Attack log messages, Signature, Attack log messages signature – Fortinet Network Device IPS User Manual

Page 12

Advertising
background image

FortiGate IPS User Guide Version 3.0 MR7

12

01-30007-0080-20080916

Monitoring the network and dealing with attacks

IPS overview and general configuration

5

Select and configure authentication if required and enter the email addresses that
will receive the alert email.

6

Enter the time interval to wait before sending log messages for each logging
severity level.

7

Select Apply.

To access log messages from memory or on the local disk

View and download log messages stored in memory or on the FortiGate local disk
from the web-based manager. Go to Log&Report > Log Access and select the
log type to view.

See the FortiGate Administration Guide and the FortiGate Log Message
Reference Guide for more logging procedures.

Attack log messages

Signature

The following log message is generated when an attack signature is found:

Note: If more than one log message is collected before an interval is reached, the messages
are combined and sent out as one alert email.

Message ID:

70000

Severity:

Alert

Message:

attack_id=<value_attack_id> src=<ip_address> dst=<ip_address>

src_port=<port_num> dst_port=<port_num>

interface=<interface_name> src_int=<interface_name>

dst_int=<interface_name> status={clear_session | detected | dropped |

reset} proto=<protocol_num> service=<network_service>

msg="<string><[url]>"

Example:

2004-07-07 16:21:18 log_id=0420073000 type=ips subtype=signature

pri=alert attack_id=101318674 src=8.8.120.254 dst=11.1.1.254

src_port=2217 dst_port=25 interface=internal src_int=n/a dst_int=n/a

status=reset proto=6 service=smtp msg="signature: Dagger.1.4.0.Drives

[Reference: http://www.fortinet.com/ids/ID101318674]"

Meaning:

Attack signature message providing the source and destination

addressing information and the attack name.

Action:

Get more information about the attack and the steps to take from the

Fortinet Attack Encyclopedia in the FortiGuard Center. Copy and paste

the URL from the log message into your browser to go directly to the

signature description in the Attack Encyclopedia.

Advertising
Popular Brands
Popular manuals