NetMaster TRACERT causes IDS message EZZ8649I

Article ID: 435305

Products

NetMaster Network Management for TCP/IP

Issue/Introduction

When a NetMaster Traceroute (/TRACERT) is executed using TCP protocol, the z/OS Intrusion Detection Services (IDS) component returns the following EZZ8649I message:

EZZ8649I TRMD ATTACK packet would have been discarded:date time,sipaddr=sipaddr,dipaddr=dipaddr,sport=sport,dport=dport,type=OutboundRaw,proto=proto,option=option,fragsize=fragoff,correlator=correlator,probeid=probeid,sensorhostname=sensorhostname,restrictval=restrictval

Environment

NetMaster 13.0

Cause

NetMaster Traceroute with the TCP protocol uses IPv4 RAW sockets to send its crafted TCP probe packets to the target remote host.

Resolution

The IDS alerts are triggered by the AttackType OUTBOUND_RAW of the IDSAttackCondition statement. OUTBOUND_RAW is described as follows:

Indicates that the rule is to enforce restrictions on the use of IPv4 RAW sockets for outbound processing, which prevents this stack from being used to attack other systems. A list of restricted IP protocols is also specified in the rule's conditions.

The NetMaster Traceroute command uses IPv4 outbound RAW sockets to manually craft headers for ICMP, UDP, and TCP probes.

If the z/OS Intrusion Detection Services (IDS) component is active, these RAW socket requests may be flagged as potential security events (attack type OUTBOUND_RAW). IBM generally recommends that IDS policies be configured to monitor and alert on outbound TCP RAW socket activity.

If your organization's IDS policy enforces restrictions on the use of IPv4 RAW sockets for outbound processing, consider switching to ICMP-based traceroute probes, which may be subject to less restrictive IDS monitoring than UDP and TCP. If UDP or TCP traceroute is required for diagnostic purposes, coordinate with your Network Security team to ensure that the resulting IDS alerts are recognized as authorized administrative activity.
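To recognize these alerts as authorized administrative activity, the Network Security team needs a way to separate NetMaster TRACERT probes from other OUTBOUND_RAW events. The following Python script is an added example (not NetMaster or IBM code) that parses the comma-separated key=value fields of the EZZ8649I message shown above and classifies each record against an allow-list of NetMaster host addresses. The allow-list, the sample syslog lines, and the protocol numbers used in them (IANA values 1=ICMP, 6=TCP, 17=UDP) are constructed for the example; the message field names come from the EZZ8649I template.

```python
"""Triage z/OS IDS EZZ8649I (attack type OUTBOUND_RAW) messages.

Added example, not NetMaster or IBM code. The allow-list of NetMaster
host addresses and the sample syslog lines are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# IANA IP protocol numbers for the three probe types /TRACERT can send.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Assumption: source addresses of the z/OS stacks from which NetMaster
# operators are authorized to run /TRACERT (constructed value).
AUTHORIZED_TRACEROUTE_SOURCES = {"10.1.1.10"}

# Layout of EZZ8649I: fixed text, then "date time", then key=value pairs.
_EZZ8649I = re.compile(
    r"^EZZ8649I\s+TRMD\s+ATTACK\s+packet would have been discarded:"
    r"\s*(?P<when>[^,]*),(?P<fields>.*)$"
)


def parse_ezz8649i(line: str) -> Optional[Dict[str, str]]:
    """Split an EZZ8649I message into its key=value fields.

    Returns None for any line that is not an EZZ8649I message.
    """
    m = _EZZ8649I.match(line.strip())
    if not m:
        return None
    fields = {"when": m.group("when").strip()}
    for item in m.group("fields").split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def classify(fields: Dict[str, str]) -> str:
    """Decide what an IDS record most likely is.

    'authorized-traceroute': OutboundRaw, ICMP/UDP/TCP, from an allow-listed host
    'investigate'          : OutboundRaw from any other source or protocol
    'other'                : not an OutboundRaw event at all
    """
    if fields.get("type") != "OutboundRaw":
        return "other"
    try:
        proto = int(fields.get("proto", ""))
    except ValueError:
        return "investigate"
    if fields.get("sipaddr") in AUTHORIZED_TRACEROUTE_SOURCES and proto in PROTO_NAMES:
        return "authorized-traceroute"
    return "investigate"


def triage(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (verdict, protocol, sipaddr, dipaddr) for each EZZ8649I line."""
    results = []
    for line in lines:
        fields = parse_ezz8649i(line)
        if fields is None:
            continue  # not an EZZ8649I record; ignore
        raw_proto = fields.get("proto", "?")
        proto = PROTO_NAMES.get(int(raw_proto), raw_proto) if raw_proto.isdigit() else raw_proto
        results.append((classify(fields), proto,
                        fields.get("sipaddr", "?"), fields.get("dipaddr", "?")))
    return results


# Constructed sample syslog records for demonstration.
SAMPLE_SYSLOG = [
    # NetMaster TCP traceroute from the allow-listed host.
    "EZZ8649I TRMD ATTACK packet would have been discarded:2024/05/06 09:15:02,"
    "sipaddr=10.1.1.10,dipaddr=192.0.2.25,sport=33434,dport=80,type=OutboundRaw,"
    "proto=6,option=0,fragsize=0,correlator=17,probeid=04000001,"
    "sensorhostname=MVSA,restrictval=6",
    # Same attack type, but from a stack that is not allow-listed.
    "EZZ8649I TRMD ATTACK packet would have been discarded:2024/05/06 09:16:44,"
    "sipaddr=10.1.1.99,dipaddr=198.51.100.7,sport=0,dport=0,type=OutboundRaw,"
    "proto=17,option=0,fragsize=0,correlator=18,probeid=04000001,"
    "sensorhostname=MVSA,restrictval=17",
    # Unrelated record that the parser must skip.
    "SOME0000I unrelated syslog record (constructed)",
]

if __name__ == "__main__":
    for verdict, proto, src, dst in triage(SAMPLE_SYSLOG):
        print(f"{verdict:22} {proto:4} {src} -> {dst}")
```

The allow-list keys on the source address because the EZZ8649I message carries no job or user name; if your site correlates the `correlator` or `probeid` values with NetMaster's own TRACERT audit trail, that is a stronger match than source address alone.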

Additional Information

See HELP for the "TCP/IP : Trace Route Result List" (/TRACERT) panel, modified by PTF LU19819.