diff --git a/rules/web/web_cve_2021_44228_log4j_fields.yml b/rules/web/web_cve_2021_44228_log4j_fields.yml
index 92c49b247..682b1aad2 100644
--- a/rules/web/web_cve_2021_44228_log4j_fields.yml
+++ b/rules/web/web_cve_2021_44228_log4j_fields.yml
@@ -38,6 +38,10 @@ detection:
 - '${${env:BARFOO:-j}'
 - '${::-l}${::-d}${::-a}${::-p}'
 - '${base64:JHtqbmRp'
+ - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
+ - '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
+ - '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
+ - '${${::-j}${::-n}${::-d}${::-i}:'
 user-agent|contains:
 - '${jndi:ldap:/'
 - '${jndi:rmi:/'
@@ -57,6 +61,10 @@ detection:
 - '${${env:BARFOO:-j}'
 - '${::-l}${::-d}${::-a}${::-p}'
 - '${base64:JHtqbmRp'
+ - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
+ - '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
+ - '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
+ - '${${::-j}${::-n}${::-d}${::-i}:'
 cs-uri|contains:
 - '${jndi:ldap:/'
 - '${jndi:rmi:/'
@@ -76,6 +84,10 @@ detection:
 - '${${env:BARFOO:-j}'
 - '${::-l}${::-d}${::-a}${::-p}'
 - '${base64:JHtqbmRp'
+ - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
+ - '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
+ - '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
+ - '${${::-j}${::-n}${::-d}${::-i}:'
 cs-referrer|contains:
 - '${jndi:ldap:/'
 - '${jndi:rmi:/'
@@ -95,6 +107,10 @@ detection:
 - '${${env:BARFOO:-j}'
 - '${::-l}${::-d}${::-a}${::-p}'
 - '${base64:JHtqbmRp'
+ - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
+ - '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
+ - '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
+ - '${${::-j}${::-n}${::-d}${::-i}:'
 condition: selection
 falsepositives:
 - Vulnerability scanning
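Review bot: The third added entry in the first hunk, `'${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'`, switches to `lower:p` for its last lookup while every other lookup on the line is `upper:`, so it only matches that exact mixed string and a request written consistently with `${upper:p}` would not hit it; if the mixed form reproduces an observed sample as-is, a short comment saying so would stop a later maintainer from "correcting" it, otherwise adding `- '${${upper:j}ndi:${upper:l}${upper:d}a${upper:p}://'` next to it closes the gap. The `ENV_NAME` entry likewise matches only that literal placeholder variable name, in the same way as the existing `BARFOO` entry, so it detects verbatim copies of a known string rather than the substitution technique, which is worth stating in the rule's description or a comment so the coverage is not overestimated. The same four lines are duplicated in all four hunks (old lines 38, 57, 76 and 95), so whichever fix is chosen must be applied to each of them. The `selection` block and the field-level lists begin and end outside these hunks.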