What do I do with Firewall Security vulnerability exploitation threats?

[Command IT 7]

I'm seeing a few of these related to CVE-2017-5638.Struts2. The affected servers are not running any Struts code, so I'm assuming this is detecting that someone is attempting to utilize the exploit, but how do I stop ESMC from showing these as threats once the device has been checked to ensure it's not vulnerable?

John

[Nightowl 206]

2 hours ago, Command IT said:

I'm seeing a few of these related to CVE-2017-5638.Struts2. The affected servers are not running any Struts code, so I'm assuming this is detecting that someone is attempting to utilize the exploit, but how do I stop ESMC from showing these as threats once the device has been checked to ensure it's not vulnerable?

John

If you don't run Apache I don't know how the exploit will work because it's exploiting Apache and Apache isn't installed as you have said (Apache Struts) , just keep your systems up to date with security patches , and try to know this attack is coming from what source

Why do you want it to stop showing you about threats or attacks?

Edited October 18, 2018 by Rami

[Command IT 7]

13 minutes ago, Rami said:

Why do you want it to stop showing you about threats or attacks?

I want to get notified when there's something that requires action, so I have email notifications for unresolved threats.  These show up as unresolved threats. An analogy would be, I'm interested in knowing if someone walking down the street has tried to open my front door but it was locked (resolved threat), but I really want to know if the door got opened (unresolved threat)

[Marcos 5,143]

IDS detections are blocked automatically. In Endpoint's log you should see the action Blocked. Unfortunately, the message is translated by ESMC as "Detected" which may cause confusion. This will be fixed in ESMC v7.1 at latest to my best knowledge.

To prevent network attacks, if you are behind a router / firewall also make sure that ESET (ideally Endpoint v7) is installed on every machine and that arbitrary machines cannot connect to the network. Every machine in the LAN should be fully patched.

[Command IT 7]

Is there a timeline for ESMC 7.1 ?

John

[cutting_edgetech 25]

Eset may also want to start using the terminology IDS, and IPS to prevent confusion. The following below from Marvin Rhoads, a member of the Cisco Community is a good description that explains the difference betwen IDS, and IPS. IDS does not block, or remediate any traffic at all, you need IPS to do that.

"IDS only logs or alerts on malicious traffic."

"IPS inspects traffic flowing through a network and is capable of blocking or otherwise remediating flows that it determines are malicious."

 

https://community.cisco.com/t5/firewalls/what-is-the-difference-between-ips-ids-and-a-firewall/td-p/2419412

Edited October 20, 2018 by cutting_edgetech

[itman 1,707]

Actually Eset's IDS protection is a hybrid IDS/IPS in that besides blocking the activity, it gives you the option to be informed about the activity:

Edited October 20, 2018 by itman

[cutting_edgetech 25]

Eset can actually block detected attacks, and does so it should reflect that by showing something like IDS/IPS or separate settings for IDS and IPS in the GUI.

Edited: 10/21/18 @ 1:17

I want to point out that you are correct about it being Hybrid. My suggestion is only that the GUI reflects that correctly by the changes I mentioned above.

Edited October 21, 2018 by cutting_edgetech