can anyone tell me how to check for apache tomcat vulnerabilities on the checkpoint
So I got a notification from one of my team members that we are seeing an increase in Apache Tomcat vulnerabilities and exploits. Now I don't know if he found that out by looking at logs or something else, or maybe from some other device or tool, so can someone tell me if it's possible to know that from the Check Point logs or some other way?
Edit:
So I did some digging and typed "apache" in the logs search bar, and a lot of logs appear that show high/critical (Apache Struts URL anchor tag, remote code execution attempted from some foreign IP to a dest IP (the dest IPs would be the IPs in our environment), etc.). When I open them they are all set to Detect in the rules. Now I'm pretty sure there is a reason why they are set to Detect and not Block or something else, but I don't know why. I do know that there are desktops in our environment running Apache, so it's definitely related to that. So in case I do change the rule from Detect to Block or something, that means it's going to affect traffic to those desktops, right? So they should update the Apache Tomcat versions on their machines to prevent these logs from appearing, am I right or wrong?
Hi!
Totally doable as long as you have the respective IPS signature in detect/prevent.
You can see them by applying IPS filter + the IP of your Tomcat server in your logs.
Hope it helps 🙂
https://www.linkedin.com/in/federicomeiners/
Thanks for the reply, I just updated my post with more info, so can you look at it and tell me if I'm correct or wrong?
Probably the IPS policy that you are running has some threshold values that set those signatures in detect or somebody made an override of those signatures.
First of all you will need to define if it's a false positive or not, here is some advice:
- Are those traffic flows legit? You mentioned that you see many public IPs communicating with your environment. Are they supposed to? Why are your desktops reachable by outsiders?
- Check the involved CVEs to see if your Tomcat hosts are affected by them.
- Make a custom IPS profile to protect your Tomcat servers: Include only Tomcat + Application + OS signatures and set the protected scope to only the Tomcat hosts and IPs.
- Last but not least: You can use the technique described above to start applying protections in prevent gradually and check if your signatures break legit traffic 🙂
https://www.linkedin.com/in/federicomeiners/
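A small triage script along the lines of the filtering suggested in the replies above (IPS blade, the Tomcat hosts' IPs, Detect vs Prevent), added here as an example and not code from the thread or from Check Point: it parses constructed key=value log records (the field names, internal range and protection names are assumptions) and lists the protections that only ever fired in Detect against the Tomcat scope, with the external sources involved, so each can be reviewed before it is moved to Prevent.

```python
import shlex
import ipaddress
from collections import defaultdict

# Constructed IPS log records in a key=value export style. Field names
# (src, dst, blade, action, protection_name) and protection names are
# assumptions made for this example, not values taken from the thread.
SAMPLE_LOGS = """\
src=198.51.100.23 dst=10.1.5.20 blade=IPS action=Detect protection_name="Apache Struts URL Anchor Tag Remote Code Execution"
src=203.0.113.77 dst=10.1.5.20 blade=IPS action=Detect protection_name="Apache Struts URL Anchor Tag Remote Code Execution"
src=203.0.113.77 dst=10.1.5.21 blade=IPS action=Detect protection_name="Apache Tomcat Constructed Signature"
src=10.1.7.14 dst=10.1.5.21 blade=IPS action=Prevent protection_name="Apache Tomcat Constructed Signature"
src=198.51.100.9 dst=10.1.9.3 blade=IPS action=Detect protection_name="Apache Tomcat Constructed Signature"
src=198.51.100.9 dst=10.1.5.20 blade=Firewall action=Accept
"""

# Assumed protected scope (the Tomcat hosts a custom IPS profile would cover)
# and assumed internal address range; anything outside it counts as external.
TOMCAT_HOSTS = {"10.1.5.20", "10.1.5.21"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

def parse_record(line):
    """Split one key=value record; shlex keeps quoted values together."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def summarize_ips(log_text, hosts):
    """Per protection name: Detect/Prevent counts, destinations hit and the
    external sources involved, restricted to IPS logs against the given hosts."""
    summary = defaultdict(lambda: {"Detect": 0, "Prevent": 0, "dsts": set(), "external_sources": set()})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("blade") != "IPS" or rec.get("dst") not in hosts:
            continue
        entry = summary[rec["protection_name"]]
        entry[rec["action"]] = entry.get(rec["action"], 0) + 1
        entry["dsts"].add(rec["dst"])
        if ipaddress.ip_address(rec["src"]) not in INTERNAL_NET:
            entry["external_sources"].add(rec["src"])
    return summary

def detect_only(summary):
    """Protections that only fired in Detect for the scope: review the CVEs and
    whether the flows are legit before switching these to Prevent."""
    return sorted(n for n, e in summary.items() if e["Detect"] and not e["Prevent"])

if __name__ == "__main__":
    s = summarize_ips(SAMPLE_LOGS, TOMCAT_HOSTS)
    for name in detect_only(s):
        e = s[name]
        print(f"{name}: {e['Detect']} detect-only hits on {sorted(e['dsts'])}, "
              f"external sources {sorted(e['external_sources'])}")
```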