Strange intrusion behaviour

Wim Van den Wyngaert — Tue, 25 Oct 2005 06:58:38 GMT

I have a program that tries to connect to a non-existing server, which is a decnet object.
Of course it fails but I get in operator log :

%%%%%%%%%%% OPCOM 23-OCT-2005 13:36:23.27 %%%%%%%%%%%
Message from user SYSTEM on SPVMX2
Event: Access Control Violation from: Node LOCAL:.SPVMX2 Session Control,
at: 2005-10-23-13:36:23.273+02:00Iinf
NSAP Address=49::00-14:AA-00-04-00-02-50:20,
Source=UIC = [0,0]GIS_MAINT,
Destination=name = FOE_FMI_SRV,
Destination User="",
Destination Account="",
Node Name=LOCAL:.SPVMX2
eventUid 008FD160-43CA-11DA-860F-AA0004000250
entityUid 10953BB1-43B8-11DA-8372-AA0004000250
streamUid 1FAE48D0-43B8-11DA-8501-AA0004000250

In audit I get :

Security audit (SECURITY) on SPVMX2, system id: 20482
Auditable event: Network login failure
Event time: 23-OCT-2005 13:36:23.27
PID: 2160021D
Process name: NET$ACP
Username: *DECNET_TASK*
Remote node id: 490014AA000400025020
Remote node fullname: LOCAL:.SPVMX2
Remote username: GIS_MAINT
Status: %LOGIN-F-NOSUCHUSER, no such user

The LGI params :
LGI_BRK_TERM 0 1 0 1 Boolean D
LGI_BRK_DISUSER 0 0 0 1 Boolean D
LGI_PWD_TMO 30 30 0 255 Seconds D
LGI_RETRY_LIM 3 3 0 255 Tries D
LGI_RETRY_TMO 20 20 2 255 Seconds D
LGI_BRK_LIM 6 5 1 255 Failures D
LGI_BRK_TMO 600 300 0 5184000 Seconds D
LGI_HID_TIM 60 300 0 1261440000 Seconds D
LGI_CALLOUTS 0 0 0 255 Count D

The violation is repeated a lot of times and when I do show intrus I got a suspect intrusion with more than 120 violations in 1 hour (uptime). This while I was expecting an real intruder.

1) Why no intruder ?
2) Why is a non-existing ncl object leading to intrusion (if I do the same with type x::77=yyy" I don't get a violation but simply network object unknown) ?
2) Is it possible that a suspect intruder blocks something ?

Wim
Wim

Re: Strange intrusion behaviour

Mike Reznak — Wed, 26 Oct 2005 05:11:03 GMT

Hi,

1)As I understand it, LGI_HID_TIM gives the period for the Intruder state. So after the 60 seconds are reached the system probably returns the value 'suspect' to intrusion record. Try to watch it. You should see Intruder state some times. Or encrease LGI_HID_TIM.
2) There is for sure an logging sequence happening under the username *DECNET_TASK*. The connect request to a server as you've written (not to an object) probably causes it.
3)Suspect state shouldn't block nothing. It's defined by LGI_BRK_TMO and it specifies the length of the failure monitoring
period. This time increment is added to the suspect's expiration
time each time a login failure occurs. Once the expiration period
passes, prior failures are discarded, and the suspect is given a
clean slate.

Mike

topic Re: Strange intrusion behaviour in Operating System - OpenVMS

Strange intrusion behaviour

Re: Strange intrusion behaviour