Rule History

alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - HTTP URI Obfuscation (CVE-2021-44228) (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|28 27 24 7b 24 7b|env|3a|"; depth:25; fast_pattern; content:"|3a 2d|j|7d|ndi|24 7b|env|3a|"; distance:0; content:"|2f|TomcatBypass|2f|Command|2f|Base64|2f|"; distance:0; reference:url,isc.sans.edu/diary/rss/28246; reference:cve,2021-44228; classtype:attempted-admin; sid:2037047; rev:1; metadata:affected_product HTTP_Server, attack_target Server, created_at 2022_06_21, cve CVE_2021_44228, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_06_21;)