http_decoder: HTTP.Null.Session
From my Fortinet firewall log messages, I found there were some "http.null.session" messages.
I did a Google search and found no detailed information about this signature.
From the Fortinet website, it just said "traffic that does not comply with the protocol standard".
Where can I find the details about this signature?
On the other hand, please see Log #5, a similar http.null.session message. I am wondering why the traffic direction is from the external interface to the internal interface. Does it mean the response from the server is invalid / does not comply with the HTTP standard?
Here is the sample log from my firewall.
Log Number 1
Last Activity 2013-02-07 14:41:49
Type ips
Level alert
Source Interface DMZ_Internal
Source 192.168.18.96
Source Port 53166
Destination Interface DMZ-External
Destination 220.181.125.191
Destination Port 80
Attack ID 107347977
Severity low
Status reset
Message http_decoder: HTTP.Null.Session
Device Time 2013-02-07 14:41:49
Subtype signature
Device ID XXXXXXXXXXXXXX
Log ID 16384
Cluster ID XXXXXXXXXXXXXX_CID
Timestamp 1360219309
Protocol 6
Policy ID 100
Service http
Count 1
User N/A
Group N/A
VDom DMZ
Log Number 5
Last Activity 2013-02-07 14:39:57
Type ips
Level alert
Source Interface DMZ-External
Source 65.55.25.59
Source Port 80
Destination Interface DMZ_Internal
Destination 192.168.205.19
Destination Port 1977
Attack ID 107347977
Severity low
Status reset
Message http_decoder: HTTP.Null.Session
Device Time 2013-02-07 14:39:57
Subtype signature
Device ID XXXXXXXXXXXXXX
Log ID 16384
Cluster ID XXXXXXXXXXXXXX_CID
Timestamp 1360219197
Protocol 6
Policy ID 4
Service 1977/tcp
Count 1
User N/A
Group N/A
VDom DMZ
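To sort out the direction question above, here is an added Python example (not from the post or from Fortinet) that parses records in the flat "Field value" layout quoted in the post and labels each event by direction and by which side of the HTTP exchange tripped the decoder. It assumes the logged src/dst are those of the packet that triggered the event rather than of the session initiator; the sample records are constructed from the post's fields.

```python
# Constructed sample: the post's two records in the same "Field value" layout, trimmed.
SAMPLE_LOGS = """\
Log Number 1
Source Interface DMZ_Internal
Source 192.168.18.96
Source Port 53166
Destination 220.181.125.191
Destination Port 80
Status reset
Log Number 5
Source Interface DMZ-External
Source 65.55.25.59
Source Port 80
Destination 192.168.205.19
Destination Port 1977
Status reset
"""

# Longest names first so "Source Interface" / "Source Port" match before "Source".
FIELDS = sorted(("Log Number", "Source Interface", "Source", "Source Port",
                 "Destination", "Destination Port", "Status"), key=len, reverse=True)


def parse_records(text):
    """Return one dict per 'Log Number' block of the flat field listing."""
    records = []
    for line in text.splitlines():
        for name in FIELDS:
            if line.startswith(name + " "):
                if name == "Log Number":
                    records.append({})
                records[-1][name] = line[len(name) + 1:].strip()
                break
    return records


def classify(rec):
    """Direction from the interface name, role from which side holds port 80.
    Assumption: src/dst are those of the packet that tripped the decoder (not the
    session initiator), so Source Port 80 means the server's reply was flagged."""
    inbound = rec["Source Interface"].lower().endswith("external")
    return {"log": rec["Log Number"], "direction": "inbound" if inbound else "outbound",
            "role": "server-response" if rec["Source Port"] == "80" else "client-request",
            "peer": rec["Source"] if inbound else rec["Destination"],
            "blocked": rec["Status"] == "reset"}


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_LOGS):
        print(classify(rec))
```

A record labelled inbound / server-response with blocked set is the firewall resetting the session on the server's reply, which is what Log #5 shows.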
Message http_decoder: HTTP.Null.Session
Well, the FortiGuard services site just means that the session is NOT of any recognized HTTP protocol specification. What more detail do you want? It might be something that is badly designed or some other tunneling attempt. Block it if you don't feel comfortable, or confront the src/dst in the alert. Since the destination is an APAC address (China) I would probably block it :) If this traffic is ongoing, you could even write a pcap for analysis and use tshark/wireshark and the http decoder to inspect the traffic, e.g. tshark -n -V host 220.181.125.191 -R 'http' -d 'tcp.port==80,http'
Good luck
PCNSE
NSE
StrongSwan
Hi,
Thanks for your information. From the packet trace, it seems that the suspected traffic is related to "SOGOU".
From the HTTP content, I believe it is some kind of IME input method.
/web_ime/pynet.php?durcon=16&h=XXXXXXXXXXXXXXXXXXXXXX&v=6.2.0.7270&r=6222_sogou_pinyin_62_6222
