
1) Updated the PayloadParts to have host as addr and port_ as port instead of string.

Open initconf opened this issue 3 years ago • 6 comments

This will be useful for callback detections!

  1. Updated the parse_payload function to account for DNS name in the callback URL.

e.g. jndi:ldap://baddomain.xyz:1289/exploit

This will be useful for callback detection preparation.

initconf avatar Dec 21 '21 21:12 initconf

I am going to submit next round of changes which will then allow for watching the callbacks as well as acting on callback IPs!

I checked; your tests run fine except for log4j.notice, but I think it's a minor mismatch on notice.log (because host and port changed types).

initconf avatar Dec 21 '21 21:12 initconf

Cool stuff, thanks for the PR! Let me know when it's ready, but I'll make some comments on things I'd like to see changed before a merge.

ynadji avatar Dec 21 '21 23:12 ynadji

OK I think I have more commits in place for you!

initconf avatar Dec 21 '21 23:12 initconf

OK try now!

I also really want to move your notices out of event HTTP::http_header - since matched(name) and matched(value) essentially have the same code snippet in them.

I can do it a simpler way without losing IR content of the notice but losing some info such as is_orig etc., or I can do it the complicated way, but that would be suboptimal - I am still thinking about that one, so I'm not pushing any changes for it yet!

Meanwhile, I'll try to make sure your tests run (you may need to update the baseline for two tests):

[ 33%] log4j.ignore-target ... failed
[ 66%] log4j.notice ... failed

These fail only because the baseline might need updates.

Do let me know about other commits!

initconf avatar Dec 22 '21 03:12 initconf

Howdy @initconf I'm back from vacation so I can get back to this. I wanted to add some additional tests first to ensure we don't inadvertently break things. Now that that PR is up, I'll do my best to get this merged this week. Thanks again for the contribution!

ynadji avatar Jan 10 '22 22:01 ynadji

Hello ynadji: No worries and no hurry! The scare of log4j has somewhat passed per se! I apologize that I made a whole lot of changes, but primarily they boil down to a few fundamental things - primarily host and port as addr and port types, so that we can build a bunch of secondary heuristics on top of that.

initconf avatar Jan 12 '22 17:01 initconf