[KB8192] Add detection rules in ESET Inspect On-Prem for Log4j 2 vulnerability

Issue

• Import detection rules into ESET Inspect On-Prem to detect the Log4j 2 vulnerability

Solution

The two Log4Shell rules below are designed to detect the log4j2 exploit. The rules use an experimental feature not fully supported by ESET Inspect On-Prem, so detection may not work each time. For example, if a detection has already been reported on the network layer, ESET Inspect On-Prem will not detect the exploit again. ESET recommends executing the two rules below as a task using the Rerun task option.

• Possible Log4Shell (CVE-2021-44228) exploitation [D0532a]
• Possible Log4Shell (CVE-2021-44228) exploitation [D0532b]

The two rules below are for the general exploitation of Java Runtime, for example, CVE-2021-44228. These general rules may generate some false positives for legitimate Java applications.

• Potential Java Runtime exploitation [E0461]
• Java Runtime executing suspicious script/command interpreter [E0462]

Import rules into ESET Inspect On-Prem

1. Download and unzip the detection rules file.
   
   
2. Open ESET Inspect On-Prem.
   
   
3. Click Admin.
   
   
4. Click Detection Rules.
   
   
5. Click Import to select the import file.
   
   
6. Select the file and click Open.
   
   
7. Repeat steps 5-6 for each file.