06-11-2018 04:36 PM - edited 02-21-2020 07:52 AM
Hi Folks,
I'm keen to reduce the number of Impact 2 'Apache Struts' remote code execution alerts. I have a couple of questions:
1/ Should FMC be able to tell if a server is running Apache?
2/ Is there a manual setting I can set per server (that is not an IPS suppression)?
Thanks in advance
06-14-2018 03:34 AM - edited 06-14-2018 03:36 AM
If there's a properly configured network discovery and identity policy and the sensor is online for cleartext or decrypted traffic, it should be able to tell.
You can always override with user input or add third-party or custom mapping for hosts that you know about:
06-17-2018 08:32 PM
Thanks,
This host was populated by discovery. And I also ran Nmap at it.
I guess suppression is my only option?
06-18-2018 07:33 AM
Overriding the host identity properties that were ascertained by discovery is not the same as suppression of IPS events / IOCs.
I'd go the override route if you know for sure the discovery results are in error.
06-18-2018 02:58 PM
OK, so what you're saying here is that:
- if discovery and an Nmap scan have been successful on an endpoint, and Firepower treats the endpoint as having the Apache Struts vulnerability (flagging it in the events section), then one can be confident that the endpoint is running Apache. If the endpoint is not running Apache, then Firepower should not apply the Apache vulnerability, and there will be no 'noise' in the logs about it.
I'm currently asking the server team to confirm Apache on a few devices that regularly get flagged for the Struts vulnerability. It's a constant hit, and it's just an outside-to-inside initiated attempt (fairly low importance to be visible to me, as it's blocked and not internally initiated).
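The confirmation step in the post above (checking whether a flagged host actually serves Apache httpd, or a Java servlet container where Apache Struts would really run) can be done from a workstation with a plain HTTP banner check. The following is an added example, not code from this thread or from Cisco: it parses an HTTP response and applies a few header and body heuristics. The sample responses are constructed for illustration, and `probe_http()` is a hypothetical helper name that performs a real request only if you call it against a host you are authorized to test.

```python
"""Banner check: does a host flagged for Apache Struts events actually run
Apache httpd and/or a Java servlet container? (Added example, not from the
original thread; sample responses below are constructed.)"""
import re
import socket
from typing import Dict

# Constructed sample responses, not captured from any real host.
SAMPLE_HTTPD = (
    b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
    b"Content-Type: text/html\r\n\r\n<html><body>hello</body></html>"
)
SAMPLE_TOMCAT = (
    b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
    b"Set-Cookie: JSESSIONID=ABC123; Path=/\r\nContent-Type: text/html\r\n\r\n"
    b'<html><a href="/login.action">login</a></html>'
)
SAMPLE_IIS = (
    b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n"
    b"X-Powered-By: ASP.NET\r\n\r\n<html></html>"
)

JAVA_SERVER_MARKERS = ("coyote", "tomcat", "jboss", "jetty", "weblogic", "glassfish")
# Struts actions are conventionally mapped to *.action or *.do URLs.
STRUTS_LINK = re.compile(rb'(?i)href="[^"]*\.(action|do)(\?|")')


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Return the status line (under '_status') and lower-cased header names
    from a raw HTTP response; the body is ignored here."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    lines = head.split("\r\n")
    headers = {"_status": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def classify(raw: bytes) -> Dict[str, bool]:
    """Heuristic fingerprint of a raw HTTP response.

    apache_httpd   - Server header names the Apache httpd daemon itself
                     ("Apache-Coyote" is Tomcat's connector, so it is excluded).
    java_container - Server/X-Powered-By/Set-Cookie point at a Java servlet
                     container, which is where a Struts application would run.
    struts_hint    - body links or a redirect use Struts-style .action/.do URLs.
    """
    h = parse_headers(raw)
    server = h.get("server", "").lower()
    powered = h.get("x-powered-by", "").lower()
    cookie = h.get("set-cookie", "").lower()
    location = h.get("location", "").lower()
    body = raw.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in raw else b""

    apache_httpd = server.startswith("apache") and not any(
        m in server for m in ("coyote", "tomcat")
    )
    java_container = (
        any(m in server for m in JAVA_SERVER_MARKERS)
        or "servlet" in powered
        or "jsp" in powered
        or "jsessionid=" in cookie
    )
    struts_hint = bool(STRUTS_LINK.search(body)) or ".action" in location
    return {
        "apache_httpd": apache_httpd,
        "java_container": java_container,
        "struts_hint": struts_hint,
    }


def probe_http(host: str, port: int = 80, timeout: float = 3.0) -> bytes:
    """Hypothetical helper: fetch the root page over plain HTTP and return the
    raw response (first 64 KiB) for classify(). Only run against hosts you are
    authorized to test; not exercised offline."""
    request = (
        f"GET / HTTP/1.0\r\nHost: {host}\r\nUser-Agent: banner-check\r\n\r\n"
    ).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks, total = [], 0
        while total < 65536:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            total += len(data)
    return b"".join(chunks)


if __name__ == "__main__":
    for label, sample in (("httpd", SAMPLE_HTTPD), ("tomcat", SAMPLE_TOMCAT), ("iis", SAMPLE_IIS)):
        print(label, classify(sample))
```

A host that comes back as neither `apache_httpd` nor `java_container` is a good candidate for the host-profile override described earlier in the thread; a host that shows `java_container` but not `apache_httpd` is worth a closer look before assuming the Struts alerts are noise, since Struts is a Java web framework and does not need the httpd daemon to be present.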