Techniques
Sample rules
Unusually Long Content-Type Length
- source: splunk
- techniques:
Description
The following analytic identifies unusually long strings in the Content-Type HTTP header sent by the client to the server. It uses data from the Stream:HTTP source, specifically evaluating the length of the cs_content_type field. This activity is significant because excessively long Content-Type headers can indicate attempts to exploit vulnerabilities or evade detection mechanisms. If confirmed malicious, this behavior could allow attackers to execute code, manipulate data, or bypass security controls, potentially leading to unauthorized access or data breaches.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web by Web.src Web.dest Web.url Web.http_user_agent Web.http_content_type
| `drop_dm_object_name("Web")`
| eval http_content_type_length = len(http_content_type)
| where http_content_type_length > 100
| table firstTime lastTime src dest http_content_type_length http_content_type url http_user_agent
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `unusually_long_content_type_length_filter`
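The same detection logic as an added Python example (not code from the Splunk Security Content project), run over constructed sample events shaped like the Web data model fields the search groups by; it assumes those field names and the 100-character cut-off exactly as the search above uses them. Note that because http_content_type is itself one of the `by` fields, the count is per distinct header value, not per source host.

```python
# Added example: re-implementation of the tstats search over constructed events.

# Constructed sample events; field names follow the Web data model after
# drop_dm_object_name("Web"). Times are ISO-8601 strings so min/max sort correctly.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00", "src": "10.0.0.5", "dest": "192.0.2.10",
     "url": "/upload", "http_user_agent": "curl/8.0",
     "http_content_type": "application/json"},
    {"_time": "2024-05-01T10:01:00", "src": "10.0.0.7", "dest": "192.0.2.10",
     "url": "/upload", "http_user_agent": "python-requests/2.31",
     "http_content_type": "multipart/form-data; boundary=" + "-" * 90 + "x"},
    {"_time": "2024-05-01T10:05:00", "src": "10.0.0.7", "dest": "192.0.2.10",
     "url": "/upload", "http_user_agent": "python-requests/2.31",
     "http_content_type": "multipart/form-data; boundary=" + "-" * 90 + "x"},
    {"_time": "2024-05-01T10:02:00", "src": "10.0.0.9", "dest": "192.0.2.10",
     "url": "/api", "http_user_agent": "Mozilla/5.0",
     "http_content_type": "text/plain; charset=utf-8"},
]

# The `by` clause of the search, after the data model prefix is dropped.
GROUP_FIELDS = ("src", "dest", "url", "http_user_agent", "http_content_type")
THRESHOLD = 100  # same cut-off as `where http_content_type_length > 100`


def unusually_long_content_type(events, threshold=THRESHOLD):
    """Mirror the search: group by the `by` fields, keep count and first/last
    time per group, then keep only groups whose Content-Type value is longer
    than `threshold` characters. Returns rows with the `table` columns."""
    groups = {}
    for ev in events:
        key = tuple(ev.get(f, "") for f in GROUP_FIELDS)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                    "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])  # min(_time)
        g["lastTime"] = max(g["lastTime"], ev["_time"])    # max(_time)
    results = []
    for key, g in groups.items():
        row = dict(zip(GROUP_FIELDS, key))
        row["http_content_type_length"] = len(row["http_content_type"])  # eval len()
        if row["http_content_type_length"] > threshold:                  # where
            row.update(g)
            results.append(row)
    return results


if __name__ == "__main__":
    for row in unusually_long_content_type(SAMPLE_EVENTS):
        print(row["firstTime"], row["lastTime"], row["src"], row["dest"],
              row["http_content_type_length"], row["url"], row["http_user_agent"])
```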