Mitigating log4j (CVE-2021-44228) with AFM Protocol Inspection Custom Signatures
The Log4j vulnerability has drawn a great deal of attention and I won't recap anything that other people have said better than I can. See https://www.f5.com/company/blog/protection-against-apache-log4j2-vulnerability and https://support.f5.com/csp/article/K59329043 for background.
UPDATE:
I recommend using these three signatures based on Regular Expressions/PCRE to detect attacks that use padding and different character encoding schemes to disguise the attack. The first signature is redundant and limited in its application, but very low in resource use. The second will catch exploit attempts that use a bewildering variety of alternate character encoding schemes, but is resource intensive. The third is a specialty signature that deems any payload containing "Base64" together with "$" and "{" (however encoded) to be suspect. This third signature is cheap to use.
Simple, low-impact signature that handles padding between significant characters but not character encoding. Limited capability compared with the next two signatures, but if it matches it saves the effort of attempting to match other signatures.
create log4j-pcre sig "content: \"$\"; content: \"{\"; distance: 1; pcre:\"/(\?i)\\$'\?\\{.*\?j.*\?n.*\?d.*\?i.*\?\\:/s\";" description "Apache Log4j attempt" service http documentation "https://www.f5.com/company/blog/protection-against-apache-log4j2-vulnerability" direction to-server references "CVE-2021-44228"
See the related article "Using Perl Compatible Regular Expressions (PCRE) in Protocol Inspection Custom Signatures" for a detailed breakdown.
Complex signature that checks for a variety of encoding types for each of the significant characters. WARNING: may cause a performance hit because we can't use a content check as a pre-filter.
create log4j2-encoded sig "pcre:\"/(\\$|(0\?44|([u0]00|x|(%|%25|[u0]00)78|%|[u0]0025|%25)24))/\"; pcre:\"/\\{|(0\?173|([u0]00|x|170|(%|045|%25|[u0]00)78|%|[u0]0025|%25)7b)/i\";distance: 1;pcre:\"/j|b|1[5140]2|([u0]00|x|170|([u0]00|%|045|%25|x)78)|%|045|(([u0]00|%|%25|x)25)[64][a2]/i\";distance: 1; pcre:\"/n|1[15]6|([u0]00|x|170|([u0]00|%|045|%25|x)78)|%|045|(([u0]00|%|%25|x)25)[46]e/i\";distance: 1; pcre:\"/d|1[04]4|([u0]00|x|170|([u0]00|%|045|%25|x)78)|%|045|(([u0]00|%|%25|x)25)[46]4/i\";distance: 1; pcre:\"/i|1[15]1|([u0]00|x|170|([u0]00|%|045|%25|x)78)|%|045|(([u0]00|%|%25|x)25)[46]9/i\";distance: 1;" description "Apache Log4j2 exploitation attempt encoded" service http attack-type attempted-admin documentation "https://www.f5.com/company/blog/protection-against-apache-log4j2-vulnerability" direction to-server references "CVE-2021-44228"
Simple and low-impact signature to check for attempts using Base64 encoding
create log4j2-base64 sig "content:\"Base64\";nocase; pcre:\"/(\\$|(0\?44|([u0]00|x|(%|%25|[u0]00)78|%|[u0]0025|%25)24))/\"; pcre:\"/\\{|(0\?173|([u0]00|x|170|(%|045|%25|[u0]00)78|%|[u0]0025|%25)7b)/i\";distance: 1;" description "Apache Log4j2 exploitation attempt encoded in Base64" service http attack-type attempted-admin documentation "https://www.f5.com/company/blog/protection-against-apache-log4j2-vulnerability" direction to-server references "CVE-2021-44228"
End of Update. The following signatures are obsolete due to the use of static content patterns.
I took some Snort signatures provided by the RSA SOC Prime team, and ported them (with permission) to AFM Protocol Inspection custom signatures. This is similar to an exercise I performed about a year ago in the wake of the FireEye breach (see https://devcentral.f5.com/s/articles/Converting-a-Snort-Rule-to-an-AFM-Protocol-Inspection-Custom-Signature).
Without belaboring the point, here are the signatures. IMPORTANT: these signatures make no attempt to defeat obfuscation attempts. They are simple string matches. To enable them, start a tmsh session and switch to the security > protocol-inspection > signature context. Then paste these 3-4 at a time, depending on the size of your paste buffer:
create ET_EXPLOIT_Apache_log4j_RCE_Attempt-http_ldap description "ET EXPLOIT Apache log4j RCE Attempt (http ldap)" sig "content:\"|24 7b|jndi|3a|ldap|3a 2f 2f|\";nocase;" id 2034647 protocol {tcp} reference-links "https://community.rsa.com/t5/netwitness-blog/apache-log4j-log4shell-background-and-detection-rules/ba-p/660546?attachment-id=32926" references "RSA SOC Prime Team authored these signatures. CVE-2021-44228" service http direction to-server attack-type attempted-admin documentation "https://www.f5.com/company/blog/protection-against-apache-log4j2-vulnerability https://lunasec.io/docs/blog/log4j-zero-day/ "
create ET_EXPLOIT_Apache_log4j_RCE_Attempt-http_rmi description "ET EXPLOIT Apache log4j RCE Attempt (http rmi)" sig "content:\"|24 7b|jndi|3a|rmi|3a 2f 2f|\"; nocase;" id 2034648 protocol {tcp} reference-links "https://community.rsa.com/t5/netwitness-blog/apache-log4j-log4shell-background-and-detection-rules/ba-p/660546?attachment-id=32926" references "RSA SOC Prime Team authored these signatures. CVE-2021-44228" service http direction to-server attack-type attempted-admin documentation "https://www.f5.com/company/blog/protection-against-apache-log4j2-vulnerability https://lunasec.io/docs/blog/log4j-zero-day/ "
create ET_EXPLOIT_Apache_log4j_RCE_Attempt-tcp_ldap description "ET EXPLOIT Apache log4j RCE Attempt (tcp ldap)" sig "content:\"|24 7b|jndi|3a|ldap|3a 2f 2f|\"; nocase;" id 2034649 protocol {tcp} reference-links "https://community.rsa.com/t5/netwitness-blog/apache-log4j-log4shell-background-and-detection-rules/ba-p/660546?attachment-id=32926" references "RSA SOC Prime Team authored these signatures. CVE-2021-44228" service http direction to-server attack-type attempted-admin documentation "https://www.f5.com/company/blog/protection-against-apache-log4j2-vulnerability https://lunasec.io/docs/blog/log4j-zero-day/ "
create ET_EXPLOIT_Apache_log4j_RCE_Attempt-tcp_rmi description "ET EXPLOIT Apache log4j RCE Attempt (tcp rmi)" sig "content:\"|24 7b|jndi|3a|rmi|3a 2f 2f|\"; nocase;" id 2034650 protocol {tcp} reference-links "https://community.rsa.com/t5/netwitness-blog/apache-log4j-log4shell-background-and-detection-rules/ba-p/660546?attachment-id=32926" references "RSA SOC Prime Team authored these signatures. CVE-2021-44228" service http direction to-server attack-type attempted-admin documentation "https://www.f5.com/company/blog/protection-against-apache-log4j2-vulnerability https://lunasec.io/docs/blog/log4j-zero-day/ "
create ET_EXPLOIT_Apache_log4j_RCE_Attempt-udp_ldap description "ET EXPLOIT Apache log4j RCE Attempt (udp ldap)" sig "content:\"|24 7b|jndi|3a|ldap|3a 2f 2f|\"; nocase;" id 2034651 protocol {udp} reference-links "https://community.rsa.com/t5/netwitness-blog/apache-log4j-log4shell-background-and-detection-rules/ba-p/660546?attachment-id=32926" references "RSA SOC Prime Team authored these signatures. CVE-2021-44228" service http direction to-server attack-type attempted-admin documentation "https://www.f5.com/company/blog/protection-against-apache-log4j2-vulnerability https://lunasec.io/docs/blog/log4j-zero-day/ "
create ET_EXPLOIT_Apache_log4j_RCE_Attempt-udp_rmi description "ET EXPLOIT Apache log4j RCE Attempt (udp rmi)" sig "content:\"|24 7b|jndi|3a|rmi|3a 2f 2f|\"; nocase;" id 2034652 protocol {udp} reference-links "https://community.rsa.com/t5/netwitness-blog/apache-log4j-log4shell-background-and-detection-rules/ba-p/660546?attachment-id=32926" references "RSA SOC Prime Team authored these signatures. CVE-2021-44228" service http direction to-server attack-type attempted-admin documentation "https://www.f5.com/company/blog/protection-against-apache-log4j2-vulnerability https://lunasec.io/docs/blog/log4j-zero-day/ "
create ET_EXPLOIT_Apache_log4j_RCE_Attempt-udp_dns description "ET EXPLOIT Apache log4j RCE Attempt (udp dns)" sig "content:\"|24 7b|jndi|3a|dns|3a 2f 2f|\"; nocase;" id 2034662 protocol {udp} reference-links "https://community.rsa.com/t5/netwitness-blog/apache-log4j-log4shell-background-and-detection-rules/ba-p/660546?attachment-id=32926" references "RSA SOC Prime Team authored these signatures. CVE-2021-44228" service http direction to-server attack-type attempted-admin documentation "https://www.f5.com/company/blog/protection-against-apache-log4j2-vulnerability https://lunasec.io/docs/blog/log4j-zero-day/ "
create ET_EXPLOIT_Apache_log4j_RCE_Attempt-tcp_dns description "ET EXPLOIT Apache log4j RCE Attempt (tcp dns)" sig "content:\"|24 7b|jndi|3a|dns|3a 2f 2f|\"; nocase;" id 2034660 protocol {tcp} reference-links "https://community.rsa.com/t5/netwitness-blog/apache-log4j-log4shell-background-and-detection-rules/ba-p/660546?attachment-id=32926" references "RSA SOC Prime Team authored these signatures. CVE-2021-44228" service http direction to-server attack-type attempted-admin documentation "https://www.f5.com/company/blog/protection-against-apache-log4j2-vulnerability https://lunasec.io/docs/blog/log4j-zero-day/ "
create ET_EXPLOIT_Apache_log4j_RCE_Attempt-http_dns description "ET EXPLOIT Apache log4j RCE Attempt (http dns)" sig "content:\"|24 7b|jndi|3a|dns|3a 2f 2f|\"; nocase;" id 2034657 protocol {tcp} reference-links "https://community.rsa.com/t5/netwitness-blog/apache-log4j-log4shell-background-and-detection-rules/ba-p/660546?attachment-id=32926" references "RSA SOC Prime Team authored these signatures. CVE-2021-44228" service http direction to-server attack-type attempted-admin documentation "https://www.f5.com/company/blog/protection-against-apache-log4j2-vulnerability https://lunasec.io/docs/blog/log4j-zero-day/ "
create ET_EXPLOIT_Apache_log4j_RCE_Attempt-udp_ldaps description "ET EXPLOIT Apache log4j RCE Attempt (udp ldaps)" sig "content:\"|24 7b|jndi|3a|ldaps|3a 2f 2f|\"; nocase;" id 2034672 protocol {udp} reference-links "https://community.rsa.com/t5/netwitness-blog/apache-log4j-log4shell-background-and-detection-rules/ba-p/660546?attachment-id=32926" references "RSA SOC Prime Team authored these signatures. CVE-2021-44228" service http direction to-server attack-type attempted-admin documentation "https://www.f5.com/company/blog/protection-against-apache-log4j2-vulnerability https://lunasec.io/docs/blog/log4j-zero-day/ "
create ET_EXPLOIT_Apache_log4j_RCE_Attempt-tcp_ldaps description "ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps)" sig "content:\"|24 7b|jndi|3a|ldaps|3a 2f 2f|\"; nocase;" id 2034670 protocol {tcp} reference-links "https://community.rsa.com/t5/netwitness-blog/apache-log4j-log4shell-background-and-detection-rules/ba-p/660546?attachment-id=32926" references "RSA SOC Prime Team authored these signatures. CVE-2021-44228" service http direction to-server attack-type attempted-admin documentation "https://www.f5.com/company/blog/protection-against-apache-log4j2-vulnerability https://lunasec.io/docs/blog/log4j-zero-day/ "
create ET_EXPLOIT_Apache_log4j_RCE_Attempt-http_ldaps description "ET EXPLOIT Apache log4j RCE Attempt (http ldaps)" sig "content:\"|24 7b|jndi|3a|ldaps|3a 2f 2f|\"; nocase;" id 2034667 protocol {tcp} reference-links "https://community.rsa.com/t5/netwitness-blog/apache-log4j-log4shell-background-and-detection-rules/ba-p/660546?attachment-id=32926" references "RSA SOC Prime Team authored these signatures. CVE-2021-44228" service http direction to-server attack-type attempted-admin documentation "https://www.f5.com/company/blog/protection-against-apache-log4j2-vulnerability https://lunasec.io/docs/blog/log4j-zero-day/ "
My thanks to RSA for providing these signatures.
- Brandon_Employee
Great timely article James. It should be noted that the protocol inspection signatures have been updated for those who have the subscription.
It is great! Thanks James 🙂