GitHub - precurse/zeek-httpattacks: This module detects HTTP requests that are non RFC compliant and used for smuggling
zeek-httpattacks

Description

This module detects HTTP requests that are not RFC compliant, including:

  • Multiple HTTP Host headers
  • GET requests with a body
  • Both Content-Length and Transfer-Encoding present
  • Multiple Content-Length and/or Transfer-Encoding headers

When any of these are detected, an HTTP_Smuggling notice will be added to notice.log.

Installation

  • Install via Zeek package manager:

    $ zkg install zeek-httpattacks
  • Download the files to $PREFIX/zeek/share/zeek/site/zeek-httpattacks and add the following to your local.zeek:

    @load ./zeek-httpattacks

Configuration

There are currently no configuration flags that can be used with this module. If you would like a new feature, please create a pull request.

notice.log Examples

HTTPATTACKS::HTTP_Smuggling	Multiple HTTP Host headers detected
HTTPATTACKS::HTTP_Smuggling	More than one CL or TE header detected
HTTPATTACKS::HTTP_Smuggling	CL and TE headers detected
HTTPATTACKS::HTTP_Smuggling	HTTP GET request with body detected
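
The four conditions behind these messages can be reproduced offline. The following Python sketch is an added example, not this module's Zeek code: it applies the same four checks to raw request bytes and returns the matching notice messages. The function name, the sample requests, and the rule that a "body" means any bytes after the blank line are assumptions made for the illustration.

```python
# Added illustration, not the module's code. Sample requests are constructed.
from collections import Counter

def smuggling_findings(raw: bytes) -> list:
    """Return the notice messages one raw HTTP request would trigger.

    Assumption: `raw` holds exactly one request, so any bytes after the
    blank line are treated as that request's body.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].upper()
    counts = Counter()
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            continue  # folded continuation line, not a new header
        name, sep, _ = line.partition(b":")
        if sep:
            # Names are case-insensitive; strip the stray whitespace that
            # lenient parsers accept ("Transfer-Encoding : chunked").
            counts[name.strip().lower()] += 1
    cl, te = counts[b"content-length"], counts[b"transfer-encoding"]
    findings = []
    if counts[b"host"] > 1:
        findings.append("Multiple HTTP Host headers detected")
    if cl > 1 or te > 1:
        findings.append("More than one CL or TE header detected")
    if cl and te:
        findings.append("CL and TE headers detected")
    if method == b"GET" and body:
        findings.append("HTTP GET request with body detected")
    return findings

H = b"Host: a.example\r\n"  # constructed sample host
SAMPLES = {
    "clean": b"GET / HTTP/1.1\r\n" + H + b"\r\n",
    "dup_host": b"GET / HTTP/1.1\r\n" + H + b"host: b.example\r\n\r\n",
    "dup_cl": b"POST / HTTP/1.1\r\n" + H
              + b"Content-Length: 3\r\nContent-Length: 0\r\n\r\nabc",
    "cl_te": b"POST / HTTP/1.1\r\n" + H
             + b"Content-Length: 4\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
    "get_body": b"GET / HTTP/1.1\r\n" + H + b"Content-Length: 3\r\n\r\nabc",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, smuggling_findings(request))
```

A request can trigger more than one message; for example, two Transfer-Encoding headers alongside a Content-Length header match both the duplicate check and the CL-and-TE check.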

Automated Testing

Travis CI is used to run automated tests on each and every commit.

Created By

Andrew Klaus (@precurse)
