Suricata Coverage for Log4Shell Hunting (CVE-2021-44228)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Outgoing connection after Log4j Exploit Attempt (uses xbit from sid: 21003734) - requires `stream.inline=yes` setting in suricata.yaml for this to work | |
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FOX-SRT - Suspicious - Possible outgoing connection after Log4j Exploit Attempt"; flow:established, to_server; xbits:isset, fox.log4shell.attempt, track ip_src; stream_size:client, =, 1; stream_size:server, =, 1; threshold:type limit, track by_dst, count 1, seconds 3600; classtype:bad-unknown; metadata:ids suricata; metadata:created_at 2021-12-12; priority:3; sid:21003740; rev:1;) | |
# Detects inbound Java class | |
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "FOX-SRT - Suspicious - Java class inbound"; flow:established, to_client; content: "|CA FE BA BE 00 00 00|"; depth:20; fast_pattern; threshold:type limit, track by_dst, count 1, seconds 43200; metadata:ids suricata; metadata:created_at 2021-12-12; classtype:bad-unknown; priority:3; sid:21003742; rev:2;) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment