Missing 'forwardedfor' ip field on new Fortigate 5.6+ decoder/rules #473

Open
Zekah opened this issue Aug 13, 2019 · 1 comment
Labels: community, decoders (Decoders related issues)

Comments

Zekah commented Aug 13, 2019

Hello

We're testing the Fortigate 5.6 decoders/rules available in the pull request 147 (fortigate-issue-137) on a new project, and so far everything works perfectly.

One small problem: it appears that we have an additional field that is not decoded correctly.

Sample for an IPS alert:
date=2019-08-13 time=00:51:30 devname="fw1-forti-56" devid="FG5H0E123456789" logid="0123456789" type="utm" subtype="ips" eventtype="signature" level="alert" vd="Vdom-01" eventtime=1565650290 severity="critical" srcip=192.168.0.1 srccountry="Reserved" dstip=10.10.10.10 srcintf="bond1.1234" srcintfrole="lan" dstintf="bond1.5678" dstintfrole="lan" sessionid=1521348773 action="dropped" proto=6 service="HTTP" policyid=118 attack="MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution" srcport=38827 dstport=80 hostname="TEST" direction="outgoing" attackid=40402 profile="default" ref="http://www.fortinet.com/ids/VID40402" incidentserialno=1233368971 msg="web_server: MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution," forwardedfor="203.0.113.1" crscore=50 crlevel="critical"

**Phase 1: Completed pre-decoding.
full event: 'date=2019-08-13 time=00:51:30 devname="fw1-forti-56" devid="FG5H0E123456789" logid="0123456789" type="utm" subtype="ips" eventtype="signature" level="alert" vd="Vdom-01" eventtime=1565650290 severity="critical" srcip=192.168.0.1 srccountry="Reserved" dstip=10.10.10.10 srcintf="bond1.1234" srcintfrole="lan" dstintf="bond1.5678" dstintfrole="lan" sessionid=1521348773 action="dropped" proto=6 service="HTTP" policyid=118 attack="MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution" srcport=38827 dstport=80 hostname="TEST" direction="outgoing" attackid=40402 profile="default" ref="http://www.fortinet.com/ids/VID40402" incidentserialno=1233368971 msg="web_server: MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution," forwardedfor="203.0.113.1" crscore=50 crlevel="critical"'
timestamp: '(null)'
hostname: 'waz-01'
program_name: '(null)'
log: 'date=2019-08-13 time=00:51:30 devname="fw1-forti-56" devid="FG5H0E123456789" logid="0123456789" type="utm" subtype="ips" eventtype="signature" level="alert" vd="Vdom-01" eventtime=1565650290 severity="critical" srcip=192.168.0.1 srccountry="Reserved" dstip=10.10.10.10 srcintf="bond1.1234" srcintfrole="lan" dstintf="bond1.5678" dstintfrole="lan" sessionid=1521348773 action="dropped" proto=6 service="HTTP" policyid=118 attack="MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution" srcport=38827 dstport=80 hostname="TEST" direction="outgoing" attackid=40402 profile="default" ref="http://www.fortinet.com/ids/VID40402" incidentserialno=1233368971 msg="web_server: MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution," forwardedfor="203.0.113.1" crscore=50 crlevel="critical"'

**Phase 2: Completed decoding.
decoder: 'fortigate-firewall-v5'
status: 'critical'
srcip: '192.168.0.1'
dstip: '10.10.10.10'
action: 'dropped'
srcport: '38827'
dstport: '80'
extra_data: 'web_server: MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution,'

**Phase 3: Completed filtering (rules).
Rule id: '81629'
Level: '3'
Description: 'Fortigate Attack Dropped'

As you can see, srcip: '192.168.0.1' and dstip: '10.10.10.10' are decoded correctly, but forwardedfor="203.0.113.1" is not, although it is the "real" source IP behind our load balancer.
Can this field be added in the same way that srcip/dstip are?
Let me know if you need more info/samples.

Best regards
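
An added example, not from the issue or from the Wazuh decoder under discussion: a small Python parser for FortiOS key=value lines that pulls forwardedfor out alongside srcip/dstip, plus a helper that only honours forwardedfor when the direct peer is a known load balancer. The trimmed sample line and the 192.168.0.0/24 proxy range are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample, trimmed from the IPS alert shape in the issue; values are not real.
SAMPLE = ('date=2019-08-13 time=00:51:30 devname="fw1-forti-56" type="utm" subtype="ips" '
          'srcip=192.168.0.1 dstip=10.10.10.10 action="dropped" service="HTTP" '
          'srcport=38827 dstport=80 '
          'msg="web_server: MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution," '
          'forwardedfor="203.0.113.1" crscore=50 crlevel="critical"')

# Assumed: the load balancer that inserts the header sits in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.0.0/24")]

# FortiOS logs are space-separated key=value pairs. Quoted values may contain
# spaces and commas (msg= above), so a naive split() on whitespace breaks them.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate(line):
    """Return every key=value pair of a FortiOS log line as a dict of strings."""
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def client_ip(fields, trusted_proxies):
    """Choose the address to alert on.

    forwardedfor carries an X-Forwarded-For value. Such headers are set by
    whoever sent the request, so the value is only meaningful when the direct
    peer (srcip) is a proxy you operate; otherwise fall back to srcip.
    """
    src = fields.get("srcip")
    xff = fields.get("forwardedfor")
    if not (src and xff):
        return src
    try:
        peer = ipaddress.ip_address(src)
        # A chain "client, proxy1, proxy2" lists the original client first.
        first = ipaddress.ip_address(xff.split(",")[0].strip())
    except ValueError:
        return src
    if any(peer in net for net in trusted_proxies):
        return str(first)
    return src
```

Running `client_ip(parse_fortigate(SAMPLE), TRUSTED_PROXIES)` returns 203.0.113.1 for the sample, and 192.168.0.1 when the proxy list is empty.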

@Zekah Zekah changed the title Missing 'forwardedfor' Missing 'forwardedfor' ip field on new Fortigate 5.6+ decoder/rules Aug 13, 2019
@Lopuiz Lopuiz self-assigned this Aug 13, 2019
Lopuiz (Contributor) commented Aug 13, 2019

Hello!

Thanks for your feedback.
PR #147 will be merged into 3.11.
We will study your case and give you an answer as soon as possible.

Best regards,
Eva

@Lopuiz Lopuiz added decoders Decoders related issues and removed question labels Aug 29, 2019