Ransomware blocking signature

clark white
Level 2

Dears,

I have a Sourcefire in my network and I want to block ransomware attacks. What should I do for that? I have read on Cisco sites that Cisco has released Snort rules. What are these Snort rules?

https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170515?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=MS17-010%20(Ransomware%20WannaCry)%20Impact%20to%20Cisco%20Products&vs_k=1

What signatures do I have to search for in the Sourcefire to confirm that the Sourcefire is updated with the rules?

Thanks

6 Replies

Marvin Rhoads
Hall of Fame

Look under System > Updates > Rule Updates.

Best practice is to have FMC automatically check for rule updates, import them and deploy them to your managed sensors. You can then view the Rule Update Log to confirm they are deployed.

Snort rule update 

See the following screenshots from an FMC with 6.2 software:

Dear Marvin,

I did a rule update yesterday (16-05-2017). Has the MS17-010 signature been included? How will I come to know?

If I enable ports 139 and 445 for the remote users, the genuine users should get access, but the hacker should get blocked by the rule signatures when something wrong in the packet is seen by the Firepower.

Please correct me if I'm wrong.

Thanks

You can confirm the presence of the relevant Intrusion rules by looking at Objects > Intrusion Rules and then grouping by Microsoft Vulnerabilities and scrolling down to MS17-010.

You can further see their status in your particular Intrusion Policy by editing the policy and searching again for the MS17-010-specific rules. In my case we see the following (I am using Balanced Security and Connectivity settings):

We do not recommend opening up the SMB ports to outside access. If you require remote access to your servers, they should be accessed by users who have connected via VPN and been duly authenticated and authorized. Otherwise you have no way of confirming their identity until they are already at the server, and you are unnecessarily exposing your server not only to this threat but to many others as well - some of which may be yet unknown to the community.
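The same check Marvin describes in the FMC GUI (find the rules that reference MS17-010 and see whether they are enabled) can be done against a plain Snort rules file. This is an added example, not from the thread or from Cisco: it parses rule metadata, filters on the `reference:` option, and reports which matching SIDs are enabled or commented out. The sample rules, their SIDs and the reference URL are constructed for illustration; in an FMC deployment the enabled/disabled state lives in the intrusion policy, not in a `#` prefix, so this applies to an exported or standalone rules file.

```python
import re

# Constructed sample rules for this example (not from the thread or a Cisco rule update);
# SIDs 9000001-9000003 are placeholders. In a plain Snort rules file a leading '#'
# marks a disabled rule.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS SMB remote code execution attempt"; flow:to_server,established; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-010; classtype:attempted-admin; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS SMB transaction overflow attempt"; flow:to_server,established; reference:url,technet.microsoft.com/en-us/security/bulletin/ms17-010; classtype:attempted-admin; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-WEBAPP unrelated rule"; flow:to_server,established; reference:url,example.com/unrelated; classtype:web-application-attack; sid:9000003; rev:1;)
"""

# Rule header is everything before the first '('; options are ';'-separated key:value pairs.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|block|pass|log)\s+(?P<header>[^(]+)\((?P<options>.*)\)\s*$"
)

def parse_rules(text):
    """Return one dict per rule: sid, msg, enabled flag and the list of reference values."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line or a comment that is not a commented-out rule
        rule = {"enabled": m.group("disabled") is None, "sid": None, "msg": "", "references": []}
        # Splitting on ';' is sufficient for the metadata options read here; fragments of
        # 'content' or 'pcre' options that contain ';' simply fail to match a key below.
        for opt in m.group("options").split(";"):
            key, _, val = opt.strip().partition(":")
            if key == "sid":
                rule["sid"] = int(val)
            elif key == "msg":
                rule["msg"] = val.strip().strip('"')
            elif key == "reference":
                rule["references"].append(val.strip())
        rules.append(rule)
    return rules

def find_rules_for(rules, token):
    """Rules whose references mention the bulletin/advisory token, e.g. 'ms17-010'."""
    token = token.lower()
    return [r for r in rules if any(token in ref.lower() for ref in r["references"])]

def coverage_report(text, token):
    """SIDs covering the token, split by whether the rule is enabled in the file."""
    hits = find_rules_for(parse_rules(text), token)
    return {
        "enabled": [r["sid"] for r in hits if r["enabled"]],
        "disabled": [r["sid"] for r in hits if not r["enabled"]],
    }

if __name__ == "__main__":
    print(coverage_report(SAMPLE_RULES, "ms17-010"))
```

Run against a real rules file, an empty `enabled` list for the token you care about tells you the update either did not include the rules or your policy has them switched off.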

Dear Marvin,

Yes, their identity is confirmed, but my question is: if they access without VPN, then should the installed signatures do their job?

Thanks

Yes, the signatures should do their job in the event of access without remote access VPN.

If it were my servers I would add some additional endpoint protections on them like Cisco Umbrella (former OpenDNS product) or AMP for Endpoints just to be extra cautious. The most effective security does not rely on a single solution.

Thanks Marvin

+5 to you
