Advanced Suricata signature modifications for Log4shell


Mark Durrett

Dec 22, 2021, 12:21:01 PM12/22/21
to se...@googlegroups.com

SELKS Community:

I am writing to bring your attention to a new blog article posted today by Stamus Networks co-founder and Suricata guru, Éric Leblond.

tl;dr

In the article, Éric outlines an advanced Suricata signature technique that can dramatically simplify the evidence collection for a particularly complex attack mechanism used by Log4shell scanners.

You can read the article here >> https://www.stamus-networks.com/blog/suricata-to-the-log4j-rescue

Note: while this article focuses on the benefit to Suricata users, this also applies to users of SELKS as well as Stamus ND and Stamus NDR, which are built using the underlying Suricata engine.

More details:

While today's Suricata signatures do a great job of detecting attempts to exploit the recently discovered Log4j vulnerability, they do not expose the IP addresses of the remote code execution (RCE) servers used in successful attacks. This is due to the complex attack mechanisms used.

The good news is there is an elegant solution to this which takes advantage of the network flow and protocol transaction data generated by the Suricata engine.

In order to share this immediately, we have re-written several of the ET signatures in a way that includes the IP address of any RCE servers that have been used in successful attacks in the alert. Armed with this information, users can then review any and all communications with these RCE servers, and more quickly begin remediation.

A link to the rules is included in the blog article.

Regards

Team Stamus

D Mark Durrett, CMO

+1 (919) 345-9515

Stamus-Networks.com
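The message above explains the gap the rewritten signatures close: the exploit-attempt alert fires on the inbound request to the victim, while the RCE server only shows up in the victim's own follow-up outbound connection, so the two never appear in one alert record. The script below is an added illustration of that same correlation done outside the Suricata rule language, as post-processing of eve.json; it is not the signature set from the Stamus blog post and not Stamus or Suricata project code. It assumes standard eve.json `alert` and `flow` records, a HOME_NET of 10.0.0.0/8, and that the exploit-attempt signature name contains "log4j" or "log4shell". All log lines are constructed sample data.

```python
"""Correlate Suricata eve.json Log4j exploit-attempt alerts with the victim's
outbound connections shortly afterwards to surface candidate RCE servers.

Added example for this thread, not the Stamus rule modifications. The eve.json
lines below are constructed, not captured traffic. Assumptions: eve.json alert
and flow records with the usual src_ip/dest_ip/dest_port/timestamp fields, a
HOME_NET of 10.0.0.0/8, and an alert signature name mentioning log4j.
"""
import ipaddress
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-in for Suricata's HOME_NET (assumption for this example).
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]
LOG4J_SIG = re.compile(r"log4j|log4shell", re.IGNORECASE)

# Constructed sample: inbound exploit attempt against web server 10.0.0.5, then
# the web server's own outbound connections (JNDI callback on 1389, class fetch on
# 8000), an unrelated TLS flow three minutes later, and a flow from another host.
SAMPLE_EVE = """\
{"timestamp":"2021-12-22T12:00:00.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":40112,"dest_ip":"10.0.0.5","dest_port":8080,"proto":"TCP","alert":{"signature":"Constructed sample: Log4j JNDI exploit attempt","severity":1}}
{"timestamp":"2021-12-22T12:05:30.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51822,"dest_ip":"203.0.113.9","dest_port":1389,"proto":"TCP","flow":{"start":"2021-12-22T12:00:00.350000+0000"}}
{"timestamp":"2021-12-22T12:05:31.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51823,"dest_ip":"203.0.113.9","dest_port":8000,"proto":"TCP","flow":{"start":"2021-12-22T12:00:01.200000+0000"}}
{"timestamp":"2021-12-22T12:08:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51900,"dest_ip":"192.0.2.44","dest_port":443,"proto":"TCP","flow":{"start":"2021-12-22T12:03:00.000000+0000"}}
{"timestamp":"2021-12-22T12:15:00.000000+0000","event_type":"flow","src_ip":"10.0.0.9","src_port":40000,"dest_ip":"203.0.113.9","dest_port":1389,"proto":"TCP","flow":{"start":"2021-12-22T12:10:00.000000+0000"}}
"""


def parse_ts(ts):
    """Parse a Suricata eve timestamp such as 2021-12-22T12:00:00.000000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def is_internal(ip):
    """True if the address falls inside our HOME_NET ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def load_events(text):
    """Parse newline-delimited eve.json records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flow_start(flow_event):
    """Flow records are written at flow end; use flow.start when present."""
    start = flow_event.get("flow", {}).get("start")
    return parse_ts(start or flow_event["timestamp"])


def find_rce_servers(events, window_seconds=120):
    """Return {victim_ip: sorted [(server_ip, server_port), ...]}.

    A victim is the dest_ip of a Log4j exploit-attempt alert. Any flow the
    victim opens to a non-HOME_NET address within window_seconds after the
    alert is a candidate RCE server (JNDI callback or payload download).
    """
    alerts = [e for e in events if e.get("event_type") == "alert"
              and LOG4J_SIG.search(e.get("alert", {}).get("signature", ""))]
    flows = [e for e in events if e.get("event_type") == "flow"]
    candidates = defaultdict(set)
    for alert in alerts:
        victim = alert["dest_ip"]
        t0 = parse_ts(alert["timestamp"])
        t1 = t0 + timedelta(seconds=window_seconds)
        for flow in flows:
            if flow["src_ip"] != victim or is_internal(flow["dest_ip"]):
                continue
            if t0 <= flow_start(flow) <= t1:
                candidates[victim].add((flow["dest_ip"], flow["dest_port"]))
    return {victim: sorted(servers) for victim, servers in candidates.items()}


def summarize(text, window_seconds=120):
    """Convenience wrapper: eve.json text in, victim -> candidate servers out."""
    return find_rce_servers(load_events(text), window_seconds)


if __name__ == "__main__":
    for victim, servers in summarize(SAMPLE_EVE).items():
        print(f"{victim} connected out after a Log4j exploit attempt:")
        for ip, port in servers:
            print(f"  candidate RCE server {ip}:{port}")
```

The window is deliberately short: a successful JNDI lookup triggers the callback within the request's own processing time, so a couple of minutes catches the LDAP fetch and the class download while keeping ordinary outbound traffic out of the candidate list. Widening it pulls in unrelated flows, as the 192.0.2.44 record shows when the window is raised to 300 seconds.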
