06-18-2017 05:14 PM - edited 03-12-2019 06:25 AM
Hi Folks,
After defining what my Home_net definitions are, I would have thought Firepower would know to only report a network trojan if it originated from a Home_net source. Main reason for asking is I want to reduce the amount of P1's I don't need to look at and I would have thought that Firepower should only tell me when my internal is originating to known trojan destinations.
For example, below is an example of an external source to x.x.x.x, an internal IP.
[1:21925:6] "BLACKLIST User-Agent known malicious user agent BOT/0.1" [Impact: Vulnerable] From "firewall" at Sun Jun 18 10:25:11 2017 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {tcp} 37.187.39.232:59166 (france)->x.x.x.x:80 (unknown)
06-20-2017 07:49 PM
Good point. I'm not sure.
Perhaps the TAC could assist in answering that.
06-19-2017 06:58 AM
Trojan activity would normally be expected to trigger no matter what zone the traffic is originating from.
Did your policy block it?
06-19-2017 12:42 PM
But a first attempt from outside to inside that is blocked is not even trojan activity.
Yes, it blocked it, as it's just nefarious traffic out on the internet trying to do stuff. I would have thought it would be best to only report on network trojans if a/ they didn't get blocked and b/ they made it inside, i.e. inside is trying to talk to outside with known trojan activity.
Is there any way to tweak the alerting to not report P1 events that are blocked? Other than suppression and thresholds via IPS? Could be a good feature: a P1 category that is blocked is treated differently to a P1 category that is not blocked. Or perhaps a tick box that says ignore alerting for Outside talking to Home_Net that is blocked.
06-20-2017 05:40 PM
This confirms things: the IP source on the internet is a Malware Hunter IP address. Would like to know why Firepower, with defined HOME_NET, is treating it as a P1:
Why did my security software raise an alert?
Malware Hunter doesn't perform any attacks and the requests it sends don't contain any malicious content. The reason your security product raised an alert is because it is using a signature that should only be used for traffic leaving the network (egress) but is incorrectly being applied to incoming traffic (ingress). In other words: the security product is using a signature that was meant to detect when a computer on your network was infected and reporting back to a C2. However, the signature is also being applied to all traffic going into your network which is why it's raising a false alert.
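An added example, not from this thread or from Cisco/Talos, of the direction check the quote above describes, applied to the alert line format from the first post: it parses an alert, tests source and destination against a HOME_NET list, and demotes a "Network Trojan" hit for local triage only when the flow is ingress. The HOME_NET ranges, the internal address 192.168.10.5 and the external address 203.0.113.7 are constructed values standing in for the poster's x.x.x.x.

```python
import ipaddress
import re

# Constructed HOME_NET (assumption: RFC 1918 ranges stand in for the poster's real definition)
HOME_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the Firepower/Snort alert line shape quoted in the thread
ALERT_RE = re.compile(
    r'\[(?P<sid>\d+:\d+:\d+)\] "(?P<msg>[^"]+)".*?\[Classification: (?P<cls>[^\]]+)\]'
    r'.*?\[Priority: (?P<prio>\d+)\]\s*\{(?P<proto>\w+)\}\s*'
    r'(?P<src>[\d.]+):(?P<sport>\d+)(?: \([^)]*\))?->(?P<dst>[\d.]+):(?P<dport>\d+)'
)

# Constructed sample alerts: the thread's ingress hit, and the egress case the rule is meant for
INGRESS_ALERT = ('[1:21925:6] "BLACKLIST User-Agent known malicious user agent BOT/0.1" '
                 '[Impact: Vulnerable] From "firewall" at Sun Jun 18 10:25:11 2017 UTC '
                 '[Classification: A Network Trojan was Detected] [Priority: 1] {tcp} '
                 '37.187.39.232:59166 (france)->192.168.10.5:80 (unknown)')
EGRESS_ALERT = INGRESS_ALERT.replace('37.187.39.232:59166 (france)->192.168.10.5:80 (unknown)',
                                     '192.168.10.5:51234 (unknown)->203.0.113.7:80 (unknown)')

def in_home_net(ip):
    """True when ip falls inside any HOME_NET range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def classify(alert_line):
    """Parse one alert line and tag its direction relative to HOME_NET; None if unparseable."""
    m = ALERT_RE.search(alert_line)
    if not m:
        return None
    src_home, dst_home = in_home_net(m["src"]), in_home_net(m["dst"])
    if src_home and not dst_home:
        direction = "egress"      # inside talking out: what a C2/trojan rule is written for
    elif dst_home and not src_home:
        direction = "ingress"     # outside probing in: the thread's false-positive shape
    elif src_home and dst_home:
        direction = "internal"
    else:
        direction = "transit"
    rule_prio = int(m["prio"])
    # Local triage priority only: the Talos rule priority itself is left untouched.
    demote = direction == "ingress" and "Trojan" in m["cls"]
    triage_prio = max(rule_prio, 3) if demote else rule_prio
    return {"sid": m["sid"], "msg": m["msg"], "classification": m["cls"], "direction": direction,
            "rule_priority": rule_prio, "triage_priority": triage_prio}

if __name__ == "__main__":
    for line in (INGRESS_ALERT, EGRESS_ALERT):
        r = classify(line)
        print(r["direction"], "P%d -> triage P%d" % (r["rule_priority"], r["triage_priority"]))
```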
06-27-2017 11:00 AM
This is just the way the rule is defined. As you can see by reading the rule, it is hard coded to be a Priority 1 alert.
06-27-2017 01:55 PM
We spend a lot of time tuning Firepower to understand the network it's on and then it performs like a 1990's IPS product? This is a no brainer improvement that should be easy to implement. If rule x is triggered and is in the direction of sending to HOME_NET = !P1
06-27-2017 02:06 PM
06-27-2017 02:11 PM
Thanks for the thought.
I'm aware of such configuration. I'm coming from a bigger perspective than just myself.
06-27-2017 02:15 PM
Great. Then you know that Cisco Talos have put almost 34.000 rules in Firepower and that they are written in a specific way for a reason. This is not only for the sake of your company.
Either you use the product, or.. you don't. :)
I hope that you find a solution that will fit your needs.
06-27-2017 02:18 PM
What is the reason that Internet sourced traffic attempts from outside to inside that get blocked are flagged as a P1 and classed as a Network Trojan?
06-27-2017 02:29 PM
I am not sure that I am the right person to answer that question.
I am just happy that Talos is keeping their rules up to date, so that I get alerted if anything ugly turns up.
I see that it is their 6th release of that Snort rule and they modified the rule state in a rule update not too long ago.
Just curious. Are you running Joomla on the targeted server?
06-27-2017 02:44 PM
I was justifying time updating HOME_NET to a client. I realised at another client with HOME_NET well defined it didn't reduce OUTSIDE to INSIDE noise where I thought it was going to, such as this example.
I wanted to see if anyone had answers as to why. I'd say I've hit the limit here of this forum and that's fine.
Yes the customer is, there is also a WAF in place.