Question about SOC170 alert - Passwd Found in Requested URL - Possible LFI Attack

Good morning!

I have a question about this alert: SOC170 - Passwd Found in Requested URL - Possible LFI Attack

I ended it as True Positive, but it was listed as wrong. I looked for tutorials on the Internet and they all defined it as True Positive, but they gave it as correct. Can anyone help me understand why it is a False Positive? Even though some tutorials give the same answer as mine?

For me it is clearly True Positive.

Hello,
Investigations have been made in line with the feedback you provided. Attacks coming from the IP 106.55.45.162 towards the system were seen to receive an HTTP 500 code, and the response size is 0. For this reason, the attack was unsuccessful. As a result of the investigations, no planned work was seen for the relevant IP. Therefore, although potential LFI attacks towards the target system failed, the alert is True Positive.

In addition, the necessary arrangements have been made on the system and if you solve the alert again, you will see that the True Positive answer is correct.
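The triage reasoning in the reply above, as an added example that is not part of the original thread or the platform's own logic: the verdict (was the request really an LFI attempt?) is decided separately from the outcome (did it succeed?). The record layout, function names, and every sample value except the IP 106.55.45.162, the 500 status and the zero response size are assumptions made for illustration.

```python
from urllib.parse import unquote

# Constructed sample records (not real logs). Only the first source IP, the
# HTTP 500 status and the zero response size come from the thread.
SAMPLE_EVENTS = [
    {"src": "106.55.45.162", "url": "/?file=../../../../etc/passwd", "status": 500, "size": 0},
    {"src": "192.0.2.10", "url": "/?file=..%2f..%2f..%2fetc%2fpasswd", "status": 200, "size": 1843},
    {"src": "192.0.2.20", "url": "/account/passwd-reset?lang=en", "status": 200, "size": 5120},
]

def decode_fully(url, max_rounds=3):
    """Percent-decode repeatedly so double-encoded paths are also seen."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.lower().replace("\\", "/")

def triage(event):
    """Return (verdict, outcome) for one web log record.

    verdict: is the alert right that the request was an LFI attempt?
    outcome: did the server return content to the requester?
    """
    url = decode_fully(event["url"])
    if "passwd" not in url:
        return ("No Alert", "n/a")
    is_lfi_attempt = "/etc/passwd" in url or "../" in url
    if not is_lfi_attempt:
        # The rule matched the word "passwd" in a harmless URL.
        return ("False Positive", "n/a")
    # Malicious intent makes the alert a True Positive; status code and
    # response size only answer whether the attempt succeeded.
    # Simplifying assumption: 2xx with a non-empty body counts as success.
    succeeded = 200 <= event["status"] < 300 and event["size"] > 0
    return ("True Positive", "successful" if succeeded else "unsuccessful")

def triage_all(events):
    return {e["src"]: triage(e) for e in events}

if __name__ == "__main__":
    for src, result in triage_all(SAMPLE_EVENTS).items():
        print(src, *result)
```

A 2xx response with a body can still be an error page, so in a real investigation the response content or endpoint telemetry should confirm a "successful" outcome.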

Perfect. Thanks for your feedback.

Another thing. Is there any way to fix my username so that it is marked as “Correct answer”? Because it will be marked as “Incorrect answer”, punishing me with points and decreasing my “Success Rate” percentage. Even if I finish it correctly.

Hello,
Since this problem you have experienced on the scoring side is a technical problem, we will make the necessary arrangements in the back. For this, can you send an e-mail to [email protected] with the event id and a brief description of your problem?
Sincerely,

Good morning!

I accessed the platform and the alert was corrected automatically.

Thanks for your attention, it helped a lot!

Have a great week.
