As we know, trying to create an all-encompassing search for the log4j is a very difficult task because of the infinite number of possibilities for entering the letters jndi and any of the possible protocols ex.

We came up with this SPL, which has been very successful. However, there is a good possibility of some false positives.

```All sites discussing log4j examples containing at least one dollar sign. Therefore, we are only reporting those types of events.```
```No evidence (thus far) has been shown that these logs would contain log4j-type strings. Therefore, these logs are excluded.```
AND NOT source IN (/var/adm/messages, /var/adm/sulog, /var/adm/syslog*, /var/log/authlog, /var/log/messages, /var/log/secure, /var/log/syslog, /var/log/sudo.log, bandwidth, cpu, interfaces, iostat, netstat, openPorts, protocol, ps, top, vmstat, nfsiostat)
```These 12 strings have been found in events with different variations of the log4j string.```
AND ((Basic AND Base64) OR "/securityscan" OR "/callback" OR exploit OR "/nessus" OR (interact OR interactsh) OR kryptoslogic OR "" OR secresponstaskfrce OR billdemirkapi OR mburpcollab OR leakix)
```Flags/Indicators to match the different strings above.```
| eval interact=if(match(_raw,"interact") or match(_raw,"interactsh"),"X","")
| eval kryptos=if(match(_raw,"kryptoslogic"),"X","")
| eval secrettask=if(match(_raw,"secresponstaskfrce"),"X","")
| eval billdemirk=if(match(_raw,"billdemirkapi"),"X","")
| eval burpcollab=if(match(_raw,"mburpcollab"),"X","")
```These are the known protocols where log4j attacks have been seen. These matches look for the first letter used for each protocol (j), followed by anything, then the next letter (n), etc. This "hopefully" will catch any/all possible variations used by attackers.```
| table _time, index, host, source, status, base64, dnsscan, exploit, nessus, interact, kryptos, exfilsite, secrettask, billdemirk, burpcollab, leakix, _raw, http_user_agent

Note: A future search is being designed to find where URL Encoding replaces any/all of the letters within each JNDI protocol string.

This reply describes the steps taken in the SPL in the original post. Due to log4j's use of regular expressions, it is near impossible to write a set of search strings, let alone a single search string, to detect all of these variations. However, we have designed a search that looks for the presence of a $ in ingested logs, as, in our analysis, at least one unencrypted dollar sign must appear in each log event where the JNDI is being called/used.

Next, we kept events containing only these 12 identified "text signatures" from the Team's analysis.

Using the same logic and analysis from Step 2, we removed events for sourcetype=syslog. As a separate search on just these logs, no log4j patterns were discovered. We filtered out events from these logs because it has been determined that these logs do not capture events pertaining to log4j activity.

The current final filtering step searches raw events that use one or more of the protocol signatures shared on the Internet. After the first $ an attacker may attempt to obfuscate one or more of the several protocols used by JNDI to grant lookups. Splunk performs a match against each JNDI protocol one letter at a time, with any number of other characters in between each protocol letter. We have found events also substituting URL-encoded characters for jndi.

There are screenshots below of some of the regex with explanations. I have had difficulty posting this for the past two days. It appears that Splunk was assuming my code was an attack.

Please let me, and the rest of our Splunk community, know if there are any issues with this search. Also, any new text signatures discovered other than those in Step 2. This would be any proprietary or other business or industry-specific based search commands. Together, let's find and stop this vulnerability.

This security advisory specifically pertains to Apps/Add-ons (i.e. Please note that archived apps on Splunkbase are not supported, and as such do not receive updates.