
IPS FMC for Log4Shell

Last week a zero-day vulnerability known as Log4Shell was disclosed, and it is being exploited by remote attackers around the world. A zero-day vulnerability is one that has just been discovered and for which no patch is available yet; the main threat is that, until the vendor releases a fix and users install it on their systems, attackers can exploit the hole freely.


The flaw is a critical remote code execution vulnerability in Apache Log4j 2, the Apache Software Foundation's widely used Java logging library (the successor to Log4j 1.x), which is bundled with popular Java projects such as Apache Struts 2 and Apache Solr. Exploitation can give an attacker control of the affected server, and it works in default configurations: an unauthenticated remote attacker only needs to get a crafted string logged by an application that uses the vulnerable library.


The vulnerability, tracked as CVE-2021-44228, received the maximum CVSS severity score of 10.0 and is widely considered easy to exploit.


Cisco has published signatures in the IPS rule update (the Snort rule package) that detect exploit attempts targeting CVE-2021-44228.

They are Snort 2 SIDs 58722 - 58744 and Snort 3 SIDs 300055 - 300058.


Before enabling them, you must have the latest rule update package installed (at the time of writing, Snort Rule Update 2021 12 11 002 vrt), the rules must be enabled in every intrusion policy, and the policies must be redeployed to the firewalls. A rule that is present in the update but not enabled in the policy, or enabled but not deployed, does nothing.



#1) Update the rule package on your FMC:

updates / rule updates / download new rules from the Support Site / [Import]


#2) Filter the rules by their CVE reference: CVE:"2021-44228"

policy / intrusion / <your_ftd> / rules / rule content / reference / CVE ID

Under "Rule State", select all matching rules and choose "Drop and Generate Events" (choose "Generate Events" instead if you first want to watch for matches without blocking anything).


Click Policy Information, commit the changes, then Deploy the policy to the devices.
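To double-check the outcome of steps #1 and #2 outside the GUI, the following added example (my own code, not Cisco's and not part of this post) audits Snort rule text for the CVE-2021-44228 signatures. It assumes the rules are available as plain Snort rule text, one rule per line with disabled rules commented out by a leading "#", for instance extracted from the rule update package; the sample rule lines are constructed stand-ins with simplified bodies, not the actual Talos rule text. It reports which of the SIDs named above are present, which are disabled, which only alert instead of dropping, and which are missing (meaning the rule update was not imported or is incomplete).

```python
"""Audit Snort rule text for the Log4Shell (CVE-2021-44228) signatures.

Added example, not Cisco's or this post's code. Assumes plain Snort rule
text (one rule per line, disabled rules commented out with '#').
"""
import re
from typing import Dict, FrozenSet, List, NamedTuple

# SID ranges named in the post (Snort 2 and Snort 3).
SNORT2_SIDS = set(range(58722, 58744 + 1))
SNORT3_SIDS = set(range(300055, 300058 + 1))
EXPECTED_SIDS = frozenset(SNORT2_SIDS | SNORT3_SIDS)
LOG4SHELL_CVE = "2021-44228"

RULE_ACTIONS = {"alert", "drop", "block", "reject", "pass", "log", "sdrop"}
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
CVE_REF_RE = re.compile(r"\breference:\s*cve\s*,\s*(\d{4}-\d+)\s*;", re.IGNORECASE)


class Rule(NamedTuple):
    sid: int
    action: str            # alert / drop / ...
    enabled: bool          # False when the rule line is commented out
    cves: FrozenSet[str]   # CVE IDs from reference: options


def parse_rules(text: str) -> List[Rule]:
    """Parse Snort rule text; blank lines and comments that are not rules are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()          # a disabled rule looks like "# alert ..."
        sid_match = SID_RE.search(body)
        action = body.split(None, 1)[0].lower() if body else ""
        if sid_match is None or action not in RULE_ACTIONS:
            continue                             # ordinary comment or header line
        cves = frozenset(m.group(1) for m in CVE_REF_RE.finditer(body))
        rules.append(Rule(int(sid_match.group(1)), action, enabled, cves))
    return rules


def audit_log4shell(rules: List[Rule], expected: FrozenSet[int] = EXPECTED_SIDS,
                    cve: str = LOG4SHELL_CVE) -> Dict[str, List[int]]:
    """Compare the rules that reference the CVE against the expected SID set."""
    by_sid = {r.sid: r for r in rules if cve in r.cves}
    found = set(by_sid)
    return {
        "matched": sorted(found),
        "missing": sorted(expected - found),        # rule update not imported / incomplete
        "disabled": sorted(s for s, r in by_sid.items() if not r.enabled),
        "alert_only": sorted(s for s, r in by_sid.items() if r.enabled and r.action == "alert"),
        "unexpected": sorted(found - expected),     # SIDs newer than the ones the post lists
    }


# Constructed sample resembling a rule file; simplified bodies, not the real Talos rules.
RULES_SAMPLE = """\
# Log4Shell rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Log4j JNDI lookup attempt"; flow:to_server,established; content:"${jndi:"; fast_pattern; nocase; reference:cve,2021-44228; classtype:attempted-user; sid:58722; rev:2;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Log4j JNDI ldap lookup attempt"; flow:to_server,established; content:"${jndi:ldap"; fast_pattern; nocase; reference:cve,2021-44228; classtype:attempted-user; sid:58723; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Log4j JNDI rmi lookup attempt"; flow:to_server,established; content:"${jndi:rmi"; fast_pattern; nocase; reference:cve,2021-44228; classtype:attempted-user; sid:58724; rev:2;)
alert http ( msg:"Log4j JNDI lookup attempt in header"; flow:to_server,established; http_header; content:"${jndi:",fast_pattern,nocase; reference:cve,2021-44228; classtype:attempted-user; sid:300055; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"unrelated web rule"; content:"foo"; reference:cve,2021-1234; classtype:web-application-attack; sid:58500; rev:1;)
"""


if __name__ == "__main__":
    report = audit_log4shell(parse_rules(RULES_SAMPLE))
    for key, sids in report.items():
        tail = " ..." if len(sids) > 6 else ""
        print(f"{key:11s} {len(sids):3d}  {sids[:6]}{tail}")
```

Reading the report: anything in "missing" means step #1 did not bring in the full rule set; anything in "disabled" or "alert_only" means step #2 was not completed with "Drop and Generate Events" for every matching rule; "unexpected" lists SIDs that reference the CVE but are outside the ranges the post names, which is worth a look after a newer rule update.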


