smkml
Staff
December 31, 2024

Technical Tip: FortiWeb Report showing 'None' output in Top Attack URLs Chart

Description

This article describes the FortiWeb report output in which the Top Attack URLs chart shows 'none'.

 

[Screenshot: Top Attack URLs showing None.png]

 

Scope

FortiWeb, FortiAnalyzer.

 

Solution

The chart uses the default dataset (fwb-attack-Top-Attack-URLs), whose SQL query is shown below:

 

select
    http_host,
    http_url,
    count(*) as totalnum
from
    $log
where
    $filter
    and http_host is not null
    and http_url is not null
group by
    http_host,
    http_url
order by
    totalnum desc

 

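With this in mind, search the attack logs in Log View and check the http_host and http_url attributes: they show the value 'none'. This is the literal string "none", not a SQL NULL, so these rows pass the dataset's 'is not null' conditions and are counted in the chart.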

 

Example logs:

 

Line 413: date="2024-07-10" time="10:19:42" id=7389826158637875905 bid=8174286 dvid=1180 itime=1720577981 euid=3 epid=3 dsteuid=3 dstepid=101 log_id=20000016 type="attack" subtype="N/A" pri="alert" msg_id=1882323069 timezone="(GMT-7:00)" proto="tcp" service="https/tls1.2" src="64.62.122.144" src_port=59961 dst="10.0.3.32" dst_port=443 policy="financial-link-server-policy" action="Alert_Deny" http_method="none" http_url="none" http_host="none" http_agent="none" http_session_id="none" severity_level="Low" trigger_policy="N/A" msg="SSL Error(319) - ssl3 ext invalid servername" signature_subclass="N/A" signature_id="N/A" srccountry="United States" content_switch_name="none" server_pool_name="none" false_positive_mitigation="none" user_name="Unknown" monitor_status="Disabled" http_refer="none" http_version="1.x" dev_id="none" threat_weight=0 history_threat_weight=0 threat_level="Off" main_type="HTTP Connection Failure" ftp_mode="N/A" ftp_cmd="N/A" cipher_suite="none" signature_cve_id="N/A" ml_log_hmm_probability=0 ml_log_sample_prob_mean=0 ml_log_sample_arglen_mean=0 ml_log_arglen=0 ml_svm_log_main_types=0 ml_svm_log_match_types="none" ml_svm_accuracy="none" ml_domain_index=0 ml_url_dbid=0 ml_arg_dbid=0 ml_allow_method="none" matched_field="none" matched_pattern="name" owasp_top10="N/A" bot_info="none" backend_service="tcp" es=0 data="iwCAe30D" data_format="b64/brt" client_level="Unidentified" timezone_dayst="GMTc-8" device_id="FWBVMETM000000000" vd="LINK" devname="WAF"

 

This happens because the 'Ignore SSL Errors' log setting is disabled in FortiWeb, so every failed SSL handshake is written to the attack logs.

To eliminate most of the attack event logs with URL 'none', enable the setting under FortiWeb -> Log&Report -> Log Config -> Other Log Settings -> Ignore SSL Errors.
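Before suppressing these events, it helps to confirm that the 'none' row really consists of failed SSL handshakes. The following added example (not from the original article or from Fortinet) parses exported attack-log lines, reproduces the dataset's grouping, and breaks the none/none bucket down by main_type and msg; the sample lines, the host shop.example.com and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in FortiWeb attack-log key=value form (fields trimmed,
# addresses from documentation ranges); the SSL error text is the one quoted above.
SSL_LINE = ('type="attack" src="192.0.2.10" dst_port=443 http_url="none" '
            'http_host="none" msg="SSL Error(319) - ssl3 ext invalid servername" '
            'main_type="HTTP Connection Failure"')
WEB_LINE = ('type="attack" src="198.51.100.7" dst_port=443 http_url="/login" '
            'http_host="shop.example.com" msg="constructed sample event" '
            'main_type="Signature Detection"')
SAMPLE_LOGS = [SSL_LINE, WEB_LINE, SSL_LINE, SSL_LINE, WEB_LINE]

# key=value where the value is either double-quoted or a bare token
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return one log line as a dict of field -> value (quotes removed)."""
    return {k: (bare if bare else quoted) for k, quoted, bare in KV.findall(line)}

def top_attack_urls(records):
    """Mirror the dataset: count (http_host, http_url) pairs where neither is missing.
    The string "none" is a present value, so it is counted like any other host/URL."""
    return Counter(
        (r["http_host"], r["http_url"]) for r in records
        if r.get("http_host") is not None and r.get("http_url") is not None
    )

def none_row_causes(records):
    """Break the ('none', 'none') bucket down by main_type and msg."""
    return Counter(
        (r.get("main_type"), r.get("msg")) for r in records
        if r.get("http_host") == "none" and r.get("http_url") == "none"
    )

if __name__ == "__main__":
    records = [parse_line(line) for line in SAMPLE_LOGS]
    for (host, url), n in top_attack_urls(records).most_common():
        print(f"{n:>4}  {host}  {url}")
    print("Causes of the none/none row:")
    for (main_type, msg), n in none_row_causes(records).most_common():
        print(f"{n:>4}  {main_type}: {msg}")
```

If the breakdown lists anything other than SSL handshake errors, review those events before enabling Ignore SSL Errors.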

 

[Screenshot: fortiweb log configuration.png]