<div dir="ltr">Is that request not on port 80?  You are probably hitting <a href="https://github.com/zeek/zeek/issues/343">https://github.com/zeek/zeek/issues/343</a>  Does the problem go away if you set dpd_buffer_size to 4096?</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Oct 17, 2019 at 5:51 PM Yi Zhu &lt;<a href="mailto:yizhu@shapesecurity.com">yizhu@shapesecurity.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>We are using zeek 3.0.0.</div><div>We found that zeek drops requests with large headers.</div><div>Is it possible to make zeek catch such requests?</div><div>For example,</div><div><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:&quot;Helvetica Neue&quot;">curl -k -i -vv -X GET <a href="http://test/login" target="_blank">http://test/login</a> \</p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:&quot;Helvetica Neue&quot;">-H &#39;User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; YPC 3.2.0; SearchSystem6829992239; SearchSystem9616306563; SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104; SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186; SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286; SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471461; SearchSystem9092363703; SearchSystem6992236221; SearchSystem3507700306; SearchSystem1129983453; SearchSystem1077927937; SearchSystem2297142691; SearchSystem7813572891; SearchSystem5668754497; SearchSystem6220295595; SearchSystem4157940963; SearchSystem7656671655; SearchSystem2865656762; SearchSystem6520604676; 
SearchSystem4960161466; .NET CLR 1.1.4322; .NET CLR 2.0.50727; Hotbar 10.2.232.0; SearchSystem9616306563; SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104; SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186; SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286; SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471461; SearchSystem9092363703; SearchSystem6992236221; SearchSystem3507700306; SearchSystem1129983453; SearchSystem1077927937; SearchSystem2297142691; SearchSystem7813572891; SearchSystem5668754497; SearchSystem6220295595; SearchSystem4157940963; SearchSystem7656671655; SearchSystem2865656762; SearchSystem6520604676; SearchSystem4960161466; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)&#39; \</p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:&quot;Helvetica Neue&quot;">-H &#39;Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8&#39; \</p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:&quot;Helvetica Neue&quot;">-H &#39;Accept-Language: en-US,en;q=0.5&#39; --compressed \</p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:&quot;Helvetica Neue&quot;">-H &#39;Content-Type: application/x-www-form-urlencoded&#39; \</p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:&quot;Helvetica Neue&quot;">-H &#39;Connection: keep-alive&#39; \</p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:&quot;Helvetica Neue&quot;">-H &#39;Upgrade-Insecure-Requests: 1&#39; \</p><p 
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:&quot;Helvetica Neue&quot;">-H &#39;Pragma: no-cache&#39; \</p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:&quot;Helvetica Neue&quot;">-H &#39;Cache-Control: no-cache&#39; \</p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:&quot;Helvetica Neue&quot;">-H &#39;True-Client-Ip: 2.18.114.25&#39; \</p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:&quot;Helvetica Neue&quot;">--data &#39;user=dasD&#39;</p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:&quot;Helvetica Neue&quot;"><br></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:&quot;Helvetica Neue&quot;">After I reduced the header size, zeek can catch it.</p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:&quot;Helvetica Neue&quot;">For example,</p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:&quot;Helvetica Neue&quot;">curl -k -i -vv -X GET <a href="http://test/login" target="_blank">http://test/login</a> \<br>-H &#39;User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; YPC 3.2.0; SearchSystem6829992239; SearchSystem9616306563; SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104; SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186; 
SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286; SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325373; SearchSystem7742471461;<br>SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471462;<br>SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471461;<br>SearchSystem2313134663;x)&#39; \<br>-H &#39;Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8&#39; \<br>-H &#39;Accept-Language: en-US,en;q=0.5&#39; --compressed \<br>-H &#39;Content-Type: application/x-www-form-urlencoded&#39; \<br>-H &#39;Connection: keep-alive&#39; \<br>-H &#39;Upgrade-Insecure-Requests: 1&#39; \<br>-H &#39;Pragma: no-cache&#39; \<br>-H &#39;Cache-Control: no-cache&#39; \<br>-H &#39;True-Client-Ip: 2.18.114.25&#39; \<br>--data &#39;user=dasD&#39;<br></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:&quot;Helvetica Neue&quot;"><br></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:&quot;Helvetica Neue&quot;">Thanks,</p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:&quot;Helvetica Neue&quot;">Yi</p></div></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Justin</div></div>