
What do I do with Firewall Security vulnerability exploitation threats?



I'm seeing a few of these related to CVE-2017-5638.Struts2. The affected servers are not running any Struts code, so I'm assuming this is detecting that someone is attempting to utilize the exploit, but how do I stop ESMC from showing these as threats once the device has been checked to ensure it's not vulnerable?

John

Link to comment
Share on other sites

  • Most Valued Members
2 hours ago, Command IT said:

I'm seeing a few of these related to CVE-2017-5638.Struts2. The affected servers are not running any Struts code, so I'm assuming this is detecting that someone is attempting to utilize the exploit, but how do I stop ESMC from showing these as threats once the device has been checked to ensure it's not vulnerable?

John

If you don't run Apache I don't know how the exploit will work, because it's exploiting Apache and Apache isn't installed, as you have said (Apache Struts). Just keep your systems up to date with security patches, and try to find out what source this attack is coming from.

Why do you want it to stop showing you about threats or attacks?

Edited by Rami

13 minutes ago, Rami said:

Why do you want it to stop showing you about threats or attacks?

I want to get notified when there's something that requires action, so I have email notifications for unresolved threats. These show up as unresolved threats. An analogy would be: I'm interested in knowing if someone walking down the street has tried to open my front door but it was locked (resolved threat), but I really want to know if the door got opened (unresolved threat).


  • Administrators

IDS detections are blocked automatically. In Endpoint's log you should see the action "Blocked". Unfortunately, the message is translated by ESMC as "Detected", which may cause confusion. This will be fixed in ESMC v7.1 at the latest, to the best of my knowledge.

To prevent network attacks, if you are behind a router / firewall, also make sure that ESET (ideally Endpoint v7) is installed on every machine and that arbitrary machines cannot connect to the network. Every machine in the LAN should be fully patched.

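As an added example (not from this thread and not ESET's own code or export format), a small Python triage filter over constructed, ESET-like log lines: it treats an IDS hit whose recorded action is "Blocked" as resolved even though the display label reads "Detected", keeps only unhandled events for the e-mail notification, and counts blocked attempts per source so the attempts stay visible in a summary. The key=value layout, field names and sample values are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines in an assumed key=value layout (not ESET's real
# export format). "status" carries the ESMC display label, which reads
# "Detected" even for IDS hits the endpoint already blocked; "action" carries
# what the endpoint actually did.
SAMPLE_LOG = """\
time=2018-10-21T01:10:02 module=IDS threat=CVE-2017-5638.Struts2 action=Blocked source=203.0.113.7 target=10.0.0.5:8080 status=Detected
time=2018-10-21T01:12:44 module=IDS threat=CVE-2017-5638.Struts2 action=Blocked source=203.0.113.7 target=10.0.0.6:8080 status=Detected
time=2018-10-21T01:15:09 module=IDS threat=CVE-2017-5638.Struts2 action=Blocked source=198.51.100.20 target=10.0.0.5:8080 status=Detected
time=2018-10-21T02:30:11 module=Antivirus threat=Eicar action="Unable to clean" source=10.0.0.9 target=C:/tmp/x.exe status=Detected
"""

# key=value pairs; values may be quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

# Actions meaning the endpoint already handled the event: nothing left to do.
RESOLVING_ACTIONS = {"Blocked", "Cleaned", "Deleted", "Quarantined"}

def is_resolved(event):
    """Resolved when the recorded action handled the event, regardless of the
    display label (which says 'Detected' for blocked IDS hits too)."""
    return event.get("action") in RESOLVING_ACTIONS

def _events(log_text):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]

def events_requiring_action(log_text):
    """Only the events an admin should be e-mailed about (the 'door opened' case)."""
    return [e for e in _events(log_text) if not is_resolved(e)]

def blocked_ids_by_source(log_text):
    """Blocked IDS hits per source for a periodic summary (the 'tried the door'
    case), so attempts stay visible without each one triggering a notification."""
    return Counter(e["source"] for e in _events(log_text)
                   if e.get("module") == "IDS" and is_resolved(e))

if __name__ == "__main__":
    for e in events_requiring_action(SAMPLE_LOG):
        print("ACTION NEEDED:", e["threat"], e["action"], e["target"])
    print("Blocked IDS attempts by source:", dict(blocked_ids_by_source(SAMPLE_LOG)))
```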

  • ESET Insiders

Eset may also want to start using the terminology IDS and IPS to prevent confusion. The following, from Marvin Rhoads, a member of the Cisco Community, is a good description that explains the difference between IDS and IPS. IDS does not block or remediate any traffic at all; you need IPS to do that.

"IDS only logs or alerts on malicious traffic."

"IPS inspects traffic flowing through a network and is capable of blocking or otherwise remediating flows that it determines are malicious."


https://community.cisco.com/t5/firewalls/what-is-the-difference-between-ips-ids-and-a-firewall/td-p/2419412

Edited by cutting_edgetech

Actually Eset's IDS protection is a hybrid IDS/IPS in that besides blocking the activity, it gives you the option to be informed about the activity:

[Screenshot: Eset_IDS.png]

Edited by itman

  • ESET Insiders

Eset can actually block detected attacks, and does, so it should reflect that by showing something like IDS/IPS or separate settings for IDS and IPS in the GUI.

Edited: 10/21/18 @ 1:17

I want to point out that you are correct about it being Hybrid. My suggestion is only that the GUI reflects that correctly by the changes I mentioned above.

Edited by cutting_edgetech