""ET EXPLOIT Possible Apache log4j RCE Attempt - HTTP URI Obfuscation (CVE-2021-44228) (Outbound)""
SID: 2037047
Revision: 1
Class Type: attempted-admin
Metadata: affected_product HTTP_Server, attack_target Server, created_at 2022_06_21, cve CVE_2021_44228, deployment Perimeter, signature_severity Major, updated_at 2022_06_21
Reference:
-
cve
-
2021-44228
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: any
Destination Port: any
Flow: established,to_server
Contents:
-
Value: "GET|20 2f|" Depth: 5
-
Value: "|28 27 24 7b 24 7b|env|3a|"
-
Value: "|3a 2d|j|7d|ndi|24 7b|env|3a|"
-
Value: "|2f|TomcatBypass|2f|Command|2f|Base64|2f|"
Within:
PCRE:
Special Options:
- fast_pattern