Intrusion Prevention Alert

Author
patrickwilson82
Bronze Member
  • Total Posts : 40
  • Scores: 2
  • Reward points: 0
  • Joined: 2018/03/01 13:55:27
  • Status: offline
2019/05/03 06:01:21 (permalink)
0

Intrusion Prevention Alert

I received the following alert on my Fortigate. How do I tell that this was dropped? Or if there is still something else I need to do on my Fortigate?
 
The following intrusion was observed: Apache.Tomcat.Arbitrary.JSP.file.Upload.
date=2019-05-03 time=06:02:20 devname=FGT01 devid=FG101E4Q17000329 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=root severity=high srcip=60.216.17.66 srccountry="China" dstip=xxx.xxx.xxx.xxx srcintf="wan1" dstintf="lan" policyid=7 sessionid=57982235 action=dropped proto=6 service="HTTPS" attack="Apache.Tomcat.Arbitrary.JSP.file.Upload" srcport=31951 dstport=443 hostname="xxx.xxx.xxx.xxx:xxx" direction=outgoing attackid=44543 profile="protect_http_server" ref="http://www.fortinet.com/ids/VID44543" incidentserialno=1972817245 msg="web_server: Apache.Tomcat.Arbitrary.JSP.file.Upload," crscore=30 crlevel=high  
#1

1 Reply Related Threads

    ede_pfau
    Expert Member
    • Total Posts : 6019
    • Scores: 480
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Intrusion Prevention Alert 2019/05/03 06:42:40 (permalink)
    0
    action=dropped
    IPS cuts off the session if a pattern matches, that's why it's called "dropped". This one was detected and the connection was dropped after some time/bytes. It wouldn't hurt if you checked your server though.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
    Jump to:
    © 2019 APG vNext Commercial Version 5.5