Adds XDR Custom Rule to Block Log4j Exploit

May require manually removing the xdr custom ruleset first.

submodules/wafv2/blocklist.tf

@@ -3,6 +3,7 @@ locals {
     "172.16.0.0/12",
     "192.168.0.0/16",
     "169.254.0.0/16",
-    "127.0.0.0/8"
+    "127.0.0.0/8",
+    "45.155.205.233/32" # 2021-12-10 russian log4j attacker
   ]
 }

submodules/wafv2/waf.tf

@@ -40,9 +40,9 @@ resource "aws_wafv2_ip_set" "allowed" {
 }
 
 resource "aws_wafv2_rule_group" "xdr_custom_rules" {
-  name = "${local.waf_name}_xdr_custom_rules"
+  name = "${local.waf_name}_xdr_custom_rules_rev2" # update name when updating
   scope    = "REGIONAL"
-  capacity = 1
+  capacity = 50
 
   # Note, there is visibilty config for the group and for the rule
   visibility_config {
@@ -78,8 +78,79 @@ resource "aws_wafv2_rule_group" "xdr_custom_rules" {
       metric_name                = "Block_Nonpermitted_Countries"
       sampled_requests_enabled   = true
     }
+
+#    rule_label {
+#      name = "xdr_custom:nonpermittedcountry"
+#    }
   }
 
+  rule {
+    name = "Block_log4j_Exploit_20211210"
+    action {
+      block {}
+    }
+    priority = 110
+
+    #rule_label {
+    #  name = "xdr_custom:log4j"
+    #}
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "Block_Log4j_exploit_20211210"
+      sampled_requests_enabled   = true
+    }
+
+    statement {
+      or_statement {
+        statement {
+          byte_match_statement {
+            field_to_match {
+              single_header {
+                name = "user-agent"
+              }
+            }
+            positional_constraint = "STARTS_WITH"
+            search_string = "$${jndi:ldap://"
+            text_transformation {
+              priority = 2
+              type     = "LOWERCASE"
+            }
+          }
+        }
+        statement {
+          byte_match_statement {
+            field_to_match {
+              single_header {
+                name = "user-agent"
+              }
+            }
+            positional_constraint = "STARTS_WITH"
+            search_string = "$${jndi:rmi:"
+            text_transformation {
+              priority = 2
+              type     = "LOWERCASE"
+            }
+          }
+        }
+        statement {
+          byte_match_statement {
+            field_to_match {
+              single_header {
+                name = "user-agent"
+              }
+            }
+            positional_constraint = "STARTS_WITH"
+            search_string = "$${jndi:dns:"
+            text_transformation {
+              priority = 2
+              type     = "LOWERCASE"
+            }
+          }
+        }
+      }  
+    }
+  }
   # Add additional custom rules here
 
   lifecycle {
@@ -183,6 +254,8 @@ module "wafv2" {
       "priority": 560
     }
   ]
+
+  depends_on = [ aws_wafv2_rule_group.xdr_custom_rules ]
   tags = var.tags
 }