Fortinet white logo
Fortinet white logo

FortiOS Log Message Reference

16400 - LOGID_ATTACK_BOTNET_WARNING

16400 - LOGID_ATTACK_BOTNET_WARNING

Message ID: 16400

Message Description: LOGID_ATTACK_BOTNET_WARNING

Message Meaning: Botnet C&C Communication (warning)

Type: IPS

Category: botnet

Severity: Warning

Log Field Name

Description

Data Type

Length

action

Security action performed by IPS: detected - Attack is detected , but NOT blocked (similar to monitor) dropped - Silent packet blocked reset - Blocked and respond with Reset reset_client - Blocked and reset sent to the client reset_server - Blocked and reset sent to the server drop_session - Silent block pass_session - Session allowed clear_session - Session was removed /closed

string

16

attack

Attack Name

string

256

attackcontext

The trigger patterns and the packet data with base64 encoding

string

2048

attackcontextid

Attack context ID / total

string

10

attackid

Attack ID

uint32

10

authserver

Authentication server for the user

string

64

craction

Action performed by Threat Weight

uint32

10

crlevel

Client Reputation Level

string

10

crscore

Client Reputation Score

uint32

10

date

Date

string

10

devid

Deivce ID

string

16

direction

Message/packets direction

string

8

dstauthserver

string

64

dstcountry

string

64

dstintf

Destination Interface

string

64

dstintfrole

Destination Interface's assigned role (LAN, WAN, etc.)

string

10

dstip

Destination IP

ip

39

dstport

Destination Port

uint16

5

dstuser

string

256

eventtime

Time when detection occured

uint64

20

eventtype

IPS Event Type

string

32

fctuid

FortiClient UID

string

32

forwardedfor

X-Forwarded-For HTTP header

string

128

group

User group name

string

64

level

Log Level

string

11

logid

Log ID

string

10

msg

Log message for the attack

string

518

policyid

Policy ID

uint32

10

policymode

string

8

policytype

string

24

poluuid

string

37

profile

Profile name for IPS

string

64

proto

Protocol number

uint8

3

rawdata

Extended logging data including HTTP method, URL, client content type, server content type, user agent, referer, x-forwarded-for

string

1024

rawdataid

string

10

ref

URL of the FortiGuard IPS database entry for the attack.

string

4096

service

Service name

string

80

sessionid

Session ID

uint32

10

severity

Severity of the attack

string

8

srccountry

Country name for Source IP

string

64

srcdomain

string

255

srcintf

Source Interface

string

64

srcintfrole

Source Interface's assigned role (LAN, WAN, etc.)

string

10

srcip

Source IP

ip

39

srcport

Source Port

uint16

5

subtype

Log Subtype

string

20

time

Time

string

8

trueclntip

True-Client-IP HTTP header

ip

39

type

Log type

string

16

tz

string

5

unauthuser

Unauthenticated user

string

66

unauthusersource

Unauthenticated user source

string

66

user

User name

string

256

vd

Virtual domain name

string

32

vrf

Virtual router forwarding

uint8

3

16400 - LOGID_ATTACK_BOTNET_WARNING

16400 - LOGID_ATTACK_BOTNET_WARNING

Message ID: 16400

Message Description: LOGID_ATTACK_BOTNET_WARNING

Message Meaning: Botnet C&C Communication (warning)

Type: IPS

Category: botnet

Severity: Warning

Log Field Name

Description

Data Type

Length

action

Security action performed by IPS: detected - Attack is detected , but NOT blocked (similar to monitor) dropped - Silent packet blocked reset - Blocked and respond with Reset reset_client - Blocked and reset sent to the client reset_server - Blocked and reset sent to the server drop_session - Silent block pass_session - Session allowed clear_session - Session was removed /closed

string

16

attack

Attack Name

string

256

attackcontext

The trigger patterns and the packet data with base64 encoding

string

2048

attackcontextid

Attack context ID / total

string

10

attackid

Attack ID

uint32

10

authserver

Authentication server for the user

string

64

craction

Action performed by Threat Weight

uint32

10

crlevel

Client Reputation Level

string

10

crscore

Client Reputation Score

uint32

10

date

Date

string

10

devid

Deivce ID

string

16

direction

Message/packets direction

string

8

dstauthserver

string

64

dstcountry

string

64

dstintf

Destination Interface

string

64

dstintfrole

Destination Interface's assigned role (LAN, WAN, etc.)

string

10

dstip

Destination IP

ip

39

dstport

Destination Port

uint16

5

dstuser

string

256

eventtime

Time when detection occured

uint64

20

eventtype

IPS Event Type

string

32

fctuid

FortiClient UID

string

32

forwardedfor

X-Forwarded-For HTTP header

string

128

group

User group name

string

64

level

Log Level

string

11

logid

Log ID

string

10

msg

Log message for the attack

string

518

policyid

Policy ID

uint32

10

policymode

string

8

policytype

string

24

poluuid

string

37

profile

Profile name for IPS

string

64

proto

Protocol number

uint8

3

rawdata

Extended logging data including HTTP method, URL, client content type, server content type, user agent, referer, x-forwarded-for

string

1024

rawdataid

string

10

ref

URL of the FortiGuard IPS database entry for the attack.

string

4096

service

Service name

string

80

sessionid

Session ID

uint32

10

severity

Severity of the attack

string

8

srccountry

Country name for Source IP

string

64

srcdomain

string

255

srcintf

Source Interface

string

64

srcintfrole

Source Interface's assigned role (LAN, WAN, etc.)

string

10

srcip

Source IP

ip

39

srcport

Source Port

uint16

5

subtype

Log Subtype

string

20

time

Time

string

8

trueclntip

True-Client-IP HTTP header

ip

39

type

Log type

string

16

tz

string

5

unauthuser

Unauthenticated user

string

66

unauthusersource

Unauthenticated user source

string

66

user

User name

string

256

vd

Virtual domain name

string

32

vrf

Virtual router forwarding

uint8

3