Log4Shell attack strings that include `iiop://` can result in Internet Inter-ORB Protocol (IIOP) connection requests from the exploited host. The signatures detailed below attempt to detect this IIOP traffic.
A pcap of non-malicious IIOP traffic can be found on Cloudshark.
Details of the protocol can be found in Oracle's documentation.
Network detection for IIOP, which is essentially GIOP (General Inter-ORB Protocol) carried over TCP/IP, focuses on alerting on an outbound GIOP request followed by a valid GIOP message back from the server on the same flow.
sid | msg | Notes | Detection Screenshot |
---|---|---|---|
2034730 | ET POLICY GIOP/IIOP Request Outbound | sets flowbit | screenshot: 2034730 alert |
2034731 | ET POLICY Successful GIOP/IIOP Request Outbound | depends on 2034730 | screenshot: 2034731 alert |
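The two-stage logic behind these signatures (an outbound GIOP Request sets a per-flow bit, and a valid GIOP message from the server on that flow then raises the "successful" alert), as an added Python illustration that is not part of the original page or the ET rule set. The GIOP header layout comes from the CORBA specification; the home network, hosts, ports and packets are constructed sample values.

```python
import ipaddress
import struct

GIOP_MAGIC = b"GIOP"
GIOP_MSG_TYPES = {0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
                  4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment"}

def parse_giop_header(payload: bytes):
    """Parse the 12-byte GIOP header; return (version, msg type, body size) or None."""
    if len(payload) < 12 or payload[:4] != GIOP_MAGIC:
        return None
    major, minor, flags, msg_type = payload[4:8]
    if major != 1 or minor > 2 or msg_type not in GIOP_MSG_TYPES:
        return None
    # GIOP 1.1+: bit 0 of flags gives the byte order of message_size (1 = little endian).
    (size,) = struct.unpack("<I" if flags & 1 else ">I", payload[8:12])
    return f"{major}.{minor}", GIOP_MSG_TYPES[msg_type], size

class IiopFlowDetector:
    """Stage 1 sets a per-flow bit on an outbound Request (like the flowbit in 2034730);
    stage 2 alerts on a valid GIOP message from the server on a flagged flow (2034731)."""
    def __init__(self, home_net: str):
        self.home_net = ipaddress.ip_network(home_net)
        self.request_seen = set()  # (src, sport, dst, dport) of flows with the bit set

    def observe(self, src: str, sport: int, dst: str, dport: int, payload: bytes):
        hdr = parse_giop_header(payload)
        if hdr is None:
            return None  # not GIOP: neither stage applies
        _, msg_type, _ = hdr
        outbound = (ipaddress.ip_address(src) in self.home_net
                    and ipaddress.ip_address(dst) not in self.home_net)
        if outbound and msg_type == "Request":
            self.request_seen.add((src, sport, dst, dport))
            return "GIOP/IIOP Request Outbound"
        if (dst, dport, src, sport) in self.request_seen:  # server->client on a flagged flow
            return "Successful GIOP/IIOP Request Outbound"
        return None

def giop_header(msg_type: int, body_size: int, little_endian: bool = False) -> bytes:
    # Constructed GIOP 1.2 header used to build the sample packets below.
    flags, fmt = (1, "<I") if little_endian else (0, ">I")
    return GIOP_MAGIC + bytes([1, 2, flags, msg_type]) + struct.pack(fmt, body_size)

def run_sample() -> list:
    """Constructed flows: internal 10.0.0.5 to external 203.0.113.9:1050 (hypothetical hosts)."""
    det = IiopFlowDetector("10.0.0.0/8")
    return [
        det.observe("10.0.0.5", 40001, "203.0.113.9", 1050, giop_header(0, 64)),        # Request out
        det.observe("203.0.113.9", 1050, "10.0.0.5", 40001, giop_header(1, 32, True)),  # Reply back
        det.observe("203.0.113.9", 1050, "10.0.0.5", 40002, giop_header(1, 32)),        # no prior request
        det.observe("10.0.0.5", 40003, "203.0.113.9", 1050, b"GET / HTTP/1.1\r\n\r\n"),  # not GIOP
    ]
```

The third sample shows why the dependency matters: a server-side GIOP message with no preceding outbound request on that flow produces no "successful" alert.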