--- /dev/null
+Test
+====
+
+Test and exemplify multi-eve-log instances.
+
+Pcap
+====
+
+Pcap from GitHub repo for a PoC on Log4j exploit:
+https://github.com/cyberxml/log4j-poc/tree/main/data
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ EXTERNAL_NET: "!$HOME_NET"
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve-ips.json
+ types:
+ - alert
+ - drop
+
+ - eve-log:
+ enabled: yes
+ filename: eve-nsm.json
+ types:
+ - http
+ - flow
+ - eve-log:
+ enabled: yes
+ filename: eve-stats.json
+ types:
+ - stats
+
+exception-policy: ignore
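Review bot: `exception-policy: ignore` on the last line of this hunk switches off Suricata's fallback handling for exception conditions (memcap hits and the like), so a flow that hits one passes without inspection or drop even though the file configures an IPS-style `eve-ips.json` output carrying `drop` events. For a test fixture that is probably intentional, to keep the eve output deterministic, but nothing in the hunk or in the README from the first hunk records that, so a one-line comment above the key would help, e.g. `# ignore: keeps multi-eve-log output deterministic; not an IPS production setting (use auto/drop-flow there)`. The single-space indentation of the nested keys (`address-groups`, `enabled`, `types`) looks like rendering loss rather than the committed layout; if it is the committed layout, the file will not parse as the intended nesting and the test would silently run with a different config.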
--- /dev/null
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M1 (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"%7bjndi%3a"; nocase; fast_pattern; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%24)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034781; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+drop http $HOME_NET any -> any any (msg:"ET INFO Python SimpleHTTP ServerBanner"; flow:established; http.server; content:"SimpleHTTP/"; startswith; content:"Python/"; distance:0; reference:url,wiki.python.org/moin/BaseHttpServer; classtype:misc-activity; sid:2034636; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2021_12_08;)
+