khaledparis
New Contributor

[Hacking] sentbyte = 600000

Hello.

 

I have a log file where the IP 192.168.1.1 receives requests from different IPs on destination port 80 and answers with accept or deny.

In all these requests the quantity of transmitted data is small: from a few hundred to 4000 bytes maximum.

Only one log is different: the IP 192.168.1.1 is the client, and it sends a request to destination port 80 of the IP 185.83.145.120, which sends 600000 bytes as a response!

 

<189>devname="D" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1565129415 srcip=192.168.1.1 srcport=49321 dstip=185.83.145.120 dstport=80 proto=6 action="accept" sentbyte=712

<189>devname="D" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1565129416 srcip=185.83.145.120 srcport=80 dstip=192.168.1.1 dstport=49321 proto=6 action="accept" sentbyte=628123

The log file that I have is limited to 1 hour, so I don't know whether a connection existed between the 2 IPs before.

 

The quantity of data received by 192.168.1.1 is large compared to the other logs (minimum 150x), and I see this IP making a connection to an external host...

 

Do you have any idea, please?
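The size comparison described in the question can be automated. The following is an added example, not part of the original post or of any Fortinet tooling: it parses the key=value traffic log lines, flags records whose `sentbyte` is far above the median, and reports which side opened the connection. The function names, the `factor` threshold and all sample lines except the two quoted in the post are assumptions made for illustration.

```python
import re
from statistics import median

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # value is "quoted" or a bare token

# The first two lines are the ones quoted in the post; the other five are
# constructed samples of the small inbound requests the post describes.
SAMPLE = '''\
<189>devname="D" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1565129415 srcip=192.168.1.1 srcport=49321 dstip=185.83.145.120 dstport=80 proto=6 action="accept" sentbyte=712
<189>devname="D" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1565129416 srcip=185.83.145.120 srcport=80 dstip=192.168.1.1 dstport=49321 proto=6 action="accept" sentbyte=628123
<189>devname="D" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1565127001 srcip=203.0.113.10 srcport=51000 dstip=192.168.1.1 dstport=80 proto=6 action="accept" sentbyte=300
<189>devname="D" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1565127200 srcip=203.0.113.11 srcport=51001 dstip=192.168.1.1 dstport=80 proto=6 action="accept" sentbyte=812
<189>devname="D" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1565127900 srcip=198.51.100.7 srcport=51002 dstip=192.168.1.1 dstport=80 proto=6 action="accept" sentbyte=1540
<189>devname="D" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1565128300 srcip=198.51.100.8 srcport=51003 dstip=192.168.1.1 dstport=80 proto=6 action="accept" sentbyte=2210
<189>devname="D" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1565128800 srcip=198.51.100.9 srcport=51004 dstip=192.168.1.1 dstport=80 proto=6 action="accept" sentbyte=3980
'''.splitlines()

def parse_line(line):
    """Turn one key=value log line into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def flow(r):
    return (r["srcip"], r["srcport"], r["dstip"], r["dstport"])

def find_outliers(lines, factor=100):
    """Return records whose sentbyte exceeds factor x the median sentbyte."""
    recs = [parse_line(l) for l in lines if "sentbyte=" in l]
    base = median(int(r["sentbyte"]) for r in recs)
    first_seen = {}  # flow 4-tuple -> earliest eventtime it was logged
    for r in recs:
        t = int(r["eventtime"])
        first_seen[flow(r)] = min(t, first_seen.get(flow(r), t))
    out = []
    for r in recs:
        size = int(r["sentbyte"])
        if size <= factor * base:
            continue
        s, sp, d, dp = flow(r)
        rev = first_seen.get((d, dp, s, sp))
        # If the reverse direction was logged first, the destination of this
        # record opened the connection and this record is the reply.
        initiator = d if rev is not None and rev <= int(r["eventtime"]) else s
        out.append({"from": s, "to": d, "sentbyte": size,
                    "ratio": round(size / base), "initiator": initiator})
    return out

if __name__ == "__main__":
    for hit in find_outliers(SAMPLE):
        print(hit)
```

On the sample it flags only the reply from 185.83.145.120 and attributes the connection to 192.168.1.1, which matches what the post observed by eye.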

 

3 REPLIES
Fullmoon
Contributor III

If you feel that this IP address 185.83.145.120 floods your network, maybe you can try to use a local-in policy to block that external IP address.

Fortigate Newbie
localhost

192.168.1.1 is accessing the webserver at 185.83.145.120. A normal web server request.

Could be malicious or absolutely harmless.

 

Try to add a web filter to your firewall policy and check the logs to see what URL/hostname the device is accessing.

It might give you a hint about what's going on.

yuriinfluenced
New Contributor

A web filter is a really good thing for determining malicious addresses and understanding where the danger comes from. It also helps you to test how well you are hiding when doing something not really legal, but that's another story.
Some years ago, I spent a lot of time on GuidedHacking.com because I had to hack some games and programs for personal use. I had no money to buy them, and it was my only choice. I know it's not the best thing to do, and I'm not proud of it, but it was the only way for me to gain access to software like Photoshop and learn to use it.
