< Back to rules search
Base64 was detected in an http.user_agent or http.referrer
This rule detects if your Apache or NGINX web servers are being exploited using the log4j vulnerability. The initial vulnerability was identified as CVE-2021-44228.
This signal evaluated that
Base64 has been detected in the HTTP header fields
user agent and
Triage and response
- Ensure you servers have the most recent version of log4j installed.
- If you are not patched, decode the base64 string and look for any successful traffic to the malicious server.
- If a connection was successful to the malicious server, begin your company’s IR procedures to remediate.
The Monitor blog has an article published about “The Log4j Logshell vulnerability: Overview, detection, and remediation”.