This reply describes the steps taken in the SPL in the original post.ĭue to log4j’s use of regular expressions, it is near impossible to write a set of search strings, let alone a single search string, to detect all of these variations.
#Splunk log4j code
Appears that Splunk was assuming my code was an attack. There are screenshots below of some of the regex with explanations. I have had difficulty posting this for the past two days. Together, let's find, stop this vulnerability. Also, any new text signatures discovered other than those in Step 2. Please let me, and the rest of our Splunk community, know if there are any issues with this search. We have found events also substituting URL Encoded characters for jndi. | table _time, index, host, source, status, base64, dnsscan, exploit, nessus, interact, kryptos, exfilsite, secrettask, billdemirk, burpcollab, leakix, _raw, http_user_agent,
Note: A future search is being designed to find where URL Encoding repalces any/all of the letters within each JNDI protocol string.``` This "hopefully" will catch any/all possible variations used by attackers. These matches look for the first letter used for each protocol (j), followed by anything, then the next letter (n), etc. ```These are the known protocols where log4j attacks have been seen. | eval burpcollab=if(match(_raw,"mburpcollab"),"X","") | eval billdemirk=if(match(_raw,"billdemirkapi"),"X","") | eval secrettask=if(match(_raw,"secresponstaskfrce"),"X","") | eval kryptos=if(match(_raw,"kryptoslogic"),"X","") | eval interact=if(match(_raw,"interact") or match(_raw,"interactsh"),"X","") ```Flags/Indicators to match the different strings above.``` ```These 12 strings have been found in events with different variations of the log4j string.```ĪND ((Basic AND Base64) OR "/securityscan" OR "/callback" OR exploit OR "/nessus" OR (interact OR interactsh) OR kryptoslogic OR "" OR secresponstaskfrce OR billdemirkapi OR mburpcollab OR leakix) Therefore, these logs are excluded.```ĪND NOT source IN (/var/adm/messages, /var/adm/sulog, /var/adm/syslog*, /var/log/authlog, /var/log/messages, /var/log/secure, /var/log/syslog, /var/log/sudo.log, bandwidth, cpu, interfaces, iostat, netstat, openPorts, protocol, ps, top, vmstat, nfsiostat)
```No evidence (thus far) has been shown that these logs would contain log4j-type strings.
Therefore, we are only reporting those types of events.``` ```All sites discussing log4j examples containing at least one dollar sign. However, there is a good possibility of some false positives. We came up with this SPL, which has been very successful. As we know, trying to create an all-encompassing search for the log4j is a very difficult task because of the infinite number of possibilities for entering the letters jndi and any of the possible protocols ex.
0 kommentar(er)
