Logging - Session versus Attack Direction

IPS logs have been updated to record source and destination information based on session direction instead of attack direction. This update allows for better alignment between IPS and traffic logs, as traffic logs also record source and destination information based on session direction. FortiOS can use this information to present a more accurate summary and drill-down path.

IPS logs also include a new direction field to indicate attack direction when applicable.

The following scenarios show examples of traffic and IPS logs for server-side and client-side attacks. Both scenarios use the topology illustrated below. The session direction is from the client to the server.

In both scenarios, note that both the traffic and IPS logs record the source and destination IP addresses using the session direction, treating the client as the source and the server as the destination. The source fields (srcip, srcport, and srcintf) use client data. The destination fields (dstip, dstport, and dstintf) use server data. The IPS log examples also include the direction field to show the attack direction.

Server-side attack traffic and IPS logs

In this scenario, the client attempts to download malware from the server. The attack direction is therefore incoming (from the server to the client). The traffic and IPS logs for this scenario are shown below:

Traffic log:

date=2018-12-29 time=14:50:47 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1540849847 srcip=10.1.100.22 srcport=46552 srcintf="dmz" srcintfrole="lan" dstip=172.16.200.55 dstport=80 dstintf="wan1" dstintfrole="wan" poluuid="c939f294-d6ff-51e8-3988-c628cfa2a346" sessionid=2979 proto=6 action="server-rst" policyid=1 policytype="policy" service="HTTP" dstcountry="Reserved" srccountry="Reserved" trandisp="snat" transip=172.16.200.6 transport=46552 duration=0 sentbyte=296 rcvdbyte=152 sentpkt=4 rcvdpkt=3 appcat="unscanned" utmaction="reset" countips=1 devtype="Linux PC" devcategory="None" osname="Linux" osversion="Debian" mastersrcmac="00:0c:29:6c:43:21" srcmac="00:0c:29:6c:43:21" srcserver=0 utmref=65522-42

IPS log:

date=2018-12-29 time=14:50:47 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" eventtime=1540849847 severity="info" srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 srcintf="dmz" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=2979 action="reset" proto=6 service="HTTP" policyid=1 attack="Virus.File" srcport=46552 dstport=80 hostname="172.16.200.55" url="/virus/example.com" direction="incoming" attackid=29844 profile="ips-test" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=122164746 msg="file_transfer: Virus.File,"

Client-side attack traffic and IPS logs

In this scenario, the client attempts to post malware to the server. The attack direction is therefore outgoing (from the client to the server). The traffic and IPS logs for this scenario are shown below:

Traffic log:

date=2018-12-29 time=15:30:25 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1540852225 srcip=10.1.100.22 srcport=53330 srcintf="dmz" srcintfrole="lan" dstip=172.16.200.55 dstport=80 dstintf="wan1" dstintfrole="wan" poluuid="c939f294-d6ff-51e8-3988-c628cfa2a346" sessionid=4205 proto=6 action="server-rst" policyid=1 policytype="policy" service="HTTP" dstcountry="Reserved" srccountry="Reserved" trandisp="snat" transip=172.16.200.6 transport=53330 duration=0 sentbyte=692 rcvdbyte=318 sentpkt=6 rcvdpkt=5 appcat="unscanned" utmaction="reset" countips=1 devtype="Linux PC" devcategory="None" osname="Linux" osversion="Debian" mastersrcmac="00:0c:29:6c:43:21" srcmac="00:0c:29:6c:43:21" srcserver=0 utmref=65522-96

IPS log:

date=2018-12-29 time=15:30:25 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" eventtime=1540852225 severity="info" srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 srcintf="dmz" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=4205 action="reset" proto=6 service="HTTP" policyid=1 attack="Virus.File" srcport=53330 dstport=80 hostname="172.16.200.55" url="/cgi-bin/upload.py?root" direction="outgoing" attackid=29844 profile="ips-test" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=2111356281 msg="file_transfer: Virus.File,"
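The following Python is an added example, not part of the Fortinet documentation and not FortiOS code. It parses the key=value log format shown above, joins traffic and IPS records on vd and sessionid (the fields the two scenarios share), checks that both record types name the same session endpoints, and uses the IPS direction field to work out which session endpoint originated the attack. The sample lines are the two scenarios above trimmed to the fields used; the function names and the incoming/outgoing interpretation are assumptions taken from the text of this page.

```python
import re
from typing import Dict, Iterable

# FortiOS log lines are space-separated key=value pairs; values that contain
# spaces are double-quoted (devtype="Linux PC", msg="file_transfer: Virus.File,").
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the two scenarios on this page, trimmed to the fields used here.
SAMPLE_TRAFFIC = [
    'date=2018-12-29 time=14:50:47 logid="0000000013" type="traffic" subtype="forward" vd="vdom1" '
    'srcip=10.1.100.22 srcport=46552 srcintf="dmz" dstip=172.16.200.55 dstport=80 dstintf="wan1" '
    'sessionid=2979 proto=6 action="server-rst" service="HTTP" devtype="Linux PC" utmaction="reset" countips=1',
    'date=2018-12-29 time=15:30:25 logid="0000000013" type="traffic" subtype="forward" vd="vdom1" '
    'srcip=10.1.100.22 srcport=53330 srcintf="dmz" dstip=172.16.200.55 dstport=80 dstintf="wan1" '
    'sessionid=4205 proto=6 action="server-rst" service="HTTP" devtype="Linux PC" utmaction="reset" countips=1',
]
SAMPLE_IPS = [
    'date=2018-12-29 time=14:50:47 logid="0419016384" type="utm" subtype="ips" vd="vdom1" '
    'srcip=10.1.100.22 dstip=172.16.200.55 srcintf="dmz" dstintf="wan1" sessionid=2979 action="reset" '
    'attack="Virus.File" srcport=46552 dstport=80 url="/virus/example.com" direction="incoming" '
    'attackid=29844 msg="file_transfer: Virus.File,"',
    'date=2018-12-29 time=15:30:25 logid="0419016384" type="utm" subtype="ips" vd="vdom1" '
    'srcip=10.1.100.22 dstip=172.16.200.55 srcintf="dmz" dstintf="wan1" sessionid=4205 action="reset" '
    'attack="Virus.File" srcport=53330 dstport=80 url="/cgi-bin/upload.py?root" direction="outgoing" '
    'attackid=29844 msg="file_transfer: Virus.File,"',
]

# Fields that must agree between a traffic record and its IPS record when both
# are written in session direction (client = source, server = destination).
SESSION_FIELDS = ("srcip", "srcport", "srcintf", "dstip", "dstport", "dstintf")


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def attack_endpoints(ips: Dict[str, str]) -> Dict[str, str]:
    """Name the attack origin and target from a session-direction IPS record.

    srcip/dstip follow the session (client -> server). The direction field
    says which way the attack travelled relative to that session:
      incoming -> server (dstip) attacked client (srcip)  (server-side attack)
      outgoing -> client (srcip) attacked server (dstip)  (client-side attack)
    Assumed mapping, derived from the two scenarios on this page.
    """
    direction = ips.get("direction")
    if direction == "incoming":
        return {"attack_origin": ips["dstip"], "attack_target": ips["srcip"]}
    if direction == "outgoing":
        return {"attack_origin": ips["srcip"], "attack_target": ips["dstip"]}
    # direction absent: attack direction not applicable to this signature.
    return {"attack_origin": "unknown", "attack_target": "unknown"}


def correlate_by_session(traffic_lines: Iterable[str], ips_lines: Iterable[str]) -> Dict[str, Dict]:
    """Join traffic and IPS records on (vd, sessionid); flag endpoint mismatches."""
    traffic: Dict[tuple, Dict[str, str]] = {}
    for line in traffic_lines:
        rec = parse_fortios_log(line)
        if rec.get("type") == "traffic" and "sessionid" in rec:
            traffic[(rec.get("vd"), rec["sessionid"])] = rec

    result: Dict[str, Dict] = {}
    for line in ips_lines:
        ips = parse_fortios_log(line)
        if ips.get("subtype") != "ips" or "sessionid" not in ips:
            continue
        tr = traffic.get((ips.get("vd"), ips["sessionid"]))
        # A missing separator (e.g. "srcport=53330dstport=80") swallows the next
        # key into the previous value, so the comparison fails and flags the line.
        agree = tr is not None and all(tr.get(f) == ips.get(f) for f in SESSION_FIELDS)
        result[ips["sessionid"]] = {
            "attack": ips.get("attack"),
            "direction": ips.get("direction"),
            "session": f'{ips.get("srcip")}:{ips.get("srcport")} -> {ips.get("dstip")}:{ips.get("dstport")}',
            "traffic_match": tr is not None,
            "endpoints_agree": agree,
            **attack_endpoints(ips),
        }
    return result


if __name__ == "__main__":
    for sid, summary in correlate_by_session(SAMPLE_TRAFFIC, SAMPLE_IPS).items():
        print(sid, summary)
```

Run stand-alone, the script prints one summary per session: for session 2979 (direction incoming) the attack origin is the server 172.16.200.55 and the target is the client 10.1.100.22; for session 4205 (direction outgoing) the roles are reversed, while the session tuple stays client to server in both. The endpoints_agree flag is the alignment check the text promises between traffic and IPS logs; it also catches a log line whose fields ran together.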
