security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Merge pull request #2446 from izysec/patch-4

Browse Source 
Added current known bypass patterns
This commit is contained in:
Florian Roth
2021-12-13 14:04:54 +01:00
committed by GitHub
parent 7b93291439 04ff26c786
commit fb167c5698
1 changed files with 16 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/web/web_cve_2021_44228_log4j_fields.yml
+16
View File
@@ -38,6 +38,10 @@ detection:
- '${${env:BARFOO:-j}'
- '${::-l}${::-d}${::-a}${::-p}'
- '${base64:JHtqbmRp'
- '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
- '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
- '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
- '${${::-j}${::-n}${::-d}${::-i}:'
user-agent|contains:
- '${jndi:ldap:/'
- '${jndi:rmi:/'
@@ -57,6 +61,10 @@ detection:
- '${${env:BARFOO:-j}'
- '${::-l}${::-d}${::-a}${::-p}'
- '${base64:JHtqbmRp'
- '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
- '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
- '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
- '${${::-j}${::-n}${::-d}${::-i}:'
cs-uri|contains:
- '${jndi:ldap:/'
- '${jndi:rmi:/'
@@ -76,6 +84,10 @@ detection:
- '${${env:BARFOO:-j}'
- '${::-l}${::-d}${::-a}${::-p}'
- '${base64:JHtqbmRp'
- '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
- '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
- '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
- '${${::-j}${::-n}${::-d}${::-i}:'
cs-referrer|contains:
- '${jndi:ldap:/'
- '${jndi:rmi:/'
@@ -95,6 +107,10 @@ detection:
- '${${env:BARFOO:-j}'
- '${::-l}${::-d}${::-a}${::-p}'
- '${base64:JHtqbmRp'
- '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
- '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
- '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
- '${${::-j}${::-n}${::-d}${::-i}:'
condition: selection
falsepositives:
- Vulnerability scanning