
Commit 265a582

committed
Add blocking of traffic caused by snort rule 58741
1 parent 4a9e496 commit 265a582


2 files changed

+6
-0
lines changed


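--- a/logsearch-jobs.yml
+++ b/logsearch-jobs.yml
@@ -41,6 +41,9 @@ instance_groups:
 - 'suppress gen_id 1, sig_id 57907, track by_src, ip 127.0.0.1'
 - 'suppress gen_id 1, sig_id 26275, track by_src, ip 127.0.0.1'
 - 'suppress gen_id 1, sig_id 41495, track by_src, ip 127.0.0.1'
+- 'suppress gen_id 1, sig_id 58741'
+- 'drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; content:"${"; fast_pattern:only; http_client_body; pcre:"/\x24\x7b.{0,200}(%(25)?24|\x24)(%(25)?7b|\x7b).{0,200}(%(25)?3a|\x3a)(%(25)?(27|2d|5c|22)|[\x27\x2d\x5c\x22])*([jndi\x7d\x3a\x2d]|(%(25)?(7d|3a|2d))|(%(25)?5c|\x5c)u00[a-f0-9]{2}){1,4}(%(25)?(22|27)|[\x22\x27])?(%(25)?(3a|7d)|[\x3a\x7djndi])/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58741000; rev:6;)'
+
 persistent_disk_type: logsearch_es_master
 stemcell: default
 azs: [z1]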
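Review bot: The new `drop` rule only blocks anything when Snort is deployed inline, and the `suppress gen_id 1, sig_id 58741` entry added just above it carries no `track`/`ip` qualifier, so it silences the stock 58741 alert for every source; if this deployment runs in passive mode the pair removes visibility of the traffic instead of adding blocking, and the manifest gives no indication which mode is in use. The copied rule is pinned at `rev:6` under the renamed `sid:58741000` and inspects only `http_client_body`, so it will not follow upstream revisions of 58741; a comment such as `# local drop copy of community sid 58741 rev 6; re-sync when the upstream rule changes` above the line would tell the next maintainer why both entries exist. The identical two lines are repeated in logsearch-platform-jobs.yml (the second file section), so a shared YAML anchor or ops-file would keep the two manifests from drifting. The enclosing `instance_groups` list starts and ends outside the hunk.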

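--- a/logsearch-platform-jobs.yml
+++ b/logsearch-platform-jobs.yml
@@ -39,6 +39,9 @@ instance_groups:
 - 'suppress gen_id 1, sig_id 57907, track by_src, ip 127.0.0.1'
 - 'suppress gen_id 1, sig_id 26275, track by_src, ip 127.0.0.1'
 - 'suppress gen_id 1, sig_id 41495, track by_src, ip 127.0.0.1'
+- 'suppress gen_id 1, sig_id 58741'
+- 'drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; content:"${"; fast_pattern:only; http_client_body; pcre:"/\x24\x7b.{0,200}(%(25)?24|\x24)(%(25)?7b|\x7b).{0,200}(%(25)?3a|\x3a)(%(25)?(27|2d|5c|22)|[\x27\x2d\x5c\x22])*([jndi\x7d\x3a\x2d]|(%(25)?(7d|3a|2d))|(%(25)?5c|\x5c)u00[a-f0-9]{2}){1,4}(%(25)?(22|27)|[\x22\x27])?(%(25)?(3a|7d)|[\x3a\x7djndi])/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58741000; rev:6;)'
+
 vm_type: logsearch_es_master
 persistent_disk_type: logsearch_es_master
 stemcell: default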
