diff --git a/scripts/CVE_2021_44228.zeek b/scripts/CVE_2021_44228.zeek
index 9514fe3..be2e5c0 100644
--- a/scripts/CVE_2021_44228.zeek
+++ b/scripts/CVE_2021_44228.zeek
@@ -78,6 +78,14 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
 # Focus is mainly on value of header, but adding 'name' to explore what is being used in the wild
 local matched_name = exploit_pattern in name;
 local matched_value = exploit_pattern in value;
+ local http_uri: string = "";
+ local http_method: string = "";
+
+ # Handle potentially missing fields
+ if ( c$http?$uri )
+ http_uri = c$http$uri;
+ if ( c$http?$method )
+ http_method = c$http$method;
 # Ignore matches that contain binary goop. This was a large contributor to
 # false positives.
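Review bot: The new `c$http?$uri` and `c$http?$method` guards still dereference `c$http` unconditionally, so the handler depends on the base HTTP scripts having populated `c$http` before this `http_header` handler runs; that is the usual priority order, but it is an implicit assumption worth making explicit, e.g. `if ( c?$http && c$http?$uri )`. The `""` default also makes a request line that was never observed (presumably the response-only or mid-flow case this patch is for) indistinguishable from a genuinely empty URI or method in both the log row and the notice `$sub`; if `Info$http_uri` and `Info$method` are `&optional`, leaving them unset would preserve that distinction. A one-line comment on the block would help the next reader: `# uri/method come from the request line and can be absent on response headers when the request was not seen`. The enclosing `http_header` event body starts before and continues past this hunk.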
@@ -95,26 +103,26 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
 if ( matched_name ) {
 payload = parse_payload(name);
- info = Info($ts=network_time(), $uid=c$uid, $http_uri=c$http$uri, $uri=payload$uri, $stem=payload$stem, $target_host=payload$host, $target_port=payload$port_, $method=c$http$method, $is_orig=is_orig, $name=name, $value=value, $matched_name=matched_name, $matched_value=matched_value);
+ info = Info($ts=network_time(), $uid=c$uid, $http_uri=http_uri, $uri=payload$uri, $stem=payload$stem, $target_host=payload$host, $target_port=payload$port_, $method=http_method, $is_orig=is_orig, $name=name, $value=value, $matched_name=matched_name, $matched_value=matched_value);
 NOTICE([$note=LOG4J_ATTEMPT_HEADER, $conn=c, $identifier=cat(c$id$orig_h,c$id$resp_h,c$id$resp_p,cat(name,value)),
 # $suppress_for=3600sec,
 $msg=fmt("Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers"),
- $sub=fmt("uri='%s', payload_uri=%s, payload_stem=%s, payload_host=%s, payload_port=%s, method=%s, is_orig=%s, header name='%s', header value='%s' ", c$http$uri, payload$uri, payload$stem, payload$host, payload$port_, c$http$method, is_orig, name, value)]);
+ $sub=fmt("uri='%s', payload_uri=%s, payload_stem=%s, payload_host=%s, payload_port=%s, method=%s, is_orig=%s, header name='%s', header value='%s' ", http_uri, payload$uri, payload$stem, payload$host, payload$port_, http_method, is_orig, name, value)]);
 if ( log ) Log::write(LOG, info);
 }
 if ( matched_value ) {
 payload = parse_payload(value);
- info = Info($ts=network_time(), $uid=c$uid, $http_uri=c$http$uri, $uri=payload$uri, $stem=payload$stem, $target_host=payload$host, $target_port=payload$port_, $method=c$http$method, $is_orig=is_orig, $name=name, $value=value, $matched_name=matched_name, $matched_value=matched_value);
+ info = Info($ts=network_time(), $uid=c$uid, $http_uri=http_uri, $uri=payload$uri,
$stem=payload$stem, $target_host=payload$host, $target_port=payload$port_, $method=http_method, $is_orig=is_orig, $name=name, $value=value, $matched_name=matched_name, $matched_value=matched_value);
 NOTICE([$note=LOG4J_ATTEMPT_HEADER, $conn=c, $identifier=cat(c$id$orig_h,c$id$resp_h,c$id$resp_p,cat(name,value)),
 # $suppress_for=3600sec,
 $msg=fmt("Possible Log4j exploit CVE-2021-44228 exploit in header. Refer to sub field for sample of payload, original_URI and list of server headers"),
- $sub=fmt("uri='%s', payload_uri=%s, payload_stem=%s, payload_host=%s, payload_port=%s, method=%s, is_orig=%s, header name='%s', header value='%s' ", c$http$uri, payload$uri, payload$stem, payload$host, payload$port_, c$http$method, is_orig, name, value)]);
+ $sub=fmt("uri='%s', payload_uri=%s, payload_stem=%s, payload_host=%s, payload_port=%s, method=%s, is_orig=%s, header name='%s', header value='%s' ", http_uri, payload$uri, payload$stem, payload$host, payload$port_, http_method, is_orig, name, value)]);
 if ( log ) Log::write(LOG, info);
 }
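Review bot: The rewritten `info = Info(...)` line and the NOTICE that follows it are now duplicated verbatim between the `matched_name` and `matched_value` branches, differing only in which string is handed to `parse_payload`; when a header matches in both its name and its value the handler writes two log rows and raises two notices carrying the same `$identifier` (both use `cat(name,value)`), and with `$suppress_for` commented out whether the second notice is deduplicated depends on the framework's default suppression interval. Collecting the matched strings into a vector and running the body once per hit keeps the record construction single-sourced, so a later field change cannot drift between the two copies. `payload`, `info` and `log` are declared outside the hunk, and the enclosing `http_header` event starts before it.
```zeek
local hits: vector of string = vector();
if ( matched_name )
    hits[|hits|] = name;
if ( matched_value )
    hits[|hits|] = value;

for ( i in hits )
    {
    payload = parse_payload(hits[i]);
    info = Info($ts=network_time(), $uid=c$uid, $http_uri=http_uri, $uri=payload$uri, $stem=payload$stem, $target_host=payload$host, $target_port=payload$port_, $method=http_method, $is_orig=is_orig, $name=name, $value=value, $matched_name=matched_name, $matched_value=matched_value);
    # … unchanged: NOTICE([...]) with the same $note, $identifier, $msg and $sub …
    if ( log )
        Log::write(LOG, info);
    }
```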