Firepower Intrusion Alerts and Impact rating

MauryJ
Beginner

Hello all,

I receive alerts from FMC (6.7.0.3) - Below is an example of one alert I recently received:

[1:58742:7] "SERVER-OTHER Apache Log4j logging remote code execution attempt" [Impact: Potentially Vulnerable] From "ASA-5516X" at Tue Apr  5 18:00:19 2022 UTC [Classification: Attempted User Privilege Gain] [Priority: 1] {tcp} 3.238.137.11:46096 (united states)-><internal IP>:80 (unknown)

Does this indicate that the session was blocked, or, is it just indicating that it was detected and not necessarily blocked? And does this indicate that our host possibly is vulnerable to the exploit?

Thanks

Accepted Solution

Marvin Rhoads
VIP Community Legend

The default action for that Snort rule is to Block and Alert. So unless you changed the action, it was blocked. Your intrusion events screen would show you the exact disposition.

It appears your ASA-5516X was being scanned. Normally it wouldn't have port 80 open on its public interface unless you are port forwarding to something internal.

An ASA 5516-X by itself is not vulnerable to the Log4j vulnerabilities. Reference:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
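As an added example (not code from the thread or from Cisco), a small Python parser for the FMC alert format quoted in the question, plus a triage summary that reflects the point in the accepted answer: the alert text carries the rule, impact flag and priority, but not the event's disposition, which has to be read from the intrusion events view. The sample alert is the one from the question with the redacted internal destination replaced by a placeholder RFC 1918 address.

```python
import re
import ipaddress
from datetime import datetime, timezone

# Constructed sample: the alert quoted in the question, with the redacted
# internal destination replaced by a placeholder RFC 1918 address.
SAMPLE_ALERT = (
    '[1:58742:7] "SERVER-OTHER Apache Log4j logging remote code execution attempt" '
    '[Impact: Potentially Vulnerable] From "ASA-5516X" at Tue Apr  5 18:00:19 2022 UTC '
    '[Classification: Attempted User Privilege Gain] [Priority: 1] {tcp} '
    '3.238.137.11:46096 (united states)->10.0.0.5:80 (unknown)'
)

ALERT_RE = re.compile(
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]*)" '
    r'\[Impact: (?P<impact>[^\]]+)\] From "(?P<sensor>[^"]+)" at (?P<ts>.+? UTC) '
    r'\[Classification: (?P<classification>[^\]]+)\] \[Priority: (?P<priority>\d+)\] '
    r'\{(?P<proto>\w+)\} (?P<src_ip>[\d.]+):(?P<src_port>\d+) \((?P<src_geo>[^)]*)\)'
    r'->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) \((?P<dst_geo>[^)]*)\)'
)

# FMC impact flag labels and their numeric levels (1 = most severe).
IMPACT_LEVELS = {"Vulnerable": 1, "Potentially Vulnerable": 2,
                 "Currently Not Vulnerable": 3, "Unknown Target": 4, "Unknown": 0}

def parse_alert(line):
    """Split one FMC intrusion alert line into typed fields."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("unrecognised FMC alert format")
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "src_port", "dst_port"):
        a[key] = int(a[key])
    a["timestamp"] = datetime.strptime(
        a.pop("ts"), "%a %b %d %H:%M:%S %Y UTC").replace(tzinfo=timezone.utc)
    return a

def triage(line):
    """What the alert text alone tells you, and what it does not."""
    a = parse_alert(line)
    return {
        "rule": f"{a['gid']}:{a['sid']}:{a['rev']}",
        "impact_level": IMPACT_LEVELS.get(a["impact"]),
        "from_internet": ipaddress.ip_address(a["src_ip"]).is_global,
        # The alert text carries no inline result (dropped / would have dropped);
        # the rule's configured action and the event's disposition live in FMC.
        "disposition_in_alert": False,
    }
```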

2 Replies


Thank you Marvin -

Also, the target IP was for a web application server.
