IPS FMC for Log4Shell

In general terms, last week, a zero-day vulnerability called Log4Shell was discovered and could be exploited by remote attackers around the world. A zero-day vulnerability is a vulnerability that has just been discovered and does not yet have a patch to fix it, so the main threat is that, until the patch is released and users install it on their equipment, attackers can exploit the vulnerability and take advantage of this security hole.

That said, a critical remote code execution vulnerability has been revealed in the popular Apache Foundation Log4j library, a logging library designed to replace the built-in log4j package that is often used in popular Java projects like Apache Struts 2 and Apache Solr. It could allow an attacker to take control of an affected server. In default configurations it can be exploited by an unauthenticated remote attacker against applications that use the Log4j library.

This vulnerability, tracked as CVE-2021-44228, received the maximum CVSS severity score of 10.0 and is widely considered easy to exploit.

Cisco has made available signatures in the IPS rule package to detect exploit attempts directed at CVE-2021-44228.

They are: Snort 2 SIDs: 58722 - 58744 and Snort 3 SIDs: 300055 - 300058.

Before doing that, you must have the latest rules update package (Snort Rule Update 2021 12 11 002 vrt, as of this writing); the rules must be enabled in all intrusion policies and the policies redeployed to the firewalls.

#1) Update your package rules on your FMC:

updates / rule updates / download new rules from the Support Site/ [Import]

#2) Make a filter for CVE:"2021-44228"

policy / intrusion / <your_ftd> / rules / rule content / reference / CVE ID

Select all the matching rules and, under "rule state", choose "drop and generate events".

Click Policy Information, confirm the changes, then Deploy.
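To confirm that the deployed policy really carries the listed SIDs in the requested state, the following added example (not Cisco's or the FMC's code) audits a plain-text Snort rules file: it checks that every SID in the two ranges above is present, not commented out, and set to drop rather than alert only. It assumes you have exported the active rules to a text file in which disabled rules appear with a leading "#", as Snort rule files conventionally do. All rule lines in SAMPLE_RULES are constructed for illustration and are not real Cisco rule text.

```python
"""Audit a Snort rules file for the Log4Shell (CVE-2021-44228) rule coverage.

Added example, not Cisco's or the FMC's code. Assumes a plain-text rules
file in which disabled rules are commented out with a leading '#'.
"""
import re
from typing import Dict, List

# SID ranges named in the post for Cisco's CVE-2021-44228 coverage.
SNORT2_SIDS = set(range(58722, 58744 + 1))
SNORT3_SIDS = set(range(300055, 300058 + 1))
EXPECTED_SIDS = SNORT2_SIDS | SNORT3_SIDS
TARGET_CVE = "2021-44228"

# A rule line: optional leading '#' (disabled), then the action keyword.
RULE_RE = re.compile(r"^\s*(?P<disabled>#\s*)?(?P<action>alert|drop|block|reject)\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
CVE_RE = re.compile(r"reference\s*:\s*cve\s*,\s*([0-9]{4}-[0-9]+)", re.IGNORECASE)


def parse_rules(text: str) -> Dict[int, dict]:
    """Return {sid: {"action", "enabled", "cves"}} for each rule line found."""
    rules: Dict[int, dict] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line or ordinary comment, not a rule
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue  # malformed rule without a sid; ignore it
        sid = int(sid_m.group(1))
        rules[sid] = {
            "action": m.group("action"),
            "enabled": m.group("disabled") is None,
            "cves": {c.lower() for c in CVE_RE.findall(line)},
        }
    return rules


def audit(text: str) -> Dict[str, List[int]]:
    """Classify the expected Log4Shell SIDs against what the rules file contains.

    ok         : present, enabled, and set to drop (what the post asks for)
    alert_only : present and enabled but only alerting, so traffic still passes
    disabled   : present but commented out
    missing    : not in the file at all (rule update not imported?)
    """
    rules = parse_rules(text)
    report: Dict[str, List[int]] = {"ok": [], "alert_only": [], "disabled": [], "missing": []}
    for sid in sorted(EXPECTED_SIDS):
        rule = rules.get(sid)
        if rule is None:
            report["missing"].append(sid)
        elif not rule["enabled"]:
            report["disabled"].append(sid)
        elif rule["action"] != "drop":
            report["alert_only"].append(sid)
        else:
            report["ok"].append(sid)
    return report


def other_cve_rules(text: str) -> List[int]:
    """SIDs outside the listed ranges that also reference the CVE (e.g. local rules)."""
    return sorted(
        sid for sid, r in parse_rules(text).items()
        if TARGET_CVE in r["cves"] and sid not in EXPECTED_SIDS
    )


# Constructed sample: three rules from the listed ranges in different states,
# one local rule that also cites the CVE, and one unrelated rule. Not Cisco rule text.
SAMPLE_RULES = """\
# constructed sample rules file
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed Log4j rule in drop state"; reference:cve,2021-44228; sid:58722; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed rule left disabled"; reference:cve,2021-44228; sid:58723; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed rule in alert-only state"; reference:cve,2021-44228; sid:300055; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed local rule citing the CVE"; reference:cve,2021-44228; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"constructed unrelated rule"; sid:1000002; rev:1;)
"""

if __name__ == "__main__":
    result = audit(SAMPLE_RULES)
    for state, sids in result.items():
        tail = " ..." if len(sids) > 5 else ""
        print(f"{state:11s} {len(sids):3d}  {sids[:5]}{tail}")
    print("other rules citing the CVE:", other_cve_rules(SAMPLE_RULES))
```

Anything reported under "missing" usually means the rule update was never imported or the policy was not redeployed; "alert_only" and "disabled" entries point at rules that exist but were not switched to "drop and generate events" in every policy.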

