We recently discussed some methods for detecting the Log4j exploit, and we’ve now developed another method that everyone running Zeek® or a Corelight sensor can use. Our new approach is based on the rarity of legitimate downloads of Java via LDAP. Zeek does not currently have a native LDAP protocol analyzer (though one is available if you are running Spicy). That does not stop you from detecting this exploit’s Java download over LDAP, though. To see how, read on.
First, you can see what we are going to detect if you open the following PCAP in Wireshark:
Wireshark decodes the LDAP search response as Java! You can also see “javaClassName” in the bytes. But you may still be asking how we can detect this without a Zeek LDAP protocol analyzer. We will do it with Zeek’s signature framework, which lets us search the raw bytes of a valid LDAP connection for phrases such as “javaClassName”:
Once a signature matches, we fire a notice for it:
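As an added illustration of the two pieces described above (a signature on the raw bytes plus a notice raised on a match), here is a minimal Zeek signature and script pair; it is example code written for this article, not Corelight’s own signature. The file names, the signature id `log4j_ldap_java_class`, and the notice type `Java_Over_LDAP` are assumptions.

```zeek
# --- log4j-ldap.sig (hypothetical file name) ---
# Matches a server-to-client TCP payload that looks like a BER-encoded
# LDAPMessage (every LDAPMessage is a SEQUENCE, tag 0x30) and carries the
# "javaClassName" attribute used when a Java object is returned over LDAP.
# No port condition: the LDAP server in a Log4j attack is attacker-run and
# can listen on any port, so pinning 389 would miss it.
signature log4j_ldap_java_class {
    ip-proto == tcp
    tcp-state established,responder
    # Zeek signature regexes are anchored at the start of the stream,
    # hence the leading "\x30" and the ".*" before the attribute name.
    payload /\x30.*javaClassName/
    event "Log4j: javaClassName attribute returned over LDAP"
}

# --- log4j-ldap.zeek (hypothetical file name) ---
@load base/frameworks/notice
@load base/frameworks/signatures
@load-sigs ./log4j-ldap.sig

module Log4jLDAP;

export {
    redef enum Notice::Type += {
        ## A Java class was served to a client over LDAP.
        Java_Over_LDAP,
    };
}

# The signature framework raises signature_match for every hit; the
# default Signatures action also records the hit in signatures.log.
event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id != "log4j_ldap_java_class" )
        return;

    NOTICE([$note=Java_Over_LDAP,
            $conn=state$conn,
            $msg=msg,
            $sub=fmt("matched bytes: %s", data),
            # Suppress repeat notices for the same client/server pair.
            $identifier=cat(state$conn$id$orig_h, state$conn$id$resp_h)]);
    }
```

Run it against a capture with `zeek -r <pcap> log4j-ldap.zeek` and look for `Log4jLDAP::Java_Over_LDAP` in notice.log; the 0x30 check is only a weak sanity test that the responder stream is LDAP-shaped, not a full LDAP parse.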
An example log for the PCAP introduced previously looks like this: