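# SIDs for these rules start from 1357000 which is within the local use range.
# See http://doc.emergingthreats.net/bin/view/Main/SidAllocation, and change them if they conflict with yours.
# The rules are written for Suricata (alert http, sticky buffers, target keyword).

# JNDI - IIOP request - Connection attempt over GIOP with JNDI markers (versions 1.0 to 1.2)
# GIOP header: magic "GIOP", major version 0x01, minor version 0x00-0x02, one flags byte, message type 0x00 (Request).
# The flags byte only uses bits 0-1 (byte order / fragment), so the "." in the pcre cannot hit a 0x0A byte.
alert tcp any any -> any any (msg:"JNDI IIOP - NamingContext"; content:"GIOP|01|"; pcre:"/GIOP\x01[\x00-\x02].\x00/"; content:"NEO|00|"; content:"IDL:omg.org/SendingContext/CodeBase:1.0"; content:"IDL:omg.org/CosNaming/NamingContext:1.0"; target:src_ip; classtype:bad-unknown; sid:1357000; rev:1;)

# JNDI - RFC 2713 - Java serialized stream in LDAP searchResponse which can be used to deliver payloads.
# Attribute names are BER OCTET STRINGs: tag 0x04, one length byte, then the name (0x12 = 18 = len("javaSerializedData")).
# A searchResult is always sent by the LDAP server, hence flow:established,to_client; this keeps the alert off
# add/modify requests that merely store such an attribute and makes target:src_ip (the serving side) accurate.
# Variant 1: Matching the LDAP representation of the "javaSerializedData" attribute name followed by the Java serialization magic (ACED0005).
alert tcp any any -> any any (msg:"JNDI LDAP - Java Serialized stream in searchResult - javaSerializedData"; flow:established,to_client; content:"|04 12|javaSerializedData"; nocase; content:"|AC ED 00 05|"; target:src_ip; classtype:bad-unknown; sid:1357003; rev:2;)
# Variant 2: Matching the LDAP representation of the "javaReferenceAddress" attribute name followed by the Base64-encoding of the Java serialization magic (rO0AB*) in a way which tolerates whitespace (MIME decoder).
# The pcre stays case-sensitive on purpose: Base64 is case-sensitive, only the attribute name is not.
alert tcp any any -> any any (msg:"JNDI LDAP - Java Serialized stream in searchResult - javaReferenceAddress"; flow:established,to_client; content:"|04 14|javaReferenceAddress"; nocase; pcre:"/r\s*O\s*0\s*A\s*B/"; target:src_ip; classtype:bad-unknown; sid:1357004; rev:2;)

# JRMI - Java RMI stream protocol v2 followed by Java RMI request
# "JRMI" + version 0x0002 + 0x4B (StreamProtocol) is the client hello; 0x50 is the Call message, followed by the serialization magic.
# Both markers are emitted by the RMI client, so target:src_ip names the side issuing the call.
alert tcp any any -> any any (msg:"JRMI - Java RMI request"; content:"JRMI|00 02 4B|"; content:"|50 AC ED 00 05|"; target:src_ip; classtype:bad-unknown; sid:1357007; rev:1;)

# JNDI - RFC 2713 - Java attributes in LDAP which may lead to payload delivery.
# Matching the javaClassName attribute type and the RFC 2713 object class names (javaObject, javaSerializedObject,
# javaMarshalledObject, javaNamingReference) as they are represented in the LDAP protocol (0x04, length, name).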
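# No flow direction is set on these five rules, so they fire on searchResEntry responses as well as on
# add/modify requests carrying the same names. The length byte after 0x04 must equal the name length.
alert tcp any any -> any any (msg:"JNDI LDAP - Java attributes - javaClassName"; content:"|04 0D|javaClassName"; nocase; target:src_ip; classtype:bad-unknown; sid:1357010; rev:1;)
alert tcp any any -> any any (msg:"JNDI LDAP - Java attributes - javaObject"; content:"|04 0A|javaObject"; nocase; target:src_ip; classtype:bad-unknown; sid:1357011; rev:1;)
alert tcp any any -> any any (msg:"JNDI LDAP - Java attributes - javaSerializedObject"; content:"|04 14|javaSerializedObject"; nocase; target:src_ip; classtype:bad-unknown; sid:1357012; rev:1;)
alert tcp any any -> any any (msg:"JNDI LDAP - Java attributes - javaMarshalledObject"; content:"|04 14|javaMarshalledObject"; nocase; target:src_ip; classtype:bad-unknown; sid:1357013; rev:1;)
alert tcp any any -> any any (msg:"JNDI LDAP - Java attributes - javaNamingReference"; content:"|04 13|javaNamingReference"; nocase; target:src_ip; classtype:bad-unknown; sid:1357014; rev:1;)

# CVE-2021-44228 - JNDI injection - Matching plain ${jndi: over various protocols
# nocase: Log4j lower-cases the lookup prefix before dispatching it, so ${JNDI: or ${Jndi: is as effective as
# ${jndi: and a case-sensitive match is trivially bypassed.
# The HTTP rules use the sticky-buffer form (http.uri / http.header / http.request_body) like the lookup rules
# below. http.uri is the normalized URI buffer, so plain percent-encoding of ${ (%24%7B) is expected to be
# decoded before the match - confirm against your libhtp settings. Nested ${..${ forms are handled by the
# "Obfuscated" rules further down, not by these.
alert tcp any any -> any any (msg:"CVE-2021-44228 injection - Plain TCP"; content:"|24 7B|jndi:"; nocase; target:dest_ip; classtype:string-detect; sid:1357020; rev:2;)
alert udp any any -> any any (msg:"CVE-2021-44228 injection - Plain UDP"; content:"|24 7B|jndi:"; nocase; target:dest_ip; classtype:string-detect; sid:1357021; rev:2;)
alert http any any -> any any (msg:"CVE-2021-44228 injection - Plain HTTP URI"; http.uri; content:"|24 7B|jndi:"; nocase; target:dest_ip; classtype:string-detect; sid:1357022; rev:2;)
alert http any any -> any any (msg:"CVE-2021-44228 injection - Plain HTTP Header"; http.header; content:"|24 7B|jndi:"; nocase; target:dest_ip; classtype:string-detect; sid:1357023; rev:2;)
alert http any any -> any any (msg:"CVE-2021-44228 injection - Plain HTTP Request Body"; http.request_body; content:"|24 7B|jndi:"; nocase; target:dest_ip; classtype:string-detect; sid:1357024; rev:2;)

# CVE-2021-44228 - Use of lookup in injection - Matching the most widespread lookup names
# The trailing ":" alternative covers the ${::-x} default-value trick. The pcre carries /i for the same
# reason as the nocase above: lookup prefixes are matched case-insensitively by Log4j.
alert tcp any any -> any any (msg:"CVE-2021-44228 injection - Use of lookups TCP"; content:"|24 7B|"; pcre:"/\$\{(?:lower|upper|sd|main|jvmrunargs|date|ctx|sys|bundle|marker|java|event|env|log4j|web|docker|kubernetes|spring|base64|:):/i"; target:dest_ip; classtype:string-detect; sid:1357030; rev:2;)
alert udp any any -> any any (msg:"CVE-2021-44228 injection - Use of lookups UDP"; content:"|24 7B|"; pcre:"/\$\{(?:lower|upper|sd|main|jvmrunargs|date|ctx|sys|bundle|marker|java|event|env|log4j|web|docker|kubernetes|spring|base64|:):/i"; target:dest_ip; classtype:string-detect; sid:1357031; rev:2;)
alert http any any -> any any (msg:"CVE-2021-44228 injection - Use of lookups HTTP URI"; http.uri; content:"|24 7B|"; pcre:"/\$\{(?:lower|upper|sd|main|jvmrunargs|date|ctx|sys|bundle|marker|java|event|env|log4j|web|docker|kubernetes|spring|base64|:):/i"; target:dest_ip; classtype:string-detect; sid:1357032; rev:2;)
alert http any any -> any any (msg:"CVE-2021-44228 injection - Use of lookups HTTP Header"; http.header; content:"|24 7B|"; pcre:"/\$\{(?:lower|upper|sd|main|jvmrunargs|date|ctx|sys|bundle|marker|java|event|env|log4j|web|docker|kubernetes|spring|base64|:):/i"; target:dest_ip; classtype:string-detect; sid:1357033; rev:2;)
alert http any any -> any any (msg:"CVE-2021-44228 injection - Use of lookups HTTP Request Body"; http.request_body; content:"|24 7B|"; pcre:"/\$\{(?:lower|upper|sd|main|jvmrunargs|date|ctx|sys|bundle|marker|java|event|env|log4j|web|docker|kubernetes|spring|base64|:):/i"; target:dest_ip; classtype:string-detect; sid:1357034; rev:2;)

# CVE-2021-44228 - Obfuscated injection - Matching the recursive ${..${ sequences
# [ -|~] is every printable ASCII byte except "}", i.e. an unterminated ${ followed by another ${
# (e.g. ${${lower:j}ndi:...). Nothing alphabetic is matched, so no nocase is needed here.
alert tcp any any -> any any (msg:"CVE-2021-44228 injection - Obfuscated TCP"; content:"|24 7B|"; pcre:"/\$\{[ -|~]*\$\{/"; target:dest_ip; classtype:string-detect; sid:1357040; rev:1;)
alert udp any any -> any any (msg:"CVE-2021-44228 injection - Obfuscated UDP"; content:"|24 7B|"; pcre:"/\$\{[ -|~]*\$\{/"; target:dest_ip; classtype:string-detect; sid:1357041; rev:1;)
alert http any any -> any any (msg:"CVE-2021-44228 injection - Obfuscated HTTP URI"; http.uri; content:"|24 7B|"; pcre:"/\$\{[ -|~]*\$\{/"; target:dest_ip; classtype:string-detect; sid:1357042; rev:1;)
alert http any any -> any any (msg:"CVE-2021-44228 injection - Obfuscated HTTP Header"; http.header; content:"|24 7B|"; pcre:"/\$\{[ -|~]*\$\{/"; target:dest_ip; classtype:string-detect; sid:1357043; rev:1;)
alert http any any -> any any (msg:"CVE-2021-44228 injection - Obfuscated HTTP Request Body"; http.request_body; content:"|24 7B|"; pcre:"/\$\{[ -|~]*\$\{/"; target:dest_ip; classtype:string-detect; sid:1357044; rev:1;)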