Fortinet black logo

FortiOS Log Message Reference

16401 - LOGID_ATTACK_BOTNET_NOTIF

Message ID: 16401

Message Description: LOGID_ATTACK_BOTNET_NOTIF

Message Meaning: Botnet C&C Communication (notice)

Type: IPS

Category: BOTNET

Severity: Notice

Log Field Name

Description

Data Type

Length

action

Security action performed by IPS: detected - Attack is detected , but NOT blocked (similar to monitor) dropped - Silent packet blocked reset - Blocked and respond with Reset reset_client - Blocked and reset sent to the client reset_server - Blocked and reset sent to the server drop_session - Silent block pass_session - Session allowed clear_session - Session was removed /closed

string

16

attack

Attack Name

string

256

attackcontext

The trigger patterns and the packet data with base64 encoding

string

2048

attackcontextid

Attack context ID / total

string

10

attackid

Attack ID

uint32

10

authserver

Authentication server for the user

string

64

craction

Action performed by Threat Weight

uint32

10

crlevel

Client Reputation Level

string

10

crscore

Client Reputation Score

uint32

10

date

Date

string

10

devid

Deivce ID

string

16

direction

Message/packets direction

string

8

dstintf

Destination Interface

string

64

dstintfrole

Destination Interface's assigned role (LAN, WAN, etc.)

string

10

dstip

Destination IP

ip

39

dstport

Destination Port

uint16

5

eventtime

Time when detection occured

uint64

20

eventtype

IPS Event Type

string

32

fctuid

FortiClient UID

string

32

forwardedfor

X-Forwarded-For HTTP header

string

128

group

User group name

string

64

level

Log Level

string

11

logid

Log ID

string

10

msg

Log message for the attack

string

518

policyid

Policy ID

uint32

10

policymode

string

8

profile

Profile name for IPS

string

64

proto

Protocol number

uint8

3

rawdata

Extended logging data including HTTP method, URL, client content type, server content type, user agent, referer, x-forwarded-for

string

1024

rawdataid

string

10

ref

URL of the FortiGuard IPS database entry for the attack.

string

4096

service

Service name

string

80

sessionid

Session ID

uint32

10

severity

Severity of the attack

string

8

srccountry

Country name for Source IP

string

64

srcdomain

string

255

srcintf

Source Interface

string

64

srcintfrole

Source Interface's assigned role (LAN, WAN, etc.)

string

10

srcip

Source IP

ip

39

srcport

Source Port

uint16

5

subtype

Log Subtype

string

20

time

Time

string

8

trueclntip

True-Client-IP HTTP header

ip

39

type

Log type

string

16

tz

string

5

unauthuser

Unauthenticated user

string

66

unauthusersource

Unauthenticated user source

string

66

user

User name

string

256

vd

Virtual domain name

string

32

vrf

Virtual router forwarding

uint8

3

Message ID: 16401

Message Description: LOGID_ATTACK_BOTNET_NOTIF

Message Meaning: Botnet C&C Communication (notice)

Type: IPS

Category: BOTNET

Severity: Notice

Log Field Name

Description

Data Type

Length

action

Security action performed by IPS: detected - Attack is detected , but NOT blocked (similar to monitor) dropped - Silent packet blocked reset - Blocked and respond with Reset reset_client - Blocked and reset sent to the client reset_server - Blocked and reset sent to the server drop_session - Silent block pass_session - Session allowed clear_session - Session was removed /closed

string

16

attack

Attack Name

string

256

attackcontext

The trigger patterns and the packet data with base64 encoding

string

2048

attackcontextid

Attack context ID / total

string

10

attackid

Attack ID

uint32

10

authserver

Authentication server for the user

string

64

craction

Action performed by Threat Weight

uint32

10

crlevel

Client Reputation Level

string

10

crscore

Client Reputation Score

uint32

10

date

Date

string

10

devid

Deivce ID

string

16

direction

Message/packets direction

string

8

dstintf

Destination Interface

string

64

dstintfrole

Destination Interface's assigned role (LAN, WAN, etc.)

string

10

dstip

Destination IP

ip

39

dstport

Destination Port

uint16

5

eventtime

Time when detection occured

uint64

20

eventtype

IPS Event Type

string

32

fctuid

FortiClient UID

string

32

forwardedfor

X-Forwarded-For HTTP header

string

128

group

User group name

string

64

level

Log Level

string

11

logid

Log ID

string

10

msg

Log message for the attack

string

518

policyid

Policy ID

uint32

10

policymode

string

8

profile

Profile name for IPS

string

64

proto

Protocol number

uint8

3

rawdata

Extended logging data including HTTP method, URL, client content type, server content type, user agent, referer, x-forwarded-for

string

1024

rawdataid

string

10

ref

URL of the FortiGuard IPS database entry for the attack.

string

4096

service

Service name

string

80

sessionid

Session ID

uint32

10

severity

Severity of the attack

string

8

srccountry

Country name for Source IP

string

64

srcdomain

string

255

srcintf

Source Interface

string

64

srcintfrole

Source Interface's assigned role (LAN, WAN, etc.)

string

10

srcip

Source IP

ip

39

srcport

Source Port

uint16

5

subtype

Log Subtype

string

20

time

Time

string

8

trueclntip

True-Client-IP HTTP header

ip

39

type

Log type

string

16

tz

string

5

unauthuser

Unauthenticated user

string

66

unauthusersource

Unauthenticated user source

string

66

user

User name

string

256

vd

Virtual domain name

string

32

vrf

Virtual router forwarding

uint8

3