
eLogJ Configuration

GuilhermePereira edited this page Feb 22, 2023 · 1 revision

eLogJ is configured using a YAML file; the base configuration is:

log_type: file
jndi_payload_header: X-Api-Version

Scheme:

   log_type            -   "file"
   jndi_payload_header -   string

Both parameters are essential for eLogJ: they control the type of logging (local/remote) and the HTTP header field (here X-Api-Version) through which our Spring Boot (Log4J) instance logs explicit requests, respectively.


eLogJ's interpolation features can be configured using the block field:

block:
  - traffic_type: Outbound
    medium: TCP
    block_type: All

Scheme:

   field                  "Inbound"                   "Outbound"
   traffic_type       -   "Inbound"                   "Outbound"
   medium             -   "JNDI" / "JNDI:LDAP"        "TCP" / "HTTP" / "LDAP"
   block_type         -   "lookup" / "request"        "All"

With this configuration we are able to define multiple interpolation phases. The traffic_type field represents the type of traffic that will be interpolated, the medium field represents the layer at which interpolation occurs, and the block_type field defines which mechanism will be blocked.

For "Inbound" traffic we are able to block the JNDI lookup mechanism itself or the explicit request that would trigger that lookup (**1). eLogJ is able to differentiate the types of JNDI lookups because the Traffic Control (TC) component actively inspects received requests (shallow-packet inspection). "Outbound" traffic is blockable thanks to our eXpress Data Path (XDP) component, which identifies the type of transport at the fourth layer of the OSI model (i.e. the Transport Layer) on a packet-by-packet basis (deep-packet inspection).
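The following is an added example, not code from eLogJ: a validator that checks a loaded configuration against the scheme above (base keys plus the per-traffic_type medium/block_type combinations), so a mistyped rule is rejected before it silently blocks nothing. It assumes the YAML has already been loaded into a dict (for instance with PyYAML's yaml.safe_load) and that header names must be RFC 7230 tokens.

```python
# Added example (not part of eLogJ): validates an eLogJ config dict against the
# scheme documented on this page. Loading the YAML (e.g. yaml.safe_load) is
# assumed to happen elsewhere; the validator only needs the resulting dict.
import re

# Allowed medium / block_type values per traffic_type, taken from the scheme table.
SCHEME = {
    "Inbound":  {"medium": {"JNDI", "JNDI:LDAP"}, "block_type": {"lookup", "request"}},
    "Outbound": {"medium": {"TCP", "HTTP", "LDAP"}, "block_type": {"All"}},
}
LOG_TYPES = {"file"}
# Assumption: the header name must be an RFC 7230 token (no spaces or separators).
HEADER_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def validate_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the config is usable."""
    errors = []
    if cfg.get("log_type") not in LOG_TYPES:
        errors.append(f"log_type must be one of {sorted(LOG_TYPES)}")
    header = cfg.get("jndi_payload_header")
    if not isinstance(header, str) or not HEADER_TOKEN.match(header):
        errors.append("jndi_payload_header must be a valid HTTP header name")
    blocks = cfg.get("block", [])
    if not isinstance(blocks, list):
        return errors + ["block must be a list of rules"]
    for i, rule in enumerate(blocks):
        if not isinstance(rule, dict):
            errors.append(f"block[{i}] must be a mapping")
            continue
        traffic = rule.get("traffic_type")
        allowed = SCHEME.get(traffic)
        if allowed is None:
            errors.append(f"block[{i}].traffic_type must be Inbound or Outbound")
            continue
        # medium and block_type are only valid in combination with the traffic_type
        for key in ("medium", "block_type"):
            if rule.get(key) not in allowed[key]:
                errors.append(f"block[{i}].{key}={rule.get(key)!r} is not valid for "
                              f"{traffic} traffic (allowed: {sorted(allowed[key])})")
    return errors


# Constructed samples: the page's own base config plus its Outbound block, and a
# deliberately broken config (unknown log_type, bad header, Inbound rule with Outbound values).
GOOD_CONFIG = {"log_type": "file", "jndi_payload_header": "X-Api-Version",
               "block": [{"traffic_type": "Outbound", "medium": "TCP", "block_type": "All"}]}
BAD_CONFIG = {"log_type": "syslog", "jndi_payload_header": "X Api Version",
              "block": [{"traffic_type": "Inbound", "medium": "TCP", "block_type": "All"}]}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, validate_config(cfg) or "OK")
```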

TODO: eLogJ Rule-sets & Confidence levels

**1 - This assumes that eLogJ is running in an environment where the only connections are Log4J (Spring Boot) / LDAP ones; thus there is no margin for false-positives / true-negatives, unless we consider obfuscated payloads.

Ref:
[1][JNDI-Lookup] => https://logging.apache.org/log4j/log4j-2.3/manual/lookups.html#JndiLookup
[2][OSI Model] => https://www.cloudflare.com/en-gb/learning/ddos/glossary/open-systems-interconnection-model-osi/