From 5819aa98883adc08f91eaac99843df77bc6f7390 Mon Sep 17 00:00:00 2001
From: izysec <64199310+izysec@users.noreply.github.com>
Date: Mon, 13 Dec 2021 15:51:25 +0530
Subject: [PATCH 1/2] Added current known bypass patterns

Source: https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
---
 rules/web/web_cve_2021_44228_log4j_fields.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/rules/web/web_cve_2021_44228_log4j_fields.yml b/rules/web/web_cve_2021_44228_log4j_fields.yml
index 92c49b247..534cfd164 100644
--- a/rules/web/web_cve_2021_44228_log4j_fields.yml
+++ b/rules/web/web_cve_2021_44228_log4j_fields.yml
@@ -38,6 +38,10 @@ detection:
 - '${${env:BARFOO:-j}'
 - '${::-l}${::-d}${::-a}${::-p}'
 - '${base64:JHtqbmRp'
+ - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
+ - '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
+ - '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
+ - '${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://'
 user-agent|contains:
 - '${jndi:ldap:/'
 - '${jndi:rmi:/'
@@ -57,6 +61,10 @@ detection:
 - '${${env:BARFOO:-j}'
 - '${::-l}${::-d}${::-a}${::-p}'
 - '${base64:JHtqbmRp'
+ - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
+ - '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
+ - '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
+ - '${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://'
 cs-uri|contains:
 - '${jndi:ldap:/'
 - '${jndi:rmi:/'
@@ -76,6 +84,10 @@ detection:
 - '${${env:BARFOO:-j}'
 - '${::-l}${::-d}${::-a}${::-p}'
 - '${base64:JHtqbmRp'
+ - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
+ - '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
+ - '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
+ - '${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://'
 cs-referrer|contains:
 - '${jndi:ldap:/'
 - '${jndi:rmi:/'
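Review bot: The `${${env:ENV_NAME:-j}ndi…` entry added in the first hunk pins detection to the literal name `ENV_NAME`, which looks like the placeholder from the cited PoC list, so the same trick with any other name (`${${env:X:-j}ndi…`) or another lookup prefix in place of `env:` is missed, just as the existing `${${env:BARFOO:-j}` entry above it only catches that one spelling. The lookup name cannot be enumerated, so the part worth matching is the part that does not depend on it: the default-value suffix `':-j}ndi'` (still assumes `ndi` is in clear text) or the nested-lookup opener `'${${'`, which covers every variant in this hunk but should have its false-positive rate on URI/User-Agent/Referrer traffic measured before it goes in. Whichever is chosen, a comment such as `# nested lookups: an inner lookup with a default value can spell out 'jndi' piecewise; the inner name is attacker-chosen` on the list would tell the next maintainer why the entries are shaped this way. The list these entries extend begins above the hunk, so I cannot tell whether a shorter name-agnostic prefix is already present.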
@@ -95,6 +107,10 @@ detection:
 - '${${env:BARFOO:-j}'
 - '${::-l}${::-d}${::-a}${::-p}'
 - '${base64:JHtqbmRp'
+ - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
+ - '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
+ - '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
+ - '${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://'
 condition: selection
 falsepositives:
 - Vulnerability scanning

From 04ff26c786d37b641caa91f5882a0ba7572dc3f9 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 13 Dec 2021 11:47:55 +0100
Subject: [PATCH 2/2] Update web_cve_2021_44228_log4j_fields.yml

---
 rules/web/web_cve_2021_44228_log4j_fields.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/web/web_cve_2021_44228_log4j_fields.yml b/rules/web/web_cve_2021_44228_log4j_fields.yml
index 534cfd164..682b1aad2 100644
--- a/rules/web/web_cve_2021_44228_log4j_fields.yml
+++ b/rules/web/web_cve_2021_44228_log4j_fields.yml
@@ -41,7 +41,7 @@ detection:
 - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
 - '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
 - '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
- - '${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://'
+ - '${${::-j}${::-n}${::-d}${::-i}:'
 user-agent|contains:
 - '${jndi:ldap:/'
 - '${jndi:rmi:/'
@@ -64,7 +64,7 @@ detection:
 - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
 - '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
 - '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
- - '${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://'
+ - '${${::-j}${::-n}${::-d}${::-i}:'
 cs-uri|contains:
 - '${jndi:ldap:/'
 - '${jndi:rmi:/'
@@ -87,7 +87,7 @@ detection:
 - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
 - '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
 - '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
- - '${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://'
+ - '${${::-j}${::-n}${::-d}${::-i}:'
 cs-referrer|contains:
 - '${jndi:ldap:/'
 - '${jndi:rmi:/'
@@ -110,7 +110,7 @@ detection:
 - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
 - '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
 - '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
- - '${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://'
+ - '${${::-j}${::-n}${::-d}${::-i}:'
 condition: selection
 falsepositives:
 - Vulnerability scanning
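Review bot: Only the `${::-j}…` entry was shortened to the protocol-agnostic `'${${::-j}${::-n}${::-d}${::-i}:'`; the `lower:`/`upper:` entries on the two context lines above it still end in a fully spelled `ldap://`, so the same lookup trick with `${lower:r}mi://`, `ldaps://` or `dns://` after the colon is not matched, even though the plain `${jndi:rmi:/` form is covered elsewhere in the rule (the `cs-referrer` list in the previous hunk shows it). Applying the same truncation gives `'${${lower:j}ndi:'` and `'${${upper:j}ndi:'`, which subsume both current entries, so nothing is lost by replacing them. The identical four-entry list is repeated once per field, as this commit's four hunks show, so the change has to be made in all four lists; a comment such as `# keep this list identical to the other three field lists below` at the top of each would make that dependency visible to the next editor.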