Log4Shell Protection
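# Log4Shell (CVE-2021-44228) request filter for HAProxy.
# Pattern matching at the proxy is a stopgap, not a fix: a regex cannot cover every
# encoding of a lookup string, so the backends still need a patched Log4j.
frontend myfrontend
    # Buffer the request body so req.body can be sampled. Only the part of the body
    # that fits in the request buffer (tune.bufsize) is visible to the ACLs below.
    option http-buffer-request

    # The shared regex flags "${" followed by at most four non-"}" characters and a
    # second "${" (a nested lookup), or a direct "${jndi" / "${ctx" prefix.
    # -i makes the match case-insensitive; url_dec percent-decodes the sample first.
    acl log4shell url,url_dec -i -m reg (?:\${[^}]{0,4}\${|\${(?:jndi|ctx))
    # req.hdrs is the whole header block, so every header name and value is covered.
    acl log4shell req.hdrs -i -m reg (?:\${[^}]{0,4}\${|\${(?:jndi|ctx))
    acl log4shell_form req.body,url_dec -i -m reg (?:\${[^}]{0,4}\${|\${(?:jndi|ctx))

    # http-request deny answers with 403 unless a deny_status is configured.
    http-request deny if log4shell
    # Prefix, case-insensitive match on Content-Type so the body check still applies
    # when the header carries parameters (e.g. "; charset=UTF-8"); an exact "-m str"
    # comparison would skip those requests.
    # NOTE(review): bodies with other content types (JSON, XML, multipart) are not
    # inspected by this rule -- cover them separately (e.g. with the WAF rule).
    http-request deny if { req.fhdr(content-type) -i -m beg application/x-www-form-urlencoded } log4shell_form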
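# ModSecurity / OWASP CRS-style rule for Log4j CVE-2021-44228.
# Inspects the request line, argument names and values, cookie names and values,
# all request headers and XML content, after URL-decoding (t:urlDecodeUni) and
# command-line normalisation (t:cmdline).
# The regex flags "${" followed by at most four non-"}" characters and a second "${",
# or a direct "${jndi" / "${ctx" prefix.
# NOTE(review): "block" defers to SecDefaultAction, and the setvar actions only add to
# the CRS anomaly scores, so whether a match is rejected depends on the CRS
# mode/threshold in use -- confirm with a test request after deployment.
# NOTE(review): check that id 1005 does not collide with an existing local rule id.
# This is a compensating control; the backends still need a patched Log4j.
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML://*|XML://@* "@rx (?:\${[^}]{0,4}\${|\${(?:jndi|ctx))" \
    "id:1005,\
    phase:2,\
    block,\
    t:none,t:urlDecodeUni,t:cmdline,\
    log,\
    msg:'Potential Remote Command Execution: Log4j CVE-2021-44228', \
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/137/6',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/1',\
    ver:'OWASP_CRS/3.4.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"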
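# Verification request for your own proxy: the query string is a URL-encoded nested
# lookup pointing at 127.0.0.1. With the HAProxy deny rule active the expected answer
# is HTTP 403; a 200 means the filter is not in the request path.
$ curl 'localhost/?foo=%24%7B%24%7Blower%3A%24%7Blower%3Ajndi%7D%7D%3A%24%7Blower%3Armi%7D%3A%2F%2F127.0.0.1%2Fpoc'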
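# Two alternative Include lines for the CRS setup file; use the one that matches the
# install (the first path presumably belongs to HAProxy Enterprise 2.4 -- confirm).
# NOTE(review): the Log4j SecRule references tx.critical_anomaly_score, so the CRS
# setup/initialisation has to be loaded before that rule is evaluated.
Include /etc/hapee-2.4/modsec.rules.d/crs-setup.conf
Include modsecurity/crs-setup.conf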