[Zeek] zeek drops requests with large headers

Justin Azoff justin at corelight.com
Thu Oct 17 16:47:59 PDT 2019


Is that request not on port 80? You are probably hitting
https://github.com/zeek/zeek/issues/343  Does the problem go away if you
set dpd_buffer_size to 4096?

On Thu, Oct 17, 2019 at 5:51 PM Yi Zhu <yizhu at shapesecurity.com> wrote:

> Hi,
>
> We are using zeek 3.0.0.
> We found that zeek drops requests with large headers.
> Is it possible to make zeek catch such requests?
> For example,
>
> curl -k -i -vv -X GET http://test/login \
> -H 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
> Trident/4.0; YPC 3.2.0; SearchSystem6829992239; SearchSystem9616306563;
> SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104;
> SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186;
> SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286;
> SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325372;
> SearchSystem7742471461; SearchSystem9092363703; SearchSystem6992236221;
> SearchSystem3507700306; SearchSystem1129983453; SearchSystem1077927937;
> SearchSystem2297142691; SearchSystem7813572891; SearchSystem5668754497;
> SearchSystem6220295595; SearchSystem4157940963; SearchSystem7656671655;
> SearchSystem2865656762; SearchSystem6520604676; SearchSystem4960161466;
> .NET CLR 1.1.4322; .NET CLR 2.0.50727; Hotbar 10.2.232.0;
> SearchSystem9616306563; SearchSystem6017393645; SearchSystem5219240075;
> SearchSystem2768350104; SearchSystem6919669052; SearchSystem1986739074;
> SearchSystem1555480186; SearchSystem3376893470; SearchSystem9530642569;
> SearchSystem4877790286; SearchSystem8104932799; SearchSystem2313134663;
> SearchSystem1545325372; SearchSystem7742471461; SearchSystem9092363703;
> SearchSystem6992236221; SearchSystem3507700306; SearchSystem1129983453;
> SearchSystem1077927937; SearchSystem2297142691; SearchSystem7813572891;
> SearchSystem5668754497; SearchSystem6220295595; SearchSystem4157940963;
> SearchSystem7656671655; SearchSystem2865656762; SearchSystem6520604676;
> SearchSystem4960161466; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)' \
> -H 'Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
> -H 'Accept-Language: en-US,en;q=0.5' --compressed \
> -H 'Content-Type: application/x-www-form-urlencoded' \
> -H 'Connection: keep-alive' \
> -H 'Upgrade-Insecure-Requests: 1' \
> -H 'Pragma: no-cache' \
> -H 'Cache-Control: no-cache' \
> -H 'True-Client-Ip: 2.18.114.25' \
> --data 'user=dasD'
>
>
> After I reduced the header size, zeek can catch it.
>
> For example,
>
> curl -k -i -vv -X GET http://test/login \
> -H 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
> Trident/4.0; YPC 3.2.0; SearchSystem6829992239; SearchSystem9616306563;
> SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104;
> SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186;
> SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286;
> SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325373;
> SearchSystem7742471461;
> SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471462;
> SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471461;
> SearchSystem2313134663;x)' \
> -H 'Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
> -H 'Accept-Language: en-US,en;q=0.5' --compressed \
> -H 'Content-Type: application/x-www-form-urlencoded' \
> -H 'Connection: keep-alive' \
> -H 'Upgrade-Insecure-Requests: 1' \
> -H 'Pragma: no-cache' \
> -H 'Cache-Control: no-cache' \
> -H 'True-Client-Ip: 2.18.114.25' \
> --data 'user=dasD'
>
>
> Thanks,
>
> Yi
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 
Justin
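As an added example that is not part of the thread or of the Zeek project's own scripts: a site-policy snippet (for instance appended to local.zeek) that applies the dpd_buffer_size change suggested above and, as a second measure, registers the HTTP analyzer on the non-standard port directly. Port 8080 is an assumption standing in for whatever port the request in the report was actually seen on; the 1024-byte default is the value shipped with Zeek 3.0.

```zeek
# Added example, not from the mailing-list thread or the Zeek distribution.

# Zeek 3.0 defaults dpd_buffer_size to 1024 bytes. When dynamic protocol
# detection (DPD) attaches an analyzer late, only this much of each
# direction's earlier data is replayed to it, so a request whose request
# line plus headers exceed the buffer loses its beginning and never shows
# up in http.log. Raising the buffer lets larger headers through.
redef dpd_buffer_size = 4096;

# If the non-standard port is known in advance, attaching the HTTP analyzer
# to it at startup sidesteps DPD for that port entirely, so buffer size no
# longer matters there. 8080/tcp is an assumed placeholder port.
event zeek_init()
    {
    Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, set(8080/tcp));
    }
```

After changing the policy, redeploy (for a zeekctl-managed cluster, `zeekctl deploy`) and replay the same curl request; it should then appear in http.log with its full header set. If it still does not, the cause is something other than the DPD buffer and the issue linked above is the place to compare notes.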