16401 - LOGID_ATTACK_BOTNET_NOTIF
Message ID: 16401
Message Description: LOGID_ATTACK_BOTNET_NOTIF
Message Meaning: Botnet C&C Communication (notice)
Type: ips
Category: botnet
Severity: Notice
Log Field Name |
Description |
Data Type |
Length |
---|---|---|---|
action |
Security action performed by IPS: detected - Attack is detected , but NOT blocked (similar to monitor) dropped - Silent packet blocked reset - Blocked and respond with Reset reset_client - Blocked and reset sent to the client reset_server - Blocked and reset sent to the server drop_session - Silent block pass_session - Session allowed clear_session - Session was removed /closed |
string |
16 |
attack |
Attack Name |
string |
256 |
attackcontext |
The trigger patterns and the packet data with base64 encoding |
string |
2048 |
attackcontextid |
Attack context ID / total |
string |
10 |
attackid |
Attack ID |
uint32 |
10 |
authserver |
Authentication server for the user |
string |
64 |
craction |
Action performed by Threat Weight |
uint32 |
10 |
crlevel |
Client Reputation Level |
string |
10 |
crscore |
Client Reputation Score |
uint32 |
10 |
date |
Date |
string |
10 |
devid |
Deivce ID |
string |
16 |
direction |
Message/packets direction |
string |
8 |
dstauthserver |
|
string |
64 |
dstcountry |
|
string |
64 |
dstintf |
Destination Interface |
string |
64 |
dstintfrole |
Destination Interface's assigned role (LAN, WAN, etc.) |
string |
10 |
dstip |
Destination IP |
ip |
39 |
dstport |
Destination Port |
uint16 |
5 |
dstuser |
|
string |
256 |
eventtime |
Time when detection occured |
uint64 |
20 |
eventtype |
IPS Event Type |
string |
32 |
fctuid |
FortiClient UID |
string |
32 |
forwardedfor |
X-Forwarded-For HTTP header |
string |
128 |
group |
User group name |
string |
64 |
level |
Log Level |
string |
11 |
logid |
Log ID |
string |
10 |
msg |
Log message for the attack |
string |
518 |
policyid |
Policy ID |
uint32 |
10 |
policymode |
|
string |
8 |
policytype |
|
string |
24 |
poluuid |
|
string |
37 |
profile |
Profile name for IPS |
string |
64 |
proto |
Protocol number |
uint8 |
3 |
rawdata |
Extended logging data including HTTP method, URL, client content type, server content type, user agent, referer, x-forwarded-for |
string |
1024 |
rawdataid |
|
string |
10 |
ref |
URL of the FortiGuard IPS database entry for the attack. |
string |
4096 |
service |
Service name |
string |
80 |
sessionid |
Session ID |
uint32 |
10 |
severity |
Severity of the attack |
string |
8 |
srccountry |
Country name for Source IP |
string |
64 |
srcdomain |
|
string |
255 |
srcintf |
Source Interface |
string |
64 |
srcintfrole |
Source Interface's assigned role (LAN, WAN, etc.) |
string |
10 |
srcip |
Source IP |
ip |
39 |
srcport |
Source Port |
uint16 |
5 |
subtype |
Log Subtype |
string |
20 |
time |
Time |
string |
8 |
trueclntip |
True-Client-IP HTTP header |
ip |
39 |
type |
Log type |
string |
16 |
tz |
|
string |
5 |
unauthuser |
Unauthenticated user |
string |
66 |
unauthusersource |
Unauthenticated user source |
string |
66 |
user |
User name |
string |
256 |
vd |
Virtual domain name |
string |
32 |
vrf |
Virtual router forwarding |
uint8 |
3 |