Merge pull request #49 from corelight/develop

Bugfix for missing usser agent field
corelight · Feb 11, 2022 · 546d538 · 546d538
2 parents ce75538 + 30e3491
commit 546d538
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/scripts/CVE_2021_44228_java_GET.zeek b/scripts/CVE_2021_44228_java_GET.zeek
@@ -60,12 +60,16 @@ event http_message_done (c: connection, is_orig: bool, stat: http_message_stat)
     local resp_mime_types_string = join_string_vec(c$http$resp_mime_types, ",");
     if (java_mime_pattern_sniffed in resp_mime_types_string)
         {
+        local user_agent: string = "";
+        if (c$http?$user_agent)
+            user_agent = c$http$user_agent;
+
         add c$http$tags[LOG4J_RCE];
         NOTICE([$note=LOG4J_JAVA_CLASS_DOWNLOAD,
                 $conn=c,
                 $identifier=cat(c$id$orig_h,c$id$orig_p,c$id$resp_h,c$id$resp_p),
                 # $suppress_for=3600sec,
                 $msg=fmt("Possible Log4j CVE-2021-44228 exploit, Java has downloaded a Java class over HTTP indicating a potential second stage, after the primary LDAP request. Refer to sub field for user_agent and resp_mime_types"),
-                $sub=fmt("user_agent='%s', resp_mime_types='%s'", c$http$user_agent, resp_mime_types_string)]);
+                $sub=fmt("user_agent='%s', resp_mime_types='%s'", user_agent, resp_mime_types_string)]);
         }
     }