CVE-2020-1472 Zerologon is about to go into the wild. Is XG able to detect those logon attacks with IPS?
Here you go: Details on the attack: https://nakedsecurity.sophos.com/2020/09/17/zerologon-hacking-windows-servers-with-a-bunch-of-zeros/
IPS Signatures with the matching attacks: https://docs.sophos.com…
See: https://news.sophos.com/en-us/2020/08/11/the-1337est-print-spooler-bug-fixed-in-august-2020s-patch-tuesday/
This story is from August. Wondering why some news pages are covering this now?
Maybe reply to this story on news to cover the CVE for Netlogon, as this CVE is missing in the table below.
__________________________________________________________________________________________________________________
Thanks for the news link. As you said, after my searches this CVE does not seem to be covered by Sophos IPS as of now.
Snort also does not have an entry in its database about CVE-2020-1472.
Sophos would need to add these to their IPS lists.
https://snort[.]org/rule_docs/1-55703
and
https://snort[.]org/rule_docs/1-55704
IPS Signatures with the matching attacks: https://docs.sophos.com/nsg/threatlabs/SFOS/IPSSummary.html
https://docs.sophos.com/nsg/threatlabs/SFOS/IPSReleaseNotes/9.17.45_s.pdf // https://docs.sophos.com/nsg/threatlabs/SFOS/IPSReleaseNotes/7.17.45_s.pdf
**Edit** Hopefully I did not break anything. FloSupport, I accidentally flagged my post as spam.
Good work! Thanks. At least some mitigation at the subnet border.
Another layer would be: Central Endpoint has its own set of IPS rules, so the endpoint can actually protect itself, in case you have a flat broadcast domain. See: https://community.sophos.com/intercept-x-endpoint/eap/b/blog/posts/notice-for-next-eap-update
Added to the IPS list:
docs.sophos.com/.../IPSSummary.html