|
|
IPS overview and general configuration | Monitoring the network and dealing with attacks |
Anomaly
The following log message is generated when an attack anomaly is detected:
Message ID: | 73001 |
Severity: | Alert |
Message: | attack_id=<value_attack_id> src=<ip_address> dst=<ip_address> |
| src_port=<port_num> dst_port=<port_num> |
| interface=<interface_name> src_int=<interface_name> |
| dst_int=<interface_name> status={clear_session detected dropped |
| reset} proto=<protocol_num> service=<network_service> |
| msg="<string><[url]>" |
Example: | |
| pri=alert attack_id=100663396 src=8.8.120.254 dst=11.1.1.254 |
| src_port=2217 dst_port=25 interface=internal src_int=n/a dst_int=n/a |
| status=reset proto=6 service=smtp msg="anomaly: syn_flood, 100 > |
| threshold 10.[Reference: http://www.fortinet.com/ids/ID100663396]" |
Meaning: | Attack anomaly message providing the source and destination |
| addressing information and the attack name. |
Action: | Get more information about the attack and the steps to take from the |
| Fortinet Attack Encyclopedia in the FortiGuard Center. Copy and paste |
| the URL from the log message into your browser to go directly to the |
| signature description in the Attack Encyclopedia. |
|
|
The FortiGuard Center
The FortiGuard Center combines the knowledge base of the Fortinet technical team into an easily searchable database. FortiGuard Center includes both virus and attack information. Go to http://www.fortinet.com/FortiGuardCenter/.
Search for attacks in the FortiGuard Attack Encyclopedia by any of the criteria shown in Figure 1.
Figure 1: Searching the FortiGuard Attack Encyclopedia
Type in the name or ID of the attack, or copy and paste the URL from the log message or alert email into a browser.
FortiGate IPS User Guide Version 3.0 MR7 |
|
13 |