There is a critical 0-Day exploit for Exchange already being exploited, which is pretty much the same as the "ProxyShell" vulnerability in March.
How can I check if the mitigation is already working with Snort or IPS rules?
There is also written (see "Temporary containment measures") how to create a rewrite rule to address the vulnerability, until a patch becomes available.
You should monitor your Exchange closely with an XDR solution for compromise. Currently there is too much fog around these attacks.
TrendMicro already adjusted their signatures two days ago; I could imagine Snort has too, but where do I look for them?
You can search the IPS database in the webadmin. All signatures are there.
The question is, will IPS pick up the attack or not.
As the Sophos X-Ops team is also referring to the article and mitigation I posted, it seems the rewrite rule should be the first line of defense, and everybody should have this done.
That does not answer my question regarding Snort. How could I check those?
I would start to monitor the exchange with XDR tools for IoCs and unusual activities.
You can see all signatures here:
Microsoft have been through triage now, and issued CVE-2022-41040 and CVE-2022-41082. These are two new zero-day vulnerabilities in Exchange. It appears the ProxyShell patches from early 2021 did not fix the issue.
Source: https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9
IPS signatures have not yet been updated (2022-09-30 11.00 AM CET): docs.sophos.com/.../index.html
Temporary solution: thehackernews.com/.../microsoft-confirms-2-new-exchange-zero.html
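As an added example, not posted by anyone in this thread: a small Python check that applies the request-URI condition from Microsoft's initial ProxyNotShell URL Rewrite mitigation to IIS W3C log lines, so you can see whether a rewrite rule (or a signature built on the same pattern) would have matched requests already in your logs. The log lines are constructed; the field layout and the pattern constant are assumptions you should adjust to your own logs and to Microsoft's current guidance, since the pattern was revised after the first advisory.

```python
import re
from typing import Dict, List, Optional

# Request-URI condition from Microsoft's initial ProxyNotShell (CVE-2022-41040)
# URL Rewrite mitigation. IIS evaluates it case-insensitively, so we do the same.
# Assumption: replace with the pattern from the current Microsoft guidance.
MITIGATION_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)


def request_uri(stem: str, query: str) -> str:
    """Rebuild REQUEST_URI the way the rewrite rule sees it (IIS logs '-' for no query)."""
    return stem if query == "-" else f"{stem}?{query}"


def parse_iis_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed W3C line: date time method uri-stem uri-query client-ip status."""
    parts = line.split()
    if len(parts) != 7:
        return None  # unexpected field count; assumed layout does not apply
    date, time, method, stem, query, client, status = parts
    return {"time": f"{date} {time}", "method": method,
            "uri": request_uri(stem, query), "client": client, "status": status}


def find_hits(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records whose rebuilt REQUEST_URI the mitigation pattern matches."""
    hits = []
    for raw in log_text.splitlines():
        if not raw or raw.startswith("#"):  # skip blank lines and W3C directives
            continue
        rec = parse_iis_line(raw)
        if rec and MITIGATION_PATTERN.match(rec["uri"]):
            hits.append(rec)
    return hits


# Constructed sample log (documentation IP ranges); only lines 3 and 4 match.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-09-30 10:00:01 POST /owa/auth/logon.aspx - 203.0.113.9 302
2022-09-30 10:00:02 GET /autodiscover/autodiscover.json Email=user@contoso.com 192.0.2.4 200
2022-09-30 10:00:03 GET /autodiscover/autodiscover.json @example.net/powershell 198.51.100.7 200
2022-09-30 10:00:04 GET /Autodiscover/Autodiscover.json Email=x@example.net/PowerShell 198.51.100.7 500
"""

if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        print(h["time"], h["client"], h["status"], h["uri"])
```

A match only tells you the rule would have blocked that request; review matching client IPs against the IoCs from the linked advisories and your XDR telemetry before drawing conclusions.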
Just to clarify on the matter of "Could I potentially be breached?".
If you think there could be an attack ongoing or something odd is going on in your network/company, do not hesitate to contact an incident response team. Every minute counts in such scenarios.
You will most likely find incident response teams and services on your government pages, or you can contact Sophos Rapid Response. https://www.sophos.com/en-us/products/managed-threat-response/rapid-response
New protection released for Sophos Firewall for this: