⚠️ WARNING: THIS IS AN EXPERIMENTAL DETECTION

We have not been able to test, simulate or build datasets for it; use at your own risk!


Description

This search looks for unusually long values in the Content-Type HTTP request header, i.e. the header the client sends to the server. It flags any event whose cs_content_type value is longer than 100 characters.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2017-10-13
  • Author: Bhavin Patel, Splunk
  • ID: 57a0a2bf-353f-40c1-84dc-29293f3c35b7
Search

`stream_http`
| eval cs_content_type_length = len(cs_content_type)
| where cs_content_type_length > 100
| table endtime src_ip dest_ip cs_content_type_length cs_content_type url
| `unusually_long_content_type_length_filter`
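The same logic as the search above, re-implemented in plain Python over a handful of constructed Stream:HTTP-style records. This is an added example, not part of the Splunk content: the field names mirror those the search uses, the events are made up, and the `keep` predicate stands in for the site-specific `unusually_long_content_type_length_filter` macro. It also shows two edge cases the SPL handles implicitly: a value of exactly 100 characters is not reported (the comparison is a strict `>`), and an event with no Content-Type header is dropped because `len(null)` is null.

```python
"""Plain-Python equivalent of the 'unusually long Content-Type' Splunk search.

Added example, not part of the Splunk detection. Field names follow the
Stream:HTTP fields used by the search; all events below are constructed.
"""

# Threshold used by the search: `where cs_content_type_length > 100`
DEFAULT_THRESHOLD = 100

# Constructed Stream:HTTP-style events (made-up sample records).
SAMPLE_EVENTS = [
    {"endtime": "2017-10-13T10:00:01Z", "src_ip": "10.1.2.3", "dest_ip": "192.0.2.10",
     "cs_content_type": "application/json", "url": "/api/login"},
    # Multipart upload with a typical browser boundary: long-ish but well under 100.
    {"endtime": "2017-10-13T10:00:02Z", "src_ip": "10.1.2.4", "dest_ip": "192.0.2.10",
     "cs_content_type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
     "url": "/upload"},
    # Exactly 100 characters: the search uses a strict '>' so this does NOT match.
    {"endtime": "2017-10-13T10:00:03Z", "src_ip": "10.1.2.5", "dest_ip": "192.0.2.10",
     "cs_content_type": "text/plain; " + "x" * 88, "url": "/notes"},
    # Abnormal value padded with an opaque blob, far over the threshold.
    {"endtime": "2017-10-13T10:00:04Z", "src_ip": "10.1.2.6", "dest_ip": "198.51.100.7",
     "cs_content_type": "application/x-www-form-urlencoded; param=" + "A" * 120,
     "url": "/cgi-bin/index.php"},
    # Request without a Content-Type header: the field is null, so in SPL
    # len(null) is null and the `where` clause drops the event.
    {"endtime": "2017-10-13T10:00:05Z", "src_ip": "10.1.2.7", "dest_ip": "192.0.2.10",
     "cs_content_type": None, "url": "/"},
]

# Columns produced by the `table` command in the search.
TABLE_FIELDS = ("endtime", "src_ip", "dest_ip", "cs_content_type_length",
                "cs_content_type", "url")


def content_type_length(event):
    """Equivalent of `eval cs_content_type_length = len(cs_content_type)`.

    Returns None when the field is absent, mirroring SPL's null result.
    """
    value = event.get("cs_content_type")
    if value is None:
        return None
    return len(value)


def unusually_long_content_type(events, threshold=DEFAULT_THRESHOLD, keep=None):
    """Run the search logic over an iterable of event dicts.

    `keep` plays the role of the `unusually_long_content_type_length_filter`
    macro: a predicate returning False for hits you want to suppress.
    None keeps every hit. Input order is preserved.
    """
    results = []
    for event in events:
        length = content_type_length(event)
        # `where cs_content_type_length > 100` (null compares false and is dropped)
        if length is None or length <= threshold:
            continue
        row = dict(event)
        row["cs_content_type_length"] = length
        if keep is not None and not keep(row):
            continue
        results.append({field: row.get(field) for field in TABLE_FIELDS})  # `table ...`
    return results


def ignore_dest(dest_ips):
    """Build a `keep` predicate that suppresses hits to the given destination
    IPs, the kind of exclusion you would put in the filter macro."""
    suppressed = set(dest_ips)
    return lambda row: row["dest_ip"] not in suppressed


if __name__ == "__main__":
    for hit in unusually_long_content_type(SAMPLE_EVENTS):
        print(hit["endtime"], hit["src_ip"], "->", hit["dest_ip"],
              hit["cs_content_type_length"], hit["url"])
```

Running the module prints the single padded request; lowering `threshold` to 50 would also surface the multipart upload and the 100-character value, which is the trade-off to weigh before tuning the search's fixed `> 100`.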

Associated Analytic Story

How To Implement

This search uses data extracted from Stream:HTTP, referenced through the `stream_http` macro. You must configure the HTTP stream in the Splunk Stream app on your Splunk Stream deployment server so that the cs_content_type field (the client's Content-Type request header) is extracted; without that field the eval yields no length and the search returns nothing. Put any site-specific exclusions in the `unusually_long_content_type_length_filter` macro.

Required fields

  • _time
  • cs_content_type
  • endtime
  • src_ip
  • dest_ip
  • url

Kill Chain Phase

  • Delivery

Known False Positives

Very few legitimate Content-Type values are longer than 100 characters. The most plausible legitimate sources are multipart/form-data requests with long boundary parameters or headers carrying several parameters; if a specific application produces such values, exclude it in the `unusually_long_content_type_length_filter` macro rather than raising the threshold for all traffic.


Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1