LM_2
Frequent Advisor

Delete Intrusion Record

What is the proper syntax to delete an intrusion record - I have tried every imaginable combination to delete one and it just does not work - here is one of the intrusion records I had:

TERM_USER INTRUDER 27 13-JAN-2009 11:16:13.45 spduslis51.na.net.dana.com:LISROBSHIP on LISES1
Hoff
Honored Contributor

Re: Delete Intrusion Record

In the absence of commands and errors, the following is somewhat of a series of guesses...

http://h71000.www7.hp.com/doc/83final/9996/9996pro_55.html

For some cases, you may have to quote the source field portion of the string. The usual commands are:

DELETE /INTRUSION "whatsit"::whatever

or

DELETE /INTRUSION whatsit::whatever

Or you can use the /NODE qualifier.

The other thing that happens here is somebody erroneously creates a DELETE symbol with some qualifiers that (in the usual case) work on the DELETE file command, and that are not valid on the DELETE /INTRUSION command. That can be bypassed using the following:

DELETEX /INTRUSION whatsit::whatever

To bypass any DCL symbol for DELETE, add a character or two at the end of the DELETE command, such as the X shown above. (And don't mask verbs with symbols, as a general suggestion.)

Otherwise, please post up the command(s) and the full text of the error message(s) received with what you've tried here. The command might not work, but the command and the error might help us figure out what is going wrong here...

LM_2
Frequent Advisor

Re: Delete Intrusion Record

I have tried every imaginable combination - in quotes - not in quotes and I even tried using just the /node option and I get the following every time:

%SECSRV-E-NOSUCHINTRUDER, no intruder or suspect matches your specification
LM_2
Frequent Advisor

Re: Delete Intrusion Record

Here are some I have tried:

del/intr "LISROBSHIP"
del/intr LISROBSHIP
del/intr "spduslis51.na.net.dana.com:LISROBSHIP"
del/intr spduslis51.na.net.dana.com:LISROBSHIP
EdgarZamora
Trusted Contributor
Solution

Re: Delete Intrusion Record

Maybe this won't do for your site, but I usually do a DELETE/INTR * to avoid all the frustration.
LM_2
Frequent Advisor

Re: Delete Intrusion Record

Well, I tried the * and I get an error message - not sure why - but it did clear it - so thank you - that will work:

LISA_ES2> show intr
Intrusion Type Count Expiration Source
--------- ---- ----- ---------- ------
TERM_USER SUSPECT 5 13-JAN-2009 12:26:28.70 spduslisl15.na.net.da
na.com:MORRIS on LISES2
LISA_ES2> del/intrusion_record *
%DCL-I-IGNQUAL, qualifiers appearing before this item were ignored
\INTRUSION_RECORD\
LISA_ES2> show intr
%SHOW-F-NOINTRUDERS, no intrusion records match specification
LM_2
Frequent Advisor

Re: Delete Intrusion Record

The delete/Intrusion_Record * works - I get an error message - but it seems to have cleared out the intrusion record so thanks a lot!
Hoff
Honored Contributor

Re: Delete Intrusion Record

Uh, Ok, so you'd like me to guess at what DCL commands you've tried? Ok. Not the most expeditious approach. It would be much easier if a sample of the failing commands and (if it's changed since you've posted that earlier sample) the target SHOW INTRUSION output were posted, though.

Here, I'd tend to expect:

DELETE /INTRUSION -
"spduslis51.na.net.dana.com":LISROBSHIP

would work on host LISES1::.

I'd neglected another case that can get involved here: the process parsing settings can also get involved here, particularly with lowercase characters.

What OpenVMS version and what IP stack?

There have been a few cases where weird intrusion records or hidden characters have gotten into the intrusion database over the years. Those get fixed with an OpenVMS ECO or (given this looks like an IP intrusion) via ECO or upgrade of whatever IP stack is in use here.
Hoff
Honored Contributor

Re: Delete Intrusion Record

Yikes, that's a few replies that snuck in there.

FWIW, there's your error -- look at where your quotes are in your:

del/intr "spduslis51.na.net.dana.com:LISROBSHIP"

Note where the documentation has:

delete /intrusion "whatsit"::whatever

The whole parameter string isn't quoted, just the source portion of the parameter string.
RBrown_1
Trusted Contributor

Re: Delete Intrusion Record

Did you notice that when you said

LISA_ES2> del/intrusion_record *

that you received this message:

%DCL-I-IGNQUAL, qualifiers appearing before this item were ignored
\INTRUSION_RECORD\

This means that you have a "del" symbol which could be confusing things.

$ SHOW SYMBOL DEL

Did you try the DELETEX trick that Hoff suggested?