problem with option #204

Open
jvirot opened this issue Dec 22, 2021 · 14 comments
Labels: discussion question or suggestion

Comments

@jvirot

jvirot commented Dec 22, 2021

Hello,
I have tried a lot of things to get the syslog option working, but I don't understand how to write it.

Microsoft Windows [version 6.3.9600]
(c) 2013 Microsoft Corporation. Tous droits réservés.

c:\temp>log4j2-scan --all-drives
Logpresso CVE-2021-44228 Vulnerability Scanner 1.3.2 (2021-12-15)
Scan drives: C:,D:
^C
c:\temp>log4j2-scan --all-drives --syslog-udp
Logpresso CVE-2021-44228 Vulnerability Scanner 1.3.2 (2021-12-15)
Scan drives: C:,D:
^C
c:\temp>log4j2-scan --all-drives --syslog-udp 192.168.9.80:5544.
Error: unsupported option: --syslog-udp

c:\temp>
c:\temp>log4j2-scan --all-drives --syslog-udp [192.168.9.80:5544]
Error: unsupported option: --syslog-udp

c:\temp>

c:\temp>log4j2-scan --all-drives --syslog-udp[192.168.9.80:5544]
Logpresso CVE-2021-44228 Vulnerability Scanner 1.3.2 (2021-12-15)
Scan drives: C:,D:\

Scanned 67767 directories and 320512 files
Found 0 vulnerable files
Completed in 80.81 seconds

c:\temp>

@Jwalker107

Since you appear to be running on Windows, I'll mention that using 'syslog' on Windows systems is uncommon and not default. This is not for writing to the System Event Log, but for sending events to a 'syslog' server, which is much more common in Linux and UNIX deployments.

In that case, the option in your last example is almost correct, except that one would not use the square brackets in the actual command line; they are only there to illustrate the example syntax. If you actually had a syslog server at the 192.168.9.80 address, listening on UDP port 5544, you would use
log4j2-scan --all-drives --syslog-udp 192.168.9.80:5544

@xeraph xeraph added the discussion question or suggestion label Dec 23, 2021
@xeraph xeraph self-assigned this Dec 23, 2021
@jvirot
Author

jvirot commented Dec 25, 2021

OK.
I had tried this before, but the result is:

Microsoft Windows [version 6.3.9600]
(c) 2013 Microsoft Corporation. Tous droits réservés.

C:\Users\administrateur>cd c:\temp

c:\temp>log4j2-scan --all-drives --syslog-udp 192.168.9.80:5544
Error: unsupported option: --syslog-udp

c:\temp>

@xeraph
Contributor

xeraph commented Dec 26, 2021

@jvirot You should use the latest version (v2.6.2). The --syslog-udp option has been supported since v2.5.0.

@jvirot
Author

jvirot commented Dec 26, 2021

OK,
thanks, it seems to work with 2.6.2.

Last questions: I have 0 vulnerabilities after the scan. I suppose no log was sent to my syslog because I receive nothing. Do I have an option to send syslog with or without vulnerabilities?

I don't understand this option, is it a number?
What is the difference between alert, info and debug for the [level] parameter?
--syslog-level [level]
Send reports only if report is higher or equal to specified level.
Specify alert for vulnerable and potentially vulnerable reports.
Specify info for vulnerable, potentially vulnerable, and mitigated reports.
Specify debug for vulnerable, potentially vulnerable, mitigated, and error reports.

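The level semantics in that help text, modelled as an added Python example (not the scanner's own code): it classifies the scanner's console report lines, as pasted elsewhere in this thread, into the four report kinds and applies the --syslog-level threshold. The mapping of report kinds to RFC 5424 severity numbers is an assumption, since the page does not show what severity the scanner actually stamps on its syslog messages.

```python
import re
from typing import List, Optional, Tuple

# Syslog severity numbers (RFC 5424) for the three levels the option accepts.
LEVEL_RANK = {"alert": 1, "info": 6, "debug": 7}

# Severity each report kind is ASSUMED to be sent at, derived from the help text:
# alert -> vulnerable and potentially vulnerable; info adds mitigated; debug adds error.
REPORT_SEVERITY = {
    "vulnerable": "alert",
    "potentially_vulnerable": "alert",
    "mitigated": "info",
    "error": "debug",
}

# Matches "[*] Found CVE-... (lib) vulnerability in <path>, <version> [(mitigated)]"
# lines in the format shown in the scanner output pasted in this thread.
REPORT_RE = re.compile(
    r"^\[(?P<marker>[*?])\] Found (?P<cve>CVE-\d{4}-\d+)\s+\((?P<lib>[^)]+)\) "
    r"vulnerability in (?P<path>.+), (?P<version>[^,]+?)(?P<mitigated> \(mitigated\))?$"
)

# Constructed input: report lines copied from the v2.6.3 run posted in this thread,
# one progress line, one summary line, and the error line format xeraph describes.
SAMPLE_OUTPUT = [
    r"Scanning directory: d:\tmp\verify",
    r"[?] Found CVE-2021-4104  (log4j 1.2) vulnerability in d:\tmp\verify\bookitboot.jar, log4j N/A",
    r"[?] Found CVE-2021-4104  (log4j 1.2) vulnerability in d:\tmp\verify\log4j-1.2.17.jar, log4j 1.2.17",
    r"[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in d:\tmp\verify\log4j-core-2.13.1.jar, log4j 2.13.1",
    r"[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in d:\tmp\verify\log4j-core-2.14.1.jar, log4j 2.14.1 (mitigated)",
    r"[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in d:\tmp\verify\log4j-core-2.16.0.jar, log4j 2.16.0",
    "Found 2 vulnerable files",
    "Error: Cannot send syslog to 192.168.9.80:5544 - Cause message",
]


def classify(line: str) -> Optional[str]:
    """Map one scanner output line to a report kind; None for progress/summary lines."""
    if line.startswith("Error:"):
        return "error"
    m = REPORT_RE.match(line)
    if m is None:
        return None
    if m.group("mitigated"):
        return "mitigated"
    return "vulnerable" if m.group("marker") == "*" else "potentially_vulnerable"


def passes_level(kind: str, level: str) -> bool:
    """True if a report of this kind is at or above the configured --syslog-level."""
    if level not in LEVEL_RANK:
        raise ValueError(f"unknown level: {level}")
    return LEVEL_RANK[REPORT_SEVERITY[kind]] <= LEVEL_RANK[level]


def select_reports(lines: List[str], level: str) -> List[Tuple[str, str]]:
    """Return (kind, line) for every line that would be forwarded at this level."""
    return [(k, ln) for ln in lines if (k := classify(ln)) and passes_level(k, level)]
```

Note that with this model a scan that finds 0 vulnerable files produces no report line at any level, which matches the "no syslog for 0 vulnerabilities" behaviour xeraph confirms later in the thread.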
@xeraph
Contributor

xeraph commented Dec 26, 2021

@jvirot Would you open a new enhancement issue?

@jvirot
Author

jvirot commented Dec 26, 2021

I just want to know whether it is normal or not to have no syslog report with 0 vulnerabilities, and how to send one with 0 vulnerabilities.

@xeraph
Contributor

xeraph commented Dec 26, 2021

@jvirot The scanner doesn't send any report if no vulnerable log4j is found (it's normal). You cannot send syslog for 0 vulnerabilities, thus it needs a new issue.

@jvirot
Author

jvirot commented Dec 26, 2021

I tried a scan with the log4j1 option and I have vulnerabilities... but I don't receive syslog (I have a Nagios syslog), and there is no problem with the firewall; I checked with portqry and the result is listening.

c:\temp>log4j2-scan.exe --all-drives --syslog-udp 192.168.9.80:5544 --syslog-level alert --scan-log4j1 --scan-logback
Logpresso CVE-2021-44228 Vulnerability Scanner 2.6.2 (2021-12-26)
Scanning drives: C:, D:\

Running scan (10s): scanned 349 directories, 6253 files, last visit: C:\Program
Files\Java\jdk1.8.0_251\lib\visualvm\visualvm\modules
...
...

Scanned 67209 directories and 320812 files
Found 0 vulnerable files
Found 8 potentially vulnerable files
Found 0 mitigated files
Completed in 128.74 seconds

c:\temp>

@xeraph
Contributor

xeraph commented Dec 26, 2021

Check outgoing syslog packets using Wireshark first. The ICMP response can be filtered when you are checking a UDP port using portqry.

@jvirot
Author

jvirot commented Dec 26, 2021

I just checked my packets with Wireshark and on my firewall, and nothing was sent.

@xeraph
Contributor

xeraph commented Dec 27, 2021

@jvirot My test output on v2.6.3 (expected output):

D:\github\CVE-2021-44228-Scanner>log4j2-scan --syslog-udp 104.21.94.49:5544 --syslog-level alert --scan-log4j1 --scan-logback d:\tmp\verify
Logpresso CVE-2021-44228 Vulnerability Scanner 2.6.3 (2021-12-27)
Scanning directory: d:\tmp\verify
[?] Found CVE-2021-4104  (log4j 1.2) vulnerability in d:\tmp\verify\bookitboot.jar, log4j N/A
[?] Found CVE-2021-4104  (log4j 1.2) vulnerability in d:\tmp\verify\log4j-1.2.17.jar, log4j 1.2.17
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in d:\tmp\verify\log4j-core-2.13.1.jar, log4j 2.13.1
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in d:\tmp\verify\log4j-core-2.14.1.jar, log4j 2.14.1 (mitigated)
[*] Found CVE-2021-45105 (log4j 2.x) vulnerability in d:\tmp\verify\log4j-core-2.16.0.jar, log4j 2.16.0

Scanned 139 directories and 1760 files
Found 2 vulnerable files
Found 2 potentially vulnerable files
Found 1 mitigated files
Completed in 0.46 seconds


If the scanner cannot send syslog, it should print an error message like this:

Error: Cannot send syslog to 192.168.9.80:5544 - Cause message

@jvirot
Author

jvirot commented Dec 27, 2021

It's OK, I receive syslog now... after a reboot of the 2012R2 machine... Windows bug! ;-)

Found 8 potentially vulnerable files, but in my syslog I have only one entry... the last one.

Microsoft Windows [version 6.3.9600]
(c) 2013 Microsoft Corporation. Tous droits réservés.

C:\Users\administrateur>cd c:\temp\log4j2

c:\temp\log4j2>log4j2-scan --all-drives --syslog-udp 192.168.9.80:5544 --syslog-
level debug --scan-log4j1 --scan-logback
Logpresso CVE-2021-44228 Vulnerability Scanner 2.6.2 (2021-12-26)
Scanning drives: C:, D:\

Running scan (10s): scanned 345 directories, 6367 files, last visit: C:\Program
Files\Java\jdk1.8.0_251\lib\visualvm\profiler\modules\locale
Running scan (20s): scanned 7783 directories, 30052 files, last visit: C:\Progra
m Files (x86)\SAP BusinessObjects\InstallData\InstallCache\platform.sdk.boe.com-
4.0-sv-32
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files (x86)\SAP
BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\log4j.jar, log4j
N/A
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files (x86)\SAP
BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\bundles\com.busi
nessobjects.axis2.jar (lib/log4j-1.2.15.jar), log4j 1.2.15
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files (x86)\SAP
BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\bundles\com.busi
nessobjects.log4j.jar (lib/log4j.jar), log4j N/A
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files (x86)\SAP
BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external\axis2\1
.6.2\log4j-1.2.15.jar, log4j 1.2.15
Running scan (30s): scanned 8652 directories, 33746 files, last visit: C:\Progra
m Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib
\external\axis2\1.6.2\modules
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files (x86)\SAP
BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external\log4j.j
ar, log4j N/A
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files (x86)\SAP
BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\log4j.jar, log4j
N/A
[?] Found CVE-2021-4104 (log4j 1.2) vulnerability in C:\Program Files (x86)\SAP
BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-
INF\jars\lib\log4j.jar, log4j N/A
Running scan (40s): scanned 12699 directories, 53447 files, last visit: C:\Windo
ws\assembly\GAC_MSIL\system.io.log.resources\3.0.0.0_fr_b03f5f7f11d50a3a
Running scan (68s): scanned 17073 directories, 67665 files, last visit: C:\Windo
ws\servicing\Packages
Running scan (78s): scanned 33342 directories, 146615 files, last visit: C:\Wind
ows\WinSxS\amd64_ndiscap.inf_31bf3856ad364e35_6.3.9600.16384_none_9be097d765f0d8
73
Running scan (88s): scanned 43962 directories, 243429 files, last visit: C:\Wind
ows\WinSxS\Temp\InFlight\3ef42cd8948ed60110060000940a6405\amd64_microsoft-window
s-ra-mgmt-wmiv2provider_31bf3856ad364e35_6.3.9600.18738_none_31585de8d1f2dae7
[?] Found CVE-2021-42550 (logback 1.2.7) vulnerability in D:\eclipse\plugins\ch.
qos.logback.classic_1.0.7.v20121108-1250.jar, logback N/A
Running scan (98s): scanned 60095 directories, 267422 files, last visit: D:\ecli
pse\plugins
Running scan (108s): scanned 60188 directories, 268422 files, last visit: D:\ecl
ipse\plugins\org.eclipse.ui.intro.universal_3.2.701.v20150204-1123\themes\slate
graphics\icons\ctool
Running scan (127s): scanned 60555 directories, 269422 files, last visit: D:\Ins
tallation\SQL server 2014\1036_FRA_LP\redist\VisualStudioShell\SQLSysClrTypes

Scanned 67261 directories and 321409 files
Found 0 vulnerable files
Found 8 potentially vulnerable files
Found 0 mitigated files
Completed in 130.57 seconds

c:\temp\log4j2>


@jvirot
Author

jvirot commented Dec 27, 2021

If I delete the last option, --scan-logback, I find 7 potentially vulnerable files, which is logical, and if I look in my syslog I find just one alert: the last file the scan found, on CVE-2021-4104 this time.

[screenshot]

@xeraph
Contributor

xeraph commented Dec 27, 2021

@jvirot Finally.. You did it! Maybe the last screenshot means unexpected syslog drops.. Some open source daemons cannot receive all syslog packets due to garbage collection stalls. If you have more time, wait for the HTTPS POST logging feature (maybe.. next week).
