Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
patrickwilson82
New Contributor

Intrusion Prevention Alert

I received the following alert on my Fortigate. How do I tell that this was dropped? Or if there is still something else I need to do on my Fortigate?

 

The following intrusion was observed: Apache.Tomcat.Arbitrary.JSP.file.Upload.

date=2019-05-03 time=06:02:20 devname=FGT01 devid=FG101E4Q17000329 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=root severity=high srcip=60.216.17.66 srccountry="China" dstip=xxx.xxx.xxx.xxx srcintf="wan1" dstintf="lan" policyid=7 sessionid=57982235 action=dropped proto=6 service="HTTPS" attack="Apache.Tomcat.Arbitrary.JSP.file.Upload" srcport=31951 dstport=443 hostname="xxx.xxx.xxx.xxx:xxx" direction=outgoing attackid=44543 profile="protect_http_server" ref="http://www.fortinet.com/ids/VID44543" incidentserialno=1972817245 msg="web_server: Apache.Tomcat.Arbitrary.JSP.file.Upload," crscore=30 crlevel=high  

1 REPLY 1
ede_pfau
SuperUser
SuperUser

action=dropped
IPS cuts off the session if a pattern matches, that's why it's called "dropped". This one was detected and the connection was dropped after some time/bytes. It wouldn't hurt if you checked your server though.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors