Fields in the body of attack log messages are described below.
For descriptions of header fields that exist in every log message, see Header & body fields.
Meaning: Traffic violating a policy was detected by the FortiWeb appliance.

Solution:

If your appliance was:

the traffic was blocked. No action is required. If many attacks come from a client, though, for performance reasons, consider blacklisting its IP address. Otherwise, if your appliance was:

examine the web server to determine whether or not it was affected. By the nature of log-only actions, detected attack attempts are logged but not blocked. You may also want to determine whether the attack comes from a single source IP address or is distributed: blacklisting an offending client may help you to efficiently prevent further attack attempts, improving performance, until you can take further action.

By the nature of the network topology for offline protection mode (which can potentially cause differences in the speeds of the separate routing paths), and of asynchronous inspection for transparent inspection mode, blocking cannot be guaranteed. For details, see the FortiWeb Administration Guide.

Tip: If an attack is not being detected as you expect, enable session management, traffic logging, and packet payload retention. You can examine the traffic log's packet payload to determine why it is not matching your profile rules and/or enabled attack signatures. For instructions, see the FortiWeb Administration Guide.
| Field name | Description |
|---|---|
| ID (log_id) | An identifying number. See Log ID numbers and the column ID. |
| Sub Type (subtype) | See Subtypes and the column Sub Type. |
| Level (pri) | alert |
| Action (action) | The action that you configured FortiWeb to take in response to the policy violation. Action options vary by the nature of the attack. For details on actions, see the FortiWeb Administration Guide. |
| Service (service) | <service_name> |
| Policy (policy) | <server-policy_name> |
| Method (http_method) | Varies by the web application, but is usually GET or POST. |
| HTTP Host (http_host) | The domain name as it appears in the request from the client. This name can be different from your internal DNS name, if any, for the web server, or, if you are using HTTP Host: rewrites, different from the domain name of the virtual host on the web server. (For example, www.example.co.jp instead of www1.local or the virtual host that serves responses for all DNS names, www.example.com.) |
| URL (http_url) | The URL as it appears in the request from the client. Can be a rewritten URL. This URL does not include the service or host name (for example, /main/index.html). |
| User Agent (http_agent) | The HTTP client platform, as reported by the client itself. This is often faked in attacks. |
| HTTP Session ID (http_session_id) | The HTTP session identifier associated with the HTTP request (if any). The ID may be |
| Message (msg) | See the column Message. |
| Signature Subclass (signature_subclass) | The name of the signature subclass. If the current signature has no subclass, the main class is displayed. |
| Signature ID (signature_id) | The ID of the specific signature within the subclass that triggered the log message. |
| Source Country (srccountry) | The country that is the source of the traffic. |
| HTTP Content Routing (content_switch_name) | The name of the associated HTTP content routing policy. |
| Server Pool (server_pool_name) | The name of the server pool in the associated server policy. |
| False Positive Mitigation (false_positive_mitigation) | For violations of SQL injection signatures, specifies whether FortiWeb identified the attack using the signature plus additional SQL syntax validation (yes) or just the signature (no). |
| Threat Scoring (log_type, event_score, score_message) | Information about threat scores, which FortiWeb generates based on multiple signature violations by a client rather than a single signature violation. By default, if For more information on CLI commands, see the FortiWeb CLI Reference. |
Example:

```
date=2016-02-19 time=11:23:45 log_id=20000010 msg_id=000139289631 device_id=FV-1KD3A15800072 vd="root" timezone="(GMT+8:00)Beijing,ChongQing,HongKong,Urumgi" type=attack subtype="waf_signature_detection" pri=alert trigger_policy="" severity_level=Medium proto=tcp service=http action=Alert policy="123" src=172.22.6.234 src_port=60554 dst=10.0.9.13 dst_port=80 http_method=get http_url="/preview.php?file==../" http_host="10.0.9.123" http_agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0" http_session_id=3B9864AEKNQSLLODNTILCG37M2FZ6A88 msg="[Signatures name: 123] [main class name: Generic Attacks(Extended)] [sub class name: Directory Traversal]: 060150002" signature_subclass="Directory Traversal" signature_id="060150002" srccountry="Reserved" content_switch_name="none" server_pool_name="123" false_positive_mitigation="none" log_type=LOG_TYPE_SCORE_SUM event_score=3 score_message="[score_type: total_score] [score_scope: TCP Session] [score_threshold: 5] [score_sum: 7]" entry_sequence="000139289630"
```
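As an added example (not part of the FortiWeb documentation), the following Python parser handles the key=value attack-log format shown above: it splits an entry into fields, unpacks the bracketed groups inside msg= and score_message=, reports whether a threat-scoring entry reached its score_threshold, and counts entries per src so that a repeat client (the single-source versus distributed question raised in the Solution) stands out. The example entry is the one from this page; the extra entries are constructed by changing its src and msg_id, and the function names are my own, not a FortiWeb API.

```python
import re
from collections import Counter

# Key=value pairs: the value is either double-quoted (and may then contain
# spaces, '=' and brackets) or a bare token that runs to the next whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Bracketed "[name: value]" groups used inside msg= and score_message=.
BRACKET_RE = re.compile(r'\[([^\]:]+):\s*([^\]]*)\]')

# The example entry from this page, split across lines for readability.
EXAMPLE = (
    'date=2016-02-19 time=11:23:45 log_id=20000010 msg_id=000139289631 '
    'device_id=FV-1KD3A15800072 vd="root" '
    'timezone="(GMT+8:00)Beijing,ChongQing,HongKong,Urumgi" type=attack '
    'subtype="waf_signature_detection" pri=alert trigger_policy="" '
    'severity_level=Medium proto=tcp service=http action=Alert policy="123" '
    'src=172.22.6.234 src_port=60554 dst=10.0.9.13 dst_port=80 http_method=get '
    'http_url="/preview.php?file==../" http_host="10.0.9.123" '
    'http_agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0" '
    'http_session_id=3B9864AEKNQSLLODNTILCG37M2FZ6A88 '
    'msg="[Signatures name: 123] [main class name: Generic Attacks(Extended)] '
    '[sub class name: Directory Traversal]: 060150002" '
    'signature_subclass="Directory Traversal" signature_id="060150002" '
    'srccountry="Reserved" content_switch_name="none" server_pool_name="123" '
    'false_positive_mitigation="none" log_type=LOG_TYPE_SCORE_SUM event_score=3 '
    'score_message="[score_type: total_score] [score_scope: TCP Session] '
    '[score_threshold: 5] [score_sum: 7]" entry_sequence="000139289630"'
)

# Constructed entries (not from the page): the page example plus three copies
# with a different client IP and message id, to exercise the per-source count.
CONSTRUCTED = [
    EXAMPLE,
    EXAMPLE.replace("src=172.22.6.234", "src=198.51.100.7"),
    EXAMPLE.replace("src=172.22.6.234", "src=198.51.100.7")
           .replace("msg_id=000139289631", "msg_id=000139289632"),
    EXAMPLE.replace("src=172.22.6.234", "src=203.0.113.9"),
]


def parse_attack_log(line):
    """Split one attack-log entry into a dict of field name -> value."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]  # drop the surrounding quotes
        fields[key] = raw
    return fields


def parse_bracketed(text):
    """Parse '[score_type: total_score] [score_sum: 7]' style text into a dict."""
    return {k.strip(): v.strip() for k, v in BRACKET_RE.findall(text)}


def score_threshold_exceeded(fields):
    """For threat-scoring entries, report whether score_sum reached
    score_threshold. Returns None for entries without score information."""
    if fields.get("log_type") != "LOG_TYPE_SCORE_SUM" or "score_message" not in fields:
        return None
    score = parse_bracketed(fields["score_message"])
    return int(score["score_sum"]) >= int(score["score_threshold"])


def repeat_sources(lines, min_events=2):
    """Count attack entries per client IP (src) and return the sources seen
    at least min_events times, most frequent first."""
    counts = Counter(parse_attack_log(line).get("src", "?") for line in lines)
    return [(src, n) for src, n in counts.most_common() if n >= min_events]


if __name__ == "__main__":
    entry = parse_attack_log(EXAMPLE)
    print(entry["src"], entry["signature_subclass"], entry["http_url"])
    print("signature detail:", parse_bracketed(entry["msg"]))
    print("score threshold exceeded:", score_threshold_exceeded(entry))
    print("repeat sources:", repeat_sources(CONSTRUCTED))
```

Quoted values are consumed as a unit, so the `=` inside `http_url="/preview.php?file==../"` and the spaces inside `http_agent` do not split a field; the bracket parser is the same one for `msg` (signature name, main class, subclass) and for `score_message`, because both use the same `[name: value]` layout.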