This package will detect exploits of CVE-2022-21907
https://corelight.com/blog/detecting-cve-2022-21907
It raises a notice when all of the following hold:
- the traffic is HTTP,
- the HTTP data is >= 1750 bytes, and
- the `HTTP/1.1` version token is not observed at the end of the exploit HTTP request.
$ zeek -Cr your.pcap packages
$ cat notice.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2022-01-12-06-58-39
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1641934050.661549 C3zB9u3LtTMmn7XGab 192.168.88.1 55193 192.168.88.149 80 - - - tcp CVE_2022_21907::CVE_2022_21907_EXPLOIT_ATTEMPT Possible CVE_2022_21907 exploit over HTTP, multiple sprays followed by the triggering malformed request get_current_packet data=\x00\x0c)\x9a\x86\xd9\xa6\x83\xe7\xba\xc9g\x08\x00E\x00\x00\xd4\x00\x00@\x00@\x06\x00\x00\xc0\xa8X\x01\xc0\xa8X\x95\xd7\x99\x00P\xdf\xfbo\xde\xb8Y\x1d\x01\x80\x18\x08\x002\xae\x00\x00\x01\x01\x08\x0a\xf5\x16\x9c\xb8\x00*\xddvGET / HTTP/1.1\x0aHost: 192.168.88.149:80\x0aCache-Control: no-cache\x0a\x0aGET /l;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\x0a\x0a 192.168.88.1 192.168.88.149 80 - - Notice::ACTION_LOG (empty)3600.000000 - - - - -
#close 2022-01-12-06-58-44
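As an added example (not code from the package), the following Python check applies the package's two request-level conditions to raw HTTP bytes: it splits a TCP payload into individual requests on blank lines (the notice above shows two requests in one packet) and flags any request of at least 1750 bytes whose request line does not end in `HTTP/1.1`. The sample payload is constructed; the 1750-byte threshold is taken from the conditions above and is assumed to apply per request.

```python
from __future__ import annotations
import re

# Byte threshold stated in the package README (assumed to apply per request).
MIN_REQUEST_SIZE = 1750
# Blank line ending a header block; LF-only requests (as in the notice) are accepted.
BLANK_LINE = re.compile(rb"\r?\n\r?\n")


def split_requests(payload: bytes) -> list[bytes]:
    """Split a raw TCP payload into header blocks, one per request (body-less GETs assumed)."""
    parts, start = [], 0
    for m in BLANK_LINE.finditer(payload):
        parts.append(payload[start:m.end()])
        start = m.end()
    if start < len(payload):          # trailing partial request without a blank line
        parts.append(payload[start:])
    return parts


def request_line(req: bytes) -> bytes:
    """First line of the request with any trailing CR removed."""
    first, _, _ = req.partition(b"\n")
    return first.rstrip(b"\r")


def is_exploit_candidate(req: bytes) -> bool:
    """Both README conditions: large request whose request line lacks the HTTP/1.1 token."""
    return len(req) >= MIN_REQUEST_SIZE and not request_line(req).endswith(b" HTTP/1.1")


def scan_payload(payload: bytes) -> list[dict]:
    """Evaluate every request in the payload; returns one finding per request."""
    return [
        {"index": i, "size": len(req),
         "request_line": request_line(req)[:40], "suspicious": is_exploit_candidate(req)}
        for i, req in enumerate(split_requests(payload))
    ]


# Constructed sample: a normal request followed by a large, version-less request line.
SAMPLE_PAYLOAD = (
    b"GET / HTTP/1.1\nHost: 192.168.88.149:80\nCache-Control: no-cache\n\n"
    + b"GET /" + b"x" * 1800 + b"\n\n"
)

if __name__ == "__main__":
    for f in scan_payload(SAMPLE_PAYLOAD):
        print(f)
```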