Firepower Intrusion Alerts and Impact rating

MauryJ (Level 1)

Hello all,

I receive alerts from FMC (6.7.0.3). Below is an example of one alert I recently received:

[1:58742:7] "SERVER-OTHER Apache Log4j logging remote code execution attempt" [Impact: Potentially Vulnerable] From "ASA-5516X" at Tue Apr  5 18:00:19 2022 UTC [Classification: Attempted User Privilege Gain] [Priority: 1] {tcp} 3.238.137.11:46096 (united states)-><internal IP>:80 (unknown)

Does this indicate that the session was blocked, or is it just indicating that it was detected and not necessarily blocked? And does this indicate that our host is possibly vulnerable to the exploit?

Thanks

Accepted Solution

Marvin Rhoads (Hall of Fame)

The default action for that Snort rule is to Block and Alert. So unless you changed the action, it was blocked. Your intrusion events screen would show you the exact disposition.

It appears your ASA-5516X was being scanned. Normally it wouldn't have port 80 open on its public interface unless you are port forwarding to something internal.

An ASA 5516-X by itself is not vulnerable to the Log4j vulnerabilities. Reference:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

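As an added example (not code from the original thread or from Cisco), the following Python parses the FMC intrusion-event syslog line quoted in the question and maps its Impact text to the Firepower impact level, so the two questions asked above can be answered mechanically: the field layout is inferred from the single sample line in the thread rather than from Cisco documentation, the second sample line with local rule ID 1:1000001 is constructed, and the block/allow disposition is deliberately reported as unknown because, as the accepted answer notes, the inline result is only visible in the intrusion events view, not in this alert text.

```python
import re
from datetime import datetime, timezone

# Field layout assumed from the one line quoted in the thread (not from Cisco docs):
#   [GID:SID:REV] "message" [Impact: ...] From "sensor" at <time> UTC
#   [Classification: ...] [Priority: N] {proto} src:port (country)->dst:port (country)
# IPv4 only; an IPv6 source would need a different address pattern.
ALERT_RE = re.compile(
    r'^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'"(?P<msg>[^"]*)"\s+'
    r'\[Impact:\s*(?P<impact>[^\]]+)\]\s+'
    r'From\s+"(?P<sensor>[^"]+)"\s+at\s+(?P<time>.+?\s+UTC)\s+'
    r'\[Classification:\s*(?P<classification>[^\]]+)\]\s+'
    r'\[Priority:\s*(?P<priority>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[^:\s]+):(?P<sport>\d+)\s+\((?P<src_country>[^)]*)\)'
    r'\s*->\s*'
    r'(?P<dst>[^:]+):(?P<dport>\d+)\s+\((?P<dst_country>[^)]*)\)\s*$'
)

# Firepower impact flags: the text FMC prints and the numeric level behind it.
IMPACT_LEVELS = {
    "Vulnerable": 1,                # red: target host/service is known vulnerable
    "Potentially Vulnerable": 2,    # orange: target runs the port/protocol/service
    "Currently Not Vulnerable": 3,  # yellow: target known, service not matching
    "Unknown Target": 4,            # blue: host not in the network map
    "Unknown": 0,                   # gray: no host information at all
}

SAMPLE_LINES = [
    # Line quoted in the question (destination redacted by the poster).
    '[1:58742:7] "SERVER-OTHER Apache Log4j logging remote code execution attempt" '
    '[Impact: Potentially Vulnerable] From "ASA-5516X" at Tue Apr  5 18:00:19 2022 UTC '
    '[Classification: Attempted User Privilege Gain] [Priority: 1] {tcp} '
    '3.238.137.11:46096 (united states)-><internal IP>:80 (unknown)',
    # Constructed line (hypothetical local rule 1:1000001) exercising another impact flag.
    '[1:1000001:2] "LOCAL example rule" [Impact: Currently Not Vulnerable] '
    'From "ASA-5516X" at Tue Apr  5 18:01:02 2022 UTC [Classification: Misc Activity] '
    '[Priority: 3] {udp} 192.0.2.10:5353 (unknown)->198.51.100.20:53 (unknown)',
]


def parse_alert(line: str) -> dict:
    """Split one FMC intrusion-event syslog line into typed fields."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an FMC intrusion event line: {line!r}")
    ev = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        ev[key] = int(ev[key])
    ev["impact"] = ev["impact"].strip()
    ev["impact_level"] = IMPACT_LEVELS.get(ev["impact"])  # None if FMC prints a text we do not know
    # strptime collapses the double space FMC emits for single-digit days.
    ev["time"] = datetime.strptime(ev["time"], "%a %b %d %H:%M:%S %Y UTC").replace(
        tzinfo=timezone.utc
    )
    return ev


def triage(ev: dict) -> dict:
    """Answer the two questions from the thread for one parsed event."""
    return {
        "rule": f"{ev['gid']}:{ev['sid']}:{ev['rev']}",
        "target": f"{ev['dst']}:{ev['dport']}/{ev['proto']}",
        # Impact 1 or 2 means FMC believes the target runs something the rule applies to;
        # it is a statement about the host, not about what happened to the packet.
        "target_may_be_vulnerable": ev["impact_level"] in (1, 2),
        # The alert text carries no inline result, so block vs. allow cannot be read
        # from it; check the event's Inline Result column in FMC instead.
        "blocked": None,
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(triage(parse_alert(line)))
```

The parser raises on lines that do not follow the sampled layout rather than guessing, and `IMPACT_LEVELS.get` returns `None` for an impact text it has not seen, so a new FMC release that changes wording shows up as unmapped rather than silently landing in the "safe" bucket.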

2 Replies


Thank you Marvin -

Also, the target IP was for a web application server.
