Hi,
We are using zeek 3.0.0.
We found that zeek drops requests with large headers.
Is it possible to make zeek catch such requests?
For example,
curl -k -i -vv -X GET http://test/login \
-H 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; YPC 3.2.0; SearchSystem6829992239; SearchSystem9616306563; SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104; SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186; SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286; SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471461; SearchSystem9092363703; SearchSystem6992236221; SearchSystem3507700306; SearchSystem1129983453; SearchSystem1077927937; SearchSystem2297142691; SearchSystem7813572891; SearchSystem5668754497; SearchSystem6220295595; SearchSystem4157940963; SearchSystem7656671655; SearchSystem2865656762; SearchSystem6520604676; SearchSystem4960161466; .NET CLR 1.1.4322; .NET CLR 2.0.50727; Hotbar 10.2.232.0; SearchSystem9616306563; SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104; SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186; SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286; SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471461; SearchSystem9092363703; SearchSystem6992236221; SearchSystem3507700306; SearchSystem1129983453; SearchSystem1077927937; SearchSystem2297142691; SearchSystem7813572891; SearchSystem5668754497; SearchSystem6220295595; SearchSystem4157940963; SearchSystem7656671655; SearchSystem2865656762; SearchSystem6520604676; SearchSystem4960161466; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' --compressed \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Connection: keep-alive' \
-H 'Upgrade-Insecure-Requests: 1' \
-H 'Pragma: no-cache' \
-H 'Cache-Control: no-cache' \
-H 'True-Client-Ip: 2.18.114.25' \
--data 'user=dasD'
After I reduced the header size, zeek can catch it.
For example,
curl -k -i -vv -X GET http://test/login \
-H 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; YPC 3.2.0; SearchSystem6829992239; SearchSystem9616306563; SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104; SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186; SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286; SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325373; SearchSystem7742471461; SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471462; SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471461; SearchSystem2313134663;x)' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' --compressed \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Connection: keep-alive' \
-H 'Upgrade-Insecure-Requests: 1' \
-H 'Pragma: no-cache' \
-H 'Cache-Control: no-cache' \
-H 'True-Client-Ip: 2.18.114.25' \
--data 'user=dasD'
Thanks,
Yi