topic Re: IPS signature 1:45304:3 is this only relevant if installed on endpoint or? in Network Security

IPS signature 1:45304:3 is this only relevant if installed on endpoint or?

evan.chadwick1 — Fri, 21 Feb 2020 15:54:44 GMT

Hi Folks,

If I receive an inbound attempt from outside to inside and it triggers snort rule 45304 (oracle weblogic signature). How do I know if this is relevant regardless of whether it is (oracle weblogic in this instance) actually installed/listening on my internal endpoint, or if it is relevant regardless if installed or not?
If it is only relevant if it is running weblogic on the endpoint, my next step is to ask the server team to confirm if it is running weblogic, and then ensure Firepower will not trigger future events for such destinations in the future.

Re: IPS signature 1:45304:3 is this only relevant if installed on endpoint or?

Shubham Bharti — Tue, 26 Jun 2018 06:41:02 GMT

According to the documentation provided SID 1-45304, the affected system is Oracle Weblogic Server. If you do not have Weblogic Server at the IP Address provided after verifying with server team, you can mark it as false positive. You can exclude this IP address from this signature using Rule editor.

Below is the link to Snort documentation:

https://www.snort.org/rule_docs/1-45304

Re: IPS signature 1:45304:3 is this only relevant if installed on endpoint or?

evan.chadwick1 — Thu, 05 Jul 2018 22:42:07 GMT

Just confirming, Firepower can detect OS versions etc, but not if Oracle or Apache is running on a server?

Re: IPS signature 1:45304:3 is this only relevant if installed on endpoint or?

Shubham Bharti — Tue, 24 Jul 2018 07:32:02 GMT

AFAIK, It cannot actively detect the OS unless you are running tools like nmap and feeding that information to FMC. It only looks at the traffic traversing through the device and determine the OS details using certainty factor depending on the traffic information. It can only detect anything that is running at the endpoint passively using the traffic information. You need to use active scanners for accurate information about a certain endpoints' OS, applications.

Re: IPS signature 1:45304:3 is this only relevant if installed on endpoint or?

evan.chadwick1 — Tue, 24 Jul 2018 22:06:43 GMT

Thanks, I am using the inbuilt nmap scanner. What if I remove any doubt and manually set the OS?

For eg,

If I create an IPS signature for one server, and forced that server to be mircosoft 2012 R2, and then set the IPS policy to recommend on the one ip address of this server. Should I expect signatures for Linux, like

1:46736:2

to be set to drop (and not drop and generate events)?

**edit, one can't set to drop and not generate events**

I just want to make sure my expectation is right before putting effort in.

Re: IPS signature 1:45304:3 is this only relevant if installed on endpoint or?

Shubham Bharti — Thu, 26 Jul 2018 10:12:57 GMT

In my knowledge, yes, manual entry will supersede the data provided through Passive monitoring. So once you identify it as Windows Server 2012, it should ideally recommend to disable all the rules related to Linux servers. The Firepower system uses Network Discovery information to make recommendations for which rules you do or do not need to have enabled.

Re: IPS signature 1:45304:3 is this only relevant if installed on endpoint or?

evan.chadwick1 — Fri, 12 Jul 2019 10:34:17 GMT

After testing with one host and manually forcing the OS to Windows i did still receive plenty of non windows attacks.

Maybe some of them are relevant even to Windows? I dont' know. But my gut feel is its just not able to 'tune out noise as well as it should'.