How to diagnose a false positive on FGT300D
Hi all, I have been receiving some IPS attacks from the internal zone, and some of these attacks are repetitive, for example this one:
HTTP.Server.Authorization.Buffer.Overflow (http://www.fortinet.com/ids/VID12351)
I don't have full access to the source (linux host) of the attack, only ssh access. It is physically very far away.
Here is the RAW log:
date=2017-08-08 time=17:51:56 devname=FGT300D devid= logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd="root" severity=critical srcip=1.1.1.1 dstip=2.2.2.2 srcintf="port3" dstintf="port4" policyid=5 sessionid=327875167 action=detected proto=6 service=tcp/20480 attack="HTTP.Server.Authorization.Buffer.Overflow" srcport=43080 dstport=80 direction=outgoing attackid=12351 profile="default" ref="http://www.fortinet.com/ids/VID12351" incidentserialno=1687848714 msg="web_server: HTTP.Server.Authorization.Buffer.Overflow," crscore=50 crlevel=critical
Can you help diagnose this? How do I know if it is a false positive?
Thanks!
Condor
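Added example (not part of the original post and not Fortinet's code): a small parser for the FortiGate key=value log format used in the raw line above, plus a grouping step that shows which (srcip, dstip, attackid) tuple is repeating, and a triage function that pulls out the fields that matter before calling an alert a false positive (action, direction, interface, port, what the signature name is about). The first log line is the one from the post; the two extra lines, the attackid 99999 and the "Example.Signature.Placeholder" name are constructed placeholders to make the repeat count visible, and the remark about oversized Authorization headers is an inference from the signature name that should be confirmed against the ref URL.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample input: the IPS log line from the post, plus two constructed
# lines (a repeat from the same host and an unrelated, blocked alert from another
# host) to mimic the "repetitive" pattern described. attackid 99999 and the
# signature "Example.Signature.Placeholder" are placeholders, not real Fortinet IDs.
SAMPLE_LOGS: List[str] = [
    'date=2017-08-08 time=17:51:56 devname=FGT300D devid= logid=0419016384 type=utm subtype=ips '
    'eventtype=signature level=alert vd="root" severity=critical srcip=1.1.1.1 dstip=2.2.2.2 '
    'srcintf="port3" dstintf="port4" policyid=5 sessionid=327875167 action=detected proto=6 '
    'service=tcp/20480 attack="HTTP.Server.Authorization.Buffer.Overflow" srcport=43080 dstport=80 '
    'direction=outgoing attackid=12351 profile="default" ref="http://www.fortinet.com/ids/VID12351" '
    'incidentserialno=1687848714 msg="web_server: HTTP.Server.Authorization.Buffer.Overflow," '
    'crscore=50 crlevel=critical',
    # constructed repeat from the same source host
    'date=2017-08-08 time=17:53:10 devname=FGT300D devid= logid=0419016384 type=utm subtype=ips '
    'eventtype=signature level=alert vd="root" severity=critical srcip=1.1.1.1 dstip=2.2.2.2 '
    'srcintf="port3" dstintf="port4" policyid=5 sessionid=327875301 action=detected proto=6 '
    'service=tcp/20480 attack="HTTP.Server.Authorization.Buffer.Overflow" srcport=43102 dstport=80 '
    'direction=outgoing attackid=12351 profile="default" ref="http://www.fortinet.com/ids/VID12351" '
    'incidentserialno=1687848801 msg="web_server: HTTP.Server.Authorization.Buffer.Overflow," '
    'crscore=50 crlevel=critical',
    # constructed unrelated alert from another internal host that the IPS dropped
    'date=2017-08-08 time=17:55:02 devname=FGT300D devid= logid=0419016384 type=utm subtype=ips '
    'eventtype=signature level=alert vd="root" severity=high srcip=1.1.1.9 dstip=2.2.2.2 '
    'srcintf="port3" dstintf="port4" policyid=5 sessionid=327875555 action=dropped proto=6 '
    'service=HTTP attack="Example.Signature.Placeholder" srcport=50001 dstport=80 '
    'direction=outgoing attackid=99999 profile="default" ref="http://www.fortinet.com/ids/VID99999" '
    'incidentserialno=1687849000 msg="web_server: Example.Signature.Placeholder," '
    'crscore=30 crlevel=high',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces)
# or a run of non-whitespace, possibly empty (devid= in the sample).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def group_repeats(lines: List[str]) -> Counter:
    """Count alerts per (srcip, dstip, attackid) so a repeating source stands out."""
    counts: Counter = Counter()
    for line in lines:
        f = parse_fortigate_log(line)
        counts[(f.get('srcip'), f.get('dstip'), f.get('attackid'))] += 1
    return counts


def triage(fields: Dict[str, str]) -> List[str]:
    """Return the facts a defender should weigh before calling the alert a false positive."""
    notes: List[str] = []
    if fields.get('action') == 'detected':
        notes.append('action=detected: the IPS only logged the session, it did not block it')
    if fields.get('direction') == 'outgoing':
        notes.append('direction=outgoing via %s: the source %s is on the inside; '
                     'investigate that host, not the destination'
                     % (fields.get('srcintf'), fields.get('srcip')))
    if fields.get('proto') == '6' and fields.get('dstport') == '80':
        notes.append('plain HTTP on tcp/80: a packet capture of the request headers '
                     'shows exactly what the signature matched')
    if 'Authorization' in fields.get('attack', ''):
        notes.append('signature name points at the HTTP Authorization header; an oversized '
                     'but legitimate token is a common benign trigger (assumption, confirm '
                     'against the ref URL: %s)' % fields.get('ref'))
    return notes


if __name__ == '__main__':
    for key, n in group_repeats(SAMPLE_LOGS).most_common():
        print('%d x srcip=%s dstip=%s attackid=%s' % (n, *key))
    for note in triage(parse_fortigate_log(SAMPLE_LOGS[0])):
        print('-', note)
```

Run it against an export of the IPS log (one line per event) instead of SAMPLE_LOGS to see the repeat counts; the triage notes are only the starting checklist. The decisive evidence for or against a false positive is the actual request that matched, which the FortiGate itself can capture for the flagged session or which you can inspect on the source host over the ssh access mentioned in the post.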