From 6c8b0c8fd8dcbc533d109e4ed5ea826ed4ba43c5 Mon Sep 17 00:00:00 2001
From: izysec <64199310+izysec@users.noreply.github.com>
Date: Mon, 13 Dec 2021 15:49:08 +0530
Subject: [PATCH] Added current known bypass patterns Source: https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
---
 rules/web/web_cve_2021_44228_log4j.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/web/web_cve_2021_44228_log4j.yml b/rules/web/web_cve_2021_44228_log4j.yml
index 711655745..2d3e73356 100644
--- a/rules/web/web_cve_2021_44228_log4j.yml
+++ b/rules/web/web_cve_2021_44228_log4j.yml
@@ -37,6 +37,10 @@ detection:
 - '${${env:BARFOO:-j}'
 - '${::-l}${::-d}${::-a}${::-p}'
 - '${base64:JHtqbmRp'
+ - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
+ - '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
+ - '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
+ - '${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://'
 condition: keywords
 falsepositives:
 - Vulnerability scanning
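Review bot: The first added keyword hard-codes the placeholder variable name `ENV_NAME` from the referenced word list, so it only matches requests that reuse that exact name. The `lower`, `upper` and `::-` entries have the same limit, each matching one fixed combination of wrapped letters (the `upper` entry also ends in `${lower:p}`, which looks copied as-is). Because these are literal keywords, a different variable name or a different choice of wrapped characters is not covered, and the rule should say so, e.g. a comment above the new entries: `# literal samples from the referenced list; other variable names and lookup combinations are not matched`. A follow-up could key on the name-independent fragments instead, at the cost of more false positives to tune. The list these entries join starts above the hunk, so I cannot tell whether percent-encoded forms (`%7B`/`%7D`), as web access logs often record them, are already handled there.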