FortiGate
nradia_FTNT, Staff
Article Id 350268

Description: This article describes the basic steps to gather information about the triggers and parameters of a given attack ID and its attack signature.

Scope: FortiGate v6.x, v7.x.
Solution

A lot of data can be collected from the related logs:

  • If using FortiAnalyzer, logs can be checked for attack logs, attacks by time period, attackers by time period and attack types.
  • Custom event handlers can be created. Details of each FortiGate subtype can be viewed in the event logs.

Example: Using FortiAnalyzer to collect DDoS attack logs.

  • A form can also be submitted to FortiGuard using the following link:

Fortinet Product Security Incident Response Team (PSIRT) Contact Form

  • Signature-based defense can be configured on FortiGate to provide more data about an attack and its signature at the time it occurs:

Signature-based defense

  • PSIRT Advisories can be found here:

PSIRT Advisories

  • Refer to the article below; it explains how to find the description of a signature in the attack log.

Technical Tip: How to find the description of signature in attack log

  • The following article shows how to identify the IPS signature matching context:

Troubleshooting Tip: Identify the IPS signature matching context

  • The FortiGuard Encyclopedia can be a good source, e.g. the Intrusion Prevention entry for Sybase.EAServer.Remote.Buffer.Overflow.
  • More detailed information about the traffic that triggers a signature can be gathered by enabling packet logging and attack-context logging on the signature with the CLI commands below.

Example:

config ips sensor
    edit {sensor name}                  <--- The IPS sensor being used.
        config entries
            edit {an unused integer ID}  <--- Use '?' here to find which IDs are already in use.
                set rule 11860           <--- Rule ID for 'Sybase.EAServer.Remote.Buffer.Overflow'.
                set log-attack-context enable
                set log-packet enable
            next
        end
    next
end

 

After these are enabled, the next time the signature triggers a packet capture file (.pcap) is generated and can be downloaded alongside the normal log.
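As an added example (not part of the original article or Fortinet's own tooling), the following Python script parses FortiGate IPS attack log lines in their key=value format, groups them by attackid so the rule ID and the IPS profile that matched are known, and renders the sensor-entry CLI block above for that rule. The log lines, device name and IP addresses are constructed samples; the field names (type, subtype, attack, attackid, profile, srcip, dstip) follow the FortiGate utm/ips log format.

```python
import re
from collections import defaultdict

# FortiGate logs are key=value tokens; quoted values may contain spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines (hypothetical device name and IPs); the field names
# follow the FortiGate utm/ips log format.
_IPS = ('devname="FGT-LAB" type="utm" subtype="ips" eventtype="signature" level="alert" '
        'severity="high" dstip=192.0.2.20 dstport=8080 proto=6 action="dropped" '
        'attack="Sybase.EAServer.Remote.Buffer.Overflow" attackid=11860 profile="default"')
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:15:02 srcip=203.0.113.10 srcport=51234 ' + _IPS,
    'date=2024-05-01 time=10:16:40 srcip=203.0.113.11 srcport=40001 ' + _IPS,
    'date=2024-05-01 time=10:17:00 devname="FGT-LAB" type="traffic" subtype="forward" '
    'srcip=198.51.100.5 dstip=192.0.2.20 action="accept"',
]

def parse_fgt_log(line):
    """Return the key=value fields of one FortiGate log line as a dict (quotes stripped)."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}

def ips_hits(lines):
    """Group IPS signature logs by attackid, recording the profile and src/dst pairs seen."""
    hits = defaultdict(lambda: {"attack": None, "count": 0, "profiles": set(), "peers": set()})
    for line in lines:
        f = parse_fgt_log(line)
        if f.get("type") != "utm" or f.get("subtype") != "ips" or "attackid" not in f:
            continue  # traffic/event logs carry no signature information
        h = hits[int(f["attackid"])]
        h["attack"] = f.get("attack")
        h["count"] += 1
        h["profiles"].add(f.get("profile"))
        h["peers"].add((f.get("srcip"), f.get("dstip")))
    return dict(hits)

def packet_logging_cli(sensor, entry_id, rule_id):
    """Render the IPS sensor entry that enables packet and attack-context logging for one rule."""
    return (f"config ips sensor\n    edit {sensor}\n        config entries\n"
            f"            edit {entry_id}\n                set rule {rule_id}\n"
            "                set log-attack-context enable\n"
            "                set log-packet enable\n            next\n        end\n    next\nend")
```

Run ips_hits over an exported IPS log and feed each attackid, together with a free entry ID, to packet_logging_cli to produce the block to paste into the FortiGate CLI.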

 

The packet log can be downloaded from the same page, Log & Report -> Intrusion Prevention. Select the alert for the IPS signature 'Sybase.EAServer.Remote.Buffer.Overflow'; in the right panel, under Log Details, there is a tab 'Archived Data'. Select the 'Archive File' button to download the PCAP file.

 

Make sure the following settings are enabled to gather Archived Data:

config log disk setting
    set status enable        <-- Must be enabled.
    set ips-archive enable   <-- Must be enabled.
end

 

Related article:

Technical Tip: Testing of IPS sensor packet logging