Hi,
Recently we received multiple logs from a FortiGate appliance that are related to the "diag log test" command like the one below
date=2024-05-10 time=17:33:16 devname="firewall" devid="ID" eventtime= tz="" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="high" srcip=168.10.199.186 srccountry="United States" dstip=224.141.85.77 dstcountry="Reserved" srcintf="internal" srcintfrole="lan" dstintf="dmz" dstintfrole="undefined" sessionid=50000 action="detected" proto=6 service="HTTP" vrf=32 policyid=0 attack="test_attack" srcport=50000 dstport=80 hostname="host2" direction="N/A" attackid=32587 profile="sensor" ref="http://www.fortinet.com/ids/VID32587" user="user5" group="group1" incidentserialno=0 crscore=30 craction=8192 crlevel="high"
We checked the firewall and no admin account was logged in during the period of the events. Please note there are multiple events from Malware, Botnet, File downloads etc.
Is there a service or a different command on the FortiGate that would issue a diag log test command? Has anyone seen this before?
Thanks,
S
The log above is very unlikely to be related to the "diag log test" command.
The logs generated by "diag log test" usually contain the IPs "1.1.1.1" and "2.2.2.2" as source and destination, and not IPs like those in your log. But to answer your question: this command is not used by any process or service on FortiGate, unless specifically configured (you can check in the config: "show | grep 'log test'").
Hi @AlexC-FTNT ,
Thank you for your response. Is there a reference somewhere for the test_attack?
We couldn't track anything in the documentation or FortiGuard websites in the logs.
Thanks,
S
"test_attack" is indeed related to logs generated by the "diag log test" command.
The values are indeed randomized (including the IPs):
date=2024-05-13 time=15:51:25 eventtime=1715608285117030164 tz="+0200" logid="0422016400" type="utm" subtype="ips" eventtype="botnet" level="warning" vd="root" msg="Botnet C&C Communication." severity="high" srcip=168.10.199.186 srccountry="United States" dstip=224.141.85.77 dstcountry="Reserved" srcintf="ZSCALER" srcintfrole="undefined" dstintf="GE HEALTHCARE" dstintfrole="undefined" sessionid=1131176243 action="detected" srcport=49978 dstport=80 proto=6 service="HTTP" vrf=32 policyid=0 profile="sensor" direction="N/A" attack="test_botnet" attackid=12345 user="user3" group="group" ref="http://www.fortinet.com/be?bid=12345" crscore=50 craction=4 crlevel="critical"