Zekah changed the title from "Missing 'forwardedfor'" to "Missing 'forwardedfor' ip field on new Fortigate 5.6+ decoder/rules" on Aug 13, 2019
Hello
We're testing the Fortigate 5.6 decoders/rules available in the pull request 147 (fortigate-issue-137) on a new project, and so far everything works perfectly.
One small problem, it appears that we have an additional field that is not decoded correctly:
Sample for an IPS alert:
date=2019-08-13 time=00:51:30 devname="fw1-forti-56" devid="FG5H0E123456789" logid="0123456789" type="utm" subtype="ips" eventtype="signature" level="alert" vd="Vdom-01" eventtime=1565650290 severity="critical" srcip=192.168.0.1 srccountry="Reserved" dstip=10.10.10.10 srcintf="bond1.1234" srcintfrole="lan" dstintf="bond1.5678" dstintfrole="lan" sessionid=1521348773 action="dropped" proto=6 service="HTTP" policyid=118 attack="MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution" srcport=38827 dstport=80 hostname="TEST" direction="outgoing" attackid=40402 profile="default" ref="http://www.fortinet.com/ids/VID40402" incidentserialno=1233368971 msg="web_server: MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution," forwardedfor="203.0.113.1" crscore=50 crlevel="critical"
**Phase 1: Completed pre-decoding.
full event: 'date=2019-08-13 time=00:51:30 devname="fw1-forti-56" devid="FG5H0E123456789" logid="0123456789" type="utm" subtype="ips" eventtype="signature" level="alert" vd="Vdom-01" eventtime=1565650290 severity="critical" srcip=192.168.0.1 srccountry="Reserved" dstip=10.10.10.10 srcintf="bond1.1234" srcintfrole="lan" dstintf="bond1.5678" dstintfrole="lan" sessionid=1521348773 action="dropped" proto=6 service="HTTP" policyid=118 attack="MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution" srcport=38827 dstport=80 hostname="TEST" direction="outgoing" attackid=40402 profile="default" ref="http://www.fortinet.com/ids/VID40402" incidentserialno=1233368971 msg="web_server: MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution," forwardedfor="203.0.113.1" crscore=50 crlevel="critical"'
timestamp: '(null)'
hostname: 'waz-01'
program_name: '(null)'
log: 'date=2019-08-13 time=00:51:30 devname="fw1-forti-56" devid="FG5H0E123456789" logid="0123456789" type="utm" subtype="ips" eventtype="signature" level="alert" vd="Vdom-01" eventtime=1565650290 severity="critical" srcip=192.168.0.1 srccountry="Reserved" dstip=10.10.10.10 srcintf="bond1.1234" srcintfrole="lan" dstintf="bond1.5678" dstintfrole="lan" sessionid=1521348773 action="dropped" proto=6 service="HTTP" policyid=118 attack="MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution" srcport=38827 dstport=80 hostname="TEST" direction="outgoing" attackid=40402 profile="default" ref="http://www.fortinet.com/ids/VID40402" incidentserialno=1233368971 msg="web_server: MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution," forwardedfor="203.0.113.1" crscore=50 crlevel="critical"'
**Phase 2: Completed decoding.
decoder: 'fortigate-firewall-v5'
status: 'critical'
srcip: '192.168.0.1'
dstip: '10.10.10.10'
action: 'dropped'
srcport: '38827'
dstport: '80'
extra_data: 'web_server: MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution,'
**Phase 3: Completed filtering (rules).
Rule id: '81629'
Level: '3'
Description: 'Fortigate Attack Dropped'
As you can see, srcip: '192.168.0.1' and dstip: '10.10.10.10' are decoded correctly, but forwardedfor="203.0.113.1" is not, although it is the "real" source IP behind our load balancer.
Can this field be added in the same way that srcip/dstip are?
Let me know if you need more info/samples.
Best regards
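To show what the decoder would need to extract, here is an added Python example (not part of the issue, the pull request, or the Wazuh ruleset) that parses the Fortigate key=value format, including double-quoted values that contain spaces and commas such as the msg field above, and then picks the client address a rule should act on. The sample line is the IPS alert from the issue. The TRUSTED_PROXIES range and the rule that forwardedfor is honoured only when srcip is one of our own load balancers are assumptions for the example: the forwardedfor value is copied from an X-Forwarded-For header, so it is only as trustworthy as the device that wrote it.

```python
import re
from ipaddress import ip_address, ip_network

# Fortigate logs are space-separated key=value pairs. A value is either a bare
# token or a double-quoted string, and quoted strings may contain spaces/commas.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Sample IPS alert taken from the issue text.
SAMPLE = (
    'date=2019-08-13 time=00:51:30 devname="fw1-forti-56" devid="FG5H0E123456789" '
    'logid="0123456789" type="utm" subtype="ips" eventtype="signature" level="alert" '
    'vd="Vdom-01" eventtime=1565650290 severity="critical" srcip=192.168.0.1 '
    'srccountry="Reserved" dstip=10.10.10.10 srcintf="bond1.1234" srcintfrole="lan" '
    'dstintf="bond1.5678" dstintfrole="lan" sessionid=1521348773 action="dropped" '
    'proto=6 service="HTTP" policyid=118 '
    'attack="MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution" '
    'srcport=38827 dstport=80 hostname="TEST" direction="outgoing" attackid=40402 '
    'profile="default" ref="http://www.fortinet.com/ids/VID40402" '
    'incidentserialno=1233368971 '
    'msg="web_server: MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution," '
    'forwardedfor="203.0.113.1" crscore=50 crlevel="critical"'
)

# Assumption for the example: only these networks host our load balancers, so only
# they are allowed to supply a forwardedfor value we act on.
TRUSTED_PROXIES = [ip_network("192.168.0.0/24")]


def parse_fortigate(line):
    """Parse one Fortigate log line into a dict of field name -> string value."""
    fields = {}
    for match in _KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def effective_srcip(fields, trusted=TRUSTED_PROXIES):
    """Return the address a rule should treat as the client.

    forwardedfor is used only when srcip belongs to a trusted load balancer;
    otherwise srcip is returned unchanged. If forwardedfor carries a
    comma-separated chain, the rightmost entry is taken, since that is the one
    the trusted load balancer itself appended (assumption: the LB appends
    rather than overwrites).
    """
    src = fields.get("srcip")
    fwd = fields.get("forwardedfor")
    if src is None or not fwd:
        return src
    try:
        src_addr = ip_address(src)
        fwd_addr = ip_address(fwd.split(",")[-1].strip())
    except ValueError:
        # Malformed address in either field: never promote untrusted data.
        return src
    if any(src_addr in net for net in trusted):
        return str(fwd_addr)
    return src


if __name__ == "__main__":
    fields = parse_fortigate(SAMPLE)
    print("srcip:", fields["srcip"],
          "forwardedfor:", fields.get("forwardedfor"),
          "effective:", effective_srcip(fields))
```

Running the block on the sample prints srcip 192.168.0.1, forwardedfor 203.0.113.1, and 203.0.113.1 as the effective client address; with a srcip outside the trusted range the same forwardedfor value is ignored and srcip is kept.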