teamradon
New Contributor

How to interpret IPS log....

I thought I understood how to read logs, but the two examples below have me confused. I have redacted some of the information.

The confusing part is the 'direction'. Both examples have an external internet address as the source IP and a destination that is on our internal network. The difference is the direction: one is outgoing and one is incoming. Can someone point me to the documentation that would help me understand, or if you can ELI5, that is helpful too. Thanks.

Log Details:

Date: 2016-09-14
Time: 11:45:56
logver: 52
Time Stamp: 2016-09-14 11:45:56
Device Name: Firewall name
Device ID: Serial number
Log ID: 16384
Type: utm
Sub Type: ips
Event Type: signature
Level: alert
Virtual Domain: root
Severity: high
Source IP: 46.243.173.2
Destination IP: internal private IP
Source Interface: wan1
Destination Interface: port1
Session ID: 187946657
Action: dropped
Protocol: 6
Service: tcp/20480
Attack Name: HTTP.URI.SQL.Injection
Source Port: 32922
Destination Port: 80
Host Name: website url we host
Direction: outgoing
Attack ID: 15621
Profile: protect_http_server
Reference: http://www.fortinet.com/ids/VID15621
Incident Serial No.: 1886305917
Message: web_misc: HTTP.URI.SQL.Injection,
Threat Score: 30
Threat Level: high

Log Details:

logver: 54
Time Stamp: 2016-09-14 11:31:57
Device ID: serial
Device Name: firewall name
Virtual Domain: root
Date: 2016-09-14
Time: 11:31:56
Log ID: 0419016384
Type: utm
Sub Type: ips
Event Type: signature
Level: alert
Severity: critical
Source IP: 69.162.103.180
Source Country: United States
Destination IP: internal IP
Source Interface: wan1
Destination Interface: Internal Interface
Policy ID: 19
Session ID: 1325083
Action: dropped
Protocol: 6
Service: HTTP
Attack Name: RIG.Exploit.Kit
Source Port: 80
Destination Port: 53027
Host Name: lientymisen-skotske.manhattansi
Direction: incoming
Attack ID: 38920
Profile: default
Reference: http://www.fortinet.com/ids/VID38920
User: user
Group: DomainUsers
Incident Serial No.: 89895808
Message: backdoor: RIG.Exploit.Kit,
Threat Score: 50
Threat Level: critical
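As an added example (not from the post and not Fortinet code), here are the two records above reduced to the fields a triage needs, with a small Python helper that works out which side of the flagged packet is the internal host and whether that packet was a client request or a server response, so the logged Direction can be compared against the derived flow. The redacted destination IPs are replaced by constructed 10.x placeholders, and the "wan"-interface and well-known-port heuristics are assumptions of this example.

```python
import ipaddress

# The two IPS records from the post, trimmed to the fields used below.
# Destination IPs were redacted in the post; 10.0.0.25 and 10.0.0.77 are
# constructed placeholders. Interface names are taken from the records.
RECORDS = [
    {"attack": "HTTP.URI.SQL.Injection", "direction": "outgoing", "action": "dropped",
     "srcip": "46.243.173.2", "srcport": 32922, "srcintf": "wan1",
     "dstip": "10.0.0.25", "dstport": 80, "dstintf": "port1"},
    {"attack": "RIG.Exploit.Kit", "direction": "incoming", "action": "dropped",
     "srcip": "69.162.103.180", "srcport": 80, "srcintf": "wan1",
     "dstip": "10.0.0.77", "dstport": 53027, "dstintf": "internal"},
]

WELL_KNOWN = {80, 443, 8080}  # assumed service ports for the server-side check


def is_internal(ip, intf):
    """Assumption: a side is ours if it sits on a non-WAN interface or has a private IP."""
    return not intf.lower().startswith("wan") or ipaddress.ip_address(ip).is_private


def role_of(port, other_port):
    """Heuristic: the side listening on a well-known service port is the server."""
    if port in WELL_KNOWN and other_port not in WELL_KNOWN:
        return "server"
    if other_port in WELL_KNOWN and port not in WELL_KNOWN:
        return "client"
    return "unknown"


def triage(rec):
    """Identify the internal host, its role, and the flow of the flagged packet."""
    src_int = is_internal(rec["srcip"], rec["srcintf"])
    dst_int = is_internal(rec["dstip"], rec["dstintf"])
    if dst_int and not src_int:
        ours, theirs = "dst", "src"
    elif src_int and not dst_int:
        ours, theirs = "src", "dst"
    else:
        raise ValueError("cannot tell which side is internal: " + rec["attack"])
    # The packet travels src -> dst, so the source's role fixes the flow.
    src_role = role_of(rec["srcport"], rec["dstport"])
    flow = {"client": "client->server", "server": "server->client"}.get(src_role, "unknown")
    return {"attack": rec["attack"], "direction": rec["direction"], "action": rec["action"],
            "internal_host": rec[ours + "ip"],
            "internal_role": role_of(rec[ours + "port"], rec[theirs + "port"]),
            "packet_flow": flow}


if __name__ == "__main__":
    for rec in RECORDS:
        print(triage(rec))
```

Run as a script it prints one summary per record: the SQL injection record is a client-to-server request aimed at an internal server, while the exploit-kit record is a server-to-client response reaching an internal client, both dropped.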
