{"id":22414,"date":"2021-07-29T15:18:50","date_gmt":"2021-07-29T14:18:50","guid":{"rendered":"https:\/\/aidanfinn.com\/?p=22414"},"modified":"2021-07-29T15:18:50","modified_gmt":"2021-07-29T14:18:50","slug":"testing-azure-firewall-idps","status":"publish","type":"post","link":"https:\/\/aidanfinn.com\/?p=22414","title":{"rendered":"Testing Azure Firewall IDPS"},"content":{"rendered":"<p>In this post, I will show you how to test IDPS in Azure Firewall Premium, including test exploits and how to search the logs for alerts.<\/p>\n<h2>Azure Firewall Setup<\/h2>\n<p>You are going to need a few things:<\/p>\n<ul>\n<li>Ideally a hub and spoke deployment of some kind, with a virtual machine in two different spokes. My lab is Azure Virtual WAN, using a VNet as the &#8220;compromised on-premises&#8221; and a second VNet as the target.<\/li>\n<li>Azure Firewall Premium SKU with logging enabled to a Log Analytics Workspace.<\/li>\n<li>Azure Firewall Policy Premium SKU, with IDPS enabled for Alert &amp; Deny.<\/li>\n<\/ul>\n<p>Make sure that you have firewall rules and NSG rules <em>open\u00a0<\/em>to allow your &#8220;attacks&#8221; &#8211; the point of IDPS is to stop traffic on legitimate protocols\/ports.<\/p>\n<h2>Compromised On-Premises Machine<\/h2>\n<p>One can use Kali Linux <a href=\"https:\/\/azuremarketplace.microsoft.com\/en\/marketplace\/apps\/kali-linux.kali-linux?tab=overview\" target=\"_blank\" rel=\"noopener\">from the Azure Marketplace<\/a> but I prefer to work in Windows. 
So I deployed a Windows Server VM and <a href=\"https:\/\/github.com\/rapid7\/metasploit-framework\/wiki\/Nightly-Installers\" target=\"_blank\" rel=\"noopener\">downloaded\/deployed Metasploit Opensource<\/a>, which is installed into C:\\metasploit-framework.<\/p>\n<p>The console that you&#8217;ll use to run the commands is C:\\metasploit-framework\\bin\\msfconsole.bat.<\/p>\n<p>If you want to try something simpler, then all you will need is the normal Windows Command Prompt.<\/p>\n<h2>The Exploit Test<\/h2>\n<p>If you are using Metasploit, in the console, run the following to search for &#8220;coldfusion&#8221; tests:<\/p>\n<p><em>search coldfusion<\/em><\/p>\n<p>Select a test:<\/p>\n<p><em>use auxiliary\/scanner\/http\/coldfusion_locale_traversal<\/em><\/p>\n<p>Set the RHOST (remote host to target) option:<\/p>\n<p><em>set RHOST &lt;IP address to target&gt;<\/em><\/p>\n<p>Verify that all required options are set:<\/p>\n<p><em>show options<\/em><\/p>\n<p>Execute the test:<\/p>\n<p><em>run<\/em><\/p>\n<p>Otherwise, you can run the following curl command in Windows Command Prompt for a simpler test: it makes a web request to your target IP using the well-known BlackSun user agent (use straight double quotes, not the curly ones a blog editor may substitute):<\/p>\n<p><em>curl -A \"BlackSun\" &lt;IP address to target&gt;<\/em><\/p>\n<h2>Check Your Logs<\/h2>\n<p>It can take a little time for data to appear in your logs. Give it a few minutes and then run this query in Log Analytics (again with straight quotes):<\/p>\n<p>AzureDiagnostics | where ResourceType == \"AZUREFIREWALLS\" | where OperationName == \"AzureFirewallIDSLog\" | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort \" to \" TargetIP \":\" TargetPort \". Action: \" Action \". Signature: \" Signature \". IDS: \" Reason | project TimeGenerated, Protocol, SourceIP, SourcePort, TargetIP, TargetPort, Action, Signature, Reason | sort by TimeGenerated<\/p>\n
<p><a href=\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2021\/07\/AzureFirewallIDPSBlockingMetasploit.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-22421\" src=\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2021\/07\/AzureFirewallIDPSBlockingMetasploit.png\" alt=\"\" width=\"1681\" height=\"694\" srcset=\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2021\/07\/AzureFirewallIDPSBlockingMetasploit.png 1681w, https:\/\/aidanfinn.com\/wp-content\/uploads\/2021\/07\/AzureFirewallIDPSBlockingMetasploit-300x124.png 300w, https:\/\/aidanfinn.com\/wp-content\/uploads\/2021\/07\/AzureFirewallIDPSBlockingMetasploit-1024x423.png 1024w, https:\/\/aidanfinn.com\/wp-content\/uploads\/2021\/07\/AzureFirewallIDPSBlockingMetasploit-768x317.png 768w, https:\/\/aidanfinn.com\/wp-content\/uploads\/2021\/07\/AzureFirewallIDPSBlockingMetasploit-1536x634.png 1536w, https:\/\/aidanfinn.com\/wp-content\/uploads\/2021\/07\/AzureFirewallIDPSBlockingMetasploit-1200x495.png 1200w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/a><\/p>\n<p>That should highlight anything that IDPS alerted on &amp; denied &#8211; and can also be useful for creating incidents in Azure Sentinel.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this post, I will show you how to test IDPS in Azure Firewall Premium, including test exploits and how to search the logs for alerts. Azure Firewall Setup You are going to need a few things: Ideally a hub and spoke deployment of some kind, with a virtual machine in two different spokes. 
My &hellip; <a href=\"https:\/\/aidanfinn.com\/?p=22414\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Testing Azure Firewall IDPS&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":22423,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[5],"tags":[306,476,423,479],"class_list":["post-22414","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","tag-azure-firewall","tag-idps","tag-log-analytics","tag-metasploit"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/aidanfinn.com\/wp-content\/uploads\/2021\/07\/MetasploitIDPSFirewall.png","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/22414","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=22414"}],"version-history":[{"count":8,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/22414\/revisions"}],"predecessor-version":[{"id":22424,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/22414\/revisions\/22424"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/media\/22423"}],"wp:attachment":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&p
arent=22414"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=22414"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=22414"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}