log4shell detection

[cerberus10748]

Hey Yall,
I recently read an article about people using Wazuh for log4shell detection. Has anyone here used security onion yet , either staff or community, to detect log4shell on your network?

[weslambert]

There are a few different ways to do this, which we don't necessarily go into too much detail around, but here are a few examples:

• The ET Open rules are updated daily in Security Onion, and should contain some NIDS-based detection for use with Suricata: https://twitter.com/ET_Labs/status/1470889087431233540?s=20
• Florian Roth maintains Sigma rules (keep in mind, Playbook mappings may need to be updated, as well as log source/product field names)
  Ex. https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_44228_log4j_fields.yml
• The Corelight team maintains some Zeek scripts, which you could implement as a custom script/solution: https://github.com/corelight/cve-2021-44228/tree/master)
• With Wazuh (as you mentioned -- as custom rules, etc): https://wazuh.com/blog/detecting-log4shell-with-wazuh/

Keep in mind, you'll want to focus on particular behaviors and activity as opposed to static indicators when dealing with exploitation attempts. For example, performing groupbys and stacking within Hunt (ex. user agent, suspicious outbound frequency/protocols, etc)