Fixes #4. Also does the same fix for c$http$method, which is also opt…

…ional in HTTP::Info and may cause the same failure
corelight · Dec 16, 2021 · 7ca2bfd · 7ca2bfd
1 parent 3c05fdd
commit 7ca2bfd
Showing 1 changed file with 12 additions and 4 deletions.
diff --git a/scripts/CVE_2021_44228.zeek b/scripts/CVE_2021_44228.zeek
@@ -78,6 +78,14 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
     # Focus is mainly on value of header, but adding 'name' to explore what is being used in the wild
     local matched_name = exploit_pattern in name;
     local matched_value = exploit_pattern in value;
+    local http_uri: string = "";
+    local http_method: string = "";
+
+    # Handle potentially missing fields
+    if ( c$http?$uri )
+        http_uri = c$http$uri;
+    if ( c$http?$method )
+        http_method = c$http$method;
 
     # Ignore matches that contain binary goop. This was a large contributor to
     # false positives.
@@ -95,26 +103,26 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
     if ( matched_name )
         {
         payload = parse_payload(name);
-        info = Info($ts=network_time(), $uid=c$uid, $http_uri=c$http$uri, $uri=payload$uri, $stem=payload$stem, $target_host=payload$host, $target_port=payload$port_, $method=c$http$method, $is_orig=is_orig, $name=name, $value=value, $matched_name=matched_name, $matched_value=matched_value);
+        info = Info($ts=network_time(), $uid=c$uid, $http_uri=http_uri, $uri=payload$uri, $stem=payload$stem, $target_host=payload$host, $target_port=payload$port_, $method=http_method, $is_orig=is_orig, $name=name, $value=value, $matched_name=matched_name, $matched_value=matched_value);
         NOTICE([$note=LOG4J_ATTEMPT_HEADER,
                 $conn=c,
                 $identifier=cat(c$id$orig_h,c$id$resp_h,c$id$resp_p,cat(name,value)),
                 # $suppress_for=3600sec,
                 $msg=fmt("Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers"),
-                $sub=fmt("uri='%s', payload_uri=%s, payload_stem=%s, payload_host=%s, payload_port=%s, method=%s, is_orig=%s, header name='%s',  header value='%s' ", c$http$uri, payload$uri, payload$stem, payload$host, payload$port_, c$http$method, is_orig, name, value)]);
+                $sub=fmt("uri='%s', payload_uri=%s, payload_stem=%s, payload_host=%s, payload_port=%s, method=%s, is_orig=%s, header name='%s',  header value='%s' ", http_uri, payload$uri, payload$stem, payload$host, payload$port_, http_method, is_orig, name, value)]);
         if ( log )
             Log::write(LOG, info);
         }
     if ( matched_value )
         {
         payload = parse_payload(value);
-        info = Info($ts=network_time(), $uid=c$uid, $http_uri=c$http$uri, $uri=payload$uri, $stem=payload$stem, $target_host=payload$host, $target_port=payload$port_, $method=c$http$method, $is_orig=is_orig, $name=name, $value=value, $matched_name=matched_name, $matched_value=matched_value);
+        info = Info($ts=network_time(), $uid=c$uid, $http_uri=http_uri, $uri=payload$uri, $stem=payload$stem, $target_host=payload$host, $target_port=payload$port_, $method=http_method, $is_orig=is_orig, $name=name, $value=value, $matched_name=matched_name, $matched_value=matched_value);
         NOTICE([$note=LOG4J_ATTEMPT_HEADER,
                 $conn=c,
                 $identifier=cat(c$id$orig_h,c$id$resp_h,c$id$resp_p,cat(name,value)),
                 # $suppress_for=3600sec,
                 $msg=fmt("Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers"),
-                $sub=fmt("uri='%s', payload_uri=%s, payload_stem=%s, payload_host=%s, payload_port=%s, method=%s, is_orig=%s, header name='%s',  header value='%s' ", c$http$uri, payload$uri, payload$stem, payload$host, payload$port_, c$http$method, is_orig, name, value)]);
+                $sub=fmt("uri='%s', payload_uri=%s, payload_stem=%s, payload_host=%s, payload_port=%s, method=%s, is_orig=%s, header name='%s',  header value='%s' ", http_uri, payload$uri, payload$stem, payload$host, payload$port_, http_method, is_orig, name, value)]);
         if ( log )
             Log::write(LOG, info);
         }