Signature
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Log4j logging remote code execution attempt"; flow:to_server,established; content:"HTTP/"; nocase; content:"${"; fast_pattern:only; pcre:"/HTTP\x2f((?![\r\n]{4}).)*?\x24\x7b(jndi|[^\r\n\x7d\x80-\xff]*?\x24\x7b[^\r\n\x7d\x80-\xff]*?\x3a[^\r\n\x7d]*?\x7d)/si"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; reference:url,blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html; classtype:attempted-admin; sid:59246; rev:1;)
Recommendations/Investigative actions
Ensure that all servers running Apache Log4j are promptly patched, Authorize the connection. If the connection was approved - archive and baseline the rule. If not - check the connection and investigate the file and the relevant IP address.