Operating System - OpenVMS

Strange intrusion behaviour

Wim Van den Wyngaert
Honored Contributor


I have a program that tries to connect to a non-existing server, which is a DECnet object.
Of course it fails, but I get this in the operator log:

%%%%%%%%%%% OPCOM 23-OCT-2005 13:36:23.27 %%%%%%%%%%%
Message from user SYSTEM on SPVMX2
Event: Access Control Violation from: Node LOCAL:.SPVMX2 Session Control,
at: 2005-10-23-13:36:23.273+02:00Iinf
NSAP Address=49::00-14:AA-00-04-00-02-50:20,
Source=UIC = [0,0]GIS_MAINT,
Destination=name = FOE_FMI_SRV,
Destination User="",
Destination Account="",
eventUid 008FD160-43CA-11DA-860F-AA0004000250
entityUid 10953BB1-43B8-11DA-8372-AA0004000250
streamUid 1FAE48D0-43B8-11DA-8501-AA0004000250

In the audit I get:

Security audit (SECURITY) on SPVMX2, system id: 20482
Auditable event: Network login failure
Event time: 23-OCT-2005 13:36:23.27
PID: 2160021D
Process name: NET$ACP
Username: *DECNET_TASK*
Remote node id: 490014AA000400025020
Remote node fullname: LOCAL:.SPVMX2
Remote username: GIS_MAINT
Status: %LOGIN-F-NOSUCHUSER, no such user

The LGI params:

Parameter Name   Current  Default  Min.  Max.        Unit      Dynamic
LGI_BRK_TERM     0        1        0     1           Boolean   D
LGI_BRK_DISUSER  0        0        0     1           Boolean   D
LGI_PWD_TMO      30       30       0     255         Seconds   D
LGI_RETRY_LIM    3        3        0     255         Tries     D
LGI_RETRY_TMO    20       20       2     255         Seconds   D
LGI_BRK_LIM      6        5        1     255         Failures  D
LGI_BRK_TMO      600      300      0     5184000     Seconds   D
LGI_HID_TIM      60       300      0     1261440000  Seconds   D
LGI_CALLOUTS     0        0        0     255         Count     D

The violation is repeated a lot of times, and when I do SHOW INTRUSION I get a suspect intrusion with more than 120 violations in 1 hour (uptime). This, while I was expecting a real intruder.

1) Why no intruder?
2) Why is a non-existing NCL object leading to an intrusion (if I do the same with type x::77=yyy" I don't get a violation but simply "network object unknown")?
3) Is it possible that a suspect intruder blocks something?

Mike Reznak
Trusted Contributor

Re: Strange intrusion behaviour


1) As I understand it, LGI_HID_TIM gives the period for the Intruder state. So after the 60 seconds are reached, the system probably returns the value 'suspect' to the intrusion record. Try to watch it. You should see the Intruder state some of the time. Or increase LGI_HID_TIM.
2) There is for sure a logging sequence happening under the username *DECNET_TASK*. The connect request to a server as you've written (not to an object) probably causes it.
3) The Suspect state shouldn't block anything. It's defined by LGI_BRK_TMO, which specifies the length of the failure monitoring period. This time increment is added to the suspect's expiration time each time a login failure occurs. Once the expiration period passes, prior failures are discarded, and the suspect is given a clean slate.

...and I think to myself, what a wonderful world ;o)
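As an added illustration (not code from either poster), here is a small Python pass over audit records in the layout quoted in the question. It counts "Network login failure" records per remote node and username inside a sliding window sized from the question's LGI_BRK_TMO (600 s) and compares the peak against LGI_BRK_LIM (6), so an analyst can check a source's failure rate independently of whatever suspect/intruder state the OpenVMS intrusion database currently reports. The record text, the TEST_USER name and the 30-second failure cadence are constructed for the example; the system's own bookkeeping may count differently.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Thresholds from the question's SYSGEN listing: LGI_BRK_LIM=6 failures within LGI_BRK_TMO=600 s.
BRK_LIM, BRK_TMO = 6, timedelta(seconds=600)
# Audit record layout quoted in the question; {time} and {user} are filled in per record.
RECORD = """\
Security audit (SECURITY) on SPVMX2, system id: 20482
Auditable event: Network login failure
Event time: {time}
Remote node fullname: LOCAL:.SPVMX2
Remote username: {user}
"""

def parse_audit_records(text):
    """Split ANALYZE/AUDIT-style text into dicts of 'field: value', cut at the first colon."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {k.strip().lower(): v.strip()
                  for k, _, v in (line.partition(":") for line in block.splitlines())}
        if "event time" in fields:
            fields["event time"] = datetime.strptime(fields["event time"], "%d-%b-%Y %H:%M:%S.%f")
            records.append(fields)
    return records

def failures_per_source(records, limit=BRK_LIM, window=BRK_TMO):
    """Map (node, user) -> peak failures inside any `window`, for sources above `limit`."""
    stamps = defaultdict(list)
    for r in records:
        if r.get("auditable event") == "Network login failure":
            stamps[(r["remote node fullname"], r["remote username"])].append(r["event time"])
    flagged = {}
    for key, times in stamps.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[key] = peak
    return flagged

def demo():
    """Constructed input: GIS_MAINT fails every 30 s (about the question's 120/hour) 8 times; a hypothetical TEST_USER fails twice, an hour apart, and stays below the limit."""
    base = datetime(2005, 10, 23, 13, 36, 23, 270000)
    stamp = lambda d: d.strftime("%d-%b-%Y %H:%M:%S.%f")[:-4].upper()
    events = [(stamp(base + timedelta(seconds=30 * i)), "GIS_MAINT") for i in range(8)]
    events += [(stamp(base + timedelta(hours=h)), "TEST_USER") for h in (1, 2)]
    return failures_per_source(parse_audit_records("\n".join(RECORD.format(time=t, user=u) for t, u in events)))
```

Feeding real ANALYZE/AUDIT /FULL output into parse_audit_records instead of the constructed text gives the same per-source counts for the actual stream.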