NDR log samples
Botnet
date="2022-02-09" time="16:43:13" tz="PST" logid="0602000001" devid="FAIVMSTM21000033" type="ndr" subtype="Botnet" severity="high" sessionid=63313 alproto="DNS" tlproto="UDP" srcip="18.1.2.2" srcport=10000 dstip="18.1.1.100" dstport=53 behavior="CONN" botname="botnet Andromeda" hostname="orrisbirth.com"
date="2022-02-09" time="16:43:13" tz="PST" logid="0602000001" devid="FAIVMSTM21000033" type="ndr" subtype="Botnet" severity="high" sessionid=63313 alproto="DNS" tlproto="UDP" srcip="18.1.2.2" srcport=10000 dstip="18.1.1.100" dstport=53 behavior="RESP" botname="botnet Other" hostname="cdn12-web-security.com"
Fields
Field | Description
behavior | User activity, for example CONN, RESP, VISIT or GET. The two samples above are the CONN and RESP records of one DNS session and therefore carry the same sessionid (63313).
botname | The name of the botnet the traffic matched.
hostname | The hostname that was resolved or contacted.
Encrypted
date="2022-02-11" time="10:19:03" tz="PST" logid="0603000001" devid="FAI35FT321000001" type="ndr" subtype="Encrypted" severity="critical" sessionid=11554817 alproto="TLS" tlproto="TCP" srcip="172.19.236.140" srcport=5326 dstip="173.245.59.98" dstport=443 behavior="CONN" vers="7" cipher="TLS_AES_256_GCM_SHA384" md5="f436b9416f37d134cadd04886327d3e8"
Fields
Field | Description
behavior | User activity, for example CONN, RESP, VISIT or GET.
vers | The version of alproto, as a string. This is an internal version code (the sample shows vers="7" for a session using a TLS 1.3 cipher suite), not the dotted protocol version.
cipher | The negotiated cipher suite, for example TLS_AES_256_GCM_SHA384.
md5 | The MD5 hash of the JA3 TLS client fingerprint; it can be matched against known client and malware fingerprints.
IOC
date="2022-02-14" time="07:36:13" tz="PST" logid="0605000001" devid="FAI35FT321000001" type="ndr" subtype="IOC" severity="critical" sessionid=19906026 alproto="HTTP" tlproto="TCP" srcip="172.19.235.198" srcport=49304 dstip="178.63.120.205" dstport=443 behavior="CONN" vers="7" cipher="TLS_AES_128_GCM_SHA256" md5="52bea59cf17d9fd5dedd2835fd8e1afe" campaign="CoinMiner" hostname="s3.amazonaws.com" url="/"
Fields
Field | Description
behavior | User activity, for example CONN, RESP, VISIT or GET.
vers | The version of alproto (internal version code, see the Encrypted subtype above).
cipher | The negotiated cipher suite; present when the flagged connection was encrypted.
md5 | The MD5 hash of the JA3 TLS client fingerprint.
campaign | The IOC campaign the indicator belongs to, for example CoinMiner.
hostname | The hostname that was contacted.
url | The URL path that was visited.
IPS attack
date="2022-02-10" time="19:16:56" tz="PST" logid="0604000001" devid="FAI35FT321000001" type="ndr" subtype="IPS attack" severity="low" sessionid=9237954 alproto="OTHER" tlproto="UDP" srcip="172.19.236.145" srcport=57325 dstip="194.69.172.33" dstport=53 behavior="CONN" vname="DNS.Amplification.Detection" vulntype="Anomaly"
date="2022-02-10" time="18:32:54" tz="PST" logid="0604000001" devid="FAI35FT321000001" type="ndr" subtype="IPS attack" severity="medium" sessionid=9092973 alproto="OTHER" tlproto="ICMP" srcip="172.19.235.62" srcport=0 dstip="172.19.236.50" dstport=771 behavior="CONN" vname="BlackNurse.ICMP.Type.3.Code.3.Flood.DoS" vulntype="DoS"
Fields
Field | Description
behavior | User activity, for example CONN, RESP, VISIT or GET.
vname | The name of the matched IPS signature (listed as the virus name in the original reference), for example DNS.Amplification.Detection.
vulntype | The vulnerability type of the signature, for example Anomaly or DoS.
Note that ICMP has no ports: in the second sample srcport is 0 and dstport=771 (0x0303), which corresponds to the ICMP type 3, code 3 named in the signature.
Weak cipher
date="2022-02-07" time="14:18:57" tz="PST" logid="0606000001" devid="FAIVMSTM21000033" type="ndr" subtype="Weak cipher" severity="medium" sessionid=569705 alproto="IMAP" tlproto="TCP" srcip="17.1.6.20" srcport=63310 dstip="18.2.1.114" dstport=443 behavior="CONN" vers="2" cipher="TLS_NULL_WITH_NULL_NULL" ciphername="weak cipher"
date="2022-02-07" time="14:18:57" tz="PST" logid="0606000001" devid="FAIVMSTM21000033" type="ndr" subtype="Weak cipher" severity="medium" sessionid=570387 alproto="SMB" tlproto="TCP" srcip="17.2.12.171" srcport=10001 dstip="17.1.1.119" dstport=443 behavior="CONN" vers="1" cipher="TLS_RSA_WITH_AES_256_GCM_SHA384" md5="9a157673907688965992b40304f50a1e" ciphername="weak version"
Fields
Field | Description
behavior | User activity, for example CONN, RESP, VISIT or GET (string).
vers | The version of alproto (internal version code, see the Encrypted subtype above).
cipher | The negotiated cipher suite.
md5 | The MD5 hash of the JA3 TLS client fingerprint, when one was computed.
ciphername | The type of finding: "weak cipher" when the cipher suite itself is weak (the first sample negotiated TLS_NULL_WITH_NULL_NULL, which encrypts nothing), or "weak version" when the protocol version is vulnerable.
ML
date="2022-02-18" time="15:54:39" tz="PST" logid="0608000001" devid="FAIVMSTM21000033" type="ndr" subtype="ML" severity="low" sessionid=1135774 alproto="DNS" tlproto="TCP" srcip="17.1.10.185" srcport=35546 dstip="17.1.1.119" dstport=389 reasons="Device IP,Device MAC address,Session packet size,Transport layer protocol,Application layer protocol,Source port number,TLS version,Id of nta_dev_ip,Protocol or application behaviors or action"
Fields
Field | Description
reasons | A comma-separated list of the features that led to the ML anomaly detection.
Common Fields
Field | Description
date | The date the log was sent, in the format shown in the samples (yyyy-mm-dd).
time | The time the log was sent, in the format shown in the samples (hh:mm:ss).
tz | System timezone.
logid | The ID generated from the log type and log subtype; each subtype above has its own value (0602000001 Botnet, 0603000001 Encrypted, 0604000001 IPS attack, 0605000001 IOC, 0606000001 Weak cipher, 0608000001 ML).
devid | Device serial number.
type | ndr (fixed string).
subtype | The anomaly type by category: Botnet, Encrypted, IOC, IPS attack, Weak cipher or ML.
severity | The severity of the traffic as assigned by NDR (low, medium, high or critical in the samples).
sessionid | The session ID of the NDR log in FortiNDR; all records of one session share it.
alproto | Application layer protocol, for example DNS, TLS, HTTP, IMAP, SMB or OTHER.
tlproto | Transport layer protocol: TCP, UDP or ICMP.
srcip | Source IP.
srcport | Source port (0 for ICMP).
dstip | Destination IP.
dstport | Destination port.