Following the 10-December-2021 announcement of Log4shell (CVE-2021-44228), scanners for it have begun to appear everywhere. Proofpoint’s Emerging Threats (ET) group has done an amazing job providing timely Suricata signatures that detect these scanners on enterprise networks. Sadly though, because of the nature of Log4shell, these signatures can only detect exploitation attempts; more work is necessary to find out whether the attacks have been successful.
In this article, we outline an advanced Suricata signature technique that can dramatically simplify the evidence collection for what is a particularly simple attack with complex consequences.