Log4j Scanner detected in user agent or referrer

Classification:

attack

Tactic:

TA0043-reconnaissance

Technique:

T1595-active-scanning

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

This rule detects if your Apache or NGINX web servers are being scanned for the log4j vulnerability. The initial vulnerability was identified as CVE-2021-44228.

Strategy

This signal evaluated that jndi:(ldap OR rmi OR dns) has been detected in the HTTP header fields user agent and referrer or referer.

Triage and response

  1. Ensure you servers have the most recent version of log4j installed.
  2. Check if the Base64 was detected in an http.user_agent or http.referrer rule was also triggered and follow the Triage and response steps in that rule.

Note: Datadog’s The Monitor blog has an article published about “The Log4j Logshell vulnerability: Overview, detection, and remediation”.

PREVIEWING: aliciascott/DOCS-9725-Cloudcraft