Issue
- Import detection rules into ESET Inspect On-Prem to detect the Log4j 2 vulnerability
Solution
The two Log4Shell rules below are designed to detect the log4j2 exploit. The rules use an experimental feature not fully supported by ESET Inspect On-Prem, so detection may not work each time. For example, if a detection has already been reported on the network layer, ESET Inspect On-Prem will not detect the exploit again. ESET recommends executing the two rules below as a task using the Rerun task option.
- Possible Log4Shell (CVE-2021-44228) exploitation [D0532a]
- Possible Log4Shell (CVE-2021-44228) exploitation [D0532b]
The two rules below are for the general exploitation of Java Runtime, for example, CVE-2021-44228. These general rules may generate some false positives for legitimate Java applications.
- Potential Java Runtime exploitation [E0461]
- Java Runtime executing suspicious script/command interpreter [E0462]
Import rules into ESET Inspect On-Prem
- Download and unzip the detection rules file.
- Open ESET Inspect On-Prem.
- Click Admin.
- Click Detection Rules.
- Click Import to select the import file.
- Select the file and click Open.
- Repeat steps 5-6 for each file.