Rule History

alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http) (Outbound) (CVE-2021-44228)"; flow:established,to_server; http.uri; content:"|2f 24 7b 24 7b|"; startswith; fast_pattern; content:"|3a 2d|j|7d 24 7b|"; content:"|3a 2d|n|7d 24 7b|"; content:"|3a 2d|d|7d 24 7b|"; content:"|3a 2d|i|7d 24 7b|"; content:"|3a 2d 3a 7d 24 7b|"; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2045125; rev:1; metadata:attack_target Server, created_at 2023_04_21, cve CVE_2021_44228, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_21;)