Attack

Attack log messages record traffic that violated the policy it matched. Log ID numbers of this type are listed in the table Attack logs by main type, subtype & ID.

The operating mode, network topology, and the rule’s configured Action can all affect how a policy responds to an attack, data leak, or server information disclosure. Depending on your configuration, violating traffic is either:

  • blocked
  • sanitized, then passed through
  • allowed to continue unmodified (that is, logged only)

Attacks that generate log messages periodically

FortiWeb does not record the following types of attack logs individually. Instead, it records them periodically while the attack is ongoing, even if the attack has multiple sources:

  • DoS attacks
  • Padding oracle attacks
  • HTTP/HTTPS protocol constraints

This aggregation prevents FortiWeb from flooding attack logs with identical or very similar messages. To differentiate logs caused by individual attacks from those caused by multiple attacks in the same category, FortiWeb records whether it generated the attack log message after matching multiple signatures.

In the attack log, the message field of aggregated log messages displays the message rule_name : Custom Access Violation.

In the aggregated attacks log, the type field displays the message Multiple Custom access rule Violations.

Logging for threat scoring

By default, FortiWeb does not display all signature violations that contributed to a threat scoring attack log message as individual entries in the attack log. Instead, a single attack log message is displayed for the signature violations that contributed to a combined threat score that exceeded the maximum. However, all the signature violations that contributed to the score are displayed in the message details. (Double-click the message to display its details.)

Also by default, FortiWeb does not display messages for signature violations that generated a threat score but did not exceed the threat scoring threshold.

Use the following CLI command to display the signature violations that contributed to a threat scoring attack log message as individual entries and to display any signature violations that generated a threat score but did not exceed the threat scoring threshold:

config log attack-log
    set show-all-log {enable | disable}

For more information on CLI commands, see FortiWeb CLI Reference:

http://docs.fortinet.com/fortiweb/reference

Threat scoring attack log messages are also displayed in the aggregated attacks log.

Attack log descriptions

To locate a description for an attack log message, match the ID (log_id) field in the attack log message with that shown in the table Attack logs by main type, subtype & ID. All attack log messages have the same body fields, described in Attack log fields.

For attack log messages generated by an HTTP protocol constraint, the associated policy name is displayed in the raw view ([policy_name:<protocol_constraint_name>]) but not in the formatted view.
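As an added example (not part of the FortiWeb documentation), a small Python triage helper that applies the conventions this page describes to raw attack log lines: it maps log_id to the main type using a subset of the table below, flags the categories that are logged periodically rather than per request, detects aggregated entries by their rule_name : Custom Access Violation message, and extracts the policy name from the [policy_name:<protocol_constraint_name>] prefix on HTTP protocol constraint messages. The key=value raw line syntax, the sample lines, and the policy and rule names are constructed assumptions.

```python
import re

# Subset of the page's "Attack logs by main type, subtype & ID" table.
MAIN_TYPE_BY_LOG_ID = {
    20000008: "Signature Detection",
    20000014: "DoS Protection",
    20000021: "Custom Access",
    20000023: "Padding Oracle",
    20000026: "HTTP Protocol Constraints",
}
# Logged periodically while the attack is ongoing, not per request
# (assumption: the page's "DoS attacks" corresponds to 20000014).
PERIODIC_LOG_IDS = {20000014, 20000023, 20000026}
# Raw-view prefix [policy_name:<protocol_constraint_name>] on protocol constraint messages.
POLICY_TAG = re.compile(r"^\[(?P<policy>[^:\]]+):(?P<constraint>[^\]]+)\]\s*(?P<rest>.*)$")

# Constructed sample lines; the key=value raw syntax and all names are assumptions.
SAMPLE_LINES = [
    'log_id=20000026 subtype="Illegal HTTP Method" msg="[web_policy_1:strict_constraints] Illegal HTTP Method"',
    'log_id=20000008 subtype="SQL Injection" msg="SQL Injection"',
    'log_id=20000021 subtype="Predefined-Crawler" msg="crawler_rule : Custom Access Violation"',
]

def parse_kv(line):
    """Split a raw key=value line into a dict; values may be double-quoted."""
    return {k: q if q else b for k, q, b in re.findall(r'(\w+)=(?:"([^"]*)"|(\S*))', line)}

def triage(line):
    """Classify one raw attack log line using the conventions this page describes."""
    f = parse_kv(line)
    log_id = int(f.get("log_id", 0))
    msg = f.get("msg", "")
    rec = {
        "log_id": log_id,
        "main_type": MAIN_TYPE_BY_LOG_ID.get(log_id, "unknown"),
        "subtype": f.get("subtype", ""),
        "message": msg,
        # one periodic entry summarises an ongoing attack; it is not one request
        "periodic": log_id in PERIODIC_LOG_IDS,
        # aggregated entries carry the "rule_name : Custom Access Violation" message
        "aggregated": msg.endswith(": Custom Access Violation"),
        "policy": None, "constraint": None,
    }
    m = POLICY_TAG.match(msg)
    if log_id == 20000026 and m:  # the policy name appears only in the raw view
        rec["policy"], rec["constraint"] = m.group("policy"), m.group("constraint")
        rec["message"] = m.group("rest")
    return rec
```

Feeding a syslog export through triage() line by line lets a SOC count periodic and aggregated entries separately from per-request ones, so one line is not mistaken for one request.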

Attack logs by main type, subtype & ID

ID        main type                      sub-type
20000001  Allow Method                   N/A
20000002  Protected Hostnames            N/A
20000003  Page Access                    N/A
20000004  Start Pages                    N/A
20000005  Parameter Validation           N/A
20000006  Black IP List                  N/A
20000007  URL Access                     N/A
20000008  Signature Detection
  • Cross Site Scripting
  • Cross Site Scripting (Extended)
  • Generic Attacks
  • Generic Attacks (Extended)
  • Bad Robot
  • Information Disclosure
  • Known Exploits
  • SQL Injection
  • SQL Injection (Extended)
  • SQL Injection (Syntax Based Detection)
  • Personally Identifiable Information
  • Trojans
20000009  Custom Signature Detection     N/A
20000011  Hidden Fields                  N/A
20000012  Site Publish                   Account Lockout
20000014  DoS Protection
  • HTTP Flood Prevention
  • Malicious IPs
  • HTTP Access Limit
  • TCP Flood Prevention
20000015  SYN Flood Protection           N/A
20000016  HTTPS Connection Failure       N/A
20000017  File Upload Restriction
  • Antivirus Detection
  • Trojan Detection
  • FortiSandbox Detection
  • Illegal File Type
  • Illegal File Size
20000018  GEO IP                         N/A
20000021  Custom Access
  • Predefined-Crawler
  • Predefined-Vulnerability Scanning
  • Predefined-Slow-Attack
  • Predefined-Content-Scraping
20000022  IP Reputation
  • Botnet
  • Anonymous Proxy
  • Phishing
  • Spam
  • Tor
  • Others
20000023  Padding Oracle                 N/A
20000024  CSRF Protection                N/A
20000025  Quarantined IPs                N/A
20000026  HTTP Protocol Constraints
  • Header Length Violation
  • Header Line Violation
  • Body Length Violation
  • Content Length Violation
  • Parameter Length Violation
  • HTTP Request Length Violation
  • URL Parameter Length Violation
  • Illegal HTTP Version
  • Cookie Number Overflow
  • Request Header Line Number Overflow
  • URL Parameter Number Overflow
  • Illegal Hostname
  • Range Header Violation
  • Illegal HTTP Method
  • Illegal Content Length
  • Illegal Content Type
  • Illegal Response Code
  • Missing POST Content Type
  • Body Parameter Length Violation
  • Header Name Length Violation
  • Header Value Length Violation
  • NULL Character in Parameter Name
  • NULL Character in Parameter Value
  • Illegal Header Name
  • Illegal Header Value
  • HTTP Request Filename Violation
  • Web Socket Protocol
  • Illegal Frame Type
  • Illegal Frame Flag
  • Illegal Connection Preface
  • HTTP/2 Header Table Size Overflow
  • HTTP/2 Concurrent Stream Number Overflow
  • HTTP/2 Initial Window Size Overflow
  • HTTP/2 Frame Size Overflow
  • HTTP/2 Header List Overflow
  • Illegal URL Parameter Name
  • Illegal URL Parameter Value
  • URL Parameter Name Overflow
  • URL Parameter Value Overflow
  • NULL Character in URL
  • Illegal Character in URL
  • Redundant HTTP Header
  • Malformed URL
  • Illegal Chunk Size
  • HTTP Parsing Error
  • HTTP Duplicated Parameter Name
  • Odd and Even Space Attack
20000027  Credential Stuffing Defense
  • User Tracking
  • Site Publish
20000028  User Tracking                  N/A
20000029  XML Validation Violation
  • XML Schema Validation Violation
  • XML Element Attribute Number Overflow
  • XML Element Attribute Name Length Violations
  • XML Element Attribute Value Length Violations
  • XML Element Cdata Length Violations
  • XML Element Depth Violations
  • XML Element Name Length Violations
  • XML External Entity Violation
  • XML Entity Expansion Violations
  • XML XInclude Violation
  • XML SchemaLocation Violation
  • XML SOAP Protocol Violation
  • XML SOAPAction Violation
  • XML SOAP Header Violation
  • XML SOAP Body Violation
  • SOAP Signature Error
  • SOAP Signature Verification Error
  • SOAP Encryption Error
  • SOAP Decryption Error
20000030  Cookie Security
  • Cookie Decryption Error
  • Cookie Signed Verification Failed
  • IP replay protection violation
20000031  FTP Command Restriction        N/A
20000033  Timeout Session                N/A
20000035  FTP File Security
  • FTP Antivirus Detection
  • FTP FortiSandbox Detection
20000036  FTPS Connection Failure        N/A
20000037  Machine Learning
  • Anomaly in http argument
  • HTTP Method violation
  • Charset detect failed
20000038  Openapi Validation Violation
  • Openapi Query Parameter Violation
  • Openapi Path Parameter Violation
  • Openapi Cookie Parameter Violation
  • Openapi Header Parameter Violation
  • Openapi Request Body Violation
20000039  WebSocket Security
  • Disallow WebSocket
  • Disallow Extensions
  • Illegal Format
  • Illegal Frame Size
  • Illegal Message Size
  • Disallow Origin
  • Parse error
20000040  MiTB AJAX Security             N/A
20000041  Bot Detection                  N/A
20000042  CORS Check Security
  • Invalid Origin
  • Disallow CORS
  • Disallow Origin
  • Disallow method
  • Disallow header
20000043  JSON Validation Security
  • JSON Schema Validation Violation
  • JSON Format Invalid Violation
  • JSON Data Size Violation
  • JSON Key Size Violation
  • JSON Key Number Violation
  • JSON Value Size Violation
  • JSON Value Number Violation
  • JSON Value Number in Array Violation
  • JSON Object Depth Violation