ID | Technique | Tactic |
---|
Detection: Unusually Long Content-Type Length
EXPERIMENTAL DETECTION
This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.
Description
The following analytic identifies unusually long strings in the Content-Type HTTP header sent by the client to the server. It uses data from the Stream:HTTP source, specifically evaluating the length of the cs_content_type
field. This activity is significant because excessively long Content-Type headers can indicate attempts to exploit vulnerabilities or evade detection mechanisms. If confirmed malicious, this behavior could allow attackers to execute code, manipulate data, or bypass security controls, potentially leading to unauthorized access or data breaches.
Search
1`stream_http`
2| eval cs_content_type_length = len(cs_content_type)
3| where cs_content_type_length > 100
4| table endtime src_ip dest_ip cs_content_type_length cs_content_type url
5| `unusually_long_content_type_length_filter`
Data Source
Name | Platform | Sourcetype | Source | Supported App |
---|---|---|---|---|
N/A | N/A | N/A | N/A | N/A |
Macros Used
Name | Value |
---|---|
stream_http | sourcetype=stream:http |
unusually_long_content_type_length_filter | search * |
unusually_long_content_type_length_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Enabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Risk Based Alerting | True |
Implementation
This particular search leverages data extracted from Stream:HTTP. You must configure the http stream using the Splunk Stream App on your Splunk Stream deployment server to extract the cs_content_type field.
Known False Positives
Very few legitimate Content-Type fields will have a length greater than 100 characters.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
tbd | 25 | 50 | 50 |
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | Not Applicable | N/A | N/A | N/A |
Unit | ❌ Failing | N/A | N/A |
N/A |
Integration | ❌ Failing | N/A | N/A |
N/A |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2