ET EXPLOIT Possible Apache log4j RCE Attempt - HTTP URI Obfuscation (CVE-2021-44228) (Inbound) - Suricata Rule 2037046 (et/open)

ET EXPLOIT Possible Apache log4j RCE Attempt - HTTP URI Obfuscation (CVE-2021-44228) (Inbound)

SID: 2037046Rev: 19 viewsHistory

Sourceet/open

CreatedJune 21, 2022

UpdatedJune 21, 2022

Classificationattempted-admin

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - HTTP URI Obfuscation (CVE-2021-44228) (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|28 27 24 7b 24 7b|env|3a|"; depth:30; fast_pattern; content:"|3a 2d|j|7d|ndi|24 7b|env|3a|"; distance:0; content:"|2f|TomcatBypass|2f|Command|2f|Base64|2f|"; distance:0; reference:url,isc.sans.edu/diary/rss/28246; reference:cve,2021-44228; classtype:attempted-admin; sid:2037046; rev:1; metadata:affected_product HTTP_Server, attack_target Server, created_at 2022_06_21, cve CVE_2021_44228, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_06_21;)

References

url	isc.sans.edu/diary/rss/28246
cve	2021-44228

Metadata

affected productHTTP_Server

attack targetServer

created at2022_06_21

cveCVE-2021-44228

deploymentPerimeter

confidenceMedium

signature severityMajor

tagDescription_Generated_By_Proofpoint_Nexus

updated at2022_06_21

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!