Feature #4398
Updated by Victor Julien over 3 years ago
If we want to detect Java JNDI injection such as the fastjson RCE, the TCP payload contains `ldap://192.168.204.1:888` or `rmi://192.168.204.1:888`. Flow rules only detect the first step of the JNDI injection:

```
alert tcp any any -> any any (msg:"TCP_LDAP_Injection";pcre:"/(ldap:\/\/([\S]{2,256}):(\d{2,5})\/)/,flow:ldap,flow:ldap_url,flow:ldap_port";sid:10001;rev:1;)
```

We can find the flowvars ldap, ldap_url and ldap_port in eve.json:

```json
{"timestamp":"2021-01-12T14:10:04.520436+0800","flow_id":60042522718452,"pcap_cnt":3,"event_type":"alert","src_ip":"192.168.204.130","src_port":20,"dest_ip":"192.168.204.128","dest_port":80,"proto":"TCP","metadata":{"flowvars":[{"ldap":"ldap://192.168.204.1:888/"},{"ldap_url":"192.168.204.1"},{"ldap_port":"888"}]},"alert":{"action":"allowed","gid":1,"signature_id":10001,"rev":1,"signature":"TCP_LDAP_Injection","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":84,"bytes_toclient":0,"start":"2021-01-12T14:10:04.520436+0800"},"payload":"R0VUIC9sZGFwOi8vMTkyLjE2OC4yMDQuMTo4ODgv","payload_printable":"GET /ldap://192.168.204.1:888/","stream":0}
```

But we can't detect the connection to the hacker's LDAP server `192.168.204.1`.

If Suricata supported using regex matches and flowvars as keyword values, we could create rules like this:

```
alert tcp any any -> any any (msg:"TCP_LDAP_Injection_steps1";pcre:"/(ldap:\/\/([\S]{2,256}):(\d{2,5})\/)/,flow:ldap,flow:ldap_url,flow:ldap_port";noalert;sid:10001;rev:1;)
alert tcp any any -> $ldap_url $ldap_port (msg:"TCP_LDAP_Injection_success";sid:10002;rev:1;)
```

Maybe it would also work great together with xbits.

---

Are there any other ways to detect JNDI injection? Thank you!
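As an added example, not code from the reporter or from the Suricata project: the Python script below does the requested second step outside the engine. It reads eve.json alert records like the one above, flattens the `metadata.flowvars` list, and generates one follow-up signature per observed (victim, LDAP host, port) tuple so the outbound callback connection can be alerted on. The sample eve.json text is constructed from the report, and the sid base 20000 and the generated rule's wording are assumptions.

```python
import json
import re

# Constructed sample eve.json text: the alert from the report (trimmed to the fields used
# here) followed by an unrelated flow record that the extractor must skip.
SAMPLE_EVE = '''{"timestamp":"2021-01-12T14:10:04.520436+0800","flow_id":60042522718452,"event_type":"alert","src_ip":"192.168.204.130","src_port":20,"dest_ip":"192.168.204.128","dest_port":80,"proto":"TCP","metadata":{"flowvars":[{"ldap":"ldap://192.168.204.1:888/"},{"ldap_url":"192.168.204.1"},{"ldap_port":"888"}]},"alert":{"action":"allowed","gid":1,"signature_id":10001,"rev":1,"signature":"TCP_LDAP_Injection","category":"","severity":3},"payload_printable":"GET /ldap://192.168.204.1:888/"}
{"timestamp":"2021-01-12T14:10:05.000000+0800","event_type":"flow","src_ip":"10.0.0.1","dest_ip":"10.0.0.2","proto":"TCP"}
'''

# Strict dotted-quad check: the host comes from attacker-controlled payload, so only a
# plain IPv4 literal is allowed into a generated rule (no hostnames, no rule injection).
IPV4_RE = re.compile(r"^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$")


def flowvars(record: dict) -> dict:
    """Flatten Suricata's flowvars list ([{name: value}, ...]) into a single dict."""
    out = {}
    for item in record.get("metadata", {}).get("flowvars", []):
        out.update(item)
    return out


def extract_callbacks(eve_text: str, signature_id: int = 10001) -> list:
    """Return (victim_ip, ldap_host, ldap_port) for every alert raised by the
    first-stage signature whose flowvars hold a well-formed IPv4 host and port."""
    hits = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert" or rec.get("alert", {}).get("signature_id") != signature_id:
            continue
        fv = flowvars(rec)
        host, port = fv.get("ldap_url"), fv.get("ldap_port")
        if not host or not port or not IPV4_RE.match(host):
            continue
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            continue
        # dest_ip of the injection request is the server that will perform the JNDI lookup.
        hits.append((rec["dest_ip"], host, int(port)))
    return hits


def make_rules(hits: list, sid_base: int = 20000) -> list:
    """Emit one second-stage signature per distinct callback (assumed wording); the SYN
    from the victim to the extracted LDAP host:port is what the original rule could not see."""
    rules, seen = [], set()
    for victim, host, port in hits:
        if (victim, host, port) in seen:
            continue
        seen.add((victim, host, port))
        rules.append(f'alert tcp {victim} any -> {host} {port} (msg:"JNDI callback to LDAP '
                     f'server {host}:{port} after sid 10001"; flags:S; sid:{sid_base + len(rules)}; rev:1;)')
    return rules
```

Running `make_rules(extract_callbacks(open("eve.json").read()))` against a live eve.json yields rules that can be dropped into a rules file and reloaded, which approximates the `$ldap_url $ldap_port` idea until flowvars can be used as address and port values directly.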