Log4Shell regex

gistfile1.txt

(\$|%(25)*24)(\{|%(25)*7B)(((\$|%(25)*24)(\{|%(25)*7B)[^}]+(j|%[46]a)(n|%[46]e)?(d|%[46]4)?(i|%[46]9)?(%(25)*7(d|%[46]4)|\})|(j|%[46]a)(n|%[46]e)?(d|%[46]4)?(i|%[46]9)?)((\$|%(25)*24)(\{|%(25)*7B)[^}]+(j|%[46]a)?(n|%[46]e)(d|%[46]4)?(i|%[46]9)?(%(25)*7(d|%[46]4)|\})|(j|%[46]a)?(n|%[46]e)(d|%[46]4)?(i|%[46]9)?)((\$|%(25)*24)(\{|%(25)*7B)[^}]+(j|%[46]a)?(n|%[46]e)?(d|%[46]4)(i|%[46]9)?(%(25)*7(d|%[46]4)|\})|(j|%[46]a)?(n|%[46]e)?(d|%[46]4)(i|%[46]9)?)((\$|%(25)*24)(\{|%(25)*7B)[^}]+(j|%[46]a)?(n|%[46]e)?(d|%[46]4)?(i|%[46]9)(%(25)*7(d|%[46]4)|\})|(j|%[46]a)?(n|%[46]e)?(d|%[46]4)?(i|%[46]9))|((\$|%(25)*24)(\{|%(25)*7B)[^}]+(j|%[46]a)?(n|%[46]e)?(d|%[46]4)?(i|%[46]9)?(%(25)*7(d|%[46]4)|\})|(j|%[46]a|n|%[46]e|d|%[46]4|i|%[46]9)+)+)

@Mario-Lugi There are ways to shorten the regex:

First, to enforce case sensitivity of the regex, I added all upper and lower case characters like: "/...[Aa].../". You could replace that with "/...a.../i" to save a few characters. Of course, this wouldn't work for encoded stuff.

Second, you might want to remove the base64 encoded option. I also plan to remove this option, as I realized that base64 is implemented for Log4j, but has not made it into a release yet. So the benefit of supporting base64 encoding may be small and the detection of base64 encoding is rudimentary. Log4ShellRex="${dollar}${curly_open}${sp}${plain}

Third, you can shift the tradeoff between the length of the regex and the false positive rate a bit by matching only the "${jndi:" part. To generate the RegEx for this, simply set: plain="${jndi}${sp}${colon}" in RegEx_Generator.sh.

Question: Where do you face length restrictions of a regular expression?