Log4Shell Pattern Match?
eric.burke
Newbie
Anyone have a solid instruction for doing this via a match rule? Can't seem to get the syntax right. See the Palo Alto example in this linked article. Does anyone know if SW has added their own protection yet?
Category: Firewall Security Services
0
Best Answer
Nat Newbie
If you really want to tailor IDP signature, app rule is great for it.
Think about what pattern you want to block. Here I use '${jndi:ldap://', converted to hex: '24 7b 6a 6e 64 69 3a 6c 64 61 70 3a 2f 2f'
CyberChef makes your life easier:
https://gchq.github.io/CyberChef/#recipe=To_Hex('Space',0)&input=JHtqbmRpOmxkYXA6Ly8
The above also drops everything with ${jndi:ldap://
2
Answers
I have logged a call for this exact question, as well as to understand if the NSA range and SMA range are impacted by (CVE-2021-44228).
Please can SonicWALL provide a quick response to this suspected severity 10 CVE.
Security advisories from SonicWall are now released.
For anyone who is not familiar with PSIRT:
--Michael@BWC
Thanks all. Saw the advisories. More interested in the protections for customer environments via detections/mitigations via App Control, IDS/IPS, etc. In the interim, was hoping to see if anyone was able to build their own mitigations based on the Palo Alto example and confirm that it works?
Huntress Labs has provided a tool to help you identify instances:
We’ve created a tool to help you test whether your applications are vulnerable to CVE-2021-44228. You can access the tool here: https://log4shell.huntress.com/
Click here to learn more—and huge thanks to Jason Slagle and our own Caleb Stewart and John Hammond for leading this effort.
Hope that helps those who are interested.
Great tool @Larry! Thanks for sharing that. Still trying to figure out how to build an appropriate match object to detect and reset/drop if this is seen. Not sure if I'm looking to do a partial match on HTTP Requestor Custom Header or some other object type. If anyone knows, please share. I feel like this would be a good lesson on leveraging App Rules for 0-day and the number of examples out there are limited.
@eric.burke SonicWALL IPS already has a signature for it. But as a tech person, you need to know SSL traffic is not captured unless you have DPI-SSL client/server running.
And the signature seems to be working on HTTP.
Refer to Larry's link. A simple curl HTTP test.
Firewall IDP drop.
@Nat, thanks for the details. We use TLSI everywhere we can convince folks to do it! I just wasn't sure of the proper way to create the match object. Much appreciated!
A bit off topic, but the new Gen7 admin guide also teaches you how to block reverse shells and create custom signatures by using app rules.
I think it's good to have an idea on it.
First time I've seen that reference TBH (not sure how that's possible, been a SW guy for a really, really long time). Great stuff. Thanks again!
So it's also working on HTTP, since some SonicWalls don't have DPI-SSL enabled yet.
If I understand right, we shall set sig ID 2307 to block if we want the SonicWall to block this, right?
They have more than one signature now, please check.
As a best practice, you should always have those security services (GAV, IDP) enabled.