IBM Security QRadar

 View Only

Enhance your detection of Log4j exploit (CVE-2021-44228) with the YARA App

By Gladys Koskas posted Thu December 16, 2021 03:41 PM

  
Hi guys

I bet all the alarms are on and you are under water right now, so I'll keep it short ! I hope you have already been notified of Adam's blog related to the Detection of Log4Shell (CVE-2021-44228) using QRadar. Please go back to it from time to time as he'll update the blog as the information is coming in.

In the meantime I also wanted to tell you about the release of the YARA app. We hope that it will help you extend your capabilities of investigation so you can respond quicker.

I said I would keep it short, so here is how to proceed with it:

1 - Download the app on the app exchange

You can find the app here on the app exchange: IBM Security QRadar Manager for YARA Rule

Notes:

  • An internet access is required only for Github synchronization
  • The app is compatible with 7.3.3 Patch 6+ and 7.4.1 Patch 2+ (7.4.0 is not supported)

2 - Configure the app with a token

3 - Go in the YARA tab and create a new Rule.

If you're seeking for help with log4j detection, you can find a rule published by Florian Roth on Github and download the content directly in the app using the following link:
https://github.com/Neo23x0/signature-base/blob/master/yara/expl_log4j_cve_2021_44228.yar


Or do a simple import of your own rules.

4 - Scan the data

Get the properties

In his blog, Adam has proposed to work on the following properties: URL, URL Query String, UrlHost, User Agent, Referrer URL, Request Site, Request URI, API Path.
We have made these properties available on the App Exchange for a few Web Application Firewall and Web Servers.

AWS WAF and Kubernetes: IBM QRadar Content Extension for Amazon AWS
Microsoft IISIBM Security QRadar Custom Properties for Microsoft IIS
NGINXIBM Security QRadar Custom Properties for NGINX
ApacheIBM Security QRadar Custom Properties for Apache

Choose the data

Many options are available to you here.

First set of options is on the data you want to scan, you can choose between 4 possibilities


You might be interested by options 1, 2 and 3 regarding today's investigation:

  • Payload: This option allows to bring raw payloads coming from an offense investigation or from a third party too as an example
  • Advanced Search (AQL) and Saved Search: These are the searches coming from the Log Activity and the Network Activity. It is a quick way to retrieve all the data from a particular device or a user on a specific period of time as an example.
  • Upload File: This option lets you upload an actual suspicious file and scan it with the YARA rules you've defined.

Choose the rules

The second half of the screen is letting you choose which rules will be used to scan your data

The app will trigger a scan on the sample of data you selected in the first part, and will return a match / not match result, depending on the options you selected here. You can decide that you need any rule in your namespace to match a payload, all the rules, or only a selection of them.




0 comments
35 views

Permalink