Detecting Client Library Using HTTP Headers

Cross-posted at: https://www.perched.io/blog/2019/5/6/detecting-client-library-using-http-headers

This post describes a passive way to detect the library used to make a web request from its HTTP headers, using Zeek (Bro) and the Elastic Stack within RockNSM.

When it comes to HTTP, the main focus has always been on the layer 7 application details in the HTTP User-Agent header. However, the User-Agent can be spoofed and is typically replaced with any User-Agent of choice.

Using the described method has positive and negative implications for both Blue Teams (defenders) and Red Teams (attackers).