Zylwee
January 23, 2022, 3:06pm
Hello,
My web server received this request, which was not stopped by CrowdSec, so please, what should I install to stop it:
subtype="ips" eventtype="signature" level="alert" vd="SG" severity="medium" srcip=xxx.xxx.xxx.xxx srccountry="France" dstip=192.168.27.3 srcintf="APPLI_WEB" srcintfrole="lan" dstintf="APPLI_WEB_NAT" dstintfrole="lan" sessionid=3792843078 action="dropped" proto=6 service="HTTP" policyid=215 attack="Web.Server.Password.Files.Access" srcport=56736 dstport=80 hostname="xxxxxx.xxxx.fr" url="/xxx/index.php?page_param=/etc/passwd" direction="outgoing" attackid=43336 profile="PB-DPI" ref="http://www.fortinet.com/ids/VID43336" incidentserialno=395767594 msg="applications3: Web.Server.Password.Files.Access," forwardedfor="zzz.19.www.235" crscore=10 craction=16384 crlevel="medium"
Thx a lot
Hello @Zylwee
Can you provide a bit of context? Where do the logs come from?
Zylwee
January 24, 2022, 3:10pm
Hello, thanks for your time,
These logs were caught by a Fortinet firewall sitting between my reverse proxy (NGINX/CrowdSec) and the real web server.
In the nginx logs you can find 11 lines like: [22/Jan/2022:04:34:47 +0100] "GET /xxx/index.php?page_param=/etc/passwd HTTP/1.1" 499 0 "https://xxxxxxx.xxxxxx.fr/gpu/index.php?page_param=/etc/passwd" "Mozilla/5.0 (Windows NT 10.0; WOW64; Rv:50.0) Gecko/20100101 Firefox/50.0"
Thanks a lot for your time reading my post
We don't have a parser for Fortinet yet. If you feel it's relevant, please open an issue on the hub repository (GitHub - crowdsecurity/hub: Main repository for crowdsec scenarios/parsers) with sample logs.
Those should be parsed if you installed the nginx collection and provided the files to the acquisition. They are not?
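As an added illustration (this is not code from the original posts nor from the CrowdSec project), here is a small Python detector that does what the nginx collection has to do with the access-log line quoted above: parse the combined-format line, decode the request target (including double URL-encoding), flag path-traversal and sensitive-file probes such as page_param=/etc/passwd, and count probes per source IP over a short window, in the spirit of a leaky-bucket scenario. The log lines, IP addresses, threshold and window are constructed for the example. Note the 499 status in the quoted line: nginx records that the client closed the connection, but the request was still received and logged, so the check keys on the request target rather than on the status code.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# nginx "combined" format:
# remote_addr - remote_user [time_local] "request" status bytes "referer" "user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directory traversal sequences (forward or back slash) and well-known
# files that LFI/path-traversal scanners probe for. Illustrative list only.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
SENSITIVE_FILES = (
    "/etc/passwd",
    "/etc/shadow",
    "/proc/self/environ",
    "/windows/win.ini",
    "boot.ini",
)

# Constructed sample log lines (not real traffic). 203.0.113.10 sends five probes,
# one of them double URL-encoded; 192.0.2.5 sends a single probe; 198.51.100.7 is benign.
SAMPLE_LINES = [
    '203.0.113.10 - - [22/Jan/2022:04:34:47 +0100] "GET /xxx/index.php?page_param=/etc/passwd HTTP/1.1" 499 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Jan/2022:04:34:47 +0100] "GET /xxx/index.php?page_param=home HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [22/Jan/2022:04:34:47 +0100] "GET /xxx/index.php?page_param=/etc/passwd HTTP/1.1" 499 0 "https://example.fr/gpu/index.php?page_param=/etc/passwd" "Mozilla/5.0"',
    '203.0.113.10 - - [22/Jan/2022:04:34:48 +0100] "GET /xxx/index.php?page_param=../../../../etc/passwd HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [22/Jan/2022:04:34:48 +0100] "GET /index.php?file=/etc/shadow HTTP/1.1" 403 0 "-" "curl/7.81.0"',
    '203.0.113.10 - - [22/Jan/2022:04:34:49 +0100] "GET /xxx/index.php?page_param=..%252f..%252fetc%252fpasswd HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [22/Jan/2022:04:34:50 +0100] "GET /xxx/index.php?page_param=/proc/self/environ HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_lfi_probe(target):
    """True if the request target (path + query) looks like a traversal / sensitive-file probe.

    The target is URL-decoded twice so that double-encoded sequences such as
    %252e%252e%252f are caught as well. The HTTP status is deliberately ignored.
    """
    decoded = unquote(unquote(target)).lower()
    if TRAVERSAL_RE.search(decoded):
        return True
    return any(name in decoded for name in SENSITIVE_FILES)


def detect_probes(lines, threshold=3, window_seconds=60):
    """Return {ip: probe_count} for sources that sent >= threshold probes within window_seconds.

    This is a simplified sliding window; a real CrowdSec scenario uses a leaky
    bucket with capacity/leak-speed parameters, which behaves similarly in spirit.
    """
    recent = defaultdict(list)  # ip -> timestamps of probes still inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_lfi_probe(rec["target"]):
            continue
        ts = rec["time"]
        window = recent[rec["ip"]]
        window.append(ts)
        # Evict probes older than the window relative to the newest event.
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.pop(0)
        if len(window) >= threshold:
            alerts[rec["ip"]] = max(alerts.get(rec["ip"], 0), len(window))
    return alerts


if __name__ == "__main__":
    for ip, count in detect_probes(SAMPLE_LINES).items():
        print(f"{ip}: {count} LFI/path-traversal probes within the window")
```

Run over the constructed sample, only 203.0.113.10 crosses the threshold; 192.0.2.5 sent one probe and stays below it, and the benign request from 198.51.100.7 is never counted.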
Zylwee
January 25, 2022, 9:02am