mtse
Staff
July 28, 2021

Technical Tip: Attack events for signature can be displayed


Description

 

This article describes the case where a single attack matches multiple signatures.

Which signature is reported depends on the detection order: only one attack event is logged, for the first match.

If logging for the second signature needs to be verified, the action of the first signature can be temporarily set to 'alert only' (the default is 'alert_deny').

Attack events for both signatures are then displayed.

For example, the following should match both signatures 090501003 and 050080035.

 

GET /index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo() HTTP/1.1

 

Scope

 

FortiWeb.


Solution

 

With the default setting ('alert_deny'), only the attack event for signature 050080035 is logged.

 
To have the second signature logged as well, set the action of the first signature, 050080035, to 'alert_only'.
 
 
The attack log will then show events for both signatures 050080035 and 090501003.
 
 
 
Note:
Verify whether the signature package version is up to date. If not, it may not include all of the signatures.
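
One way to confirm the result from an exported attack log is sketched below. This is an added example, not Fortinet code: it groups attack events per request and reports which of the two signature IDs from this article were not logged. The key=value layout, the field names (type, src, http_url, signature_id, action), the action strings and the sample lines are constructed assumptions, as is grouping events by source, URL and timestamp.

```python
import re

EXPECTED = {"050080035", "090501003"}  # signature IDs named in this article

# Constructed sample lines; the field names and layout are assumptions.
LOG_DEFAULT = '''\
date=2021-07-28 time=10:00:01 type=attack src=192.0.2.10 http_url="/index.php" signature_id="050080035" action=Alert_Deny
'''
LOG_ALERT_ONLY = '''\
date=2021-07-28 time=10:05:01 type=attack src=192.0.2.10 http_url="/index.php" signature_id="050080035" action=Alert
date=2021-07-28 time=10:05:01 type=attack src=192.0.2.10 http_url="/index.php" signature_id="090501003" action=Alert_Deny
'''

# key=value, where the value is either "quoted text" or a run of non-spaces
PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, unquoting quoted values."""
    return {k: (inner if raw.startswith('"') else raw)
            for k, raw, inner in PAIR.findall(line)}


def signatures_per_request(text):
    """Group logged signature IDs by (src, http_url, date, time)."""
    seen = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "attack" or "signature_id" not in rec:
            continue  # skip non-attack lines and events without a signature
        key = (rec.get("src"), rec.get("http_url"),
               rec.get("date"), rec.get("time"))
        seen.setdefault(key, set()).add(rec["signature_id"])
    return seen


def missing_signatures(text, expected=EXPECTED):
    """Per request, return the expected signature IDs that were not logged."""
    return {key: expected - sigs
            for key, sigs in signatures_per_request(text).items()}


if __name__ == "__main__":
    for name, log in (("alert_deny", LOG_DEFAULT), ("alert_only", LOG_ALERT_ONLY)):
        for key, missing in missing_signatures(log).items():
            print(name, key, "missing:", sorted(missing) or "none")
```

An empty "missing" set for the test request means both signatures were logged; a non-empty set under 'alert_only' is a reason to check the signature package version as noted above.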