Detecting Log4j Bad Actor Connections with vRealize Network Insight

Recently (Dec 9, 2021), a critical vulnerability was found in the most widely used Apache Log4j logging library. This vulnerability can give an attacker full control of any impacted system. Please read here to learn more about the vulnerability and here to learn about VMware’s response.

While several efforts (such as patching and identifying the applications that use Log4j) are in progress to mitigate the risk, in the interim it is critical to protect the data center from attackers. In this blog post, we will see how to find Log4j attackers using vRealize Network Insight.

Overview:

Using the crowdsourced list of attackers’ IPs, we will check whether there have been any attempts to connect to the data center from those addresses.

Requirements:

  • vRealize Network Insight / Cloud (Flows enabled)
  • vRealize Network Insight Python SDK
  • Script by Martijn Smit (download)

Usage:

Here’s how to run the script against an on-premises vRealize Network Insight:

# export PYTHONPATH=/your/path/to/network-insight-sdk-python/swagger_client-py2.7.egg
# python3 vrni-log4j-flow-check.py --platform_ip yourvRNIPlatformIP --username yourUsername --password yourPassword

It’s also possible to run it against vRealize Network Insight Cloud with a Cloud Services Portal API token; check the help output to find the right parameters:

# python3 vrni-log4j-flow-check.py --help
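As an added illustration of the check the script performs (this is example code, not Martijn Smit’s script and not the vRealize Network Insight SDK), the following matches flow records against a bad-actor address list. The indicator values, flow records and field names are constructed placeholders; it goes slightly beyond the post by also accepting CIDR ranges in the list and flagging outbound flows to listed addresses.

```python
"""Match flow records against a bad-actor IP list (added example)."""
import ipaddress

# Constructed placeholder indicators, not real IoCs. A crowdsourced feed
# may mix single addresses, CIDR ranges and malformed lines.
BAD_ACTORS = ["203.0.113.10", "198.51.100.0/24", "not-an-indicator"]

# Constructed flow records in a simplified shape; real vRNI flow objects
# are fetched through the SDK and carry many more fields.
FLOWS = [
    {"src_ip": "203.0.113.10", "dst_ip": "10.0.0.5", "dst_port": 8080},
    {"src_ip": "10.0.0.7", "dst_ip": "198.51.100.44", "dst_port": 1389},
    {"src_ip": "10.0.0.9", "dst_ip": "10.0.0.5", "dst_port": 443},
    {"src_ip": "garbage", "dst_ip": "10.0.0.5", "dst_port": 80},
]


def build_networks(indicators):
    """Parse indicators into ip_network objects, skipping malformed entries."""
    nets = []
    for entry in indicators:
        try:
            # strict=False tolerates host bits set in a CIDR entry
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            continue  # malformed feed line: ignore rather than abort the scan
    return nets


def is_bad_actor(ip_str, nets):
    """True if ip_str parses and falls inside any listed network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparseable address in a flow record is not a match
    return any(ip in net for net in nets)


def find_suspicious_flows(flows, indicators):
    """Return (direction, flow) pairs touching a listed address.

    'inbound' = listed source (the attempt the post looks for);
    'outbound' = listed destination (possible post-exploitation callback).
    """
    nets = build_networks(indicators)
    hits = []
    for flow in flows:
        if is_bad_actor(flow["src_ip"], nets):
            hits.append(("inbound", flow))
        elif is_bad_actor(flow["dst_ip"], nets):
            hits.append(("outbound", flow))
    return hits
```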

Next Steps:

If you find any connections from an attacker’s IP, terminate those connections immediately.