Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
vvserpent
New Contributor II

http_decoder: HTTP.Null.Session

From my fortinet firewall log messages, I found there were some " http.null.session" messages. I did google search and no details information about this signature. From fortinet website, it just said " traffic that does not comply with the protocol standard" . Where I can find the details about this signature? On the other hand, please see Log#5, the similar http.null.session message. I wondering why traffic direction from external interface to internal interface. It means the response from the server is invalid/ not comply the http standard? Here is the sample log from my firewall. Log Number 1 Last Activity 2013-02-07 14:41:49 Type ips Level alert Source Interface DMZ_Internal Source 192.168.18.96 Source Port 53166 Destination Interface DMZ-External Destination 220.181.125.191 Destination Port 80 Attack ID 107347977 Severity low Status reset Message http_decoder: HTTP.Null.Session Device Time 2013-02-07 14:41:49 Subtype signature Device ID XXXXXXXXXXXXXX Log ID 16384 Cluster ID XXXXXXXXXXXXXX_CID Timestamp 1360219309 Protocol 6 Policy ID 100 Service http Count 1 User N/A Group N/A VDom DMZ Log Number 5 Last Activity 2013-02-07 14:39:57 Type ips Level alert Source Interface DMZ-External Source 65.55.25.59 Source Port 80 Destination Interface DMZ_Internal Destination 192.168.205.19 Destination Port 1977 Attack ID 107347977 Severity low Status reset Message http_decoder: HTTP.Null.Session Device Time 2013-02-07 14:39:57 Subtype signature Device ID XXXXXXXXXXXXXX Log ID 16384 Cluster ID XXXXXXXXXXXXXX_CID Timestamp 1360219197 Protocol 6 Policy ID 4 Service 1977/tcp Count 1 User N/A Group N/A VDom DMZ
2 REPLIES 2
emnoc
Esteemed Contributor III

Message http_decoder: HTTP.Null.Session
Will the fortiguard services site just means that, the session is NOT of any recognized http protocol specification. What more detail do you want ? It might be something is badly design or some other tunneling attempts. Block it if you don' t feel comfortable or confront the src/dst in the alert. Since the destination is a APAC address ( china ) I would probably block it :) If this traffic is ongoing, you could even write a pcap for analysis and use tshark/wireahrk an the http decoder to inspect the traffic e.g tshark -n -V host 220.181.125.191 -R ' http' -d ' tcp.port==80,http' good luck

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
vvserpent
New Contributor II

Hi, Thanks for your information. From the packet trace, it seems that the suspected traffic are related to " SOGOU" . From the HTTP content, I believed it is some kind of IME input method. /web_ime/pynet.php?durcon=16&h=XXXXXXXXXXXXXXXXXXXXXX&v=6.2.0.7270&r=6222_sogou_pinyin_62_6222
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors