These log messages belong to the IDP (Intrusion Detection & Prevention) events category.
2.27.1. scan_detected (ID: 01300001)
- Default Severity
- NOTICE
- Log Message
- Scan detected: <description>, Signature ID=<signatureid>. ID Rule: <idrule>. Protocol: <ipproto>. Source IP: <srcip>. Source Port: <srcport>. Destination IP: <destip>. Destination Port: <destport>. Internal ID: <internalid>. Closing connection.
- Explanation
- A scan signature mapped to the "protect" action matched the traffic, so the connection is closed.
- Firewall Action
- close
- Recommended Action
- Research the advisory (searchable by the unique ID), if you suspect an attack.
- Revision
- 2
- Parameters
- description
signatureid
idrule
ipproto
srcip
srcport
destip
destport
internalid
- Context Parameters
- Rule Name
Deep Inspection
2.27.2. idp_notice (ID: 01300002)
- Default Severity
- WARNING
- Log Message
- IDP Notice: <description>, Signature ID=<signatureid>. ID Rule: <idrule>. Protocol: <ipproto>. Source IP: <srcip>. Source Port: <srcport>. Destination IP: <destip>. Destination Port: <destport>. Internal ID: <internalid>. Closing connection.
- Explanation
- A notice signature mapped to the "protect" action matched the traffic, so the connection is closed.
- Firewall Action
- close
- Recommended Action
- This is probably not an attack, but you may research the advisory (searchable by the unique ID).
- Revision
- 2
- Parameters
- description
signatureid
idrule
ipproto
srcip
srcport
destip
destport
internalid
- Context Parameters
- Rule Name
Deep Inspection
2.27.3. intrusion_detected (ID: 01300003)
- Default Severity
- WARNING
- Log Message
- Intrusion detected: <description>, Signature ID=<signatureid>. ID Rule: <idrule>. Protocol: <ipproto>. Source IP: <srcip>. Source Port: <srcport>. Destination IP: <destip>. Destination Port: <destport>. Internal ID: <internalid>. Closing connection.
- Explanation
- An attack signature mapped to the "protect" action matched the traffic.
- Firewall Action
- close
- Recommended Action
- Research the advisory (searchable by the unique ID).
- Revision
- 2
- Parameters
- description
signatureid
idrule
ipproto
srcip
srcport
destip
destport
internalid
- Context Parameters
- Rule Name
Deep Inspection
2.27.4. virus_detected (ID: 01300004)
- Default Severity
- WARNING
- Log Message
- Virus/worm detected: <description>, Signature ID=<signatureid>. ID Rule: <idrule>. Protocol: <ipproto>. Source IP: <srcip>. Source Port: <srcport>. Destination IP: <destip>. Destination Port: <destport>. Internal ID: <internalid>. Closing connection.
- Explanation
- A virus signature mapped to the "protect" action matched the traffic.
- Firewall Action
- close
- Recommended Action
- Research the advisory (searchable by the unique ID).
- Revision
- 2
- Parameters
- description
signatureid
idrule
ipproto
srcip
srcport
destip
destport
internalid
- Context Parameters
- Rule Name
Deep Inspection
2.27.5. scan_detected (ID: 01300005)
- Default Severity
- NOTICE
- Log Message
- Scan detected: <description>, Signature ID=<signatureid>. ID Rule: <idrule>. Protocol: <ipproto>. Source IP: <srcip>. Source Port: <srcport>. Destination IP: <destip>. Destination Port: <destport>. Internal ID: <internalid>.
- Explanation
- A scan signature matched the traffic.
- Firewall Action
- None
- Recommended Action
- Research the advisory (searchable by the unique ID).
- Revision
- 2
- Parameters
- description
signatureid
idrule
ipproto
srcip
srcport
destip
destport
internalid
- Context Parameters
- Rule Name
Deep Inspection
2.27.6. idp_notice (ID: 01300006)
- Default Severity
- NOTICE
- Log Message
- IDP Notice: <description>, Signature ID=<signatureid>. ID Rule: <idrule>. Protocol: <ipproto>. Source IP: <srcip>. Source Port: <srcport>. Destination IP: <destip>. Destination Port: <destport>. Internal ID: <internalid>.
- Explanation
- A notice signature matched the traffic.
- Firewall Action
- None
- Recommended Action
- This is probably not an attack, but you may research the advisory (searchable by the unique ID).
- Revision
- 2
- Parameters
- description
signatureid
idrule
ipproto
srcip
srcport
destip
destport
internalid
- Context Parameters
- Rule Name
Deep Inspection
2.27.7. intrusion_detected (ID: 01300007)
- Default Severity
- NOTICE
- Log Message
- Intrusion detected: <description>, Signature ID=<signatureid>. ID Rule: <idrule>. Protocol: <ipproto>. Source IP: <srcip>. Source Port: <srcport>. Destination IP: <destip>. Destination Port: <destport>. Internal ID: <internalid>
- Explanation
- An attack signature matched the traffic.
- Firewall Action
- None
- Recommended Action
- Research the advisory (searchable by the unique ID).
- Revision
- 2
- Parameters
- description
signatureid
idrule
ipproto
srcip
srcport
destip
destport
internalid
- Context Parameters
- Rule Name
Deep Inspection
2.27.8. virus_detected (ID: 01300008)
- Default Severity
- NOTICE
- Log Message
- Virus/Worm detected: <description>, Signature ID=<signatureid>. ID Rule: <idrule>. Protocol: <ipproto>. Source IP: <srcip>. Source Port: <srcport>. Destination IP: <destip>. Destination Port: <destport>. Internal ID: <internalid>.
- Explanation
- A virus signature matched the traffic.
- Firewall Action
- None
- Recommended Action
- Research the advisory (searchable by the unique ID).
- Revision
- 2
- Parameters
- description
signatureid
idrule
ipproto
srcip
srcport
destip
destport
internalid
- Context Parameters
- Rule Name
Deep Inspection
2.27.9. invalid_url_format (ID: 01300009)
- Default Severity
- ERROR
- Log Message
- Failed to parse the HTTP URL. ID Rule: <idrule>. URL: <url>. Source IP: <srcip>. Source Port: <srcport>. Destination IP: <destip>. Destination Port: <destport>. Closing connection.
- Explanation
- The unit failed to parse a URL, probably because the URL has an invalid format or contains invalid UTF-8 characters.
- Firewall Action
- close
- Recommended Action
- Make sure that the URL is formatted correctly.
- Revision
- 1
- Parameters
- idrule
url
srcip
srcport
destip
destport
- Context Parameters
- Rule Name
2.27.10. invalid_url_format (ID: 01300010)
- Default Severity
- WARNING
- Log Message
- Failed to parse the HTTP URL. ID Rule: <idrule>. URL: <url>. Source IP: <srcip>. Source Port: <srcport>. Destination IP: <destip>. Destination Port: <destport>. Ignoring the URL.
- Explanation
- The unit failed to parse a URL, probably because the URL has an invalid format or contains invalid UTF-8 characters.
- Firewall Action
- ignore
- Recommended Action
- Make sure that the URL is formatted correctly.
- Revision
- 1
- Parameters
- idrule
url
srcip
srcport
destip
destport
- Context Parameters
- Rule Name
2.27.11. idp_evasion (ID: 01300011)
- Default Severity
- ERROR
- Log Message
- Failed to reassemble data. ID Rule: <idrule>. Source IP: <srcip>. Source Port: <srcport>. Destination IP: <destip>. Destination Port: <destport>. Closing connection.
- Explanation
- The unit failed to reassemble data, probably because of an IDP engine evasion attack.
- Firewall Action
- close
- Recommended Action
- None
- Revision
- 1
- Parameters
- idrule
srcip
srcport
destip
destport
- Context Parameters
- Rule Name
2.27.12. idp_evasion (ID: 01300012)
- Default Severity
- ERROR
- Log Message
- Failed to reassemble data. ID Rule: <idrule>. Source IP: <srcip>. Source Port: <srcport>. Destination IP: <destip>. Destination Port: <destport>.
- Explanation
- The unit failed to reassemble data, probably because of an IDP engine evasion attack.
- Firewall Action
- ignore
- Recommended Action
- None
- Revision
- 1
- Parameters
- idrule
srcip
srcport
destip
destport
- Context Parameters
- Rule Name
2.27.13. idp_outofmem (ID: 01300013)
- Default Severity
- ERROR
- Log Message
- Failed to scan data. ID Rule: <idrule>. Source IP: <srcip>. Source Port: <srcport>. Destination IP: <destip>. Destination Port: <destport>. Closing connection.
- Explanation
- The unit failed to scan data because the amount of memory is low.
- Firewall Action
- close
- Recommended Action
- Review your configuration.
- Revision
- 1
- Parameters
- idrule
srcip
srcport
destip
destport
- Context Parameters
- Rule Name
2.27.14. idp_outofmem (ID: 01300014)
- Default Severity
- ERROR
- Log Message
- Failed to scan data. ID Rule: <idrule>. Source IP: <srcip>. Source Port: <srcport>. Destination IP: <destip>. Destination Port: <destport>.
- Explanation
- The unit failed to scan data because the amount of memory is low.
- Firewall Action
- ignore
- Recommended Action
- Review your configuration.
- Revision
- 1
- Parameters
- idrule
srcip
srcport
destip
destport
- Context Parameters
- Rule Name
2.27.15. idp_failscan (ID: 01300015)
- Default Severity
- ERROR
- Log Message
- Failed to scan data. ID Rule: <idrule>. Source IP: <srcip>. Source Port: <srcport>. Destination IP: <destip>. Destination Port: <destport>. Reason: <reason>. Closing connection.
- Explanation
- The unit failed to scan data.
- Firewall Action
- close
- Recommended Action
- None
- Revision
- 1
- Parameters
- idrule
srcip
srcport
destip
destport
reason
- Context Parameters
- Rule Name
2.27.16. idp_failscan (ID: 01300016)
- Default Severity
- ERROR
- Log Message
- Failed to scan data. ID Rule: <idrule>. Source IP: <srcip>. Source Port: <srcport>. Destination IP: <destip>. Destination Port: <destport>. Reason: <reason>.
- Explanation
- The unit failed to scan data.
- Firewall Action
- ignore
- Recommended Action
- None
- Revision
- 1
- Parameters
- idrule
srcip
srcport
destip
destport
reason
- Context Parameters
- Rule Name
2.27.17. no_valid_license_or_no_signature_file (ID: 01300017)
- Default Severity
- CRITICAL
- Log Message
- IDP: No signatures loaded, skipping IDP filtering
- Explanation
- IDP scanning is aborted since the signature file has been disabled or no signature file was found.
- Firewall Action
- idp_scanning_aborted
- Recommended Action
- For IDP scanning, a valid license with IDP enabled must be installed. If already installed, manually initiate downloading
of the latest signature file. IDP scanning can be disabled to avoid this log message.
- Revision
- 1
- Context Parameters
- ALG Session ID
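
The signature-match templates in 2.27.1 through 2.27.8 share one field layout and differ only in the leading label and the trailing "Closing connection." text, so one parser can recover the fields and tell a closed connection from a match that was only logged. The following is an added example, not vendor code; it assumes the caller passes only the message text (no syslog envelope), and every sample value is constructed.

```python
import re

# Templates 01300001-01300008 share one field layout; only the leading label
# and the optional "Closing connection." trailer differ between them.
_SIG_RE = re.compile(
    r"^(?P<label>Scan detected|IDP Notice|Intrusion detected|Virus/[Ww]orm detected): "
    r"(?P<description>.*), Signature ID=(?P<signatureid>.*?)\. "
    r"ID Rule: (?P<idrule>.*?)\. Protocol: (?P<ipproto>.*?)\. "
    r"Source IP: (?P<srcip>.*?)\. Source Port: (?P<srcport>.*?)\. "
    r"Destination IP: (?P<destip>.*?)\. Destination Port: (?P<destport>.*?)\. "
    # 01300007 has no final period, so the period after the ID is optional.
    r"Internal ID: (?P<internalid>.*?)\.?(?P<closing> Closing connection\.)?$"
)

# label -> (event name, ID when closed, ID when only logged), as listed above.
_EVENTS = {
    "scan detected": ("scan_detected", "01300001", "01300005"),
    "idp notice": ("idp_notice", "01300002", "01300006"),
    "intrusion detected": ("intrusion_detected", "01300003", "01300007"),
    "virus/worm detected": ("virus_detected", "01300004", "01300008"),
}

def parse_idp_message(text):
    """Return the fields of a signature-match message, or None for other text."""
    m = _SIG_RE.match(" ".join(text.split()))  # undo line wrapping first
    if m is None:
        return None
    rec = m.groupdict()
    closed = rec.pop("closing") is not None
    name, id_closed, id_logged = _EVENTS[rec.pop("label").lower()]
    rec.update(event=name, log_id=id_closed if closed else id_logged,
               firewall_action="close" if closed else "none")
    return rec

def logged_but_not_closed(messages):
    """Attack or virus matches where the firewall took no action on the traffic."""
    recs = (parse_idp_message(t) for t in messages)
    return [r for r in recs if r and r["firewall_action"] == "none"
            and r["event"] in ("intrusion_detected", "virus_detected")]

# Constructed sample messages (documentation address ranges, made-up IDs).
SAMPLES = [
    "Scan detected: constructed scan signature, Signature ID=10001. ID Rule: idp_rule_1. Protocol: TCP. Source IP: 192.0.2.10. Source Port: 40000. Destination IP: 198.51.100.5. Destination Port: 22. Internal ID: 501. Closing connection.",
    "Intrusion detected: constructed attack signature, variant A, Signature ID=10002. ID Rule: idp_rule_1. Protocol: TCP. Source IP: 192.0.2.11.\nSource Port: 40001. Destination IP: 198.51.100.5. Destination Port: 80. Internal ID: 502",
    "Virus/Worm detected: constructed worm signature, Signature ID=10003. ID Rule: idp_rule_2. Protocol: UDP. Source IP: 2001:db8::7. Source Port: 5353. Destination IP: 198.51.100.9. Destination Port: 53. Internal ID: 503.",
    "Failed to reassemble data. ID Rule: idp_rule_1. Source IP: 192.0.2.12. Source Port: 40002. Destination IP: 198.51.100.5. Destination Port: 80.",
]

if __name__ == "__main__":
    for rec in logged_but_not_closed(SAMPLES):
        print(rec["log_id"], rec["srcip"], "->", rec["destip"], rec["signatureid"])
```
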