[Zeek] zeek drops requests with large headers

ericooi at gmail.com
Thu Oct 17 18:44:27 PDT 2019


Seems to capture fine when I do it on my instance of Zeek 3.0.  Perhaps you’re not capturing the full packet?

https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html


> On Oct 17, 2019, at 6:47 PM, Justin Azoff <justin at corelight.com> wrote:
> 
> Is that request not on port 80?  You are probably hitting https://github.com/zeek/zeek/issues/343  Does the problem go away if you set dpd_buffer_size to 4096 ?
> 
> On Thu, Oct 17, 2019 at 5:51 PM Yi Zhu <yizhu at shapesecurity.com> wrote:
> Hi,
> 
> We are using zeek 3.0.0.
> We found that zeek drops requests with large headers.
> Is it possible to make zeek catch such requests?
> For example,
> curl -k -i -vv -X GET http://test/login \
> -H 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; YPC 3.2.0; SearchSystem6829992239; SearchSystem9616306563; SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104; SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186; SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286; SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471461; SearchSystem9092363703; SearchSystem6992236221; SearchSystem3507700306; SearchSystem1129983453; SearchSystem1077927937; SearchSystem2297142691; SearchSystem7813572891; SearchSystem5668754497; SearchSystem6220295595; SearchSystem4157940963; SearchSystem7656671655; SearchSystem2865656762; SearchSystem6520604676; SearchSystem4960161466; .NET CLR 1.1.4322; .NET CLR 2.0.50727; Hotbar 10.2.232.0; SearchSystem9616306563; SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104; SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186; SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286; SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471461; SearchSystem9092363703; SearchSystem6992236221; SearchSystem3507700306; SearchSystem1129983453; SearchSystem1077927937; SearchSystem2297142691; SearchSystem7813572891; SearchSystem5668754497; SearchSystem6220295595; SearchSystem4157940963; SearchSystem7656671655; SearchSystem2865656762; SearchSystem6520604676; SearchSystem4960161466; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)' \
> -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
> -H 'Accept-Language: en-US,en;q=0.5' --compressed \
> -H 'Content-Type: application/x-www-form-urlencoded' \
> -H 'Connection: keep-alive' \
> -H 'Upgrade-Insecure-Requests: 1' \
> -H 'Pragma: no-cache' \
> -H 'Cache-Control: no-cache' \
> -H 'True-Client-Ip: 2.18.114.25' \
> --data 'user=dasD'
> 
> After I reduced the header size, zeek can catch it.
> For example,
> curl -k -i -vv -X GET http://test/login \
> -H 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; YPC 3.2.0; SearchSystem6829992239; SearchSystem9616306563; SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104; SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186; SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286; SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325373; SearchSystem7742471461; SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471462; SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471461; SearchSystem2313134663;x)' \
> -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
> -H 'Accept-Language: en-US,en;q=0.5' --compressed \
> -H 'Content-Type: application/x-www-form-urlencoded' \
> -H 'Connection: keep-alive' \
> -H 'Upgrade-Insecure-Requests: 1' \
> -H 'Pragma: no-cache' \
> -H 'Cache-Control: no-cache' \
> -H 'True-Client-Ip: 2.18.114.25' \
> --data 'user=dasD'
> 
> Thanks,
> Yi
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> 
> -- 
> Justin

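To make the threshold Justin points at concrete, here is an added example (not code from the thread or from Zeek) that serializes a request roughly the way curl sends it and checks whether the whole header block lands inside Zeek's dpd_buffer_size, the early payload Zeek buffers per connection while dynamic protocol detection decides which analyzer to attach. It assumes the Zeek 3.0 default of 1024 bytes (check init-bare.zeek on your build) and uses a constructed long User-Agent in place of the one in the report.

```python
# Added example: estimate the header bytes of a curl-style request and compare
# them with Zeek's dpd_buffer_size.  Not Zeek code; sizes are approximate
# because curl's exact header order and Accept-Encoding value vary by version.

DEFAULT_DPD_BUFFER_SIZE = 1024   # assumption: Zeek 3.0 default (init-bare.zeek)
PROPOSED_DPD_BUFFER_SIZE = 4096  # value suggested in the thread


def build_request(method, path, host, headers, body=b""):
    """Serialize a request: request line, Host, custom headers, Content-Length, body."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in headers]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def dpd_verdict(request, buffer_size=DEFAULT_DPD_BUFFER_SIZE):
    """Return (header_bytes, fits): is the complete header block inside the buffer?"""
    header_bytes = request.index(b"\r\n\r\n") + 4
    return header_bytes, header_bytes <= buffer_size


def large_user_agent(n_tokens):
    """Constructed stand-in for the long 'SearchSystem...' User-Agent in the report."""
    tokens = "; ".join(f"SearchSystem{1000000000 + i}" for i in range(n_tokens))
    return f"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; {tokens})"


COMMON_HEADERS = [  # the fixed headers from the curl command in the report
    ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"),
    ("Accept-Language", "en-US,en;q=0.5"),
    ("Accept-Encoding", "deflate, gzip"),  # what curl --compressed adds (approx.)
    ("Content-Type", "application/x-www-form-urlencoded"),
    ("Connection", "keep-alive"),
    ("Upgrade-Insecure-Requests", "1"),
    ("Pragma", "no-cache"),
    ("Cache-Control", "no-cache"),
    ("True-Client-Ip", "2.18.114.25"),
]


def report(n_tokens):
    """Header size of the constructed request and whether it fits each buffer size."""
    headers = [("User-Agent", large_user_agent(n_tokens))] + COMMON_HEADERS
    req = build_request("GET", "/login", "test", headers, b"user=dasD")
    size, fits_default = dpd_verdict(req)
    _, fits_proposed = dpd_verdict(req, PROPOSED_DPD_BUFFER_SIZE)
    return {"header_bytes": size, "fits_1024": fits_default, "fits_4096": fits_proposed}


if __name__ == "__main__":
    for n in (4, 60):  # short UA like the second curl, long UA like the first
        print(n, report(n))
```

If the header block exceeds the buffer on a non-standard port, the `redef dpd_buffer_size = 4096;` from the thread is the first thing to try; if it fits and the request is still missing, check the capture snaplen as ericooi suggests.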