c. Intrusion Prevention Services (IPS)
Records intrusion prevention events.
Sample Events
date=2019-05-15 time=17:56:41 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1557968201 severity="critical" srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 srcintf="port10" srcintfrole="lan" dstintf="port9" dstintfrole="wan" sessionid=4017 action="dropped" proto=6 service="HTTP" policyid=1 attack="Adobe.Flash.newfunction.Handling.Code.Execution" srcport=46810 dstport=80 hostname="172.16.200.55" url="/ips/sig1.pdf" direction="incoming" attackid=23305 profile="block-critical-ips" ref="http://www.fortinet.com/ids/VID23305" incidentserialno=582633933 msg="applications3: Adobe.Flash.newfunction.Handling.Code.Execution," crscore=50 craction=4096 crlevel="critical"
date=2020-05-22 time=15:30:29 devname="PSA-OR-FTGW001" devid="FGVM4VTM20001228" logid="0422016400" type="utm" subtype="ips" eventtype="botnet" level="warning" vd="root" eventtime=1590132630731725530 tz="+0800" msg="Botnet C&C Communication." severity="high" srcip=1.1.1.1 srccountry="Australia" dstip=2.2.2.2 srcintf="port1" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" sessionid=51001 action="detected" srcport=51001 dstport=20 proto=6 service="tcp/20" vrf=32 policyid=0 profile="sensor" direction="N/A" attack="test_botnet" attackid=12345 user="user" group="group" ref="http://www.fortinet.com/be?bid=12345" crscore=50 craction=4 crlevel="critical"
Fields
Field | Description |
---|---|
DATE | Event date in the device's local time zone, in the format YYYY-MM-DD |
TIME | Event time in the device's local time zone, in the format HH:MM:SS |
SYSTEM | The source system |
TABLE | FortiGateIPS |
CRITICALITY | |
LOGID | Unique 10-digit identifier of the log message: the first two digits encode the log type, the next two the subtype or event type, and the last six the message ID (e.g. 0419016384 in the first sample is type 04 = utm, subtype 19 = ips, message ID 016384) |
TYPE | Log type, represented by the first two digits of the log ID (04 = utm in both samples) |
SUBTYPE | Log subtype, represented by the second pair of digits of the log ID (19 for the IPS signature event in the first sample) |
EVENTTYPE | Event type within the subtype; encoded in the same second pair of digits of the log ID (22 for the IPS botnet event in the second sample) |
DEVNAME | Name of the FortiGate device that produced the log |
DEVID | Serial number of the device for the traffic's origin |
LEVEL | Security level rating (alert and warning in the samples) |
VD | Name of the virtual domain in which the log message was recorded |
EVENTTIME | Epoch time (UTC) at which FortiGate triggered the log; the first sample carries epoch seconds, the second epoch nanoseconds, so consumers must handle both precisions |
TZ | Time zone offset of the device, e.g. +0800; DATE and TIME are expressed in this zone |
SEVERITY | Severity of the attack |
SRCIP | Source IP |
SRCCOUNTRY | Country of the source IP from geolocation lookup ("Reserved" for private or unallocated ranges, as for 10.1.100.22 in the first sample) |
SRCPORT | Source port |
SRCINTF | Source interface |
SRCINTFROLE | Role assigned to the source interface (lan, wan, dmz or undefined) |
DSTIP | Destination IP |
DSTPORT | Destination port |
DSTINTF | Destination interface |
DSTINTFROLE | Role assigned to the destination interface (lan, wan, dmz or undefined) |
SESSIONID | Session ID |
ACTION | Security action performed by IPS (dropped in the first sample; detected, i.e. logged but not blocked, in the second) |
PROTO | IP protocol number (6 = TCP) |
SERVICE | Service name |
VRF | Virtual routing and forwarding (VRF) instance number |
POLICYID | ID of the firewall policy the session matched |
ATTACK | Attack name |
HOSTNAME | Host name associated with the attack (for HTTP traffic, the value of the Host header) |
URL | URL path of the request that triggered the signature |
DIRECTION | Direction of the attack traffic relative to the protected network (incoming or outgoing; N/A when not applicable, as for the botnet event) |
ATTACKID | Attack ID (FortiGuard signature ID) |
USER | User name |
GROUP | User group name |
PROFILE | Profile name for IPS |
REF | URL of the FortiGuard IPS database entry for the attack |
INCIDENTSERIALNO | Incident serial number |
CRSCORE | Client Reputation Score |
CRACTION | Client Reputation Action |
CRLEVEL | Client Reputation Level |
ERROR | URL rating error message |
MSG | Log message for the attack |
SNAREDATAMAP | All other data in the event will be pushed to this field |
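As an added example (not code from this page, from Fortinet or from the Snare product), the following Python parses the two sample events above, splits the log ID into its type, subtype/event-type and message-ID digits, normalises eventtime whether it arrives in epoch seconds or epoch nanoseconds, and then picks out the high or critical IPS events the sensor only detected rather than dropped. The set of actions treated as blocking, the set of severities treated as high, and the threshold used to tell nanoseconds from seconds are assumptions, not values documented on this page.

```python
"""Parse and triage FortiGate IPS key=value log lines.

Added example, not code from this page or from Fortinet/Snare. The two
sample lines are the sample events shown on this page, embedded here so the
script runs offline.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_EVENTS = [
    'date=2019-05-15 time=17:56:41 logid="0419016384" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" vd="root" eventtime=1557968201 severity="critical" '
    'srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 srcintf="port10" '
    'srcintfrole="lan" dstintf="port9" dstintfrole="wan" sessionid=4017 action="dropped" '
    'proto=6 service="HTTP" policyid=1 attack="Adobe.Flash.newfunction.Handling.Code.Execution" '
    'srcport=46810 dstport=80 hostname="172.16.200.55" url="/ips/sig1.pdf" direction="incoming" '
    'attackid=23305 profile="block-critical-ips" ref="http://www.fortinet.com/ids/VID23305" '
    'incidentserialno=582633933 '
    'msg="applications3: Adobe.Flash.newfunction.Handling.Code.Execution," '
    'crscore=50 craction=4096 crlevel="critical"',
    'date=2020-05-22 time=15:30:29 devname="PSA-OR-FTGW001" devid="FGVM4VTM20001228" '
    'logid="0422016400" type="utm" subtype="ips" eventtype="botnet" level="warning" vd="root" '
    'eventtime=1590132630731725530 tz="+0800" msg="Botnet C&C Communication." severity="high" '
    'srcip=1.1.1.1 srccountry="Australia" dstip=2.2.2.2 srcintf="port1" srcintfrole="undefined" '
    'dstintf="port2" dstintfrole="undefined" sessionid=51001 action="detected" srcport=51001 '
    'dstport=20 proto=6 service="tcp/20" vrf=32 policyid=0 profile="sensor" direction="N/A" '
    'attack="test_botnet" attackid=12345 user="user" group="group" '
    'ref="http://www.fortinet.com/be?bid=12345" crscore=50 craction=4 crlevel="critical"',
]

# key=value pairs; a value is either a double-quoted string (may contain
# spaces, '=' and escaped quotes) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed value sets (not from this page): actions that mean the sensor
# stopped the traffic, and severities worth paging on.
BLOCKING_ACTIONS = {"dropped", "blocked", "reset"}
HIGH_SEVERITY = {"high", "critical"}


def parse_event(line):
    """Return the event as a dict of field name -> string, quotes stripped."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def split_logid(logid):
    """Split the 10-digit log ID into (type, subtype/eventtype, message ID)."""
    if not re.fullmatch(r"\d{10}", logid):
        raise ValueError(f"unexpected logid {logid!r}")
    return logid[:2], logid[2:4], logid[4:]


def normalize_eventtime(raw):
    """Return eventtime as a timezone-aware UTC datetime.

    The first sample carries epoch seconds, the second epoch nanoseconds.
    Assumption: any value beyond the millisecond range is nanoseconds.
    """
    value = int(raw)
    if value >= 10**12:
        secs, rem = divmod(value, 10**9)
        return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(microseconds=rem // 1000)
    return datetime.fromtimestamp(value, tz=timezone.utc)


def triage(events):
    """Return high/critical IPS events that were detected but not blocked."""
    findings = []
    for ev in events:
        if ev.get("type") != "utm" or ev.get("subtype") != "ips":
            continue
        if ev.get("action") in BLOCKING_ACTIONS:
            continue  # the sensor already stopped it; informational only
        if ev.get("severity") not in HIGH_SEVERITY and ev.get("crlevel") not in HIGH_SEVERITY:
            continue
        findings.append({
            "when": normalize_eventtime(ev["eventtime"]).isoformat(),
            "logid": split_logid(ev["logid"]),
            "eventtype": ev.get("eventtype"),
            "attack": ev.get("attack"),
            "attackid": ev.get("attackid"),
            "src": f'{ev.get("srcip")}:{ev.get("srcport")}',
            "dst": f'{ev.get("dstip")}:{ev.get("dstport")}',
            "action": ev.get("action"),
            "severity": ev.get("severity"),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_event(line) for line in SAMPLE_EVENTS):
        print(finding)
```

Run against the two samples, only the botnet event surfaces: the Flash signature hit was dropped by the block-critical-ips profile, while the C&C communication was merely detected by the "sensor" profile and still needs a human. Decoding eventtime also makes the time-zone point concrete: the first sample's eventtime is 2019-05-16T00:56:41 UTC although its date/time fields read 2019-05-15 17:56:41, so correlating on date/time alone across devices in different zones will misorder events; correlate on eventtime.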
Notes
Log Message Reference Documentation: https://docs.fortinet.com/document/fortigate/6.4.2/fortios-log-message-reference