Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
x_member
Contributor

Finding out what actually triggered IDS Sensor (HTTP.URI.SQL.Injection)

Our current configuration successfully blocks HTTP.URI.SQL.Injection and other attacks.


However, I would like to understand what the attackers are trying to achieve; is there any way of viewing the raw data that actually triggered this sensor?

Alby23
Contributor II

You could enable "packet logging" related to the IPS Filter in order to record all the packets that matched that specific rule.

Then you could open that capture with Wireshark or similar in order to read and try to understand it.

x_member

Alby23 wrote:

You could enable "packet logging" related to the IPS Filter in order to record all the packets that matched that specific rule.

Then you could open that capture with Wireshark or similar in order to read and try to understand it.


Fortunately these are rather intermittent attacks rather than sustained offensives so I was hoping to avoid the overhead of packet logging on our existing filters for an extended period of time. I will however bear this approach in mind.

Alby23

Please notice that you could enable packet logging for that specific signature and leave the others not packet-logged.
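As an added illustration of the per-signature approach above (not from either poster, and not an official Fortinet snippet), the following FortiOS CLI fragment enables packet capture only on the entry that pins one signature, while the catch-all entry keeps the normal block-and-log action. The sensor name and the numeric signature ID are placeholders; look up the ID for HTTP.URI.SQL.Injection in your own unit's IPS signature list before applying it.

```fortios
# Placeholder sensor name; replace with the sensor bound to the relevant policy.
config ips sensor
    edit "web-inbound-sensor"
        config entries
            # Entry 1: the single signature under investigation.
            # <SIGNATURE_ID> is a placeholder for the numeric ID of HTTP.URI.SQL.Injection
            # as listed on your FortiGate (not taken from this thread).
            edit 1
                set rule <SIGNATURE_ID>
                set status enable
                set action block
                set log enable
                # Capture the matching packets for this entry only, so the
                # offending request can be reviewed later in Wireshark.
                set log-packet enable
            next
            # Entry 2: everything else in the sensor stays blocked and logged,
            # but without packet capture, so the overhead stays limited to one rule.
            edit 2
                set rule 0
                set status default
                set action block
                set log enable
                set log-packet disable
            next
        end
    next
end
```

Captured packets are retrievable from the IPS log entry that references the match, so only traffic that tripped entry 1 is stored.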
