Comments (2)
One thought is to look at splitting the payload from right to left, e.g. if we split on the last '/' in /Exploit and take the second-to-last element in the vector, this would give the correct 10.0.16.1:1389 in both cases. Although it depends on there being that trailing / (and only one of them...).
Need to weigh up the risk of introducing FNs at the expense of an edge case that could be post-processed in SIEM. Note: I'm not even sure that the single / in ldap:/10.0.16.1:1389/Exploit constitutes a working exploit.
from cve-2021-44228.
Another thought is to use a split on a regex that caters for working exploits and the potentially not working edge case, something like:
local tmp = split_string(s, /\/\/|:\/[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}/);
Again, depends how big a pain point this is.