IPS overview and general configuration

Monitoring the network and dealing with attacks

Anomaly

The following log message is generated when an attack anomaly is detected:

Message ID:

73001

Severity:

Alert

Message:

attack_id=<value_attack_id> src=<ip_address> dst=<ip_address>

 

src_port=<port_num> dst_port=<port_num>

 

interface=<interface_name> src_int=<interface_name>

 

dst_int=<interface_name> status={clear_session detected dropped

 

reset} proto=<protocol_num> service=<network_service>

 

msg="<string><[url]>"

Example:

2004-04-07 13:58:53 log_id=0420073001 type=ips subtype=anomaly

 

pri=alert attack_id=100663396 src=8.8.120.254 dst=11.1.1.254

 

src_port=2217 dst_port=25 interface=internal src_int=n/a dst_int=n/a

 

status=reset proto=6 service=smtp msg="anomaly: syn_flood, 100 >

 

threshold 10.[Reference: http://www.fortinet.com/ids/ID100663396]"

Meaning:

Attack anomaly message providing the source and destination

 

addressing information and the attack name.

Action:

Get more information about the attack and the steps to take from the

 

Fortinet Attack Encyclopedia in the FortiGuard Center. Copy and paste

 

the URL from the log message into your browser to go directly to the

 

signature description in the Attack Encyclopedia.

 

 

The FortiGuard Center

The FortiGuard Center combines the knowledge base of the Fortinet technical team into an easily searchable database. FortiGuard Center includes both virus and attack information. Go to http://www.fortinet.com/FortiGuardCenter/.

Search for attacks in the FortiGuard Attack Encyclopedia by any of the criteria shown in Figure 1.

Figure 1: Searching the FortiGuard Attack Encyclopedia

Type in the name or ID of the attack, or copy and paste the URL from the log message or alert email into a browser.

FortiGate IPS User Guide Version 3.0 MR7

 

01-30007-0080-20080916

13

Page 13
Image 13
Fortinet IPS manual Anomaly, FortiGuard Center