Message ID: 16401
Message Description: LOGID_ATTACK_BOTNET_NOTIF
Message Meaning: Botnet C&C Communication (notice)
Type: IPS
Category: botnet
Severity: Notice
|
Log Field Name |
Description |
Data Type |
Length |
|---|---|---|---|
|
vrf |
Virtual router forwarding |
uint16 |
3 |
|
vd |
Virtual domain name |
string |
32 |
|
user |
User name |
string |
256 |
|
unauthusersource |
Unauthenticated user source |
string |
66 |
|
unauthuser |
Unauthenticated user |
string |
66 |
|
tz |
|
string |
5 |
|
type |
Log type |
string |
16 |
|
trueclntip |
True-Client-IP HTTP header |
ip |
39 |
|
transid |
|
uint32 |
10 |
|
time |
Time |
string |
8 |
|
subtype |
Log Subtype |
string |
20 |
|
srcport |
Source Port |
uint16 |
5 |
|
srcname |
|
string |
64 |
|
srcmac |
|
string |
17 |
|
srcip |
Source IP |
ip |
39 |
|
srcintfrole |
Source Interface's assigned role (LAN, WAN, etc.) |
string |
10 |
|
srcintf |
Source Interface |
string |
64 |
|
srcdomain |
|
string |
255 |
|
srccountry |
Country name for Source IP |
string |
64 |
|
severity |
Severity of the attack |
string |
8 |
|
sessionid |
Session ID |
uint32 |
10 |
|
service |
Service name |
string |
80 |
|
ref |
URL of the FortiGuard IPS database entry for the attack. |
string |
4096 |
|
rawdataid |
|
string |
10 |
|
rawdata |
Extended logging data including HTTP method, URL, client content type, server content type, user agent, referer, x-forwarded-for |
string |
20480 |
|
proto |
Protocol number |
uint8 |
3 |
|
profile |
Profile name for IPS |
string |
64 |
|
poluuid |
|
string |
37 |
|
policytype |
|
string |
24 |
|
policymode |
|
string |
8 |
|
policyid |
Policy ID |
uint32 |
10 |
|
msg |
Log message for the attack |
string |
518 |
|
logid |
Log ID |
string |
10 |
|
level |
Log Level |
string |
11 |
|
group |
User group name |
string |
512 |
|
forwardedfor |
X-Forwarded-For HTTP header |
string |
128 |
|
fctuid |
FortiClient UID |
string |
32 |
|
eventtype |
IPS Event Type |
string |
32 |
|
eventtime |
Time when detection occured |
uint64 |
20 |
|
dstuser |
|
string |
256 |
|
dstport |
Destination Port |
uint16 |
5 |
|
dstip |
Destination IP |
ip |
39 |
|
dstintfrole |
Destination Interface's assigned role (LAN, WAN, etc.) |
string |
10 |
|
dstintf |
Destination Interface |
string |
64 |
|
dstcountry |
|
string |
64 |
|
dstauthserver |
|
string |
64 |
|
direction |
Message/packets direction |
string |
8 |
|
devid |
Deivce ID |
string |
16 |
|
date |
Date |
string |
10 |
|
crscore |
Client Reputation Score |
uint32 |
10 |
|
crlevel |
Client Reputation Level |
string |
10 |
|
craction |
Action performed by Threat Weight |
uint32 |
10 |
|
authserver |
Authentication server for the user |
string |
64 |
|
attackid |
Attack ID |
uint32 |
10 |
|
attackcontextid |
Attack context ID / total |
string |
10 |
|
attackcontext |
The trigger patterns and the packet data with base64 encoding |
string |
2048 |
|
attack |
Attack Name |
string |
256 |
|
action |
Security action performed by IPS: detected - Attack is detected , but NOT blocked (similar to monitor) dropped - Silent packet blocked reset - Blocked and respond with Reset reset_client - Blocked and reset sent to the client reset_server - Blocked and reset sent to the server drop_session - Silent block pass_session - Session allowed clear_session - Session was removed /closed |
string |
16 |