patrickwilson82
New Member
May 3, 2019
Question

Intrusion Prevention Alert


I received the following alert on my FortiGate. How do I tell that this was dropped, or whether there is still something else I need to do on my FortiGate?

 

The following intrusion was observed: Apache.Tomcat.Arbitrary.JSP.file.Upload.

date=2019-05-03 time=06:02:20 devname=FGT01 devid=FG101E4Q17000329 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=root severity=high srcip=60.216.17.66 srccountry="China" dstip=xxx.xxx.xxx.xxx srcintf="wan1" dstintf="lan" policyid=7 sessionid=57982235 action=dropped proto=6 service="HTTPS" attack="Apache.Tomcat.Arbitrary.JSP.file.Upload" srcport=31951 dstport=443 hostname="xxx.xxx.xxx.xxx:xxx" direction=outgoing attackid=44543 profile="protect_http_server" ref="http://www.fortinet.com/ids/VID44543" incidentserialno=1972817245 msg="web_server: Apache.Tomcat.Arbitrary.JSP.file.Upload," crscore=30 crlevel=high  

    1 reply

    ede_pfau
    SuperUser
    May 3, 2019

    action=dropped
    IPS cuts off the session if a pattern matches, that's why it's called "dropped". This one was detected and the connection was dropped after some time/bytes. It wouldn't hurt if you checked your server though.
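
The check described in the reply, as an added example that is not part of the original thread: it parses key=value IPS log lines like the one in the question and reports whether each event's `action` field shows the session was dropped. The function names and sample lines are constructed for illustration, and the `detected` action value is an assumption to confirm against the log reference for your FortiOS version.

```python
import shlex

# Constructed sample modelled on the alert in the question. Addresses are
# documentation-range placeholders, not values from the original post.
SAMPLE_LOG = """\
date=2019-05-03 time=06:02:20 type=utm subtype=ips severity=high srcip=198.51.100.7 dstip=192.0.2.10 policyid=7 action=dropped service="HTTPS" attack="Apache.Tomcat.Arbitrary.JSP.file.Upload" attackid=44543
date=2019-05-03 time=06:05:41 type=utm subtype=ips severity=high srcip=198.51.100.7 dstip=192.0.2.10 policyid=7 action=detected service="HTTPS" attack="Apache.Tomcat.Arbitrary.JSP.file.Upload" attackid=44543
"""

# "dropped" is the value shown on the page. Any other value (for example the
# assumed "detected" in the second sample line) is treated as not blocked.
BLOCKED_ACTIONS = {"dropped"}


def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def triage(log_text):
    """Return (time, srcip, attack, action, verdict) for each IPS event."""
    results = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("subtype") != "ips":
            continue  # ignore non-IPS log lines
        action = f.get("action", "missing")
        verdict = "blocked" if action in BLOCKED_ACTIONS else "not blocked"
        results.append(
            (f.get("time"), f.get("srcip"), f.get("attack"), action, verdict)
        )
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row, sep="  ")
```

Events reported as "not blocked" are the ones where the destination server should be inspected first, since the signature matched but the log does not show the session being cut off.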