No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Log Reference

AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R007

This document supports all the logs of device, including the parameters, meaning, possible causes and solution.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).



IPS/4/BOTNET(l): A botnet was detected. (SyslogId=[syslog-id], VSys=[vsys-name], Policy=[policy-name], SrcIp=[source-ip], DstIp=[destination-ip], SrcPort=[source-port], DstPort=[destination-port], SrcZone=[source-zone], DstZone=[destination-zone], User=[user-name], Protocol=[protocol], Application=[application-name], Profile=[profile-name], SignName=[signature-name], SignId=[signature-id], EventNum=[event-number], Target=[target], Severity=[severity], Os=[operating-system], Category=[category], Role=[role], SrcLocation=[source-location], DstLocation=[destination-location], Action=[action])


The IPS detected botnet packets and logged the details on the event.


Parameter Name Parameter Meaning
syslog-id Log ID
vsys-name Name of the virtual system
policy-name Name of the security policy
source-ip Source IP address of packets
destination-ip Destination IP address of packets
source-port Source port of packets (the field is 0 for ICMP packets)
destination-port Destination port of packets (the field is 0 for ICMP packets)
source-zone Source security zone of packets
destination-zone Destination security zone of packets
user-name User name
protocol Protocol of the packets matching the signature
application-name Application of the packets matching the signature
profile-name Profile name
signature-name Signature name
signature-id Signature ID
event-number Field for log merging: Logs are merged on the basis of the log generating frequency and the condition for log merging. The value is 1 if logs are not merged.
target Attack target of the packets matching the signature
  • Server
  • Client
  • Both
Attack severity of the packets matching the signature
  • information
  • low
  • medium
  • high
Operating system attacked by the packets matching the signature
  • all
  • android
  • ios
  • unix-like
  • windows
  • other
category Category of the attack matching the signature
role Role of communication parties on the botnet
  • 1: indicates packets from a zombie to a control terminal.
  • 2: indicates packets from a control terminal to a zombie.
  • 3: indicates packets from the IRC/Web server to a zombie.
  • 4: indicates packets from a zombie to the IRC/Web server.
  • 5: indicates packets from a control terminal to the IRC/Web server.
  • 6: indicates packets from the IRC/Web server to a control terminal.
  • 7: indicates attack packets from a zombie to the attacked.
source-location Location of the source IP address (dynamically identified)
destination-location Location of the destination IP address (dynamically identified)
action Action for the signature
  • Alert
  • Block

Possible Causes

Botnet packets matched the signature.


  1. This log message indicates a normal situation, and no action is required.
Updated: 2019-05-29

Document ID: EDOC1000097209

Views: 135746

Downloads: 189

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Previous Next