Skip to content

This module detects HTTP requests that are non RFC compliant and used for smuggling

License

Notifications You must be signed in to change notification settings

precurse/zeek-httpattacks

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

zeek-httpattacks

Build Status

Description

This module detects HTTP requests that are non RFC compliant requests including:

  • Multiple HTTP Host headers
  • GET requests with a body
  • Both Content-Length and Transfer-Encoding present
  • Multiple of Content-Length and/or Transfer-Encoding headers

When any of these are detected, an HTTP_Smuggling notice will be added to notice.log.

Installation

  • Install via Zeek package manager:

    $ zkg install zeek-httpattacks
  • Download the files to $PREFIX/zeek/share/zeek/site/zeek-httpattacks and add the following to your local.zeek:

    @load ./zeek-httpattacks

Configuration

There are currently no configuration flags that can be used with this module. If you would like a new feature, please create a pull request.

notice.log Examples

HTTPATTACKS::HTTP_Smuggling	Multiple HTTP Host headers detected
HTTPATTACKS::HTTP_Smuggling	More than one CL or TE header detected
HTTPATTACKS::HTTP_Smuggling	CL and TE headers detected
HTTPATTACKS::HTTP_Smuggling	HTTP GET request with body detected

Automated Testing

Travis CI is used to run automated tests on each and every commit.

Created By

Andrew Klaus (@precurse)

About

This module detects HTTP requests that are non RFC compliant and used for smuggling

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published