Attack log messages record traffic that violated its matching policy. Log ID numbers of this type are listed in the table Attack logs by subtype & ID.
The operating mode, network topology, and the rule’s configured Action can all affect how a policy responds to an attack, data leak, or server information disclosure. Depending on your configuration, violating traffic is either:
FortiWeb does not record the following types of attack logs individually. Instead, it records them periodically while the attack is ongoing, even if the attack has multiple sources:
This aggregation prevents FortiWeb from flooding attack logs with identical or very similar messages. To differentiate logs caused by individual attacks from those caused by multiple attacks in the same category, FortiWeb records whether it generated the attack log message after matching multiple signatures.
In the attack log, the message field of aggregated log messages displays rule_name : Custom Access Violation.
In the aggregated attacks log, the type field displays Multiple Custom access rule Violations.
By default, FortiWeb does not display all signature violations that contributed to a threat scoring attack log message as individual entries in the attack log. Instead, a single attack log message is displayed for the signature violations that contributed to a combined threat score that exceeded the maximum. However, all the signature violations that contributed to the score are displayed in the message details. (Double-click the message to display its details.)
Also by default, FortiWeb does not display messages for signature violations that generated a threat score but did not exceed the threat scoring threshold.
Use the following CLI command to display the signature violations that contributed to a threat scoring attack log message as individual entries and to display any signature violations that generated a threat score but did not exceed the threat scoring threshold:
config log attack-log
set show-all-log {enable | disable}
For more information on CLI commands, see FortiWeb CLI Reference.
Threat scoring attack log messages are also displayed in the aggregated attacks log.
To locate a description for an attack log message, match the ID (log_id) field in the attack log message with that shown in the table Attack logs by subtype & ID. All attack log messages have the same body fields, described in Attack log fields.
For attack log messages generated by an HTTP protocol constraint, the associated policy name is displayed in the raw view ([policy_name:<protocol_constraint_name>]) but not in the formatted view.
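The two points above (resolve log_id against the table; the policy and constraint name survive only in the raw view) are what a SIEM parser for these messages has to handle. The following script is an added example, not FortiWeb code. It assumes the attack log has been exported as syslog-style key=value pairs with space-containing values double-quoted, and that the "Multiple Custom access rule Violations" marker for aggregated entries arrives in the type field as described above. The sample lines, the policy name web_policy1, the constraint name strict_constraints, the rule name block_scanners, the source addresses and the signature ID are all constructed for the example.

```python
"""Resolve FortiWeb attack log lines against the 'Attack logs by subtype & ID'
table and pull the structured parts out of the message field.

Added example, not FortiWeb code. Assumes syslog-style key=value export
(values with spaces are double-quoted). All sample lines are constructed.
"""
import re

# Subset of the table: log_id -> (subtype, message template).
ATTACK_LOG_IDS = {
    20000001: ("waf_allow_method", "HTTP Method Violation"),
    20000007: ("waf_black_ip", "Blacklisted IP blocked"),
    20000010: ("waf_signature_detection", "<category> : Signature ID n"),
    20000030: ("waf_custom_access", "<custom_rule_name>: Custom Access Violation"),
    20000032: ("waf_header_overflow",
               "[policy_name:<protocol_constraint_name>] :Header Length Exceeded"),
    20000044: ("waf_illegal_hostname",
               "[policy_name:<protocol_constraint_name>] : Illegal Host Name"),
}
AGGREGATED_TYPE = "Multiple Custom access rule Violations"

# key=value tokens; quoted values may contain spaces and escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Raw-view protocol constraint message: [policy:constraint] :<violation>: (<detail>)
PROTOCOL_CONSTRAINT_RE = re.compile(
    r'^\[(?P<policy>[^:\]]+):(?P<constraint>[^\]]+)\]\s*:\s*'
    r'(?P<violation>[^:]+?)\s*:?\s*(?:\((?P<detail>.*)\))?\s*$'
)
# Signature hits: "<category> : Signature ID n"
SIGNATURE_RE = re.compile(r'^(?P<category>.+?)\s*:\s*Signature ID\s+(?P<sig_id>\d+)\s*$')
NUMBER_RE = re.compile(r'\b\d+\b')


def parse_kv_line(line):
    """Split one log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_protocol_constraint(msg):
    """Return policy, constraint, violation and, for '... n exceeded ... n'
    details only, the (observed, limit) pair. Other details (e.g. an illegal
    host name) also contain digits, so they are deliberately not parsed."""
    m = PROTOCOL_CONSTRAINT_RE.match(msg)
    if not m:
        return None
    out = {"policy": m.group("policy").strip(),
           "constraint": m.group("constraint").strip(),
           "violation": m.group("violation").strip()}
    detail = m.group("detail")
    if detail and "exceeded" in detail:
        nums = [int(n) for n in NUMBER_RE.findall(detail)]
        if len(nums) >= 2:
            out["observed"], out["limit"] = nums[0], nums[1]
    return out


def parse_signature(msg):
    """Return (category, signature index) for a waf_signature_detection message."""
    m = SIGNATURE_RE.match(msg)
    return (m.group("category").strip(), int(m.group("sig_id"))) if m else None


def classify(line):
    """Map one raw attack log line to its table row plus structured details."""
    f = parse_kv_line(line)
    log_id = int(f["log_id"])
    subtype, _template = ATTACK_LOG_IDS.get(log_id, ("unknown", ""))
    entry = {"log_id": log_id, "subtype": subtype,
             "subtype_matches_table": f.get("subtype") == subtype,
             "msg": f.get("msg", ""),
             "aggregated": f.get("type") == AGGREGATED_TYPE}
    pc = parse_protocol_constraint(entry["msg"])
    if pc:
        entry["protocol_constraint"] = pc
    sig = parse_signature(entry["msg"])
    if sig:
        entry["signature"] = sig
    return entry


# Constructed sample lines (not real FortiWeb output; IDs/names are placeholders).
SAMPLE_LINES = [
    'date=2024-05-01 time=10:15:02 log_id=20000032 type=attack subtype="waf_header_overflow" '
    'src=203.0.113.7 msg="[web_policy1:strict_constraints] :Header Length Exceeded: '
    '(the current header length 9000 exceeded the maximum header length limitation 8192)"',
    'date=2024-05-01 time=10:15:03 log_id=20000030 type="Multiple Custom access rule Violations" '
    'subtype="waf_custom_access" src=203.0.113.7 msg="block_scanners : Custom Access Violation"',
    'date=2024-05-01 time=10:15:04 log_id=20000010 type=attack subtype="waf_signature_detection" '
    'src=203.0.113.7 msg="SQL Injection : Signature ID 50010001"',
    'date=2024-05-01 time=10:15:05 log_id=20000044 type=attack subtype="waf_illegal_hostname" '
    'src=203.0.113.7 msg="[web_policy1:strict_constraints] : Illegal Host Name: '
    '(host name 203.0.113.9 is illegal)"',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(classify(sample))
```

Feed this the raw/syslog export rather than the formatted GUI view: the formatted view drops the [policy_name:<protocol_constraint_name>] prefix, so the policy and constraint fields would come back empty. The observed/limit pair is only extracted when the detail text says "exceeded"; an "Illegal Host Name" detail containing an IP address would otherwise be misread as numbers.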
Log ID (log_id) | Subtype | Message
20000001 | waf_allow_method | HTTP Method Violation
20000002 | allow_host | HTTP Host Violation
20000003 | waf_page_rule | Page Access Rule Violation
20000004 | waf_start_page | Start Page Violation
20000005 | waf_cookie_poison | cookie name (<parameter_name>) : Cookie Poisoning [ <original_value> -> <corrupted_value>; Domain: <domain>; Path: <path>
20000006 | waf_parameter_rule | Parameter Validation Violation: (<parameter_name>)
20000007 | waf_black_ip | Blacklisted IP blocked
20000008 | waf_url_access | <rule_name>: URL Access Violation
20000009 | waf_custom_signature_match | Custom Signature Detection: <custom_signature_rule_name>
20000010 | waf_signature_detection | One of the following, where n is the index number of the specific predefined attack or data leak signature:
    Credit Card Detection : Signature ID n
    Cross Site Scripting : Signature ID n
    Cross Site Scripting(Extended) : Signature ID n
    Generic Attacks-<subtype_name> : Signature ID n
    Generic Attacks(Extended)-<subtype_name> : Signature ID n
    Information Disclosure-<subtype_name>: Signature ID n
    KnownExploits-<subtype_name>: Signature ID n
    SQL Injection : Signature ID n
    SQL Injection(Extended) : Signature ID n
    Bad Robot : Signature ID n
    Trojans : Signature ID n
20000018 | waf_brute_login | Brute Force Login Violation
20000019 | waf_hidden_fields | Hidden Field Manipulation
20000027 | waf_antivirus_check | filename [<file_name>] virus name [<virus_name>]: File upload virus violation
20000029 | waf_illegal_xml_format | Examples:
    Document is empty: Illegal XML Format
    StartTag invalid element name: Illegal XML Format
    Extra content at the end of the document: Illegal XML Format
    Specification mandate value for attribute xss: Illegal XML Format
    AttValue quotation mark expected: Illegal XML Format
    XML declaration allowed only at the start of the document: Illegal XML Format
20000030 | waf_custom_access | <custom_rule_name>: Custom Access Violation
20000032 | waf_header_overflow | [policy_name:<protocol_constraint_name>] :Header Length Exceeded: (the current header length n exceeded the maximum header length limitation n)
20000033 | waf_headline_overflow | [policy_name:<protocol_constraint_name>] :Header Line Length Exceeded: (the current HTTP header line length n exceeded the maximum length limitation n)
20000034 | waf_body_overflow | [policy_name:<protocol_constraint_name>] :Body Length Exceeded: (the current HTTP body length n exceeded the maximum HTTP body length limitation n)
20000035 | waf_content_overflow | [policy_name:<protocol_constraint_name>] : Content Length Exceeded: (the current content length n exceeded the maximum content length limitation n)
20000036 | waf_parameter_overflow | [policy_name:<protocol_constraint_name>] : Total URL and Body Parameters Length Exceeded: (the current URL and body length n exceeded the maximum length limitation n)
20000037 | waf_request_overflow | [policy_name:<protocol_constraint_name>] : HTTP Request Length Exceeded: (the current request length n exceeded the maximum request length limitation n)
20000038 | waf_url_parameter_overflow | [policy_name:<protocol_constraint_name>] : Total URL Parameters Length Exceeded: (the current URL parameter length n exceeded the maximum length limitation n)
20000039 | waf_illegal_http_version | [policy_name:<protocol_constraint_name>] : Illegal HTTP Version
20000040 | waf_cookiecount_overflow | [policy_name:<protocol_constraint_name>] : Too Many Cookies in Request: (cookie number n exceeded the maximum cookie number limitation n)
20000041 | waf_req_headline_overflow | [policy_name:<protocol_constraint_name>] : Too Many Headers In Request: (header line number n exceeded the maximum header line number limitation n)
20000042 | waf_ip_reputation | IP Reputation Violation: <category_name>
20000043 | waf_url_parameter_count_overflow | [policy_name:<protocol_constraint_name>] : Too Many Parameters in Request: (the current parameter number n exceeded the maximum parameter number limitation n)
20000044 | waf_illegal_hostname | [policy_name:<protocol_constraint_name>] : Illegal Host Name: (host name <host> is illegal)
20000045 | waf_illegal_file_type | filename [<file_str>]: Illegal file size/type
20000046 (when based upon the HTTP session ID) | DDOS based on HTTP session: waf_http_request_overflow | DoS Attack: HTTP Flood Prevention Violation
20000047 (when based upon the source IP) | DDOS based on HTTP session: waf_tcp_connection_overflow | DoS Attack: Malicious IPs Violation
20000048 | waf_max_num_ranges_in_Range_header | [policy_name:<protocol_constraint_name>] : Too Many Range Headers: (the range header number n exceeded the maximum range header number n)
20000049 | http_protocol_error | [policy_name:<protocol_constraint_name>] : Malformed Request - Header Too Large : Malformed Request, or [policy_name:<protocol_constraint_name>] : Malformed Request - Parameter Too Large : Malformed Request
20000050 (when based upon the HTTP session ID) | DDOS based on source IP: waf_http_request_overflow | DoS Attack: HTTP Access Limit Violation
20000051 (when based upon the source IP) | DDOS based on source IP: waf_tcp_connection_overflow | DoS Attack: TCP Flood Prevention Violation
20000052 | https_connection_failed | Varies by the cause of the SSL/TLS error. See SSL/TLS error messages.
20000053 | waf_padding_oracle | Padding Oracle Attack
20000055 | fsa_detection | Malicious file detected by FortiSandbox
20000057 | waf_illegal_content_length | Illegal Content Length: (Content length <content> is illegal)
20000058 | waf_illegal_content_type | Illegal Content Type: (Content type <content_type> is illegal)
20000060 | waf_missing_post_ctype | Missing Content Type
20000061 | waf_body_parameter_overflow | Total Body Parameters Length Exceeded: (The body parameters length (<total_size_of_parameters>) exceeded the maximum allowed - <max_size_allowed>)
20000062 | waf_header_name_overflow | Header Name Length Exceeded: (The HTTP header name (<header_name>) length (<header_name_length>) exceeded the maximum allowed - <max_allowed_length>)
20000063 | waf_header_value_overflow | Header Value Length Exceeded: (The HTTP header value length (<header_length>) exceeded the maximum allowed - <max_allowed_length>)
20000064 | waf_illegal_param_name | NULL Character in Parameter Name
20000065 | waf_illegal_param_value | NULL Character in Parameter Value
20000065 | waf_illegal_header_name | Illegal character [<character>] in HTTP Header Name.
21000022 | waf_dos_prevention_type | DoS Attack: SYN Flood, or DoS Attack: SYN Flood Stopped