FortiGate
metz_FTNT
Staff
Article Id 309073
Description: This article describes the important values in anomaly logs.
Scope: All supported versions of FortiGate/FortiOS.
Solution:

When a DoS policy rule is triggered, the following log is generated under Anomaly logs:

date=2020-06-15 time=11:33:30 logid="0720018432" type="utm" subtype="anomaly" eventtype="anomaly" level="alert" vd="root" eventtime=1592246010958229053 tz="-0700" severity="critical" srcip=10.1.1.2 srccountry="Reserved" dstip=11.1.1.2 srcintf="internal1" srcintfrole="undefined" sessionid=0 action="clear_session" proto=17 service="udp/1024" count=5999 attack="udp_flood" srcport=1024 dstport=1024 attackid=285212772 policyid=1 policytype="DoS-policy" ref="http://www.fortinet.com/ids/VID285212772" msg="anomaly: udp_flood, 200 > threshold 10, repeats 5999 times since last log, current pps 152" crscore=50 craction=4096 crlevel="critical"


Most of the fields are self-explanatory, but some users find the following ones less clear. See the explanations below:


action="clear_session" <- The session is removed from the session table.

proto=17 <- IP protocol number; 17 is UDP.


count=5999 <- The number of times the same attack has been detected since the last log generated.


If the same attack happens more than once within a period of time, a new log is not generated for every detection. In this case, the attack happened 5999 times within a minute, which would otherwise produce a huge number of logs. Therefore, for continuous attacks, a log is generated every minute and the 'count' shows how many times the attack was detected since the previous log was generated.


An attack is considered to be the same attack if the source IP, destination IP, and action are the same. If any of those differ, a new log is generated.


200 > threshold 10 <- The configured threshold is 10 packets per second, and the attack was triggered because the observed value of 200 packets exceeded that threshold.


'repeats 5999 times since last log' <- Essentially the same as 'count'.


'current pps 152' <- Packets per second measured over the last second at the time the log is generated.
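The following is an added example, not part of the original article or of FortiOS itself: it parses the key=value anomaly log shown above, splits the msg= field into its numeric parts, and sums 'count' per (source IP, destination IP, action) so that a batch of per-minute logs is tallied as detections rather than as log lines. The sample line is a trimmed copy of the article's log and the regexes are assumptions based on that format.

```python
import re
from typing import Any, Dict, Iterable, Tuple

# Constructed sample: a trimmed copy of the anomaly log quoted in the article.
SAMPLE_LOG = (
    'date=2020-06-15 time=11:33:30 logid="0720018432" type="utm" subtype="anomaly" '
    'level="alert" vd="root" srcip=10.1.1.2 dstip=11.1.1.2 srcintf="internal1" '
    'action="clear_session" proto=17 service="udp/1024" count=5999 attack="udp_flood" '
    'srcport=1024 dstport=1024 policyid=1 policytype="DoS-policy" '
    'msg="anomaly: udp_flood, 200 > threshold 10, repeats 5999 times since last log, '
    'current pps 152" crscore=50 craction=4096 crlevel="critical"'
)

# key=value pairs: the value is either double-quoted (may contain spaces) or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Sub-fields packed into msg= for anomaly logs, as the article describes them.
_MSG_RE = re.compile(
    r'anomaly: (?P<attack>[^,]+), (?P<observed>\d+) > threshold (?P<threshold>\d+), '
    r'repeats (?P<repeats>\d+) times since last log, current pps (?P<pps>\d+)'
)
_INT_FIELDS = ("count", "proto", "srcport", "dstport", "policyid", "crscore")


def parse_anomaly_log(line: str) -> Dict[str, Any]:
    """Return the log fields as a dict; numeric fields become ints, msg= is split into msg_fields."""
    fields: Dict[str, Any] = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    for key in _INT_FIELDS:
        if key in fields:
            fields[key] = int(fields[key])
    match = _MSG_RE.search(fields.get("msg", ""))
    if match:
        fields["msg_fields"] = {name: (val if name == "attack" else int(val))
                                for name, val in match.groupdict().items()}
    return fields


def attack_key(fields: Dict[str, Any]) -> Tuple[str, str, str]:
    """Identity the article uses: same source IP, destination IP and action means the same attack."""
    return (fields["srcip"], fields["dstip"], fields["action"])


def total_detections(lines: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Sum 'count' per attack key: one log line per minute, not one per detection."""
    totals: Dict[Tuple[str, str, str], int] = {}
    for line in lines:
        fields = parse_anomaly_log(line)
        totals[attack_key(fields)] = totals.get(attack_key(fields), 0) + fields["count"]
    return totals
```

Feeding two consecutive minute-interval logs for the same source, destination and action to total_detections yields one key with the two counts added, which is the number a SOC dashboard should report instead of "2 alerts".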
