[Zeek] zeek drops requests with large headers

Yi Zhu yizhu at shapesecurity.com
Thu Oct 17 14:49:00 PDT 2019


Hi,

We are using zeek 3.0.0.
We found that zeek drops requests with large headers.
Is it possible to make zeek catch such requests?
For example,

curl -k -i -vv -X GET http://test/login \
-H 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; YPC 3.2.0; SearchSystem6829992239; SearchSystem9616306563;
SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104;
SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186;
SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286;
SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325372;
SearchSystem7742471461; SearchSystem9092363703; SearchSystem6992236221;
SearchSystem3507700306; SearchSystem1129983453; SearchSystem1077927937;
SearchSystem2297142691; SearchSystem7813572891; SearchSystem5668754497;
SearchSystem6220295595; SearchSystem4157940963; SearchSystem7656671655;
SearchSystem2865656762; SearchSystem6520604676; SearchSystem4960161466;
.NET CLR 1.1.4322; .NET CLR 2.0.50727; Hotbar 10.2.232.0;
SearchSystem9616306563; SearchSystem6017393645; SearchSystem5219240075;
SearchSystem2768350104; SearchSystem6919669052; SearchSystem1986739074;
SearchSystem1555480186; SearchSystem3376893470; SearchSystem9530642569;
SearchSystem4877790286; SearchSystem8104932799; SearchSystem2313134663;
SearchSystem1545325372; SearchSystem7742471461; SearchSystem9092363703;
SearchSystem6992236221; SearchSystem3507700306; SearchSystem1129983453;
SearchSystem1077927937; SearchSystem2297142691; SearchSystem7813572891;
SearchSystem5668754497; SearchSystem6220295595; SearchSystem4157940963;
SearchSystem7656671655; SearchSystem2865656762; SearchSystem6520604676;
SearchSystem4960161466; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)' \
-H 'Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' --compressed \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Connection: keep-alive' \
-H 'Upgrade-Insecure-Requests: 1' \
-H 'Pragma: no-cache' \
-H 'Cache-Control: no-cache' \
-H 'True-Client-Ip: 2.18.114.25' \
--data 'user=dasD'


After I reduced the header size, zeek could catch it.

For example,

curl -k -i -vv -X GET http://test/login \
-H 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; YPC 3.2.0; SearchSystem6829992239; SearchSystem9616306563;
SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104;
SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186;
SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286;
SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325373;
SearchSystem7742471461;
SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471462;
SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471461;
SearchSystem2313134663;x)' \
-H 'Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' --compressed \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Connection: keep-alive' \
-H 'Upgrade-Insecure-Requests: 1' \
-H 'Pragma: no-cache' \
-H 'Cache-Control: no-cache' \
-H 'True-Client-Ip: 2.18.114.25' \
--data 'user=dasD'


Thanks,

Yi
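A diagnostic that goes with the question above, added here as an example and not part of the original message or of Zeek's own script library: it hooks `http_all_headers` and tallies the request-header bytes of every request that Zeek's HTTP analyzer actually parsed. If a request with oversized headers shows up neither here nor in http.log while its smaller twin does, the loss is in the analyzer rather than in the capture path. The module name, the threshold value, and the output format are assumptions made for the example.

```zeek
##! Added diagnostic (example code, not from the original post or from Zeek):
##! account for the header bytes of each HTTP request the HTTP analyzer
##! parses, so requests that never appear can be tied to the analyzer.
##! Run against a capture with:  zeek -r trace.pcap large_header_check.zeek

module LargeHeaderCheck;

export {
	## Requests whose combined request-header bytes exceed this are flagged.
	## 4096 is an assumed threshold for the example, not a Zeek default.
	const report_threshold: count = 4096 &redef;
}

event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
	{
	# Only the client side (the request) is of interest here.
	if ( ! is_orig )
		return;

	local total: count = 0;
	local largest_name: string = "";
	local largest_len: count = 0;

	# mime_header_list is a table[count] of mime_header_rec (name, value).
	# Zeek reports header names upper-cased, e.g. USER-AGENT.
	for ( i in hlist )
		{
		local h = hlist[i];
		local len = |h$name| + |h$value|;
		total += len;
		if ( len > largest_len )
			{
			largest_len = len;
			largest_name = h$name;
			}
		}

	# The URI is only available once http_request has populated c$http.
	local uri = ( c?$http && c$http?$uri ) ? c$http$uri : "<no uri>";

	if ( total > report_threshold )
		print fmt("LARGE request headers: uid=%s %s -> %s uri=%s total=%d bytes, largest=%s (%d bytes)",
		          c$uid, c$id$orig_h, c$id$resp_h, uri, total, largest_name, largest_len);
	else
		print fmt("request headers: uid=%s uri=%s total=%d bytes", c$uid, uri, total);
	}
```

Replay a capture containing both the large-header and the reduced-header request and compare the printed uids against http.log. A request that is missing from both outputs but present in conn.log was reassembled at the TCP layer yet never parsed as HTTP; weird.log for the same uid is then the next place to look.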