Trigger Name: Attack Log Warning
Log type: attack log
Alert Severity: High
Triggered Threshold: More than 1 event occured in the last 0.5 hour.
Source Device: Local FortiAnalyzer[Hostname:FortiLog-100A IP: 192.168.1.12]
Last Raw Message:
itime=1187120433 date=2007-08-14 time=15:42:40 devname=Fortigate-200A device_id=FG200A2105401280 log_id=0419070000 type=ips subtype=signature pri=alert vd=root serial=1945370 attack_id=14770 severity=critical src=192.168.9.2 dst=192.168.1.201 src_port=55845 dst_port=389 src_int=dmz1 dst_int=internal status=detected proto=6 service=389/tcp user=N/A group=N/A ref="http://www.fortinet.com/ids/ID14770" msg="operating_system: MS.Windows.Active.Directory.LDAP.Request.DoS
We get quite a few of these. Because of the frequency, I seem to think that they are malicious in nature. The knowledge base says the attack is against a Windows 2000 vulnerability. Our servers are Windows 2003. If anyone has seen this and has any insight, I would love to hear from you.
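To sort out whether the repeats are one noisy source or many, here is an added example (not from the original post and not Fortinet code) that parses FortiGate's key=value log format, copes with the truncated msg="..." field as pasted above, and re-applies the FortiAnalyzer trigger (more than 1 event per 0.5 hour) per attack_id/src/dst over a constructed batch of lines; the itimes, the 192.168.9.3 host and the traffic log are made up.

```python
import re
from collections import defaultdict
# FortiGate logs are space-separated key=value pairs; a value is a bare token or a
# double-quoted string. A quoted value without a closing quote (the post's line is
# cut off inside msg="...") is kept up to the end of the line.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"?|\S*)')

def parse_fortigate_log(line):
    """Return one log line's fields as a dict, quotes stripped."""
    fields = {}
    for key, value in _KV.findall(line):
        if value.startswith('"'):
            value = value[1:-1] if value.endswith('"') else value[1:]
        fields[key] = value
    return fields

def events_over_threshold(lines, max_events=1, window_seconds=1800):
    """Group IPS events by (attack_id, src, dst, dst_port); return the groups with
    more than max_events inside any window_seconds window (the post's trigger)."""
    groups = defaultdict(list)
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("type") != "ips":
            continue  # traffic/event logs do not count toward the IPS trigger
        groups[(f["attack_id"], f["src"], f["dst"], f["dst_port"])].append(int(f["itime"]))
    flagged = {}
    for key, times in groups.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted itimes
            while times[start] < t - window_seconds:
                start += 1
            if end - start + 1 > max_events:
                flagged[key] = max(flagged.get(key, 0), end - start + 1)
    return flagged

# Constructed sample: the post's line plus variants (itime, src, src_port changed).
_T = ('itime={itime} date=2007-08-14 devname=Fortigate-200A type=ips subtype=signature '
      'pri=alert attack_id=14770 severity=critical src={src} dst=192.168.1.201 '
      'src_port={sport} dst_port=389 status=detected proto=6 service=389/tcp '
      'ref="http://www.fortinet.com/ids/ID14770" '
      'msg="operating_system: MS.Windows.Active.Directory.LDAP.Request.DoS')
SAMPLE_LOGS = [
    _T.format(itime=1187120433, src="192.168.9.2", sport=55845),        # the post's (truncated) line
    _T.format(itime=1187120900, src="192.168.9.2", sport=55901) + '"',  # same host, 467 s later
    _T.format(itime=1187130000, src="192.168.9.2", sport=56012) + '"',  # same host, outside the window
    _T.format(itime=1187120500, src="192.168.9.3", sport=40001) + '"',  # one-off from another host
    'itime=1187120600 date=2007-08-14 devname=Fortigate-200A type=traffic '
    'src=192.168.9.2 dst=192.168.1.201 dst_port=389',                   # not an IPS log, ignored
]
```

Running events_over_threshold(SAMPLE_LOGS) flags only the 192.168.9.2 -> 192.168.1.201:389 group with 2 events in the window; a real batch grouped this way shows whether the repeats come from one DMZ host or many.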