log4j vulnerability detection

[fwRookie]

It is possible to detect and block the log4j hacking attempts with the OPNSense firewall (or other parts) rules?
I know other firewalls already have rules available to detect and block possible attempts, like https://cloud.google.com/blog/products/identity-security/cloud-armor-waf-rule-to-help-address-apache-log4j-vulnerability

[Space]

Hi, I am not sure if this will help at all ... google states:

The Cloud Armor WAF rules use a variety of techniques to detect attempted obfuscations and bypasses within attempted exploits of CVE-2021-44228.

But there are probably just way to many ways to obfuscate that simple string ... good enough to catch the script kiddies.

Best regards,

    Space

[fwRookie]

https://rules.emergingthreatspro.com/open/suricata-5.0/
Suricata seems to have updated their rules set to detect this.

[XeroX]

Snort Rules in server-web and server-other detect Log4j aswell. As long as traffic is not end to end encrypted.

https://www.snort.org/advisories/talos-rules-2021-12-11

[Julien]

Snort Rules in server-web and server-other detect Log4j aswell. As long as traffic is not end to end encrypted.

https://www.snort.org/advisories/talos-rules-2021-12-11

are you using Snort on Opns? i am having issues with Suricata.

[fabian]

nginx has naxsi which may be used for blocking as well.

[XeroX]

Snort Rules in server-web and server-other detect Log4j aswell. As long as traffic is not end to end encrypted.

https://www.snort.org/advisories/talos-rules-2021-12-11

are you using Snort on Opns? i am having issues with Suricata.

No I'm using suricata with additional Snort Rules. Use 29190. Don't use 3.x rules.

[dennis_u]

It is possible to detect and block the log4j hacking attempts with the OPNSense firewall (or other parts) rules?

Yes, it does. It even blocks my internal researches about the vulnerability (e.g. internal requests based und CSRF). Update your ET rules and test it.

But a more general question from my side: our OPNsense even blocks the "IPS blocks Log4Shell" logs to our SIEM, since they match the Log4shell patterns:

Code: [Select]

[Drop] [1:2034672:1] ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M1 (CVE-2021-44228) [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 10.10.x.1:51488 -> 10.10.x.69:516
The interface 10.10.x.1 points to valuable IT assets and I do not want to disable IPS here. Can I whitelist the OPNsense from IPS?

[koushun]

What dennis_u said!  Having the same issue.

[Julien]

Snort Rules in server-web and server-other detect Log4j aswell. As long as traffic is not end to end encrypted.

https://www.snort.org/advisories/talos-rules-2021-12-11

are you using Snort on Opns? i am having issues with Suricata.

3.x rules what are those?

Thank you

No I'm using suricata with additional Snort Rules. Use 29190. Don't use 3.x rules.