SERVER-OTHER Apache Log4j logging remote code execution attempt

This alert detects attempts to exploit the Apache Log4j vulnerability for remote code execution. The rule matches on HTTP requests containing the string ${jndi: in the URI; its regular expression also catches nested ${...} lookups that obfuscate that string. The rule generates an alert when such traffic is detected flowing towards the server on an established connection. This rule helps to identify potential attempts to exploit the known Apache Log4j vulnerabilities and can aid in mitigating the risks associated with this critical security issue.

ID Number

58742

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; content:"${"; fast_pattern:only; http_header; content:"|2F|"; http_uri; pcre:"/\x24\x7b(jndi|[^\x7d\x80-\xff]*?\x24\x7b[^\x7d\x80-\xff]*?\x3a[^\x7d]*?\x7d)/Hi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; reference:cve,2022-20933; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vnESbgBf; classtype:attempted-user; sid:58742; rev:8;)

MITRE ATT&CK Technique

Exploit Public-Facing Application (T1190)
Obfuscated Files or Information (T1027)
Indicator Removal on Host (T1070)
Command and Scripting Interpreter (T1059)
Scripting (T1064)
Data Destruction (T1485)

Severity

medium

Recommendations/Investigative actions

Ensure that all servers running Apache Log4j are promptly patched, then verify whether the connection was authorized. If the connection was approved, archive and baseline the rule. If not, investigate the connection and the relevant IP address.
