FortiGate
kdawd (Staff)
Article Id 396878
Description

This article explains why some IPS signature logs belonging to a single session are missing fields such as URL, agent, and hostname that appear in other logs of the same session.

Scope

FortiGate.

Solution

This is expected behavior. Within a single session, several packets can match the same signature, and each match does not necessarily produce the same log fields. The IPS engine does not save every field for the whole session, because doing so would require a large amount of memory. It retains only the client/server IP addresses, source and destination ports, service, and session ID for the lifetime of the session.

The protocol state changes throughout the session, so at the time of each signature detection different information is available depending on whether the packet came from the client or the server, whether a file transfer was in progress, and so on.

The following two logs come from the same session and matched the same IPS signature. The second log lacks several of the fields (hostname, url, agent, httpmethod) present in the first:
date=2025-05-12 time=11:58:21 eventtime=1747015101630641589 tz="+1000" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="proxyips" severity="medium" srcip=192.168.21.1 srccountry="Reserved" dstip=103.78.91.53 dstcountry="United States" srcintf="labint" srcintfrole="undefined" dstintf="labint2" dstintfrole="undefined" sessionid=130407355 action="detected" proto=6 service="HTTP" policyid=2 poluuid="71c064fc-985b-34ef-3425-7b4d4079a86b" policytype="interface-policy" attack="Cross.Site.Scripting" srcport=59582 dstport=443 hostname="lab.test.com" url="test.url.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0" httpmethod="GET" direction="outgoing" attackid=17702 profile="Lab_Protect" ref="http://www.fortinet.com/ids/" incidentserialno=126146519 msg="web_app2: Cross.Site.Scripting" crscore=10 craction=16384 crlevel="medium"
date=2025-05-12 time=11:58:28 eventtime=1747015108929936540 tz="+1000" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="proxyips" severity="medium" srcip=192.168.21.1 srccountry="Reserved" dstip=103.78.91.53 dstcountry="United States" srcintf="labint" srcintfrole="undefined" dstintf="labint2" dstintfrole="undefined" sessionid=130407355 action="detected" proto=6 service="HTTP" policyid=2 poluuid="71c064fc-985b-34ef-3425-7b4d4079a86b" policytype="interface-policy" attack="Cross.Site.Scripting" srcport=59582 dstport=443 direction="outgoing" attackid=17702 profile="Lab_Protect" ref="http://www.fortinet.com/ids/" incidentserialno=126146555 msg="web_app2: Cross.Site.Scripting" crscore=10 craction=16384 crlevel="medium"
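As an added example (not part of the Fortinet article), the following Python script shows how a SIEM or log pipeline can compensate for this behavior. It parses FortiGate key=value log lines, groups IPS signature logs by the fields the IPS engine keeps for the whole session (session ID, IP addresses, ports), and copies the HTTP context fields (hostname, url, agent, httpmethod) from whichever log of the session carried them onto the sibling logs that lack them, marking the copied fields so an analyst can tell observed values from inferred ones. The sample lines are the article's two logs trimmed to the fields needed here; the function names and the `_filled_from_session` marker are this example's own conventions, not FortiGate's.

```python
import re
from collections import defaultdict

# Constructed sample: the article's two IPS logs, trimmed to the fields used here.
SAMPLE_LOGS = [
    'date=2025-05-12 time=11:58:21 logid="0419016384" type="utm" subtype="ips" '
    'srcip=192.168.21.1 dstip=103.78.91.53 sessionid=130407355 action="detected" '
    'service="HTTP" attack="Cross.Site.Scripting" srcport=59582 dstport=443 '
    'hostname="lab.test.com" url="test.url.com" '
    'agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0" '
    'httpmethod="GET" attackid=17702 incidentserialno=126146519',
    'date=2025-05-12 time=11:58:28 logid="0419016384" type="utm" subtype="ips" '
    'srcip=192.168.21.1 dstip=103.78.91.53 sessionid=130407355 action="detected" '
    'service="HTTP" attack="Cross.Site.Scripting" srcport=59582 dstport=443 '
    'attackid=17702 incidentserialno=126146555',
]

# key=value pairs; a quoted value may contain spaces (e.g. the agent string).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Fields the article shows can be absent from later logs of the same session.
CONTEXT_FIELDS = ("hostname", "url", "agent", "httpmethod")

# Fields the article says the IPS engine keeps for the whole session: a stable join key.
SESSION_KEY_FIELDS = ("sessionid", "srcip", "dstip", "srcport", "dstport")


def parse_fortigate_log(line):
    """Parse one FortiGate key=value log line into a dict of string values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def session_key(rec):
    """Join key built only from fields that persist across the session."""
    return tuple(rec.get(f, "") for f in SESSION_KEY_FIELDS)


def correlate_by_session(lines):
    """Group IPS signature logs by session and fill missing HTTP context
    from sibling logs of the same session.

    Each returned record gains a '_filled_from_session' list naming the
    fields that were absent in that log and copied from another log of
    the session (empty when every value was observed directly)."""
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("subtype") == "ips" and "sessionid" in rec:
            sessions[session_key(rec)].append(rec)

    for recs in sessions.values():
        recs.sort(key=lambda r: (r.get("date", ""), r.get("time", "")))
        # First pass: collect the first observed value of each context field.
        context = {}
        for rec in recs:
            for f in CONTEXT_FIELDS:
                if f in rec and f not in context:
                    context[f] = rec[f]
        # Second pass: fill gaps and record which fields were inferred.
        for rec in recs:
            filled = [f for f in CONTEXT_FIELDS if f not in rec and f in context]
            for f in filled:
                rec[f] = context[f]
            rec["_filled_from_session"] = filled
    return dict(sessions)


if __name__ == "__main__":
    for key, recs in correlate_by_session(SAMPLE_LOGS).items():
        print("session", key)
        for rec in recs:
            print(" ", rec["incidentserialno"], rec.get("hostname"),
                  rec.get("url"), "inferred:", rec["_filled_from_session"])
```

Joining on the session ID together with the address and port tuple, rather than on the session ID alone, keeps the correlation correct if the same session ID value is later reused for an unrelated session; the `_filled_from_session` marker lets a detection rule or analyst distinguish a hostname the firewall actually logged from one carried over from an earlier packet of the same session.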
