1600 Views, 0 Helpful, 4 Replies

FMC to know if server is running apache or not

evan.chadwick1
Level 1

Hi Folks,

I'm keen to reduce the number of Impact 2 'Apache Struts' remote code execution alerts. I have a couple of questions:

1/ Should FMC be able to tell if a server is running Apache?

2/ Is there a manual setting I can set per server (that is not an IPS suppression)?


Thanks in advance


4 Replies

Marvin Rhoads
Hall of Fame

If there's a properly configured network discovery and identity policy and the sensor is online for cleartext or decrypted traffic, it should be able to tell.


You can always override with user input or add third party or custom mapping for hosts that you know about:


https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/introduction_to_network_discovery_and_identity.html#concept_B9C9F7BF250847D6A4FB888CB738EA17


https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/host_identity_sources.html#ID-2219-0000023b

Thanks,

This host was populated by discovery. And I also ran Nmap at it.

I guess suppression is my only option?

Overriding the host identity properties that were ascertained by discovery is not the same as suppression of IPS events / IOCs.


I'd go the override route if you know for sure the discovery results are in error.

OK, so what you're saying here is that:

- if discovery and the Nmap scan have been successful on an endpoint, and Firepower treats that endpoint as having the Struts Apache vulnerability (flagging it in the events section), then one can be confident that the endpoint is running Apache. If the endpoint is not running Apache, then Firepower should not apply the Apache vulnerability, and there will be no 'noise' in the logs about it.


I'm currently asking the server team to confirm Apache on a few devices that regularly get flagged for the Struts vulnerability. It's a constant hit, and it's just an outside-to-inside initiated attempt (fairly low importance for me to see, as it's blocked and not internally initiated).
