IPS FMC for Log4Shell

In general terms, last week, a zero-day vulnerability called Log4Shell was discovered and could be exploited by remote attackers around the world. A zero-day vulnerability is a vulnerability that has just been discovered and does not yet have a patch to fix it, so the main threat is that, until the patch is released and users install it on their equipment, attackers can exploit the vulnerability and take advantage of this security hole.


That said, a critical remote code execution vulnerability has been revealed in the popular Apache Foundation Log4j library, a logging library designed to replace the built-in log4j package that is often used in popular Java projects like Apache Struts 2 and Apache Solr. This could allow an attacker to take control of an affected server. It can be used in default settings by an unauthenticated remote attacker to point to applications that use the Log4j library.


This vulnerability, called CVE-2021-44228, received a CVSS severity score of at most 10.0 and is widely considered to be easy to exploit.


Cisco has made available some signatures in the IPS packet to detect exploit attempts directed at CVE-2021-44228.

They are: Snort 2 SIDs: 58722 - 58744 and Snort 3 SIDs: 300055 - 300058.


Before do that, you must have the latest rules update package available today (Snort Rule Update 2021 12 11 002 vrt) and the rules must be enabled in all the policies and the policies reapplied in the firewalls.


 

#1) Update your package rules on your FMC:

updates / rule updates / download new rules from the Support Site/ [Import]


#2) Make a filter for CVE:"2021-44228"

policy / intrusion / <your_ftd> / rules / rule content / reference / CVE ID

Under "rules state" select all and choose "drop and generate events".


Click Policy Information, confirm the changes, then Deploy.


gif

51 views0 comments

Recent Posts

See All

The Duo Authentication Proxy is an on-premises software service that receives authentication requests from your local devices and applications via RADIUS or LDAP, optionally performs primary authentic

This post provides a step-by-step procedure for installing the hot patch released by Cisco for ISE servers, in light of the recent Log4j vulnerability (Apache Log4j Java Logging Library). More details

We have already seen how Umbrella works in previous posts and now let's do the basic configuration. https://www.stenge.info/post/umbrella-va Configuration Mode on a VA Deployed: When you open the VA i