Attack log messages Signature | Fortinet IPS specification

Monitoring the network and dealing with attacks

IPS overview and general configuration

5Select and configure authentication if required and enter the email addresses that will receive the alert email.

6Enter the time interval to wait before sending log messages for each logging severity level.

Note: If more than one log message is collected before an interval is reached, the messages are combined and sent out as one alert email.

7Select Apply.

To access log messages from memory or on the local disk

View and download log messages stored in memory or on the FortiGate local disk from the web-based manager. Go to Log&Report > Log Access and select the log type to view.

See the FortiGate Administration Guide and the FortiGate Log Message Reference Guide for more logging procedures.

Attack log messages

Signature

The following log message is generated when an attack signature is found:

Message ID:	70000
Severity:	Alert
Message:	attack_id=<value_attack_id> src=<ip_address> dst=<ip_address>
	src_port=<port_num> dst_port=<port_num>
	interface=<interface_name> src_int=<interface_name>
	dst_int=<interface_name> status={clear_session detected dropped
	reset} proto=<protocol_num> service=<network_service>
	msg="<string><[url]>"
Example:	2004-07-07 16:21:18 log_id=0420073000 type=ips subtype=signature
	pri=alert attack_id=101318674 src=8.8.120.254 dst=11.1.1.254
	src_port=2217 dst_port=25 interface=internal src_int=n/a dst_int=n/a
	status=reset proto=6 service=smtp msg="signature: Dagger.1.4.0.Drives
	[Reference: http://www.fortinet.com/ids/ID101318674]"
Meaning:	Attack signature message providing the source and destination
	addressing information and the attack name.
Action:	Get more information about the attack and the steps to take from the
	Fortinet Attack Encyclopedia in the FortiGuard Center. Copy and paste
	the URL from the log message into your browser to go directly to the
	signature description in the Attack Encyclopedia.

FortiGate IPS User Guide Version 3.0 MR7

12	01-30007-0080-20080916

Image 12

Fortinet IPS manual Attack log messages Signature

Contents

E R G U I D E Trademarks Contents Protocol decoders IPS sensorsDoS sensors SYN flood attacks Introduction FortiGate IPS About this document Fortinet documentationDocument conventions Typographic conventions FortiGate Pptp VPN User Guide Customer service and technical support Fortinet Knowledge CenterComments on Fortinet technical documentation IPS overview and general configuration IPS settings and controlsThis section contains the following topics When to use IPS Default signature and anomaly settingsDefault fail open setting Config ips global Set fail-open enable disable end Setting the buffer size Configuring logging and alert emailMonitoring the network and dealing with attacks Controlling sessions Attack log messages Signature Anomaly FortiGuard Center Using IPS sensors in a protection profile Creating a protection profile that uses IPS sensorsAdding protection profiles to firewall policies Select Create New Adding protection profiles to user groups Using IPS sensors in a protection profile Predefined signatures IPS predefined signaturesViewing the predefined signature list Settings EnableColumn Clear All Filters Create a sensor and add IPS filters to it Viewing the predefined signature list Custom signatures IPS custom signaturesViewing the custom signature list Custom signature configuration Adding custom signatures using the web-based managerAdding custom signatures using the CLI Command syntax pattern Creating custom signatures Custom signature fieldsShows the valid characters for custom signature fields Custom signature syntax AttackidName BufferOverflow Srcport Content keywords Keyword and value Description Deprecated, see pattern and context keywords Pattern GET Context uriPattern yahoo.com Context host Pcre Regex/mdelimRegexdelimismxAEGRU Uri !uristr Protocol tcp IP header keywords Keyword and Value Description TCP header keywords Keyword and Value Description Tcpflags AP Tcpflags S,12 UDP header keywords Keyword and Value Description Icmp keywords Keyword and Value UsageOther keywords Keyword and Value Description Example 1 signature to block access to example.com Example custom signaturesSbid --name Block.example.com Sbid --name Block.example.com Example 2 signature to block the Smtp ‘vrfy’ command Sbid --name Block.SMTP.VRFY.CMDSbid --name Block.SMTP.VRFY.CMD --pattern vrfy Creating custom signatures Protocol decoders Protocol decodersUpgrading the IPS protocol decoder list Viewing the protocol decoder list Protocol decoder list Protocols Protocol decoder names Port Alldefault AlldefaultpassIPS sensors Viewing the IPS sensor list Configuring IPS sensors Adding an IPS sensorProtectclient Protectemailserver IPS sensor attributes IPS sensor filters Configuring filters ResetIPS sensor overrides Delete and Edit Delete or edit the filter Icons Configuring pre-defined and custom overrides Application Exempt IP Source DoS sensors Configuring DoS sensors Viewing the DoS sensor listSequence in which the sensors examine network traffic Appears, and select OK Anomaly configuration DoS sensor attributesName Enter or change the DoS sensor name Comments Will appear in the DoS sensor list Understanding the anomalies Anomaly Description Tcpdstsession UdpfloodUdpscan Udpsrcsession Understanding the anomalies What is a SYN flood attack? SYN flood attacksHow SYN floods work What is SYN threshold? What is SYN proxy?FortiGate IPS Response to SYN flood attacks How IPS works to prevent SYN floods IPS operation before synflood threshold is reached Configuring SYN flood protection Suggested settings for different network conditionsConfigure the options for tcpsynflood Select OK What is an Icmp sweep? Icmp sweep attacksHow Icmp sweep attacks work FortiGate IPS response to Icmp sweep attacks Predefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection Index FortiGate Version 3.0 MR7 IPS User Guide Technical support