2021-12-12 13:20:54 Author: mp.weixin.qq.com(查看原文) 阅读量:116 收藏
使用Apache Log4j RCE尝试攻击的源IP,其中包含很大部分Tor节点,建议短时间内执行阻断:
1.116.59.211 |
1.14.17.89 |
103.103.0.141 |
103.103.0.142 |
103.214.5.13 |
104.244.72.115 |
104.244.72.129 |
104.244.72.136 |
104.244.72.7 |
104.244.73.126 |
104.244.73.43 |
104.244.73.85 |
104.244.73.93 |
104.244.74.211 |
104.244.74.55 |
104.244.74.57 |
104.244.75.225 |
104.244.75.74 |
104.244.76.13 |
104.244.76.170 |
104.244.76.173 |
104.244.76.44 |
104.244.77.139 |
104.244.77.235 |
104.244.78.213 |
104.244.79.6 |
107.189.1.160 |
107.189.1.178 |
107.189.10.137 |
107.189.10.143 |
107.189.11.153 |
107.189.12.135 |
107.189.13.143 |
107.189.14.182 |
107.189.14.76 |
107.189.14.98 |
107.189.28.100 |
107.189.28.241 |
107.189.29.107 |
107.189.29.41 |
107.189.3.244 |
107.189.31.195 |
107.189.31.241 |
107.189.8.65 |
109.237.96.124 |
109.70.100.22 |
109.70.100.23 |
109.70.100.25 |
109.70.100.26 |
109.70.100.27 |
109.70.100.31 |
109.70.100.34 |
109.70.100.36 |
116.24.67.213 |
121.4.56.143 |
121.5.219.20 |
122.161.50.23 |
128.31.0.13 |
133.18.201.195 |
134.122.34.28 |
135.148.43.32 |
137.184.102.82 |
137.184.104.73 |
137.184.106.119 |
137.184.28.58 |
137.184.99.8 |
138.68.167.19 |
139.59.8.39 |
139.59.97.205 |
140.246.171.141 |
142.93.151.166 |
142.93.34.250 |
143.110.221.204 |
143.198.32.72 |
143.198.45.117 |
145.220.24.19 |
146.56.131.161 |
147.182.131.229 |
147.182.150.124 |
147.182.154.100 |
147.182.167.165 |
147.182.169.254 |
147.182.198.103 |
147.182.215.36 |
147.182.219.9 |
150.158.189.96 |
151.115.60.113 |
151.80.148.159 |
152.89.239.12 |
154.39.255.195 |
154.94.7.88 |
157.230.32.67 |
157.245.109.75 |
159.203.8.145 |
159.223.9.17 |
159.65.155.208 |
159.65.194.103 |
159.65.3.102 |
159.65.58.66 |
161.35.119.60 |
162.142.125.193 |
162.142.125.194 |
162.142.125.195 |
162.142.125.196 |
162.142.125.42 |
162.142.125.43 |
162.142.125.44 |
162.142.125.58 |
162.142.125.59 |
162.142.125.60 |
162.247.74.201 |
162.247.74.202 |
162.247.74.206 |
162.247.74.27 |
162.247.74.7 |
162.255.202.246 |
163.172.157.143 |
163.172.213.212 |
164.90.199.216 |
166.70.207.2 |
167.248.133.113 |
167.248.133.114 |
167.248.133.115 |
167.248.133.116 |
167.248.133.41 |
167.248.133.42 |
167.248.133.43 |
167.248.133.44 |
167.248.133.57 |
167.248.133.58 |
167.248.133.59 |
167.248.133.60 |
167.71.13.196 |
167.94.138.113 |
167.94.138.114 |
167.94.138.115 |
167.94.138.116 |
167.94.138.41 |
167.94.138.42 |
167.94.138.43 |
167.94.138.44 |
167.94.138.57 |
167.94.138.58 |
167.94.138.59 |
167.94.138.60 |
167.94.145.60 |
167.99.164.201 |
167.99.172.213 |
167.99.172.58 |
170.210.45.163 |
171.25.193.20 |
171.25.193.25 |
171.25.193.77 |
171.25.193.78 |
172.106.17.218 |
175.6.210.66 |
176.10.104.240 |
176.10.99.200 |
178.17.170.135 |
178.17.170.23 |
178.17.171.102 |
178.17.174.14 |
178.176.202.121 |
178.176.203.190 |
178.20.55.16 |
178.62.79.49 |
179.43.187.138 |
18.27.197.252 |
180.149.231.245 |
181.214.39.2 |
185.10.68.168 |
185.100.86.128 |
185.100.87.139 |
185.100.87.174 |
185.100.87.202 |
185.100.87.41 |
185.107.47.171 |
185.107.47.215 |
185.107.70.56 |
185.129.61.1 |
185.129.61.4 |
185.130.44.108 |
185.14.97.147 |
185.165.169.18 |
185.220.100.240 |
185.220.100.241 |
185.220.100.242 |
185.220.100.243 |
185.220.100.244 |
185.220.100.245 |
185.220.100.246 |
185.220.100.247 |
185.220.100.248 |
185.220.100.249 |
185.220.100.250 |
185.220.100.251 |
185.220.100.252 |
185.220.100.253 |
185.220.100.254 |
185.220.100.255 |
185.220.101.1 |
185.220.101.10 |
185.220.101.128 |
185.220.101.129 |
185.220.101.131 |
185.220.101.132 |
185.220.101.133 |
185.220.101.134 |
185.220.101.135 |
185.220.101.136 |
185.220.101.137 |
185.220.101.138 |
185.220.101.139 |
185.220.101.14 |
185.220.101.140 |
185.220.101.141 |
185.220.101.142 |
185.220.101.143 |
185.220.101.144 |
185.220.101.145 |
185.220.101.146 |
185.220.101.147 |
185.220.101.148 |
185.220.101.149 |
185.220.101.150 |
185.220.101.151 |
185.220.101.152 |
185.220.101.153 |
185.220.101.154 |
185.220.101.155 |
185.220.101.156 |
185.220.101.157 |
185.220.101.158 |
185.220.101.159 |
185.220.101.16 |
185.220.101.160 |
185.220.101.161 |
185.220.101.162 |
185.220.101.163 |
185.220.101.164 |
185.220.101.165 |
185.220.101.166 |
185.220.101.167 |
185.220.101.168 |
185.220.101.169 |
185.220.101.170 |
185.220.101.171 |
185.220.101.172 |
185.220.101.173 |
185.220.101.174 |
185.220.101.175 |
185.220.101.176 |
185.220.101.177 |
185.220.101.178 |
185.220.101.179 |
185.220.101.180 |
185.220.101.181 |
185.220.101.182 |
185.220.101.183 |
185.220.101.184 |
185.220.101.185 |
185.220.101.186 |
185.220.101.187 |
185.220.101.188 |
185.220.101.189 |
185.220.101.19 |
185.220.101.190 |
185.220.101.191 |
185.220.101.2 |
185.220.101.21 |
185.220.101.3 |
185.220.101.32 |
185.220.101.33 |
185.220.101.34 |
185.220.101.35 |
185.220.101.36 |
185.220.101.37 |
185.220.101.38 |
185.220.101.39 |
185.220.101.40 |
185.220.101.41 |
185.220.101.42 |
185.220.101.43 |
185.220.101.44 |
185.220.101.45 |
185.220.101.46 |
185.220.101.47 |
185.220.101.48 |
185.220.101.49 |
185.220.101.50 |
185.220.101.51 |
185.220.101.52 |
185.220.101.53 |
185.220.101.54 |
185.220.101.55 |
185.220.101.56 |
185.220.101.57 |
185.220.101.58 |
185.220.101.59 |
185.220.101.60 |
185.220.101.61 |
185.220.101.62 |
185.220.101.63 |
185.220.101.7 |
185.220.101.9 |
185.220.102.241 |
185.220.102.242 |
185.220.102.243 |
185.220.102.245 |
185.220.102.246 |
185.220.102.249 |
185.220.102.250 |
185.220.102.252 |
185.220.102.253 |
185.220.102.254 |
185.220.102.4 |
185.220.102.6 |
185.220.102.7 |
185.220.102.8 |
185.220.103.117 |
185.220.103.119 |
185.220.103.4 |
185.220.103.5 |
185.220.103.7 |
185.220.103.8 |
185.232.23.46 |
185.236.200.117 |
185.38.175.130 |
185.38.175.131 |
185.38.175.132 |
185.4.132.183 |
185.56.80.65 |
185.83.214.69 |
188.120.246.215 |
188.166.122.43 |
188.166.223.38 |
188.166.225.104 |
188.166.48.55 |
188.166.74.97 |
188.166.92.228 |
191.232.38.25 |
192.160.102.169 |
192.42.116.19 |
192.81.130.207 |
192.99.152.200 |
193.110.95.34 |
193.189.100.195 |
193.189.100.196 |
193.189.100.201 |
193.189.100.202 |
193.189.100.203 |
193.218.118.183 |
193.218.118.231 |
193.239.232.101 |
193.239.232.102 |
193.31.24.154 |
194.135.33.152 |
194.163.133.36 |
194.163.45.31 |
194.48.199.78 |
195.123.247.209 |
195.176.3.19 |
195.176.3.24 |
195.19.192.26 |
195.206.105.217 |
195.251.41.139 |
195.254.135.76 |
197.246.171.83 |
198.144.121.43 |
198.96.155.3 |
198.98.51.189 |
198.98.57.191 |
198.98.57.207 |
198.98.60.19 |
199.195.250.77 |
199.195.253.162 |
199.217.117.92 |
199.249.230.110 |
199.249.230.158 |
20.205.104.227 |
20.71.156.146 |
204.8.156.142 |
205.185.115.217 |
205.185.115.45 |
205.185.117.149 |
205.185.126.167 |
205.185.127.35 |
206.189.20.141 |
209.127.17.234 |
209.127.17.242 |
209.141.34.232 |
209.141.36.206 |
209.141.41.103 |
209.141.45.189 |
209.141.45.227 |
209.141.49.232 |
211.154.194.21 |
212.109.197.1 |
212.192.216.30 |
212.192.246.95 |
212.193.57.225 |
212.47.237.67 |
213.202.216.189 |
213.61.215.54 |
213.95.149.22 |
216.218.134.12 |
221.199.187.100 |
23.120.182.121 |
23.129.64.131 |
23.129.64.132 |
23.129.64.133 |
23.129.64.135 |
23.129.64.137 |
23.129.64.139 |
23.129.64.140 |
23.129.64.141 |
23.129.64.145 |
23.129.64.146 |
23.129.64.148 |
23.129.64.149 |
23.154.177.2 |
23.154.177.4 |
23.154.177.7 |
23.160.193.176 |
23.183.83.71 |
23.184.48.209 |
3.94.114.30 |
31.42.184.34 |
31.42.186.101 |
35.76.31.198 |
37.120.232.51 |
37.123.163.58 |
37.19.212.104 |
37.228.129.109 |
45.12.134.108 |
45.129.56.200 |
45.13.104.179 |
45.130.229.168 |
45.137.184.31 |
45.137.21.9 |
45.15.16.70 |
45.153.160.130 |
45.153.160.131 |
45.153.160.133 |
45.153.160.134 |
45.153.160.135 |
45.153.160.136 |
45.153.160.138 |
45.153.160.140 |
45.153.160.2 |
45.154.255.147 |
45.155.205.233 |
45.61.185.54 |
45.61.186.225 |
46.105.95.220 |
46.166.139.111 |
46.173.218.146 |
46.182.21.248 |
46.4.51.212 |
47.254.127.78 |
5.157.38.50 |
5.182.210.216 |
5.183.209.217 |
5.199.143.202 |
5.2.70.140 |
5.2.72.73 |
51.15.180.36 |
51.15.43.205 |
51.15.59.15 |
51.15.76.60 |
51.255.106.85 |
51.75.161.78 |
51.77.52.216 |
54.173.99.121 |
60.31.180.149 |
61.19.25.207 |
62.102.148.68 |
62.102.148.69 |
62.210.130.250 |
62.76.41.46 |
64.113.32.29 |
66.220.242.222 |
68.183.198.247 |
68.183.44.143 |
68.79.17.59 |
72.223.168.73 |
79.146.170.248 |
80.71.158.44 |
81.17.18.59 |
81.17.18.60 |
81.17.18.61 |
81.17.18.62 |
82.221.131.71 |
85.93.218.204 |
87.118.110.27 |
88.80.20.86 |
89.163.154.91 |
89.163.252.230 |
89.163.252.30 |
89.249.63.3 |
89.35.30.236 |
91.203.5.146 |
91.219.237.21 |
92.223.89.187 |
92.242.40.21 |
94.142.241.194 |
94.230.208.147 |
95.214.54.97 |
128.199.15.215 |
128.199.222.221 |
134.209.24.42 |
134.209.82.14 |
137.184.98.176 |
138.197.106.234 |
138.197.108.154 |
138.197.167.229 |
138.197.193.220 |
138.197.216.230 |
138.197.72.76 |
138.197.9.239 |
138.68.155.222 |
138.68.250.214 |
139.59.101.242 |
139.59.103.254 |
139.59.108.31 |
139.59.163.74 |
139.59.182.104 |
139.59.188.119 |
142.93.157.150 |
143.110.221.219 |
143.198.180.150 |
143.198.183.66 |
147.182.179.141 |
147.182.187.229 |
147.182.216.21 |
157.245.129.50 |
159.203.187.141 |
159.203.45.181 |
159.203.58.73 |
159.223.42.182 |
159.223.61.102 |
159.89.115.238 |
159.89.122.19 |
159.89.133.216 |
159.89.146.147 |
159.89.150.150 |
159.89.154.102 |
159.89.154.185 |
159.89.154.64 |
159.89.154.77 |
159.89.48.173 |
159.89.94.219 |
161.35.155.230 |
161.35.156.13 |
164.92.254.33 |
165.22.201.45 |
165.227.32.109 |
165.227.37.189 |
165.232.80.166 |
165.232.80.22 |
165.232.84.226 |
165.232.84.228 |
167.172.94.250 |
167.99.172.99 |
167.99.186.227 |
167.99.204.151 |
167.99.221.217 |
167.99.221.249 |
167.99.36.245 |
167.99.88.151 |
174.138.6.128 |
178.128.226.212 |
178.128.232.114 |
178.62.23.146 |
178.62.32.211 |
188.166.102.47 |
188.166.105.150 |
188.166.45.93 |
188.166.76.204 |
188.166.86.206 |
46.101.223.115 |
51.195.45.190 |
64.227.67.110 |
67.205.170.85 |
68.183.192.239 |
68.183.198.36 |
68.183.207.73 |
68.183.33.144 |
68.183.35.171 |
68.183.36.244 |
68.183.41.150 |
利用log4j漏洞传播的恶意程序、Botnet等IOC。
IOC类型 | IOC |
DOMAIN | bvprzqhoz7j2ltin.onion.ly |
DOMAIN | bvprzqhoz7j2ltin.onion.ws |
DOMAIN | bvprzqhoz7j2ltin.tor2web.su |
DOMAIN | log.exposedbotnets.ru |
DOMAIN | nazi.uy |
HASH | 0bb39ba78fc976edb9c26de1cecd60eb |
HASH | 1348a00488a5b3097681b6463321d84c |
HASH | 1fe52c0b0139660b2335dd7b7c12ea05 |
HASH | 23b317600f4d82ea58c6b39b6eb5a67c |
HASH | 2615ebcd4c82d8822ce0b58725938cc6 |
HASH | 40e3b969906c1a3315e821a8461216bb |
HASH | 6d275af23910c5a31b2d9684bbb9c6f3 |
HASH | 7b72cf30ac42c20f0a14b0b87425c00a |
HASH | 81fbe69a36650504b88756074a36c183 |
HASH | 95d9a068529dd2ea4bb4bef644f5c4f5 |
HASH | cf2ce888781958e929be430de173a0f8 |
HASH | d20478a01344026a0ecd60b0b29e9bc1 |
HASH | f14019c55e7ce19d93838a4b2f6aec12 |
HASH | 0579a8907f34236b754b07331685d79e |
HASH | 07b7746b922cf7d7fa821123a226ed36 |
HASH | dbc9125192bd1994cbb764f577ba5dda |
HASH | 648effa354b3cbaad87b45f48d59c616 |
HASH | ccef46c7edf9131ccffc47bd69eb743b |
IP_PORT | 110.42.239.3:80 |
IP_PORT | 114.132.231.19:80 |
IP_PORT | 121.41.109.54:2204 |
IP_PORT | 159.89.182.117:80 |
IP_PORT | 18.228.7.109:80 |
IP_PORT | 210.141.105.67:80 |
IP_PORT | 45.130.229.168:9999 |
SLD | *.exposedbotnets.ru |
SLD | *.nmsl.run |
SLD | *.viperdns.xyz |
SLD | *.wdnmdnmsl.xyz |
URL | http://110.42.239.3/2.hta |
URL | http://114.132.231.19/0.hta |
URL | http://114.132.231.19/OK1.hta |
URL | http://114.132.231.19/hfs.exe |
URL | http://114.132.231.19/2.hta |
URL | http://138.197.206.223/.x/xmra64 |
URL | http://159.89.182.117/wp-content/themes/twentyseventeen/ldm |
URL | http://18.228.7.109/.log/pty3; |
URL | http://18.228.7.109/.log/pty2; |
URL | http://18.228.7.109/.log/log |
URL | http://18.228.7.109/.log/pty4; |
URL | http://18.228.7.109/.log/pty5; |
URL | http://18.228.7.109/.log/pty1; |
URL | http://18.228.7.109/.log/pty2 |
URL | http://18.228.7.109/.log/pty5 |
URL | http://18.228.7.109/.log/pty3 |
URL | http://18.228.7.109/.log/ |
URL | http://18.228.7.109/.log/pty1 |
URL | http://18.228.7.109/.log/pty4 |
URL | http://210.141.105.67/wp-content/themes/twentythirteen/m8 |
URL | http://34.221.40.237/.x/ |
URL | http://45.130.229.168:9999/Exploit.class |
URL | http://62.210.130.250/web/admin/x86 |
URL | http://62.210.130.250/lh.sh |
URL | http://62.210.130.250/web/admin/x86_g |
URL | http://62.210.130.250/web/admin/x86_64 |
URL | http://62.210.130.250/web/admin/ |
URL | http://62.210.130.250/web/admin/x86 |
URL | http://62.210.130.250/web/admin/x86_64 |
URL | http://62.210.130.250/web/admin/x86_g |
IP | 185.154.53.140:80 |
URL | http://185.154.53.140/mg |
URL | http://185.154.53.140/o |
URL | http://185.154.53.140/s |
URL | http://185.154.53.140/get |
URL | http://185.154.53.140/ms |
URL | http://138.197.206.223/.x/xmra64 |
URL | http://138.197.206.223/.x/xmra32 |
URL | http://18.228.7.109/.log/pty1 |
URL | http://18.228.7.109/.log/pty4 |
URL | http://210.141.105.67/wp-content/themes/twentythirteen/m8 |
URL | http://18.228.7.109/.log/pty2 |
URL | http://18.228.7.109/.log/pty3 |
URL | http://18.228.7.109/.log/pty5 |
URL | http://159.89.182.117/wp-content/themes/twentyseventeen/ldm |
URL | http://18.228.7.109/.log/log |
URL | http://82.118.18.201/cron.sh |
URL | http://92.242.40.21/lh2.sh |
URL | http://185.191.32.198/lh.sh |
URL | http://82.118.18.201/curl-amd64 |
URL | http://82.118.18.201/libsystem.so |
URL | http://82.118.18.201/kinsing |
URL | http://82.118.18.201/lh.sh |
URL | http://62.210.130.250/web/admin/x86_64 |
URL | http://62.210.130.250/lh.sh |
URL | http://80.71.158.12/libsystem.so |
URL | http://80.71.158.12/curl-amd64 |
URL | http://80.71.158.12/lh.sh |
URL | http://185.191.32.198/unk.sh |
URL | http://45.137.155.55/cron.sh |
URL | http://185.191.32.198/ex.sh |
URL | http://45.137.155.55/ex.sh |
Snort检测规则:
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034647; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034648; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034649; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034650; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034652; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034651; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034653; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034654; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034655; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034656; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034657; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034658; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034659; rev:1; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_11;) |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034660; rev:2; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_11;) |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034667; rev:2; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_11;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034668; rev:2; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_11;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034661; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;) |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034662; rev:2; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034663; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;) |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034664; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;) |
alert udp $HOME_NET any -> any 53 (msg:"ET POLICY dnslog .cn Observed in DNS Query"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06|dnslog|02|cn|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2034669; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_11, deployment Perimeter, deployment Internal, performance_impact Low, signature_severity Informational, updated_at 2021_12_11;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034665; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;) |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034666; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;) |
alert udp $HOME_NET any -> any 53 (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2121-44228 Payload Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|bingsearchlib|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,twitter.com/sans_isc/status/1469305954835521539; reference:cve,2121-44228; classtype:trojan-activity; sid:2034670; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_11, cve CVE_2121_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_11;) |
Suricata规则:
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034659; rev:1; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_11;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034655; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034647; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034658; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034648; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034654; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034668; rev:2; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_11;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034649; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034657; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034650; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034661; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034665; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;) |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034663; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;) |
alert udp $HOME_NET any -> any 53 (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2121-44228 Payload Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|bingsearchlib|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,twitter.com/sans_isc/status/1469305954835521539; reference:cve,2121-44228; classtype:trojan-activity; sid:2034670; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_11, cve CVE_2121_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_11;) |
alert udp $HOME_NET any -> any 53 (msg:"ET POLICY dnslog .cn Observed in DNS Query"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06|dnslog|02|cn|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2034669; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_11, deployment Perimeter, deployment Internal, performance_impact Low, signature_severity Informational, updated_at 2021_12_11;) |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034660; rev:2; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_11;) |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034653; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034667; rev:2; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_11;) |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034651; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034656; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034652; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;) |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034662; rev:2; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;) |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034666; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;) |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034664; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;) |
参考链接:
https://mp.weixin.qq.com/s/fWN9mqSKU2PWpZkl49lv8Q
https://mp.weixin.qq.com/s/oWOJIJAR7915b28X3vtM8g
https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217
https://raw.githubusercontent.com/CriticalPathSecurity/Public-Intelligence-Feeds/master/log4j.txt
https://isc.sans.edu/api/webhoneypotreportsbyua/jndi
https://urlhaus.abuse.ch/browse/tag/log4j/
https://bazaar.abuse.ch/browse/tag/log4j/
https://threatfox.abuse.ch/browse/tag/log4j/
https://rules.emergingthreatspro.com/open/
https://weibo.com/ttarticle/p/show?id=2309404713341405757603
https://blog.netlab.360.com/wei-xie-kuai-xun-log4jlou-dong-yi-jing-bei-yong-lai-zu-jian-botnet-zhen-dui-linuxshe-bei/
点击阅读原文至RedDrip GitHub项目获取更多IOCs
如有侵权请联系:admin#unsafe.sh