zeek drops requests with large headers

Hi,

We are using zeek 3.0.0.
We found that zeek drops requests with large headers.
Is it possible to make zeek catch such requests?
For example,

curl -k -i -vv -X GET http://test/login \
-H 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; YPC 3.2.0; SearchSystem6829992239; SearchSystem9616306563; SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104; SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186; SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286; SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471461; SearchSystem9092363703; SearchSystem6992236221; SearchSystem3507700306; SearchSystem1129983453; SearchSystem1077927937; SearchSystem2297142691; SearchSystem7813572891; SearchSystem5668754497; SearchSystem6220295595; SearchSystem4157940963; SearchSystem7656671655; SearchSystem2865656762; SearchSystem6520604676; SearchSystem4960161466; .NET CLR 1.1.4322; .NET CLR 2.0.50727; Hotbar 10.2.232.0; SearchSystem9616306563; SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104; SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186; SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286; SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471461; SearchSystem9092363703; SearchSystem6992236221; SearchSystem3507700306; SearchSystem1129983453; SearchSystem1077927937; SearchSystem2297142691; SearchSystem7813572891; SearchSystem5668754497; SearchSystem6220295595; SearchSystem4157940963; SearchSystem7656671655; SearchSystem2865656762; SearchSystem6520604676; SearchSystem4960161466; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' --compressed \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Connection: keep-alive' \
-H 'Upgrade-Insecure-Requests: 1' \
-H 'Pragma: no-cache' \
-H 'Cache-Control: no-cache' \
-H 'True-Client-Ip: 2.18.114.25' \
--data 'user=dasD'

After I reduced the header size, zeek can catch it.

For example,

curl -k -i -vv -X GET http://test/login \
-H 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; YPC 3.2.0; SearchSystem6829992239; SearchSystem9616306563; SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104; SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186; SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286; SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325373; SearchSystem7742471461; SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471462; SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471461; SearchSystem2313134663;x)' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' --compressed \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Connection: keep-alive' \
-H 'Upgrade-Insecure-Requests: 1' \
-H 'Pragma: no-cache' \
-H 'Cache-Control: no-cache' \
-H 'True-Client-Ip: 2.18.114.25' \
--data 'user=dasD'

Thanks,

Yi

Is that request not on port 80? You are probably hitting https://github.com/zeek/zeek/issues/343. Does the problem go away if you set dpd_buffer_size to 4096?

Seems to capture fine when I do it on my instance of Zeek 3.0. Perhaps you’re not capturing the full packet?

https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html

I took a closer look at those 2 commands: the first one sends 1900 bytes or so, while the 2nd one is just under 1024. The default dpd buffer size would definitely explain this issue if you were sending that request to a port other than 80 or 8080 or one of the other default http ports.
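The two fixes discussed above (raising the DPD buffer, or not relying on DPD at all) as a local.zeek snippet, added here as an example and not taken from the thread or from Zeek's own sources; it assumes the test server listens on 8081/tcp, which the thread never states.

```zeek
# Added example (not from the thread). Zeek 3.0 ships dpd_buffer_size = 1024,
# so on a port without a registered HTTP analyzer, a request whose first
# 1024 bytes do not finish matching the HTTP signature is never handed to
# the HTTP analyzer and never shows up in http.log.

# Option 1: buffer more bytes per connection before DPD gives up.
# Trade-off: this buffer is held for every not-yet-identified connection,
# so pick the smallest value that covers the headers you actually see.
redef dpd_buffer_size = 4096;

# Option 2: tell Zeek the port speaks HTTP, so DPD is not needed at all.
# 8081/tcp is an assumed placeholder for the port the test server uses.
event zeek_init()
    {
    Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 8081/tcp);
    }
```

After changing either setting, re-run the 1900-byte curl request and confirm a line for /login appears in http.log; if it still does not, check the capture for truncated packets as the thread suggests.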