Feature #4398

Updated by Victor Julien over 3 years ago

If we want to detect Java JNDI injection such as the fastjson RCE:
TCP payload content:
`ldap://192.168.204.1:888` or `rmi://192.168.204.1:888`
Flow rules only detect the first step of the JNDI injection:
`alert tcp any any -> any any (msg:"TCP_LDAP_Injection";pcre:"/(ldap:\/\/([\S]{2,256}):(\d{2,5})\/)/,flow:ldap,flow:ldap_url,flow:ldap_port";sid:10001;rev:1;)`
We can find the flowvars ldap, ldap_url and ldap_port in eve.json:

```json
{"timestamp":"2021-01-12T14:10:04.520436+0800","flow_id":60042522718452,"pcap_cnt":3,"event_type":"alert","src_ip":"192.168.204.130","src_port":20,"dest_ip":"192.168.204.128","dest_port":80,"proto":"TCP","metadata":{"flowvars":[{"ldap":"ldap://192.168.204.1:888/"},{"ldap_url":"192.168.204.1"},{"ldap_port":"888"}]},"alert":{"action":"allowed","gid":1,"signature_id":10001,"rev":1,"signature":"TCP_LDAP_Injection","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":84,"bytes_toclient":0,"start":"2021-01-12T14:10:04.520436+0800"},"payload":"R0VUIC9sZGFwOi8vMTkyLjE2OC4yMDQuMTo4ODgv","payload_printable":"GET /ldap://192.168.204.1:888/","stream":0}
```

But we can't detect the connection to the hacker's LDAP server `192.168.204.1`.
If Suricata supported regex matching and using flowvars as keyword values, we could create rules like this:
`alert tcp any any -> any any (msg:"TCP_LDAP_Injection_steps1";pcre:"/(ldap:\/\/([\S]{2,256}):(\d{2,5})\/)/,flow:ldap,flow:ldap_url,flow:ldap_port";noalert;sid:10001;rev:1;)`
`alert tcp any any -> $ldap_url $ldap_port (msg:"TCP_LDAP_Injection_success";sid:10002;rev:1;)`
Maybe it would also work even better with xbits.
---------------------------------------------------------------------------------------------------
Are there any other ways to detect JNDI injection?
Thank you!
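The second-stage match the request above asks for (a rule header whose destination is taken from the `ldap_url` and `ldap_port` flowvars) can be done today on the log side instead of in the rule. The following is an added example, not code from the issue or from the Suricata project: a small Python correlator that reads eve.json lines, remembers which server was injected into which host from the stage-1 alert's flowvars, and reports any later connection from that host to exactly that server and port within a time window. The eve.json lines, the 300-second window and the hypothetical `correlate`/`injected_server` helpers are all constructed for this example.

```python
import json
import re
from datetime import datetime

# Constructed sample eve.json lines (not from the original issue): the stage-1
# alert that carries the captured flowvars, followed by later flow events from
# the host that received the injected payload.
SAMPLE_EVE = [
    json.dumps({
        "timestamp": "2021-01-12T14:10:04.520436+0800", "flow_id": 1,
        "event_type": "alert", "src_ip": "192.168.204.130", "src_port": 20,
        "dest_ip": "192.168.204.128", "dest_port": 80, "proto": "TCP",
        "metadata": {"flowvars": [{"ldap": "ldap://192.168.204.1:888/"},
                                  {"ldap_url": "192.168.204.1"},
                                  {"ldap_port": "888"}]},
        "alert": {"signature_id": 10001, "signature": "TCP_LDAP_Injection"},
    }),
    # the injected host calls back to the injected LDAP server one second later
    json.dumps({
        "timestamp": "2021-01-12T14:10:05.102000+0800", "flow_id": 2,
        "event_type": "flow", "src_ip": "192.168.204.128", "src_port": 41234,
        "dest_ip": "192.168.204.1", "dest_port": 888, "proto": "TCP",
    }),
    # same pair of hosts but a different port: not the injected server
    json.dumps({
        "timestamp": "2021-01-12T14:10:06.000000+0800", "flow_id": 3,
        "event_type": "flow", "src_ip": "192.168.204.128", "src_port": 41235,
        "dest_ip": "192.168.204.1", "dest_port": 389, "proto": "TCP",
    }),
    # right destination, but long after the stage-1 alert: outside the window
    json.dumps({
        "timestamp": "2021-01-12T14:20:30.000000+0800", "flow_id": 4,
        "event_type": "flow", "src_ip": "192.168.204.128", "src_port": 41236,
        "dest_ip": "192.168.204.1", "dest_port": 888, "proto": "TCP",
    }),
]

# Same shape as the capture the post's pcre produces: scheme://host:port/
JNDI_URL_RE = re.compile(r"(?:ldap|rmi)://([^\s:/]{1,255}):(\d{1,5})/")


def parse_ts(ts):
    """eve.json timestamps look like 2021-01-12T14:10:04.520436+0800."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def flowvars(event):
    """Flatten metadata.flowvars, a list of one-key dicts, into one dict."""
    merged = {}
    for item in event.get("metadata", {}).get("flowvars", []):
        merged.update(item)
    return merged


def injected_server(event):
    """Return (server_ip, server_port) from a stage-1 alert, or None."""
    fv = flowvars(event)
    host, port = fv.get("ldap_url"), fv.get("ldap_port")
    if not (host and port):
        # fall back to parsing the full URL if the split captures are absent
        m = JNDI_URL_RE.search(fv.get("ldap", ""))
        if not m:
            return None
        host, port = m.group(1), m.group(2)
    return host, int(port)


def correlate(lines, window_s=300):
    """Two-stage correlation: a stage-1 alert records which server was injected
    into which victim (the alert's dest_ip); a later connection from that victim
    to exactly that server:port, within window_s seconds, is reported."""
    pending = {}  # victim_ip -> list of (server_ip, server_port, alert_ts, sid)
    hits = []
    for line in lines:
        ev = json.loads(line)
        ts = parse_ts(ev["timestamp"])
        server = injected_server(ev) if ev.get("event_type") == "alert" else None
        if server:
            ip, port = server
            pending.setdefault(ev["dest_ip"], []).append(
                (ip, port, ts, ev["alert"]["signature_id"]))
            continue
        for ip, port, alert_ts, sid in pending.get(ev.get("src_ip"), []):
            if (ev.get("dest_ip") == ip and ev.get("dest_port") == port
                    and 0 <= (ts - alert_ts).total_seconds() <= window_s):
                hits.append({"victim_ip": ev["src_ip"], "server_ip": ip,
                             "server_port": port, "flow_id": ev.get("flow_id"),
                             "stage1_sid": sid})
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVE):
        print(hit)
```

Run against a live eve.json (`tail -F eve.json | python3 correlate.py` after swapping `SAMPLE_EVE` for `sys.stdin`) it keys the second stage on the captured server and port, which a rule header cannot do today; the window keeps stale stage-1 captures from flagging unrelated traffic to the same host.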
