Fortinet IPS Attack log messages Signature

FortiGate IPS User Guide Version 3.0 MR7

12 01-30007-0080-20080916

Monitoring the network and dealing with attacks IPS overview and general configuration

5Select and configure authentication if required and enter the email addresses that

will receive the alert email.

6Enter the time interval to wait before sending log messages for each logging

severity level.

7Select Apply.

To access log messages from memory or on the local disk

View and download log messages stored in memory or on the FortiGate local disk

from the web-based manager. Go to Log&Report > Log Access and select the

log type to view.

See the FortiGate Administration Guide and the FortiGate Log Message

Reference Guide for more logging procedures.

Attack log messagesSignature

The following log message is generated when an attack signature is found:

Note: If more than one log message is collected before an interval is reached, the messages

are combined and sent out as one alert email.

Message ID: 70000

Severity: Alert

Message: attack_id=<value_attack_id> src=<ip_address> dst=<ip_address>

src_port=<port_num> dst_port=<port_num>

interface=<interface_name> src_int=<interface_name>

dst_int=<interface_name> status={clear_session | detected | dropped |

reset} proto=<protocol_num> service=<network_service>

msg="<string><[url]>"

Example: 2004-07-07 16:21:18 log_id=0420073000 type=ips subtype=signature

pri=alert attack_id=101318674 src=8.8.120.254 dst=11.1.1.254

src_port=2217 dst_port=25 interface=internal src_int=n/a dst_int=n/a

status=reset proto=6 service=smtp msg="signature: Dagger.1.4.0.Drives

[Reference: http://www.fortinet.com/ids/ID101318674]"

Meaning: Attack signature message providing the source and destination

addressing information and the attack name.

Action: Get more information about the attack and the steps to take from the

Fortinet Attack Encyclopedia in the FortiGuard Center. Copy and paste

the URL from the log message into your browser to go directly to the

signature description in the Attack Encyclopedia.

Contents

Main Page Contents IPS overview and general configuration.......................................... 9 Predefined signatures ..................................................................... 17 Custom signatures........................................................................... 21 Protocol decoders ........................................................................... 37 DoS sensors..................................................................................... 45 SYN flood attacks ............................................................................ 51 ICMP sweep attacks......................................................................... 55 Introduction The FortiGate IPS About this document Document conventions Typographic conventions ! Page Fortinet Knowledge Center Comments on Fortinet technical documentation Customer service and technical support IPS overview and general configuration The FortiGate IPS IPS settings and controls When to use IPS Network performance Default signature and anomaly settings Default fail open setting Controlling sessions Setting the buffer size Monitoring the network and dealing with attacks Configuring logging and alert email Attack log messages Signature Anomaly The FortiGuard Center Using IPS sensors in a protection profile Creating a protection profile that uses IPS sensors Adding protection profiles to firewall policies Page Page Predefined signatures IPS predefined signatures Viewing the predefined signature list Fine tuning IPS predefined signatures for enhanced system performance Page Page Custom signatures IPS custom signatures Viewing the custom signature list Custom signature configuration Adding custom signatures using the web-based manager Adding custom signatures using the CLI Command syntax pattern Creating custom signatures Custom signature fields Custom signature syntax --attack_id 1234; ---name "Buffer_Overflow"; --src_port 41523; --flow bi_direction; Page Page Page Page --protocol tcp; Page --tcp_flags AP tcp_flags S,12 Page Example custom signatures Example 1: signature to block access to example.com Page Example 2: signature to block the SMTP vrfy command Page Protocol decoders Protocol decoders Upgrading the IPS protocol decoder list Page IPS sensors Viewing the IPS sensor list Adding an IPS sensor Configuring IPS sensors IPS sensor attributes: IPS sensor filters: IPS sensor overrides: Configuring filters Configuring pre-defined and custom overrides Page DoS sensors Viewing the DoS sensor list Configuring DoS sensors DoS sensor attributes: Anomaly configuration: Understanding the anomalies Page Page SYN flood attacks What is a SYN flood attack? How SYN floods work The FortiGate IPS Response to SYN flood attacks What is SYN threshold? What is SYN proxy? How IPS works to prevent SYN floods Page Configuring SYN flood protection Suggested settings for different network conditions ICMP sweep attacks What is an ICMP sweep? How ICMP sweep attacks work The FortiGate IPS response to ICMP sweep attacks Predefined ICMP signatures Tabl e 11 describes all the ICMP-related predefined signatures and the default settings for each. ICMP sweep anomalies Configuring ICMP sweep protection Suggested settings for different network conditions Index A C D F