Our current configuration successfully blocks HTTP.URI.SQL.Injection and other attacks.
However, I would like to understand what the attackers are trying to achieve; is there any way of viewing the raw data that actually triggered this sensor?
You could enable "packet logging" related to the IPS Filter in order to record all the packets that matched that specific rule.
Then you could open that capture with Wireshark or similar in order to read and try to understand it.
Alby23 wrote: You could enable "packet logging" related to the IPS Filter in order to record all the packets that matched that specific rule.
Then you could open that capture with Wireshark or similar in order to read and try to understand it.
Fortunately these are rather intermittent attacks rather than sustained offensives so I was hoping to avoid the overhead of packet logging on our existing filters for an extended period of time. I will however bear this approach in mind.
Please note that you could enable packet logging for that specific signature and leave the others not packet-logged.
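For the "open that capture and read it" step suggested in this thread, the following is an added example (not part of the original posts and not Fortinet code) that pulls each HTTP request line out of a capture and URL-decodes the URI so the string that matched the signature is readable. It assumes the logged packets were exported as a classic pcap file with Ethernet link type; the function names, addresses and the one-packet sample capture are constructed for illustration.

```python
import struct
from urllib.parse import unquote_plus

def build_sample_pcap():
    """Constructed one-packet capture (Ethernet/IPv4/TCP) carrying an HTTP GET."""
    http = b"GET /item.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + http
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return ghdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def http_requests(pcap):
    """Yield (src_ip, method, raw_uri, decoded_uri) for each HTTP request packet."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    off = 24  # first record header follows the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # skip anything that is not IPv4 carrying TCP
        tcp_off = 14 + (frame[14] & 0x0F) * 4  # honour IP header length
        if len(frame) < tcp_off + 20:
            continue  # truncated TCP header
        payload = frame[tcp_off + (frame[tcp_off + 12] >> 4) * 4:]
        parts = payload.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
        if len(parts) == 3 and parts[2].startswith("HTTP/"):
            src = ".".join(str(b) for b in frame[26:30])
            yield src, parts[0], parts[1], unquote_plus(parts[1])

if __name__ == "__main__":
    for row in http_requests(build_sample_pcap()):
        print(row)
```

Requests split across several TCP segments are not reassembled here; for those, Wireshark's "Follow TCP Stream" remains the easier route.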
Copyright 2024 Fortinet, Inc. All Rights Reserved.