2019-05-08

Detecting Client Library Using HTTP Headers

Cross-posted at: https://drive.google.com/file/d/1iX-ZMhtkBJrl_PR1-b33044diA_MTXwG/view?usp=sharing

This post describes a passive way to detect the library used to make a web request from its HTTP headers, using Zeek (Bro) and the Elastic Stack within RockNSM.

When it comes to HTTP, the main focus has always been on the layer 7 application details in the User-Agent header. However, the User-Agent can be spoofed and is typically replaced with any User-Agent of choice.

Using the described method has positive and negative implications for both Blue Teams (defenders) and Red Teams (attackers).