apache_log4j2_cve-2021-44228 Configuration

« apache_log4j2_cve-2021-44228 »
v0.6 by crowdsecurity
Attack scenarioremediation:trueservice:apachespoofable:0MITRE:T1595MITRE:T1190confidence:3

Detect cve-2021-44228 exploitation attemps

Installation

cscli scenarios install crowdsecurity/apache_log4j2_cve-2021-44228

Description

Scenario to detect exploitation attempts of "log4j" CVE-2021-44228.

⚠️ Crowdsec is not a WAF and, as such, bypass to those signatures are likely ⚠️

YAML Configuration

1type: trigger
2format: 2.0
3#debug: true
4name: crowdsecurity/apache_log4j2_cve-2021-44228
5description: "Detect cve-2021-44228 exploitation attemps"
6filter: |
7  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
8  (
9    any(File("log4j2_cve_2021_44228.txt"), { Upper(evt.Meta.http_path) contains Upper(#)})
10  or
11    any(File("log4j2_cve_2021_44228.txt"), { Upper(evt.Parsed.http_user_agent) contains Upper(#)})
12  or
13    any(File("log4j2_cve_2021_44228.txt"), { Upper(evt.Parsed.http_referer) contains Upper(#)})  
14  )
15data:
16  - source_url: https://hub-data.crowdsec.net/web/log4j2_cve_2021_44228.txt
17    dest_file: log4j2_cve_2021_44228.txt
18    type: string
19groupby: "evt.Meta.source_ip"
20blackhole: 2m
21labels:
22  service: apache
23  confidence: 3
24  spoofable: 0
25  classification:
26    - attack.T1595
27    - attack.T1190
28    - cve.CVE-2021-44228
29  behavior: "http:exploit"
30  label: "Log4j CVE-2021-44228"
31  remediation: true
32

Hub configuration

« apache_log4j2_cve-2021-44228 »v0.6 by crowdsecurityAttack scenarioremediation:trueservice:apacheCVE-2021-44228spoofable:0MITRE:T1595MITRE:T1190confidence:3

« apache_log4j2_cve-2021-44228 »
v0.6 by crowdsecurity
Attack scenarioremediation:trueservice:apachespoofable:0MITRE:T1595MITRE:T1190confidence:3