CONTACT US
forrester wave report 2023

Forrester rates Corelight a strong performer

GET THE REPORT

ad-nav-crowdstrike

Corelight now powers CrowdStrike solutions and services

READ MORE

ad-images-nav_0013_IDS

Alerts, meet evidence.

LEARN MORE ABOUT OUR IDS SOLUTION

ad-images-nav_white-paper

5 Ways Corelight Data Helps Investigators Win

READ WHITE PAPER

glossary-icon

10 Considerations for Implementing an XDR Strategy

READ NOW

ad-images-nav_0006_Blog

Don't trust. Verify with evidence

READ BLOG

ad-nav-NDR-for-dummies

NDR for Dummies

GET THE WHITE PAPER

video

The Power of Open-Source Tools for Network Detection and Response

WATCH THE WEBCAST

ad-nav-ESG

The Evolving Role of NDR

DOWNLOAD THE REPORT

ad-images-nav_0006_Blog

Detecting 5 Current APTs without heavy lifting

READ BLOG

g2-medal-best-support-ndr-winter-2024

Network Detection and Response

SUPPORT OVERVIEW

 

Detecting Log4j via Zeek & LDAP traffic

We recently discussed some methods for detecting the Log4j exploit, and we’ve now developed another method that everyone running Zeek® or a Corelight sensor can use. Our new approach is based on the rarity of legitimate downloads of Java via LDAP. Zeek does not currently have a native LDAP protocol analyzer (though one is available if you are running Spicy). This will not stop you from detecting this exploit downloading Java over LDAP, though. To see how, read on.

First, you can see what we are going to detect if you open the following PCAP in Wireshark:

https://github.com/cyberxml/log4j-poc/blob/main/data/log4j-webapp.pcap

wireshark

Wireshark decodes the LDAP search response as Java!  You can also see “javaClassName” in the bytes.  But you may still be asking how we can detect this without a Zeek LDAP protocol analyzer?  We will do it with Zeek’s signature framework.  With the signature framework, we are able to search the raw bytes for phrases like “javaClassName” inside a valid LDAP connection signature:

sigs

Once the signatures are detected, we will fire a notice for them:

signature-detection-notice

An example log for the PCAP introduced previously looks like this:

https://github.com/corelight/cve-2021-44228/blob/master/testing/Baseline/log4j.ldap_java/notice.log

Note that the malicious payload shows up in the sub field of the notice.log, making some instances of incident response triage quick work:

notice-payload

For Suricata users, or those running Corelight sensors with Suricata, the same detection method can be achieved with this pair of Suricata signatures:

alert tcp $HOME_NET any -> any any (msg:"CORELIGHT LDAP Bind Request"; flow:established,to_server; content:"|30 0c 02 01 01 60|"; depth:6; flowbits:set,ldap.bind; flowbits:noalert; classtype:protocol-command-decode; metadata:created_at 2021_12_16, updated_at 2021_12_16; sid:3000015; rev:1;)

alert tcp any any -> $HOME_NET any (msg:"CORELIGHT Java class download over LDAP (CVE-2021-44228)"; flow:established,to_client; flowbits:isset,ldap.bind; content:"javaClassName"; nocase; reference:cve,2021-44228; metadata:created_at 2021_12_16, updated_at 2021_12_16; classtype:attempted-admin; sid:3000016; rev:1;)

If you have suggestions for additional detection methods, or see false positives, please file an issue here with your ideas.

 

By Corelight Labs Team

Recent Posts