Web.Server.Password.Files.Access not stopped

Hello,
My web server got this request not stopped by CrowdSec, so please, what should I install to stop it:

subtype="ips" eventtype="signature" level="alert" vd="SG" severity="medium" srcip=xxx.xxx.xxx.xxx srccountry="France" dstip=192.168.27.3 srcintf="APPLI_WEB" srcintfrole="lan" dstintf="APPLI_WEB_NAT" dstintfrole="lan" sessionid=3792843078 action="dropped" proto=6 service="HTTP" policyid=215 attack="Web.Server.Password.Files.Access" srcport=56736 dstport=80 hostname="xxxxxx.xxxx.fr" url="/xxx/index.php?page_param=/etc/passwd" direction="outgoing" attackid=43336 profile="PB-DPI" ref="http://www.fortinet.com/ids/VID43336" incidentserialno=395767594 msg="applications3: Web.Server.Password.Files.Access," forwardedfor="zzz.19.www.235" crscore=10 craction=16384 crlevel="medium"

Thx a lot :slight_smile:

Hello @Zylwee :slight_smile:

Can you provide a bit of context? Where do the logs come from?

Hello, thanks for your time,
These logs have been caught by a Fortinet firewall between my rproxy NGINX/CrowdSec and the real web server.
So in the nginx logs you can find 11 lines with: [22/Jan/2022:04:34:47 +0100] "GET /xxx/index.php?page_param=/etc/passwd HTTP/1.1" 499 0 "https://xxxxxxx.xxxxxx.fr/gpu/index.php?page_param=/etc/passwd" "Mozilla/5.0 (Windows NT 10.0; WOW64; Rv:50.0) Gecko/20100101 Firefox/50.0"

Thanks a lot for your time reading my post

We don’t have a parser for fortinet yet. If you feel it’s relevant, please open an issue on the GitHub - crowdsecurity/hub: Main repository for crowdsec scenarios/parsers with sample logs :slight_smile:

Those should be parsed if you installed the nginx collection and provided the files to the acquisition. They are not?
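Since there is no Fortinet parser in the hub yet, the following is an added example (not CrowdSec's own parser, nor code from the thread) of what such a parser has to do: split a FortiGate key=value event like the one in the first post into fields, then extract the pieces a scenario would key on. The sample event is constructed from the quoted log line (placeholder addresses kept as in the thread); `is_sensitive_file_probe` and the field names it reports are this example's own choices.

```python
import re
from typing import Dict
from urllib.parse import unquote

# Constructed sample, modelled on the FortiGate IPS event quoted in the thread.
# Addresses and hostnames are the thread's own placeholders, not real values.
SAMPLE_EVENT = (
    'subtype="ips" eventtype="signature" level="alert" severity="medium" '
    'srcip=xxx.xxx.xxx.xxx dstip=192.168.27.3 sessionid=3792843078 action="dropped" '
    'proto=6 service="HTTP" attack="Web.Server.Password.Files.Access" '
    'srcport=56736 dstport=80 url="/xxx/index.php?page_param=/etc/passwd" '
    'attackid=43336 msg="applications3: Web.Server.Password.Files.Access," '
    'forwardedfor="zzz.19.www.235" crscore=10 crlevel="medium"'
)

# FortiGate logs are key=value pairs; a value is either double-quoted (and may
# contain spaces, colons or commas) or a bare token up to the next whitespace.
_KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# Paths whose presence in a request parameter is what the IPS signature flags.
_SENSITIVE_PATH_RE = re.compile(r"/etc/passwd")


def parse_fortigate_kv(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict with quotes removed."""
    fields: Dict[str, str] = {}
    for match in _KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_sensitive_file_probe(fields: Dict[str, str]) -> bool:
    """True for an IPS signature hit whose URL references a sensitive file.

    The URL is percent-decoded first so that an encoded variant of the same
    path is classified the same way as the plain one seen in the thread.
    """
    if fields.get("subtype") != "ips" or fields.get("eventtype") != "signature":
        return False
    return bool(_SENSITIVE_PATH_RE.search(unquote(fields.get("url", ""))))


def summarize_event(fields: Dict[str, str]) -> Dict[str, str]:
    """Reduce the event to the fields a ban decision would need.

    Behind a reverse proxy, srcip is the proxy itself; forwardedfor holds the
    real client, and is only trustworthy when set by your own proxy.
    """
    return {
        "source_ip": fields.get("forwardedfor") or fields.get("srcip", ""),
        "attack": fields.get("attack", ""),
        "url": fields.get("url", ""),
        "action": fields.get("action", ""),
    }
```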

Hello @thibault ,
the nginx collection is installed:
COLLECTIONS

NAME :package: STATUS VERSION LOCAL PATH

crowdsecurity/http-cve :heavy_check_mark: enabled 0.8 /etc/crowdsec/collections/http-cve.yaml
crowdsecurity/base-http-scenarios :warning: enabled,tainted 0.5 /etc/crowdsec/collections/base-http-scenarios.yaml
crowdsecurity/mysql :heavy_check_mark: enabled 0.1 /etc/crowdsec/collections/mysql.yaml
crowdsecurity/nginx :heavy_check_mark: enabled 0.1 /etc/crowdsec/collections/nginx.yaml
crowdsecurity/apache2 :heavy_check_mark: enabled 0.1 /etc/crowdsec/collections/apache2.yaml
crowdsecurity/linux :heavy_check_mark: enabled 0.2 /etc/crowdsec/collections/linux.yaml
crowdsecurity/sshd :heavy_check_mark: enabled 0.2 /etc/crowdsec/collections/sshd.yaml
crowdsecurity/fastly :heavy_check_mark: enabled 0.1 /etc/crowdsec/collections/fastly.yaml

INFO[25-01-2022 09:58:50 AM] Acquisition Metrics:
+------------------------------------------------------+------------+--------------+----------------+------------------------+
| SOURCE | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+------------------------------------------------------+------------+--------------+----------------+------------------------+
| file:/var/log/auth.log | 2168 | - | 2168 | - |
| file:/var/log/nginx/access.log | 6958 | 6958 | - | 5481 |
| file:/var/log/nginx/error.log | 83 | - | 83 | - |
| file:/var/log/syslog | 1985 | - | 1985 | - |
| file:/var/log/www/xxx-web.access.log | 34 | 20 | 14 | 17 |
| file:/var/log/www/xxx-web.nginx_error.log | 3 | - | 3 | - |
| file:/var/log/www/xxx-zzzzz.access.log | 134 | 134 | - | 127 |
| file:/var/log/www/xxx-zzzzz.access.log | 25403 | 25403 | - | 7269 |
| file:/var/log/www/xxx-zzzzz.nginx_error.log | 402 | 402 | - | 326 |
| file:/var/log/www/xxx-zzzzz.access.log | 407 | 405 | 2 | 102 |
| file:/var/log/www/xxx-zzzzz.nginx_error.log | 21 | 21 | - | 16 |
| file:/var/log/www/xxx-zzzzz-admin.access.log | 939 | 939 | - | 74 |
| file:/var/log/www/xxx-zzzzz-admin.nginx_error.log | 20 | 1 | 19 | 1 |
| file:/var/log/www/xxx-zzzzzzz-personnels.access.log | 4279831 | 4279831 | - | 63894 |
| file:/var/log/www/xxx-zzzzzzz-personnels.nginx_error.log | 1229 | 909 | 320 | 107 |
| file:/var/log/www/xxx-zzzzzzz.access.log | 1288940 | 1288938 | 2 | 11008 |
| file:/var/log/www/xxx-zzzzzzz.nginx_error.log | 72 | 54 | 18 | 9 |
| file:/var/log/www/xxx-zzzzzzz.access.log | 8736 | 8736 | - | 428 |
| file:/var/log/www/xxx-zzzzzzz.nginx_error.log | 27 | 27 | - | 16 |
| file:/var/log/www/xxx-zzzzzzz.access.log | 204883 | 204883 | - | 189026 |
| file:/var/log/www/xxx-zzzzzzz.nginx_error.log | 32013 | 60 | 31953 | 60 |
| file:/var/log/www/xxx-zzzzzzz.access.log | 11598 | 11598 | - | 823 |
| file:/var/log/www/xxx-zzzzzzz.nginx_error.log | 2 | 2 | - | 1 |
| file:/var/log/www/xxx-zzzzzzz.access.log | 42239 | 42239 | - | 24555 |
| file:/var/log/www/xxx-zzzzzzz.nginx_error.log | 20 | 20 | - | 17 |
| file:/var/log/www/xxx-nginx.access.log | 3 | 3 | - | 1 |
| file:/var/log/www/xxx-zzzzzzz.access.log | 4167 | 4167 | - | 1506 |
| file:/var/log/www/xxx-zzzzzzz.nginx_error.log | 4 | 4 | - | 4 |
| file:/var/log/www/xxx.access.log | 238 | 238 | - | 220 |
+------------------------------------------------------+------------+--------------+----------------+------------------------+

Thanks :slight_smile: