aionescu (Staff)
Article Id 340950
Description This article describes how to interpret the values of the 'craction' field in traffic logs.
Scope FortiGate.
Solution

The field 'craction' can be seen in the traffic logs in the context of threat weight and IPS inspection. For further explanation of Threat Weight, see Threat Weight.


Below is an example of an IPS event-generated log:


date=2024-09-11 time=10:15:09 id=7413295620854644760 itime=2024-09-11 10:13:11 euid=3 epid=101 dsteuid=3 dstepid=101 type=utm subtype=anomaly level=alert action=clear_session sessionid=0 srcip=x.x.x.x dstip=y.y.y.y srcport=2560 dstport=20480 attackid=100663396 severity=critical proto=6 vrf=32 logid=0720018432 service=tcp/20480 eventtime=1726042510304419547 count=1123 policyid=0 crscore=50 craction=4096 crlevel=critical srcintfrole=lan dstintfrole=lan srcintf=bond20.transfer dstintf=bond10.128 ref=http://www.fortinet.com/ids/VID100663396 attack=tcp_syn_flood eventtype=anomaly srccountry=United States msg=anomaly: tcp_syn_flood tz=+0200 dstcountry=Reserved devid=FG34E1TB19900449 vd=root dtime=2024-09-11 10:15:09 itime_t=1726042391 cve=


Threat weight is used to aggregate and score threats using user-defined severity levels. In traffic logs, there are several fields:


  • Threat level (crlevel).
  • Threat score (crscore).
  • Threat type (craction).

'craction' is a numeric code that indicates the threat type. Some of the values seen in IPS logs are:


IPS_ATTACK_CRITICAL 4096
IPS_ATTACK_HIGH 8192
IPS_ATTACK_MEDIUM 16384
IPS_ATTACK_LOW 32768
IPS_ATTACK_INFO 65536


Below is an example of an AV event-generated log:


date=2024-09-10 time=17:41:30 id=7413039619328966660 itime=2024-09-10 17:39:46 euid=1026 epid=101 dsteuid=3 dstepid=101 type=utm subtype=virus level=warning action=passthrough sessionid=1131 policyid=1 srcip=x.x.x.x dstip=y.y.y.y srcport=41751 dstport=80 proto=6 vrf=32 logid=0211008192 service=NNTP user=user group=group2 virus=virus_test3 eventtime=1725982890377265884 virusid=1 crscore=50 craction=2 crlevel=critical srcintfrole=lan dstintfrole=lan direction=incoming analyticssubmit=false quarskip=No-skip filename=file_test2 checksum=23456 ref=https://fortiguard.fortinet.com/encyclopedia/virus/1 dtype=dtype2 eventtype=infected srcintf=bond20.transfer dstintf=bond10.128 msg=File is infected. tz=+0200 viruscat=cat2 policytype=policy srccountry=United States dstcountry=Reserved devid=FG34E1TB19900449 vd=root dtime=2024-09-10 17:41:30 itime_t=1725982786


Some of the 'craction' values in AV logs are:


MALWARE_DETECTED 2
BOTNET_DETECTED 4
BLOCKED_SITE 8
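The following Python script is an added example, not part of this article and not Fortinet code. It parses the two log lines shown above (copied from the article, source IPs already redacted as x.x.x.x), maps the craction value to the names listed in the IPS and AV tables above, and totals crscore per source IP, which is the kind of aggregation the threat weight feature is described as doing. The function names (parse_fortigate_log, describe_craction, summarize_threat, threat_score_by_source) are my own, and the parser assumes the unquoted key=value format seen in these logs, where a value runs until the next " key=" token; because the article says only "some of the values" are listed, any craction code outside the table is reported as unlisted rather than guessed.

```python
import re
from collections import defaultdict

# craction codes taken from the IPS and AV tables in this article.
CRACTION_NAMES = {
    2: "MALWARE_DETECTED",
    4: "BOTNET_DETECTED",
    8: "BLOCKED_SITE",
    4096: "IPS_ATTACK_CRITICAL",
    8192: "IPS_ATTACK_HIGH",
    16384: "IPS_ATTACK_MEDIUM",
    32768: "IPS_ATTACK_LOW",
    65536: "IPS_ATTACK_INFO",
}

# The two example log lines from the article (IPs were already redacted there).
SAMPLE_LOGS = [
    "date=2024-09-11 time=10:15:09 id=7413295620854644760 itime=2024-09-11 10:13:11 euid=3 epid=101 dsteuid=3 dstepid=101 type=utm subtype=anomaly level=alert action=clear_session sessionid=0 srcip=x.x.x.x dstip=y.y.y.y srcport=2560 dstport=20480 attackid=100663396 severity=critical proto=6 vrf=32 logid=0720018432 service=tcp/20480 eventtime=1726042510304419547 count=1123 policyid=0 crscore=50 craction=4096 crlevel=critical srcintfrole=lan dstintfrole=lan srcintf=bond20.transfer dstintf=bond10.128 ref=http://www.fortinet.com/ids/VID100663396 attack=tcp_syn_flood eventtype=anomaly srccountry=United States msg=anomaly: tcp_syn_flood tz=+0200 dstcountry=Reserved devid=FG34E1TB19900449 vd=root dtime=2024-09-11 10:15:09 itime_t=1726042391 cve=",
    "date=2024-09-10 time=17:41:30 id=7413039619328966660 itime=2024-09-10 17:39:46 euid=1026 epid=101 dsteuid=3 dstepid=101 type=utm subtype=virus level=warning action=passthrough sessionid=1131 policyid=1 srcip=x.x.x.x dstip=y.y.y.y srcport=41751 dstport=80 proto=6 vrf=32 logid=0211008192 service=NNTP user=user group=group2 virus=virus_test3 eventtime=1725982890377265884 virusid=1 crscore=50 craction=2 crlevel=critical srcintfrole=lan dstintfrole=lan direction=incoming analyticssubmit=false quarskip=No-skip filename=file_test2 checksum=23456 ref=https://fortiguard.fortinet.com/encyclopedia/virus/1 dtype=dtype2 eventtype=infected srcintf=bond20.transfer dstintf=bond10.128 msg=File is infected. tz=+0200 viruscat=cat2 policytype=policy srccountry=United States dstcountry=Reserved devid=FG34E1TB19900449 vd=root dtime=2024-09-10 17:41:30 itime_t=1725982786",
]

# A value ends where the next "<whitespace>key=" token begins, so values that
# contain spaces (itime, msg, srccountry) survive intact. Assumption: values are
# unquoted, as in the logs above; a value that itself contains " word=" would split.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_fortigate_log(line: str) -> dict:
    """Split one FortiGate key=value log line into a dict of strings."""
    return {key: value for key, value in _KV.findall(line.strip())}


def describe_craction(value) -> str:
    """Map a craction code to the name from the article's tables.

    Codes the article does not list are reported as UNLISTED(<code>) rather
    than guessed; a missing or non-numeric value is reported as UNKNOWN."""
    try:
        code = int(value)
    except (TypeError, ValueError):
        return "UNKNOWN"
    return CRACTION_NAMES.get(code, f"UNLISTED({code})")


def summarize_threat(line: str) -> dict:
    """Pull the threat-weight fields (crscore, craction, crlevel) out of a log line."""
    rec = parse_fortigate_log(line)
    return {
        "srcip": rec.get("srcip"),
        "subtype": rec.get("subtype"),
        "crscore": int(rec.get("crscore") or 0),
        "crlevel": rec.get("crlevel"),
        "craction": describe_craction(rec.get("craction")),
    }


def threat_score_by_source(lines) -> dict:
    """Sum crscore per source IP across many log lines (simple threat-weight aggregation)."""
    totals = defaultdict(int)
    for line in lines:
        summary = summarize_threat(line)
        if summary["srcip"]:
            totals[summary["srcip"]] += summary["crscore"]
    return dict(totals)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(summarize_threat(line))
    print(threat_score_by_source(SAMPLE_LOGS))
```

Running the script prints one summary per log line (IPS_ATTACK_CRITICAL for the anomaly log, MALWARE_DETECTED for the virus log) and a per-source total of 100 for x.x.x.x, since both events carry crscore=50. The same parser can be pointed at exported FortiGate logs to spot craction codes that are not in the article's tables.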


Related document:

Threat weight