Fortinet 625 FortiWeb 5.0 Patch 6 Administration Guide
How many of your attack logs are real, and how many are false positives?
Normal traffic is your best judge. Use it to adjust your FortiWeb’s protection settings and reduce
attack logs that aren’t meaningful.
For example, the social media buttons for Twitter append an encoded version of your web page’s
URL as long parameters named original_referer and url after the request URL to
twitter.com.
This is normal: Twitter uses these parameters to pre-fill the viewer’s tweet about your web site, so
your readers do not need to manually abbreviate and then paste your URL into their tweet. Long
request URLs (and parameters) are therefore typical for Twitter, and would not necessarily
indicate a security bypass attempt.
On other web applications, however, where URLs and parameters are short, this might be
suspicious — it could be part of a clickjacking, URL-encoded shell code, or padded exploit. In
those cases, you might create a shorter HTTP constraint (see “HTTP/HTTPS protocol
constraints” on page 440).
Likewise, a single corporate front page or Zenphoto gallery page might involve 81 requests for
images, JavaScripts, CSS pages, and other external components. A search page, however,
might normally only have 6 requests, and merit a lower threshold when configuring rate limiting
(“Rate limiting” on page 338).
This means that “normal” is often relative to your web applications.
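As an added example (not code or configuration from the FortiWeb guide), the following Python script applies the reasoning of this section: it measures request URL and parameter lengths, and requests per page load, in a constructed sample of known-good traffic, then derives per-host thresholds with some headroom so that normal traffic for each application stays below the limit while padded or oversized requests are flagged. The host names, sample requests, and the 25% headroom are assumptions; FortiWeb’s actual HTTP constraint and rate limiting settings are configured as described in the referenced chapters, not by this script.

```python
"""Baseline 'normal' request sizes per web application from a traffic sample,
derive per-host thresholds, and flag requests that exceed them.
Added example; not FortiWeb's own code or configuration format."""

import math
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of (host, request line) pairs taken from known-good traffic.
# twitter.com legitimately carries long, percent-encoded original_referer/url values.
NORMAL_TRAFFIC = [
    ("twitter.com", "GET /share?original_referer=http%3A%2F%2Fwww.example.com%2Fnews%2F2013%2F05%2Ffortiweb-tuning-guide.html&url=http%3A%2F%2Fwww.example.com%2Fnews%2F2013%2F05%2Ffortiweb-tuning-guide.html HTTP/1.1"),
    ("twitter.com", "GET /share?original_referer=http%3A%2F%2Fwww.example.com%2F&url=http%3A%2F%2Fwww.example.com%2F HTTP/1.1"),
    ("search.example.com", "GET /search?q=firewall HTTP/1.1"),
    ("search.example.com", "GET /search?q=web+application+firewall&page=2 HTTP/1.1"),
    ("search.example.com", "GET /static/site.css HTTP/1.1"),
]

# Constructed sample of (client_ip, host): one page load per client.
PAGE_LOAD_SAMPLE = (
    [("10.0.0.5", "www.example.com")] * 81      # front page: images, scripts, CSS
    + [("10.0.0.6", "search.example.com")] * 6  # search page: few sub-requests
)


def request_metrics(request_line):
    """Return raw (still percent-encoded) URL length, longest parameter
    value length and parameter count for one HTTP request line."""
    _method, target, _version = request_line.split(" ", 2)
    query = urlsplit(target).query
    # Do not decode: the constraint applies to bytes as they arrive on the wire.
    params = [pair.partition("=") for pair in query.split("&") if pair]
    longest = max((len(value) for _k, _eq, value in params), default=0)
    return {"url_length": len(target),
            "max_param_length": longest,
            "param_count": len(params)}


def derive_limits(records, headroom=1.25):
    """Per host, take the largest URL and parameter length seen in normal
    traffic and add headroom, giving a candidate HTTP constraint threshold."""
    worst = defaultdict(lambda: {"url_length": 0, "max_param_length": 0})
    for host, line in records:
        metrics = request_metrics(line)
        for key in worst[host]:
            worst[host][key] = max(worst[host][key], metrics[key])
    return {host: {k: math.ceil(v * headroom) for k, v in w.items()}
            for host, w in worst.items()}


def check_request(host, request_line, limits):
    """Return the names of the constraints a request violates (empty = allowed).
    A host with no baseline gets a sentinel so it is reviewed, not silently passed."""
    lim = limits.get(host)
    if lim is None:
        return ["no baseline for host"]
    metrics = request_metrics(request_line)
    return [key for key in lim if metrics[key] > lim[key]]


def derive_rate_limits(records, headroom=1.25):
    """Per host, the most requests any single client made in the sample
    (one page load), with headroom: a starting point for a rate limit."""
    per_client = defaultdict(int)
    for client, host in records:
        per_client[(client, host)] += 1
    worst = defaultdict(int)
    for (_client, host), count in per_client.items():
        worst[host] = max(worst[host], count)
    return {host: math.ceil(count * headroom) for host, count in worst.items()}


if __name__ == "__main__":
    limits = derive_limits(NORMAL_TRAFFIC)
    for host, lim in limits.items():
        print(host, lim)
    padded = "GET /search?q=" + "A" * 300 + " HTTP/1.1"
    print("padded search request violates:", check_request("search.example.com", padded, limits))
    print("rate limit candidates:", derive_rate_limits(PAGE_LOAD_SAMPLE))
```

The per-host split is the point: the same 300-character parameter that is ordinary on twitter.com is an outlier on the search application, so a single global constraint would either miss it there or flood the attack log with the Twitter traffic. The rate figures are per page load, as the guide frames them; mapping them onto FortiWeb’s rate limiting period is a separate step.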
[Figure: Long URL with encoded parameter. The example shown is a Twitter script element whose src carries the page URL percent-encoded: <script src="http://cdn.api.twitter.com/1/urls/count.json?url=http%3A%2F%2Fwww.cbc.ca%2Fnews%2F (truncated in the source)]