From d8613fedfe30fdb9fb4d2bbf0cb87936a78073f8 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 12 Dec 2021 21:27:01 +0100
Subject: [PATCH] more Log4Shell patterns

---
 rules/web/web_cve_2021_44228_log4j.yml | 1 +
 rules/web/web_cve_2021_44228_log4j_fields.yml | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/rules/web/web_cve_2021_44228_log4j.yml b/rules/web/web_cve_2021_44228_log4j.yml
index 5759aa331..711655745 100644
--- a/rules/web/web_cve_2021_44228_log4j.yml
+++ b/rules/web/web_cve_2021_44228_log4j.yml
@@ -36,6 +36,7 @@ detection:
 - '${jndi:iiop'
 - '${${env:BARFOO:-j}'
 - '${::-l}${::-d}${::-a}${::-p}'
+ - '${base64:JHtqbmRp'
 condition: keywords
 falsepositives:
 - Vulnerability scanning
diff --git a/rules/web/web_cve_2021_44228_log4j_fields.yml b/rules/web/web_cve_2021_44228_log4j_fields.yml
index dcad43d5d..92c49b247 100644
--- a/rules/web/web_cve_2021_44228_log4j_fields.yml
+++ b/rules/web/web_cve_2021_44228_log4j_fields.yml
@@ -37,6 +37,7 @@ detection:
 - '${jndi:iiop'
 - '${${env:BARFOO:-j}'
 - '${::-l}${::-d}${::-a}${::-p}'
+ - '${base64:JHtqbmRp'
 user-agent|contains:
 - '${jndi:ldap:/'
 - '${jndi:rmi:/'
@@ -55,6 +56,7 @@ detection:
 - '${jndi:iiop'
 - '${${env:BARFOO:-j}'
 - '${::-l}${::-d}${::-a}${::-p}'
+ - '${base64:JHtqbmRp'
 cs-uri|contains:
 - '${jndi:ldap:/'
 - '${jndi:rmi:/'
@@ -73,6 +75,7 @@ detection:
 - '${jndi:iiop'
 - '${${env:BARFOO:-j}'
 - '${::-l}${::-d}${::-a}${::-p}'
+ - '${base64:JHtqbmRp'
 cs-referrer|contains:
 - '${jndi:ldap:/'
 - '${jndi:rmi:/'
@@ -91,6 +94,7 @@ detection:
 - '${jndi:iiop'
 - '${${env:BARFOO:-j}'
 - '${::-l}${::-d}${::-a}${::-p}'
+ - '${base64:JHtqbmRp'
 condition: selection
 falsepositives:
 - Vulnerability scanning
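Review bot: The new keyword `'${base64:JHtqbmRp'` (first hunk of web_cve_2021_44228_log4j.yml, repeated in all four hunks of web_cve_2021_44228_log4j_fields.yml) is the base64 encoding of `${jndi` only when that text starts at a 3-byte boundary of the encoded input, so it covers one of the three possible alignments and is narrower than the plain `${jndi` entries above it; that limitation should be recorded next to the pattern, e.g. `# base64 of '${jndi' at offset 0 — other alignments are not covered`. None of the five hunks touch the rule header, so I cannot see whether `modified:` was bumped; the Sigma convention is to update it whenever detection content changes, and consumers that track rule metadata will otherwise not notice this addition. Plain keywords and the `contains` modifier are matched case-insensitively by most Sigma backends, which is fine here because it can only widen the match on a case-sensitive base64 token.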