From a51c03f54c19168db00d87ef359f3ae95340a0ce Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 10 Dec 2021 13:05:40 +0100
Subject: [PATCH] log4j CVE-2021-44228
---
rules/web/web_cve_2021_44228_log4j.yml | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 rules/web/web_cve_2021_44228_log4j.yml
diff --git a/rules/web/web_cve_2021_44228_log4j.yml b/rules/web/web_cve_2021_44228_log4j.yml
new file mode 100644
index 000000000..6f51e97cc
--- /dev/null
+++ b/rules/web/web_cve_2021_44228_log4j.yml
@@ -0,0 +1,25 @@
+title: Log4j RCE CVE-2021-44228
+id: 5ea8faa8-db8b-45be-89b0-151b84c82702
+status: experimental
+description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228
+author: Florian Roth
+date: 2021/12/10
+references:
+ - https://news.ycombinator.com/item?id=29504755
+ - https://github.com/tangxiaofeng7/apache-log4j-poc
+ - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
+ - https://github.com/YfryTchsGD/Log4jAttackSurface
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ keywords:
+ - '${jndi:ldap://'
+ - '${jndi:rmi://'
+ - '${jndi:ldaps://'
+ condition: keywords
+falsepositives:
+ - Vulnerability scanning
+level: high
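Review bot: The three keywords under `detection.keywords` match only the literal, unobfuscated lookup string, so the rule misses variants that the same log4j lookup mechanism accepts: JNDI URLs with other schemes (`dns`, `iiop`, `corba`, `nis`, `nds`), and lookups whose `jndi` prefix is itself assembled from nested lookups such as `${${lower:j}ndi:` or `${${::-j}ndi:`, which evade a plain `${jndi:` substring match. For `category: webserver` the matched text is typically the request line, which many servers record URL-encoded, so `${` may appear as `%24%7B`; a `'%24%7Bjndi:'` keyword is worth adding for those sources (confirm against the log format in use). The nested-lookup strings should stay as tight as shown rather than a bare `'${${'`, which would widen the rule beyond the false-positive note of vulnerability scanning. The list below keeps the existing keywords and appends these forms.
```yaml
detection:
  keywords:
    # … unchanged: existing ldap/rmi/ldaps keywords …
    - '${jndi:dns://'
    - '${jndi:iiop://'
    - '${jndi:corba://'
    - '${jndi:nis://'
    - '${jndi:nds://'
    - '${${lower:j}ndi:'
    - '${${::-j}ndi:'
    - '%24%7Bjndi:'
  condition: keywords
```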