This page contains an overview of any detection software regarding the Log4j vulnerability. On this page NCSC-NL will maintain a list of all known rules to detect Log4j presence or (suspected) Exploitation. Futhermore any references will contain specific information regarding detection.
NCSC-NL has not verified the rules and detection software listed below and therefore cannot guarantee the validity of said rules. However NCSC-NL strives to provide rules and detection software from reliable sources.
\${(\${(.*?:|.*?:.*?:-)('|"|`)*(?1)}*|[jndi:lapsrm]('|"|`)*}*){9,11}
- Please note that due to nested resolution of
${...}and multiple available obfuscation methods, this regular expression may not detect all forms of exploitation. It is impossible to write exhaustive regular expression. - This regular expression only works on URL-decoded logs. URL encoding is a popular second layer of obfuscation currently in use by attackers.
- This regular expression searches for the original strings supplied by the attacker. These only remain in their original, unresolved form in the logs of non-vulnerable applications, such as WAF or reverse proxy with ability to log before the vulnerable code is executed. They are not present in the logs of a vulnerable application.
This detection regex would not have matches in a log of vulnerable application, because only the result of ${...} resolution is stored instead of the original pattern. Presence of any of these signatures is a strong sign of successful exploitation in these applications:
com.sun.jndi.
com.sun.jndi.dns.DnsContext
com.sun.jndi.ldap.LdapCtx
Error looking up JNDI resource
| Source | Notes | Links |
|---|---|---|
| NCC Group / Fox-IT | Log4Shell: Reconnaissance and post exploitation network detection | source |
Snort and Suricata rules:
| Note | Rule-range | Rule |
|---|---|---|
| These are ET Open free community detections to alert on current exploit activity. | SID range 2034647-2034652. | source |
| Web-server | Source | Notes | Links |
|---|---|---|---|
| Nginx | Infiniroot | Block requests with known patterns in URI and headers using LUA | Github |
| Source | Notes | Links |
|---|---|---|
| Neo23x0 | Florian Roth Grep and YARA rule for log4j2 exploitation | https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b |
| Neo23x0 | Florian Roth Detects exploitation attempt against log4j RCE vulnerability fields (Sigma rule) | https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_44228_log4j_fields.yml |
| Neo23x0 | Florian Roth Detects exploitation attempt against log4j RCE vulnerability (Sigma rule) | https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_44228_log4j.yml |
| Neo23x0 | Florian Roth Fenrir Simple IOC scanner bash script | https://github.com/Neo23x0/Fenrir |