Anomaly, The fortiguard center – Fortinet Network Device IPS User Manual
Page 13
IPS overview and general configuration
Monitoring the network and dealing with attacks
FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916
13
Anomaly
The following log message is generated when an attack anomaly is detected:
The FortiGuard Center
The FortiGuard Center combines the knowledge base of the Fortinet technical
team into an easily searchable database. FortiGuard Center includes both virus
and attack information. Go to
.
Search for attacks in the FortiGuard Attack Encyclopedia by any of the criteria
shown in
Figure 1
.
Figure 1: Searching the FortiGuard Attack Encyclopedia
Type in the name or ID of the attack, or copy and paste the URL from the log
message or alert email into a browser.
Message ID:
73001
Severity:
Alert
Message:
attack_id=<value_attack_id> src=<ip_address> dst=<ip_address>
src_port=<port_num> dst_port=<port_num>
interface=<interface_name> src_int=<interface_name>
dst_int=<interface_name> status={clear_session | detected | dropped |
reset} proto=<protocol_num> service=<network_service>
msg="<string><[url]>"
Example:
2004-04-07 13:58:53 log_id=0420073001 type=ips subtype=anomaly
pri=alert attack_id=100663396 src=8.8.120.254 dst=11.1.1.254
src_port=2217 dst_port=25 interface=internal src_int=n/a dst_int=n/a
status=reset proto=6 service=smtp msg="anomaly: syn_flood, 100 >
threshold 10.[Reference: http://www.fortinet.com/ids/ID100663396]"
Meaning:
Attack anomaly message providing the source and destination
addressing information and the attack name.
Action:
Get more information about the attack and the steps to take from the
Fortinet Attack Encyclopedia in the FortiGuard Center. Copy and paste
the URL from the log message into your browser to go directly to the
signature description in the Attack Encyclopedia.