Hi guys,
I have configured the IDS; I haven't seen any alert for a long time.
Today I was looking and found those two.
Is this something I have to worry about? Change the alert to Drop?
Alert
ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body
Thank you
Might be worth being somewhat concerned about, especially since it originated externally. Looking up that IP doesn't show a lot of info, but it does look like it's hitting others' IDSs as well.
See OTX evaluation here - https://otx.alienvault.com/indicator/ip/180.188.248.230
If you are exposing port 80/443 to the internet I'd definitely be in IPS mode to block traffic. You can always back it down if you block legitimate traffic. It's harder to remove a bad actor once they make it in. My gut feeling is it's just someone's script knocking on your web server's door to see if it's open. But I can't say for sure with only an IDS entry.
Thank you for your answer.
We don't have port 80 exposed to the net; I believe only one port is open, which is redirected to 443.
We are using IPS mode and promiscuous mode.
This internal server is an Ubuntu machine running a web server and has fail2ban enabled.
Today I checked the alerts again and there is something similar.