Add pattern '${base64:JHtqbmRp'

[baonq-me]

I request to add pattern ${base64:JHtqbmRp which is evaluated to ${jndi. I think with the current algorithm, the detector can not detect these kind of patterns.

Ref
https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_44228_log4j_fields.yml#L40

[Neo23x0]

Oh, yes - from my own rule ... thanks

[Neo23x0]

Oh, no, it's already in there : https://github.com/Neo23x0/log4shell-detector/blob/main/log4shell-detector.py#L35

[JasonKeirstead]

Can i suggest that instead of looking for the string outright... a more foolproof way to handle the base64 is to actually do the decode. Because the issue is you can base64 encode any subset of the URI and combine it with other chars. So to handle this you could find all of the ${base64:} instances first, decode them, then run back through the detection.

[Neo23x0]

Could you explain why we would need more coverage with an example?
Which use isn't covered by ${base64:JHtqbmRp?

[JasonKeirstead]

You can do this as an example.. encode only "di"

${jn${base64:JZGk}://}

or this ... encode just the "d"

${jn${base64:ZA}i://}

or... any number of combinations of things that are part of the string

I have a PR #25 that adds the decoding

[Neo23x0]

Ah, I see - yes, good to cover that as well

[karanlyons]

FYI, base64 isn't actually in a release yet, just in master, so these payloads shouldn’t work unless the target has chosen to add the lookup themselves.