This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kb1
Collaborator
‎2020-02-21 03:37 PM

can anyone tell me how to check for apache tomcat vulnerabilities on the checkpoint

So i got a notification from one of my team members that we are seeing an increase in apache tomcat vulenrabilities and exploits, now i dont know if he found that out by looking at logs or something else or maybe from some other device or tool, so can someone tell me if its possible to know that from the checkpoint logs or some other way?

 

Edit-

So i did some digging and typed apache on the logs searchbar and a lot of logs appear that shows high/critical(apache strut url anchor tag,remote code execution attempted from some foreign ip to dest ip (dest ip would be the ips in our environment), etc) and when i open them they are all set to detect in the rules, now im pretty sure there is a reason as to why they are set to detect and not block or something else but i dont know why, i do know that there are desktops in our environment running apache so its definitely related to that, so in case i do change the rule from detect to block or something that means its going to affect traffic to those desktops right? so they should update the their apache tomcat versions in their machines to preven these logs from appearing am i right or wrong?

0 Kudos
4 Replies
FedericoMeiners
Advisor
‎2020-02-21 04:19 PM

Hi!

Totally doable as long as you have the respective IPS signature in detect/prevent.

You can see them by applying IPS filter + the IP of your Tomcat server in your logs.

Hope it helps 🙂

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
kb1
Collaborator
‎2020-02-21 04:23 PM
In response to FedericoMeiners

hi federico,
thanks for the reply , i just updated my post with more info so can you look at it and tell me if im correct or wrong?
0 Kudos
FedericoMeiners
Advisor
‎2020-02-21 04:48 PM
In response to kb1

Probably the IPS policy that you are running has some threshold values that set those signatures in detect or somebody made an override of those signatures.

First of all you will need to define if it's a false positive or not, here are some advises:

  • Are those traffic flows legit? You mentioned that you see many public IPs communicating with your environment. Are they supposed to? Why your desktops are reachable by outsiders?
  • Check the involved CVEs to see if your Tomcat hosts are affected by them.
  • Make a custom IPS profile to protect your Tomcat servers: Include only Tomcat + Application + OS signatures and set the protected scope to only the Tomcat hosts and IPs.
  • Last but not least: You can use the technique described above to start applying protections in prevent gradually and check if your signatures break legit traffic 🙂

 

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
kb1
Collaborator
‎2020-02-21 11:40 PM
In response to FedericoMeiners

Thanks for the suggestions!
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events