topic Re: FMC/FTD Snort Question in Network Security

FMC/FTD Snort Question

benolyndav — Sat, 11 Dec 2021 20:17:49 GMT

So received this info from and am wondering how I check we have received these on our FMC devices.???

Cisco Talos has released the following Snort SIDs to detect exploitation attempts targeting CVE-2021-44228: 58722 - 58739 and 300055 - 300057.

Apache Foundation Log4j 2 vulnerability (CVE-2021-44228).

Re: FMC/FTD Snort Question

RAFAEL LOPEZ — Sun, 12 Dec 2021 00:40:09 GMT

Hi,

in fmc go to Policies>Intrucion>"the policie that you have applied to your devices">rules, and in the filter put "Apache Log4j"

you will see all the "SID" from 58722 to 58739, and in the action you should see "a red x" thats mean "Drop and Generate Events"

From the range 300055 - 300057im not shure if its rigth or apply to FMC i cannot see any rule in that range maybe is only 2 0 instade of 3...

30057

MALWARE-CNC Win.Trojan.Peronspy outbound system information disclosure

30055

MALWARE-CNC Win.Trojan.Deventiz CWD system information disclosure via FTP

also maybe its obvius but you have to have internet acces in order to download the rule Update. i have

Running Snort Rule update version: 2021-12-11-001-vrt

I hope it helps you

Re: FMC/FTD Snort Question

Akmal Zamin — Mon, 13 Dec 2021 06:41:01 GMT

Hi Rafael,

Is by updating the snort rule in the rule update will mitigate the vulnerability since i couldnt find any other resolution officially announce by cisco.

Re: FMC/FTD Snort Question

Marvin Rhoads — Mon, 13 Dec 2021 07:07:21 GMT

The Snort rule will block traffic transiting the firewall that matches the vulnerability - if it can be seen. If, for example, the traffic is encapsulated in an undecrypted TLS flow (for example, over https) it won't be seen and thus cannot be blocked.

Note also that the rule also only applies to traffic through the firewall. As of the time of this writing, Cisco is still evaluating the firewall software itself as to the impact of the Log4j vulnerability.

Re: FMC/FTD Snort Question

Akmal Zamin — Mon, 13 Dec 2021 08:15:52 GMT

Hi Marvin,

Thanks for the explanation, so best case scenario for now is to only update the snort rule to latest once released since cisco is still evaluating the vulnerability.

Re: FMC/FTD Snort Question

Frank Osberg — Fri, 17 Dec 2021 08:12:31 GMT

Hi Rafael,

Do you have info on how to make a report on this matter, so this info can be highlighted to the business. 🙂

Thanks

Frank

Re: FMC/FTD Snort Question

RAFAEL LOPEZ — Sat, 18 Dec 2021 18:30:56 GMT

Hi the easy way that i know is,

if you can see the event under the tab of "analysis" for example on Analisis>Intrusion>events> if you see any triggered ips firm you can click on the button "Report designer" and customise your report or you can play with the field of the filter serch, for example the field called "message" on the ips events

also this is a vulnerability and it will be used by an exploit or ransomware or so, for example conty is a ransomware that are using this vulnerability and as ransomware you will see in malware events, or file policies, and as the Leyend Marvin say if it is encrypted and you cannot unencript the trafic it will never trigger an event in the FMC(and you need a proper configuration of filepolicy and also malware protection license).

Also some version of FTD are vulnerables and other cisco devices so please take a look on this security advisor from Cisco

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

and a little meme for smile :3

Regards!

Re: FMC/FTD Snort Question

Frank Osberg — Sat, 18 Dec 2021 20:04:23 GMT

Hi Rafael,

Thanks for a great reply here..

So just to get one thing clarified.... You wrote :

also this is a vulnerability and it will be used by an exploit or ransomware or so, for example conty is a ransomware that are using this vulnerability and as ransomware you will see in malware events, or file policies, and as the Leyend Marvin say if it is encrypted and you cannot unencrypt the traffic it will never trigger an event in the FMC(and you need a proper configuration of filepolicy and also malware protection license).

Will this mean that traffic will not be detected by the FTD/FMC?? The reason why I am asking is that we can see that our FMC/FTD are not detecting any of the CVE for log4j, even do that snort2 is fully updated and should prevent this. But our MS Sentinel is telling us that we are been hit by it.... The IP we can see that are been used are also been noticed on github : Log4j IP Block List

But my FMC just see these event as legal :

Can this be because it encrypted or, are we looking to something else here?

The IP are blocked now, but I would expect that our IPS and snort2 would block this? My FTD are running with AMP, Malware licens etc. so that should be OK. 🙂

So are we looking at FTD/FMC doing it wrong, or is this wrong info in Sentinel? 🙂

Frank

Re: FMC/FTD Snort Question

Marvin Rhoads — Mon, 20 Dec 2021 01:56:11 GMT

@Frank Osberg do your ACP Security Intelligence settings include the TALOS IP blacklist items?

Re: FMC/FTD Snort Question

Frank Osberg — Mon, 20 Dec 2021 07:29:18 GMT

Hi @Marvin Rhoads

Where in my ACP should I see this? I have some in Security Intelligence today, but this might be missing

In my Object section:

But is there missing something here?

Thanks

Re: FMC/FTD Snort Question

Marvin Rhoads — Mon, 20 Dec 2021 12:26:56 GMT

You would not see the blocks as intrusion events as I had noted unless the traffic is unencrypted (or decrypted and resigned via SSL policy). But if the SI categories you show are in your ACP you should get IP blocks as a result.

If a specific set of addresses seems to be missed then I would suggest raising a TAC case and they can refer it to TALOS.