRange~16 IpProtRange~17 IpProtRange~1 0 16 IpProtRange~2 18 57 IpProtRange~3 59 88 IpProtRange~4 90 255 IpProtRange~5 0 0 IpProtRange~6 3 3 IpProtRange~7 5 5 IpProtRange~8 7 16 IpProtRange~9 18 45

19

IpProtocolRange { IpProtocol } IpProtocolRange { IpProtocol } IpProtocolRange { IpProtocol } IpProtocolRange { IpProtocol } IpProtocolRange { IpProtocol } IpProtocolRange { IpProtocol } IpProtocolRange { IpProtocol } IpProtocolRange { IpProtocol } IpOptionGroup { IpOptionRangeRef IpOptionRangeRef IpOptionRangeRef IpOptionRangeRef IpOptionRangeRef } IpOptionGroup { IpOptionRangeRef IpOptionRangeRef IpOptionRangeRef IpOptionRangeRef IpOptionRangeRef } IpOptionGroup { IpOptionRangeRef

IpProtRange~10 48 49 IpProtRange~11 52 88 IpProtRange~12 90 93 IpProtRange~13 95 255 IpProtRange~14 0 0 IpProtRange~15 2 16 IpProtRange~16 18 88 IpProtRange~17 90 255 IpOptGroup~1 IpOptRange~1 IpOptRange~2 IpOptRange~3 IpOptRange~4 IpOptRange~5 IpOptGroup~2 IpOptRange~6 IpOptRange~7 IpOptRange~8 IpOptRange~9 IpOptRange~10 IpOptGroup~3 IpOptRange~11 20

IpOptionRangeRef IpOptionRangeRef IpOptionRangeRef IpOptionRangeRef } IpOptionRange { IpOption } IpOptionRange { IpOption } IpOptionRange { IpOption } IpOptionRange { IpOption } IpOptionRange { IpOption } IpOptionRange { IpOption } IpOptionRange { IpOption } IpOptionRange { IpOption } IpOptionRange { IpOption } IpOptionRange { IpOption } IpOptionRange { IpOption } IpOptionRange {

IpOptRange~12 IpOptRange~13 IpOptRange~14 IpOptRange~15 IpOptRange~1 2 3 IpOptRange~2 8 137 IpOptRange~3 139 193 IpOptRange~4 195 200 IpOptRange~5 202 255 IpOptRange~6 2 3 IpOptRange~7 8 137 IpOptRange~8 139 193 IpOptRange~9 195 200 IpOptRange~10 202 255 IpOptRange~11 2 6 IpOptRange~12

21

IpOption 8 67 } IpOptionRange IpOptRange~13 { IpOption 69 81 } IpOptionRange IpOptRange~14 { IpOption 83 147 } IpOptionRange IpOptRange~15 { IpOption 149 255 } IPv6NextHdrGroup IPv6NextHdrGroup~1 { IPv6NextHdrRangeRef IPv6NextHdrRange~1 IPv6NextHdrRangeRef IPv6NextHdrRange~2 IPv6NextHdrRangeRef IPv6NextHdrRange~3 IPv6NextHdrRangeRef IPv6NextHdrRange~4 IPv6NextHdrRangeRef IPv6NextHdrRange~5 IPv6NextHdrRangeRef IPv6NextHdrRange~6 IPv6NextHdrRangeRef IPv6NextHdrRange~7 IPv6NextHdrRangeRef IPv6NextHdrRange~8 IPv6NextHdrRangeRef IPv6NextHdrRange~9 } IPv6NextHdrRange IPv6NextHdrRange~1 { IPv6NextHdr 1 5 } IPv6NextHdrRange IPv6NextHdrRange~2 { IPv6NextHdr 7 16 } IPv6NextHdrRange IPv6NextHdrRange~3 { IPv6NextHdr 18 40 } IPv6NextHdrRange IPv6NextHdrRange~4 { IPv6NextHdr 42 42 } IPv6NextHdrRange IPv6NextHdrRange~5 { IPv6NextHdr 45 49 } IPv6NextHdrRange IPv6NextHdrRange~6 { IPv6NextHdr 52 57 } IPv6NextHdrRange IPv6NextHdrRange~7 22

{ IPv6NextHdr 61 88 } IPv6NextHdrRange IPv6NextHdrRange~8 { IPv6NextHdr 90 134 } IPv6NextHdrRange IPv6NextHdrRange~9 { IPv6NextHdr 136 255 } PortGroup LocalEchoPortGroup~1 { PortRange { Port 7 } PortRange { Port 13 } PortRange { Port 17 } PortRange { Port 19 } } PortGroup RemoteEchoPortGroup~1 { PortRange { Port 7 } PortRange { Port 13 } PortRange { Port 17 } PortRange { Port 19 } } IDSRule All_Well-Known_TCP~1 23

{ Priority ConditionType IDSScanEventCondition { Sensitivity Protocol LocalPortRange } IDSActionRef } IDSRule { Priority ConditionType IDSScanEventCondition { Sensitivity Protocol LocalPortRange } IDSActionRef } IDSRule { Priority ConditionType IDSScanEventCondition { Sensitivity Protocol } IDSActionRef } IDSRule { ConditionType IDSScanGlobalCondition { FSInterval FSThreshold SSInterval SSThreshold } IDSActionRef } IDSAction All_Well-Known_UDP~1 64990 ScanEvent MEDIUM UDP 1-1023 ScanAction ICMP~1 64980 ScanEvent HIGH ICMP ScanAction ScanGlobal ScanGlobal 1 5 120 10 ScanGlobalAction ScanAction 24 65000 ScanEvent MEDIUM TCP 1-1023 ScanAction

{ Actiontype } IDSAction { ActionType IDSReportSet { TypeActions } } IDSRule { Priority ConditionType IDSTRCondition { LocalPortRange Protocol TRtcpTotalConnections TRtcpPercentage TRtcpLimitScope } IDSActionRef } IDSAction { ActionType IDSReportSet { TypeActions LogDetail LoggingLevel TypeActions StatType StatInterval } } ScanGlobalAction ScanGlobal CONSOLE ScanEvent count

All_Well-Known_TCP1~1 65000 TR 1-1023 TCP 65535 100 PORT_INSTANCE All_Well-Known_TCP1 All_Well-Known_TCP1 TR limit LOG No 4 STATISTICS Normal 60

SYSLOGD entries
*.TRMD*.*.* /var/syslog/%Y/%m/%d/trmd.log -F 640 -D 770 *.PAGENT*.*.* /var/syslog/%Y/%m/%d/pagent.log -F 640 -D 770 *.IKE*.*.* /var/syslog/%Y/%m/%d/inetd.log -F 640 -D 770 *.SYSLOGD*.*.* /var/syslog/%Y/%m/%d/syslogd.log -F 640 -D 770

25

Extended Analytics Reports


F AXR,EZACMD TRMDSTAT -I '/var/syslog/2012/03/28/trmd.log' System REXX EZACMD: trmdstat command - start - userID=ESSJGR1 System REXX EZACMD: trmdstat -I /var/syslog/2012/03/28/trmd.log trmdstat for z/OS CS V1R13 Wed Mar 28 19:11:46 2012 Command Entered Log Time Interval Stack Time Interval TRM Records Scanned : : : : trmdstat -I /var/syslog/2012/03/28/trmd.log Mar 28 19:07:55 - Mar 28 19:08:55 Mar 28 19:07:52 - Mar 28 19:08:53 12

TCP - Traffic Regulation -----------------------------------------------Connections would have been refused : 0 Connections refused : 0 Constrained Constrained Constrained Constrained entry logged exit logged entry exit : : : : : : 0 0 0 0 0 0

QOS exceptions logged QOS exceptions made

UDP - Traffic Regulation -----------------------------------------------Constrained entry logged : 0 Constrained exit logged : 0 Constrained entry : 0 Constrained exit : 0 SCAN Detection -----------------------------------------------Threshold exceeded : 2 Detection delayed : 0 Storage constrained entry : 0 Storage constrained exit : 0 ATTACK Detection -----------------------------------------------Packet would have been discarded : 0 Packet discarded : 0 FLOOD Detection -----------------------------------------------Accept queue expanded : 0 SYN flood start : 0 SYN flood end : 0 Interface flood start : 2 Interface flood end : 2 26

EE XID flood start EE XID flood end

: :

0 0

Global TCP Stall Detection -----------------------------------------------Global TCP stall entry : 0 Global TCP stall exit : 0 Connections would have been reset : 0 Connections reset : 0 TCP Queue Size Detection -----------------------------------------------Send queue Constrained entry : 0 Constrained exit : 0 Connections reset : 0 Receive queue Constrained entry : 0 Constrained exit : 0 Connections reset : 0 Out-of-order queue Constrained entry : 0 Constrained exit : 0 Connections reset : 0 System REXX EZACMD: trmdstat command - end - RC=0 F AXR,EZACMD TRMDSTAT -ND '/var/syslog/2012/03/28/trmd.log' System REXX EZACMD: trmdstat command - start - userID=ESSJGR1 System REXX EZACMD: trmdstat -ND /var/syslog/2012/03/28/trmd.log trmdstat for z/OS CS V1R13 Wed Mar 28 19:16:01 2012 Command Entered Log Time Interval Stack Time Interval TRM Records Scanned : : : : trmdstat -ND /var/syslog/2012/03/28/trmd.log Mar 28 19:08:25 - Mar 28 19:08:25 Mar 28 19:08:06 - Mar 28 19:08:06 22 SCAN Date and Time Suspicion Level Events

Source IP Address Type Correlator

Very Possibly Normal ---------------------- ------------------------------------------------------ ---------- ---------- ---- ---------03/28/2012 19:08:06.26 192.168.50.31 0 9 1 F 12 03/28/2012 19:08:06.26 192.168.50.31 0 9 1 F 12

27

System REXX EZACMD: trmdstat command - end - RC=0 F AXR,EZACMD TRMDSTAT -FD '/var/syslog/2012/03/28/trmd.log' System REXX EZACMD: trmdstat command - start - userID=ESSJGR1 System REXX EZACMD: trmdstat -FD /var/syslog/2012/03/28/trmd.log trmdstat for z/OS CS V1R13 Wed Mar 28 19:18:02 2012 Command Entered Log Time Interval Stack Time Interval TRM Records Scanned : : : : trmdstat -FD /var/syslog/2012/03/28/trmd.log Mar 28 19:07:55 - Mar 28 19:08:55 Mar 28 19:07:52 - Mar 28 19:08:53 22 SYN FLOOD No records to display Interface FLOOD Date and Time/ Interface Type Duration Correlator/ ----------------Most Frequent-------------Last Last Source IP/ ProbeID -----Overall-----------Source MAC DataCount Dest Address Proto/ Category/ SrcMAC/ Proto/ Cat Percent Percent Percent Percent Per 03/28/2012 19:07:52.38 OSDL E 13 192.168.50.31 04070010 192.168.50.56 03/28/2012 19:07:52.38 OSDL E 13 192.168.50.31 04070010 192.168.50.56 03/28/2012 19:08:53.25 OSDL X 57 13 6 Dest 1C6F6572D9A4 6 17 192.168.50.75 04070014 48 49 48 100 192.168.50.56 03/28/2012 19:08:53.25 OSDL X 57 13 6 Dest 1C6F6572D9A4 6 17 192.168.50.75 04070014 48 49 48 100 192.168.50.56 XID FLOOD No records to display System REXX EZACMD: trmdstat command - end - RC=0 28 Events Events Discard Count/ Percent Events

1000 99 1000 99 1993 97 1993 97