[Zeek] zeek drops requests with large headers

Justin Azoff justin at corelight.com
Fri Oct 18 06:55:28 PDT 2019


I took a closer look at those 2 commands, the first one sends 1900 bytes
or so while the 2nd one is just under 1024.  The default dpd buffer size
would definitely explain this issue if you were sending that request to a
port other than 80 or 8080 or one of the other default http ports.

On Thu, Oct 17, 2019 at 7:47 PM Justin Azoff <justin at corelight.com> wrote:

> Is that request not on port 80?  You are probably hitting
> https://github.com/zeek/zeek/issues/343  Does the problem go away if you
> set dpd_buffer_size to 4096?
>
> On Thu, Oct 17, 2019 at 5:51 PM Yi Zhu <yizhu at shapesecurity.com> wrote:
>
>> Hi,
>>
>> We are using zeek 3.0.0.
>> We found that zeek drops requests with large headers.
>> Is it possible to make zeek catch such requests?
>> For example,
>>
>> curl -k -i -vv -X GET http://test/login \
>> -H 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
>> Trident/4.0; YPC 3.2.0; SearchSystem6829992239; SearchSystem9616306563;
>> SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104;
>> SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186;
>> SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286;
>> SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325372;
>> SearchSystem7742471461; SearchSystem9092363703; SearchSystem6992236221;
>> SearchSystem3507700306; SearchSystem1129983453; SearchSystem1077927937;
>> SearchSystem2297142691; SearchSystem7813572891; SearchSystem5668754497;
>> SearchSystem6220295595; SearchSystem4157940963; SearchSystem7656671655;
>> SearchSystem2865656762; SearchSystem6520604676; SearchSystem4960161466;
>> .NET CLR 1.1.4322; .NET CLR 2.0.50727; Hotbar 10.2.232.0;
>> SearchSystem9616306563; SearchSystem6017393645; SearchSystem5219240075;
>> SearchSystem2768350104; SearchSystem6919669052; SearchSystem1986739074;
>> SearchSystem1555480186; SearchSystem3376893470; SearchSystem9530642569;
>> SearchSystem4877790286; SearchSystem8104932799; SearchSystem2313134663;
>> SearchSystem1545325372; SearchSystem7742471461; SearchSystem9092363703;
>> SearchSystem6992236221; SearchSystem3507700306; SearchSystem1129983453;
>> SearchSystem1077927937; SearchSystem2297142691; SearchSystem7813572891;
>> SearchSystem5668754497; SearchSystem6220295595; SearchSystem4157940963;
>> SearchSystem7656671655; SearchSystem2865656762; SearchSystem6520604676;
>> SearchSystem4960161466; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)' \
>> -H 'Accept:
>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
>> -H 'Accept-Language: en-US,en;q=0.5' --compressed \
>> -H 'Content-Type: application/x-www-form-urlencoded' \
>> -H 'Connection: keep-alive' \
>> -H 'Upgrade-Insecure-Requests: 1' \
>> -H 'Pragma: no-cache' \
>> -H 'Cache-Control: no-cache' \
>> -H 'True-Client-Ip: 2.18.114.25' \
>> --data 'user=dasD'
>>
>>
>> After I reduced the header size, zeek can catch it.
>>
>> For example,
>>
>> curl -k -i -vv -X GET http://test/login \
>> -H 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
>> Trident/4.0; YPC 3.2.0; SearchSystem6829992239; SearchSystem9616306563;
>> SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104;
>> SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186;
>> SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286;
>> SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325373;
>> SearchSystem7742471461;
>> SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471462;
>> SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471461;
>> SearchSystem2313134663;x)' \
>> -H 'Accept:
>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
>> -H 'Accept-Language: en-US,en;q=0.5' --compressed \
>> -H 'Content-Type: application/x-www-form-urlencoded' \
>> -H 'Connection: keep-alive' \
>> -H 'Upgrade-Insecure-Requests: 1' \
>> -H 'Pragma: no-cache' \
>> -H 'Cache-Control: no-cache' \
>> -H 'True-Client-Ip: 2.18.114.25' \
>> --data 'user=dasD'
>>
>>
>> Thanks,
>>
>> Yi
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
>
> --
> Justin
>


-- 
Justin
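The check behind Justin's answer above, as an added example that is not part of the thread and not code from the Zeek project: it builds two HTTP requests shaped like the two curl commands, measures the request head (request line through the empty line that ends the headers), and compares that against dpd_buffer_size for a port that has no analyzer registered. The script assumes that Zeek keeps only dpd_buffer_size bytes of a connection on such a port while dynamic protocol detection runs and that bytes beyond that buffer are not replayed to the analyzer it later attaches; HTTP_PORTS lists only the ports named in the thread, the padded User-Agent values, the Accept-Encoding header and port 8081 are constructed for the example, and build_request, request_head_size and fits_dpd_buffer are hypothetical helper names.

```python
"""Estimate whether an HTTP request head fits in Zeek's DPD buffer.

Added example for this thread; not code from the mailing-list post or from
Zeek. Assumptions: on a port with no analyzer registered, Zeek keeps only
dpd_buffer_size bytes (default 1024) per direction while dynamic protocol
detection decides which analyzer to attach, and bytes beyond that buffer are
never replayed to the analyzer. HTTP_PORTS lists only the ports the thread
names; the full default list is HTTP::ports in your own Zeek install.
"""

DEFAULT_DPD_BUFFER_SIZE = 1024   # Zeek default for dpd_buffer_size
HTTP_PORTS = {80, 8080}          # ports named in the thread (see docstring)


def build_request(method, path, host, headers, body=b""):
    """Serialise an HTTP/1.1 request with CRLF line endings, as curl sends it."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in headers]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + body


def request_head_size(raw):
    """Bytes from the request line through the empty line ending the headers."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("request head is not terminated by an empty line")
    return end + 4


def fits_dpd_buffer(raw, dst_port, dpd_buffer_size=DEFAULT_DPD_BUFFER_SIZE):
    """True if the HTTP analyzer would see the whole request head.

    On a port where the HTTP analyzer is registered, DPD buffering is not in
    play and the request is parsed from its first byte regardless of size.
    """
    if dst_port in HTTP_PORTS:
        return True
    return request_head_size(raw) <= dpd_buffer_size


def padded_user_agent(n_tokens):
    """Constructed User-Agent in the style of the thread's bloated MSIE string."""
    tokens = "; ".join(f"SearchSystem{i:010d}" for i in range(n_tokens))
    return f"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; {tokens})"


# Headers taken from the curl commands in the thread; Accept-Encoding stands in
# for what `curl --compressed` adds (the exact value depends on the curl build).
COMMON_HEADERS = [
    ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"),
    ("Accept-Language", "en-US,en;q=0.5"),
    ("Accept-Encoding", "deflate, gzip"),
    ("Content-Type", "application/x-www-form-urlencoded"),
    ("Connection", "keep-alive"),
    ("Upgrade-Insecure-Requests", "1"),
    ("Pragma", "no-cache"),
    ("Cache-Control", "no-cache"),
    ("True-Client-Ip", "2.18.114.25"),
]

# Two constructed requests: 60 padding tokens lands near the ~1900-byte first
# command in the thread, 20 tokens stays under the 1024-byte default buffer.
LARGE_REQUEST = build_request(
    "GET", "/login", "test",
    [("User-Agent", padded_user_agent(60))] + COMMON_HEADERS, b"user=dasD")
SMALL_REQUEST = build_request(
    "GET", "/login", "test",
    [("User-Agent", padded_user_agent(20))] + COMMON_HEADERS, b"user=dasD")


def report(raw, dst_port, dpd_buffer_size=DEFAULT_DPD_BUFFER_SIZE):
    """One-line verdict for a request, used by the demo below."""
    size = request_head_size(raw)
    verdict = "ok" if fits_dpd_buffer(raw, dst_port, dpd_buffer_size) else "TRUNCATED"
    return f"port {dst_port}: head {size} bytes, buffer {dpd_buffer_size}: {verdict}"


if __name__ == "__main__":
    for raw in (LARGE_REQUEST, SMALL_REQUEST):
        print(report(raw, 8081))        # constructed non-HTTP port, default buffer
        print(report(raw, 8081, 4096))  # the 4096 suggested in the thread
        print(report(raw, 80))          # registered HTTP port, DPD not involved
```

A "TRUNCATED" verdict has two fixes in local.zeek: raise the buffer with `redef dpd_buffer_size = 4096;` as suggested above, or, when the service always lives on that port, register the port with the HTTP analyzer (in Zeek 3.0 the list is the redef-able `HTTP::ports`, e.g. `redef HTTP::ports += { 8081/tcp };`) so detection does not depend on the buffer at all.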