zeek-httpattacks

Description

This module detects HTTP requests that are non RFC compliant requests including:

Multiple HTTP Host headers
GET requests with a body
Both Content-Length and Transfer-Encoding present
Multiple of Content-Length and/or Transfer-Encoding headers

When any of these are detected, an HTTP_Smuggling notice will be added to notice.log.

Installation

Install via Zeek package manager:
```
$ zkg install zeek-httpattacks
```
Download the files to $PREFIX/zeek/share/zeek/site/zeek-httpattacks and add the following to your local.zeek:
```
@load ./zeek-httpattacks
```

Configuration

There are currently no configuration flags that can be used with this module. If you would like a new feature, please create a pull request.

notice.log Examples

HTTPATTACKS::HTTP_Smuggling	Multiple HTTP Host headers detected
HTTPATTACKS::HTTP_Smuggling	More than one CL or TE header detected
HTTPATTACKS::HTTP_Smuggling	CL and TE headers detected
HTTPATTACKS::HTTP_Smuggling	HTTP GET request with body detected

Automated Testing

Travis CI is used to run automated tests on each and every commit.

Created By

Andrew Klaus (@precurse)

Name		Name	Last commit message	Last commit date
Latest commit History 18 Commits
scripts		scripts
tests		tests
.travis.yml		.travis.yml
LICENSE		LICENSE
README.md		README.md
zkg.meta		zkg.meta

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

zeek-httpattacks

Description

Installation

Configuration

notice.log Examples

Automated Testing

Created By

About

Releases

Packages

Contributors 3

Languages

License

precurse/zeek-httpattacks

Folders and files

Latest commit

History

Repository files navigation

zeek-httpattacks

Description

Installation

Configuration

notice.log Examples

Automated Testing

Created By

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Contributors 3

Languages

Packages