Monitoring the network and dealing with attacks | IPS overview and general configuration |
5. Select and configure authentication if required and enter the email addresses that will receive the alert email.
6. Enter the time interval to wait before sending log messages for each logging severity level.
Note: If more than one log message is collected before an interval is reached, the messages are combined and sent out as one alert email.
7. Select Apply.
To access log messages from memory or on the local disk
View and download log messages stored in memory or on the FortiGate local disk from the
See the FortiGate Administration Guide and the FortiGate Log Message Reference Guide for more logging procedures.
Attack log messages
Signature
The following log message is generated when an attack signature is found:
Message ID: | 70000 |
Severity: | Alert |
Message: | attack_id=<value_attack_id> src=<ip_address> dst=<ip_address> src_port=<port_num> dst_port=<port_num> interface=<interface_name> src_int=<interface_name> dst_int=<interface_name> status={clear_session detected dropped reset} proto=<protocol_num> service=<network_service> msg="<string><[url]>" |
Example: | pri=alert attack_id=101318674 src=8.8.120.254 dst=11.1.1.254 src_port=2217 dst_port=25 interface=internal src_int=n/a dst_int=n/a status=reset proto=6 service=smtp msg="signature: Dagger.1.4.0.Drives [Reference: http://www.fortinet.com/ids/ID101318674]" |
Meaning: | Attack signature message providing the source and destination addressing information and the attack name. |
Action: | Get more information about the attack and the steps to take from the Fortinet Attack Encyclopedia in the FortiGuard Center. Copy and paste the URL from the log message into your browser to go directly to the signature description in the Attack Encyclopedia. |
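The following Python parser for the signature log message format in the table above is an added example, not part of the FortiGate guide. The sample line is constructed from the Example row; the function name, the constants, and the choice of which fields to treat as required are assumptions.

```python
import ipaddress
import re

# Constructed sample: the Example row from the table above, joined into one line.
SAMPLE = (
    'pri=alert attack_id=101318674 src=8.8.120.254 dst=11.1.1.254 '
    'src_port=2217 dst_port=25 interface=internal src_int=n/a dst_int=n/a '
    'status=reset proto=6 service=smtp msg="signature: Dagger.1.4.0.Drives '
    '[Reference: http://www.fortinet.com/ids/ID101318674]"'
)

# key=value pairs; a value is either double-quoted (may hold spaces) or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
# msg layout as in the page's example: signature: <name> [Reference: <url>]
MSG = re.compile(r'signature:\s*(.+?)\s*(?:\[Reference:\s*([^\]\s]+)\])?$')
STATUSES = {"clear_session", "detected", "dropped", "reset"}
# Assumption: these fields must be present for a line to be usable.
REQUIRED = ("attack_id", "src", "dst", "src_port", "dst_port", "status", "proto", "msg")


def parse_attack_log(line):
    """Parse one signature log line into a dict; raise ValueError if malformed."""
    fields = {}
    for match in PAIR.finditer(line):
        key, quoted, bare = match.groups()
        if quoted is None and bare.startswith('"'):
            # Closing quote never arrived, e.g. the line was truncated in transit.
            raise ValueError(f"unterminated quoted value for {key}")
        fields[key] = bare if quoted is None else quoted
    missing = [key for key in REQUIRED if key not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if fields["status"] not in STATUSES:
        raise ValueError(f"unexpected status: {fields['status']}")
    for key in ("attack_id", "src_port", "dst_port", "proto"):
        fields[key] = int(fields[key])  # ValueError on non-numeric input
    for key in ("src", "dst"):
        fields[key] = ipaddress.ip_address(fields[key])  # ValueError on bad address
    msg = MSG.search(fields["msg"])
    fields["signature"] = msg.group(1) if msg else None
    fields["reference"] = msg.group(2) if msg else None
    return fields


if __name__ == "__main__":
    event = parse_attack_log(SAMPLE)
    print(event["signature"], event["src"], "->", event["dst"], event["status"])
    print("look up:", event["reference"])
```

The `reference` value is the Attack Encyclopedia URL that the Action row says to open in a browser.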
FortiGate IPS User Guide Version 3.0 MR7