
Attack log fields

Fields in the body of attack log messages are described below.

For descriptions of header fields that exist in every log message, see Header & body fields.

Meaning

Traffic violating a policy was detected by the FortiWeb appliance.

Solution

If your appliance was:

  • operating in reverse proxy, true transparent proxy, or WCCP mode and
  • configured to deny traffic (e.g. the Action is Alert & Deny in the log message)

the traffic was blocked. No action is required. If many attacks come from a client, though, for performance reasons, consider blacklisting its IP address.

Otherwise, if your appliance was:

  • operating in offline protection or transparent inspection mode or
  • configured only to monitor traffic (e.g. Monitor Mode was enabled or the Action is Alert, not Alert & Deny)

examine the web server to determine whether or not it was affected.

By the nature of log-only actions, detected attack attempts are logged but not blocked. You may also want to determine if the attack is from a single source IP address or distributed: blacklisting an offending client may help you to efficiently prevent further attack attempts, improving performance, until you can take further action.

By the nature of the network topology for offline protection mode (which can potentially cause differences in speeds of the separate routing paths), and asynchronous inspection for transparent inspection mode, blocking cannot be guaranteed. For details, see the FortiWeb Administration Guide.

Tip: If an attack is not being detected as you expect, enable session management, traffic logging, and packet payload retention. You can examine the traffic log’s packet payload to determine why it is not matching your profile rules and/or enabled attack signatures. For instructions, see the FortiWeb Administration Guide.


Each entry below gives the field name as shown in the log viewer, the key used for that field in the raw log message in parentheses, and a description.

ID (log_id)

An identifying number. See Log ID numbers and the column ID.

Sub Type (subtype)

See Subtypes and the column Sub Type.

Level (pri)

alert

Action (action)

The action that you configured FortiWeb to take in response to the policy violation, such as Alert or Alert_Deny.

Action options vary by the nature of the attack. For details on actions, see the FortiWeb Administration Guide.

Service (service)

<service_name>

Policy (policy)

<server-policy_name>

Method (http_method)

Varies by the web application, but is usually GET or POST.

HTTP Host (http_host)

The domain name as it appears in the request from the client. This name can be different from your internal DNS name, if any, for the web server, or, if you are using HTTP Host: rewrites, different from the domain name of the virtual host on the web server. (For example, www.example.co.jp instead of www1.local or the virtual host that serves responses for all DNS names, www.example.com.)

URL (http_url)

The URL as it appears in the request from the client. Can be a rewritten URL. This URL does not include the service or host name (for example, /main/index.html).

User Agent (http_agent)

The HTTP client platform, as reported by the client itself. Attackers frequently spoof this value.

HTTP Session ID (http_session_id)

The HTTP session identifier associated with the HTTP request (if any).

The ID may be unknown if the Session Management option is not enabled in the governing protection profile.

Message (msg)

See the column Message.

Signature Subclass (signature_subclass)

The name of the signature subclass.

If the current signature has no subclass, the main class is displayed.

Signature ID (signature_id)

The ID of the specific signature within the subclass that triggered the log message.

Source Country (srccountry)

The country that is the source of the traffic.

HTTP Content Routing (content_switch_name)

The name of the associated HTTP content routing policy.

Server Pool (server_pool_name)

The name of the server pool in the associated server policy.

False Positive Mitigation (false_positive_mitigation)

For violations of SQL injection signatures, specifies whether FortiWeb identified the attack using the signature and additional SQL syntax validation (yes) or just the signature (no).

Threat Scoring (log_type, event_score, score_message, entry_sequence)

Information about threat scores, which FortiWeb generates based on multiple signature violations by a client, instead of a single signature violation.

  • log_type – LOG_TYPE_SCORE_SUB indicates that this signature violation contributed to the total score, but did not cause the total score to exceed the threshold. LOG_TYPE_SCORE_SUM indicates that the total score exceeded the threshold when FortiWeb detected this signature violation.
  • event_score – The individual threat score that this signature violation contributed to the total score.
  • score_message – Displayed only when log_type is LOG_TYPE_SCORE_SUM. Displays the threat scoring match scope (for example, HTTP Transaction compares the score for each transaction to the threshold), the threshold, and the total score.
  • entry_sequence – Displayed only when log_type is LOG_TYPE_SCORE_SUM. Displays the message IDs of the other signature violations that contributed to the total threat score.

By default, if log_type is LOG_TYPE_SCORE_SUB, the message is not displayed. Use the following CLI commands to display these messages (the closing end, which commits the setting, is the standard way to leave a config block in the FortiWeb CLI):

config log attack-log
  set show-all-log enable
end

For more information on CLI commands, see the FortiWeb CLI Reference.


Example

date=2016-02-19 time=11:23:45 log_id=20000010 msg_id=000139289631 device_id=FV-1KD3A15800072 vd="root" timezone="(GMT+8:00)Beijing,ChongQing,HongKong,Urumgi" type=attack subtype="waf_signature_detection" pri=alert trigger_policy="" severity_level=Medium proto=tcp service=http action=Alert policy="123" src=172.22.6.234 src_port=60554 dst=10.0.9.13 dst_port=80 http_method=get http_url="/preview.php?file==../" http_host="10.0.9.123" http_agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0" http_session_id=3B9864AEKNQSLLODNTILCG37M2FZ6A88 msg="[Signatures name: 123] [main class name: Generic Attacks(Extended)] [sub class name: Directory Traversal]: 060150002" signature_subclass="Directory Traversal" signature_id="060150002" srccountry="Reserved" content_switch_name="none" server_pool_name="123" false_positive_mitigation="none" log_type=LOG_TYPE_SCORE_SUM event_score=3 score_message="[score_type: total_score] [score_scope: TCP Session] [score_threshold: 5] [score_sum: 7]" entry_sequence="000139289630"
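To show how the fields above are consumed in practice, here is an added example (not FortiWeb's own code or anything from this guide) that parses the example line into a dictionary, unpacks the bracketed msg and score_message layouts, interprets the threat scoring fields the way the Threat Scoring entry describes them, and applies the Solution section's first question: was the action Alert_Deny, or log-only, so that the web server needs to be examined? The example line is embedded verbatim as the parser's input; the second, LOG_TYPE_SCORE_SUB record is constructed for illustration and contains only the fields the scoring logic reads. The function names are assumptions of this example.

```python
import re
from typing import Dict

# Input for the parser: the attack log line this page gives as its example,
# embedded here verbatim so the example runs offline.
SAMPLE_LOG = (
    'date=2016-02-19 time=11:23:45 log_id=20000010 msg_id=000139289631 '
    'device_id=FV-1KD3A15800072 vd="root" '
    'timezone="(GMT+8:00)Beijing,ChongQing,HongKong,Urumgi" type=attack '
    'subtype="waf_signature_detection" pri=alert trigger_policy="" '
    'severity_level=Medium proto=tcp service=http action=Alert policy="123" '
    'src=172.22.6.234 src_port=60554 dst=10.0.9.13 dst_port=80 http_method=get '
    'http_url="/preview.php?file==../" http_host="10.0.9.123" '
    'http_agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0" '
    'http_session_id=3B9864AEKNQSLLODNTILCG37M2FZ6A88 '
    'msg="[Signatures name: 123] [main class name: Generic Attacks(Extended)] '
    '[sub class name: Directory Traversal]: 060150002" '
    'signature_subclass="Directory Traversal" signature_id="060150002" '
    'srccountry="Reserved" content_switch_name="none" server_pool_name="123" '
    'false_positive_mitigation="none" log_type=LOG_TYPE_SCORE_SUM event_score=3 '
    'score_message="[score_type: total_score] [score_scope: TCP Session] '
    '[score_threshold: 5] [score_sum: 7]" entry_sequence="000139289630"'
)

# Constructed LOG_TYPE_SCORE_SUB record (not from the page): a violation that
# added to the client's score without pushing it over the threshold. Only the
# fields the scoring logic reads are included.
SAMPLE_SUB_LOG = (
    'log_id=20000010 msg_id=000139289630 action=Alert '
    'log_type=LOG_TYPE_SCORE_SUB event_score=4'
)

# key=value pairs; a value is either double-quoted (may contain spaces and
# backslash escapes) or a bare run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

# "[name: value]" groups, the layout used inside msg= and score_message=.
BRACKET_RE = re.compile(r'\[([^\]:]+):\s*([^\]]*)\]')


def parse_attack_log(line: str) -> Dict[str, str]:
    """Split one attack log line into a key -> value dictionary."""
    fields: Dict[str, str] = {}
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def parse_bracketed(text: str) -> Dict[str, str]:
    """Parse the "[name: value] [name: value]" layout of msg and score_message."""
    return {name.strip(): value.strip() for name, value in BRACKET_RE.findall(text)}


def threat_score_summary(fields: Dict[str, str]) -> Dict[str, object]:
    """Interpret the threat scoring fields as the page describes them."""
    log_type = fields.get("log_type", "")
    summary: Dict[str, object] = {
        "log_type": log_type,
        "event_score": int(fields.get("event_score") or 0),
        # Only a SUM record means the client's total crossed the threshold.
        "threshold_exceeded": log_type == "LOG_TYPE_SCORE_SUM",
    }
    if log_type == "LOG_TYPE_SCORE_SUM":
        score = parse_bracketed(fields.get("score_message", ""))
        summary["scope"] = score.get("score_scope")
        summary["threshold"] = int(score.get("score_threshold", 0))
        summary["total"] = int(score.get("score_sum", 0))
        # Message IDs of the contributing SUB records. The page shows a single
        # ID, so the raw string is kept rather than assuming a separator.
        summary["entry_sequence"] = fields.get("entry_sequence", "")
    return summary


def was_blocked(fields: Dict[str, str]) -> bool:
    """True only when the logged action is Alert_Deny. The page names Alert and
    Alert_Deny as example values; other actions would need adding here. The
    operating mode is not in the log line, so in offline protection or
    transparent inspection mode even a deny action is not a guarantee."""
    return fields.get("action") == "Alert_Deny"


def triage(line: str) -> Dict[str, object]:
    """Combine the parsers into the check the Solution section asks for."""
    fields = parse_attack_log(line)
    classes = parse_bracketed(fields.get("msg", ""))
    blocked = was_blocked(fields)
    return {
        "src": fields.get("src"),
        "signature_id": fields.get("signature_id"),
        "subclass": classes.get("sub class name", fields.get("signature_subclass")),
        "blocked": blocked,
        "examine_server": not blocked,   # log-only action: check the web server
        "score": threat_score_summary(fields),
    }


if __name__ == "__main__":
    for line in (SAMPLE_LOG, SAMPLE_SUB_LOG):
        print(triage(line))
```

For the page's example line, triage reports blocked False and examine_server True (the action was Alert, not Alert_Deny), and the score summary shows a TCP Session scope with total 7 against threshold 5, which is why the record is LOG_TYPE_SCORE_SUM. Grouping SUM records by src is the quickest way to answer the page's other question, whether the attempts come from one client or are distributed.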