HTTP Request Smuggling (#3731)

* HTTP Request Smuggling

* Updates from PR comments

---------

Co-authored-by: Bhavin Patel <[email protected]>

Author: RavenTait

detections/web/http_duplicated_header.yml

@@ -0,0 +1,79 @@
+name: HTTP Duplicated Header
+id: 1606cc5b-fd5f-4865-9fe3-0ed1eaec2df6
+version: 1
+date: '2025-10-15'
+author: Raven Tait, Splunk
+status: production
+type: Anomaly
+description: Detects when a request has more than one of the same header. This is commonly used 
+  in request smuggling and other web based attacks. HTTP Request Smuggling exploits inconsistencies in how front-end 
+  and back-end servers parse HTTP requests by using ambiguous or malformed headers to hide malicious 
+  requests within legitimate ones. Attackers leverage duplicate headers, particularly Content-Length
+  and Transfer-Encoding, to cause different servers in the chain to disagree on where one request
+  ends and another begins. RFC7230 states that a sender MUST NOT generate multiple header fields with the same field
+  name in a message unless either the entire field value for that header field is defined as a comma-separated 
+  list or the header field is a well-known exception.
+data_source:
+- Suricata
+search: '`suricata` http.request_headers{}.name="*"
+  | rename dest_ip as dest
+  | spath path=http.request_headers{}.name output=header_names
+  | mvexpand header_names
+  | where lower(header_names) != "set-cookie"
+  | stats count by _raw, header_names, src_ip, dest
+  | where count > 1
+  | stats values(header_names) as duplicate_headers by _raw, count, src_ip, dest
+  | `http_duplicated_header_filter`'
+how_to_implement: This detection requires the Web datamodel
+  to be populated from a supported Technology Add-On like Suricata, Splunk for Apache,
+  Splunk for Nginx, or Splunk for Palo Alto. Some of these will need to have all headers
+  dumped to contain the necessary fields.
+known_false_positives: False positives are not expected, however, monitor, filter,
+  and tune as needed based on organization log sources.
+references:
+  - https://portswigger.net/web-security/request-smuggling#what-is-http-request-smuggling
+  - https://portswigger.net/research/http1-must-die
+  - https://www.vaadata.com/blog/what-is-http-request-smuggling-exploitations-and-security-best-practices/
+  - https://www.securityweek.com/new-http-request-smuggling-attacks-impacted-cdns-major-orgs-millions-of-websites/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Duplicated headers within a web request was detected.
+    The source IP is $src_ip$ and the destination is $dest$.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 51
+  threat_objects:
+  - field: src_ip
+    type: ip_address
+tags:
+  analytic_story:
+  - HTTP Request Smuggling
+  asset_type: Network
+  mitre_attack_id:
+  - T1071.001
+  - T1190
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/request_smuggling/suricata_request_smuggling.log
+    sourcetype: suricata
+    source: suricata

detections/web/http_possible_request_smuggling.yml

@@ -0,0 +1,78 @@
+name: HTTP Possible Request Smuggling
+id: 97d85f98-9d15-41a0-8682-7030454875e7
+version: 1
+date: '2025-10-06'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: HTTP request smuggling is a technique for interfering with the way a web site processes sequences
+ of HTTP requests that are received from one or more users. Request smuggling vulnerabilities are often
+ critical in nature, allowing an attacker to bypass security controls, gain unauthorized access to 
+ sensitive data, and directly compromise other application users. This detection identifies a common request
+ smuggling technique of using both Content-Length and Transfer-Encoding headers to cause a parsing confusion
+ between the frontend and backend.
+data_source:
+- Suricata
+search: '`suricata` (http.request_headers{}.name="*Content-Length*" http.request_headers{}.name="*Transfer-Encoding*") 
+  OR (http.request_headers{}.name="*Content-Length*" http.request_headers{}.value="*Transfer-Encoding*") 
+  OR (http.request_headers{}.value="*Content-Length*" http.request_headers{}.name="*Transfer-Encoding*")
+  OR (http.request_headers{}.name="*Content-Length*" http.request_headers{}.value="0")
+  | rename dest_ip as dest
+  | rex field=_raw "request_headers.:\[(?<headers>.*)\]"
+  | stats count min(_time) as firstTime max(_time) as lastTime by dest, dest_port, src_ip, http.url, 
+    http.http_method, http.http_user_agent, http.protocol, http.status, headers
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `http_possible_request_smuggling_filter`'
+how_to_implement: This detection requires the Web datamodel
+  to be populated from a supported Technology Add-On like Suricata, Splunk for Apache,
+  Splunk for Nginx, or Splunk for Palo Alto. Some of these will need to have all headers
+  dumped to contain the necessary fields.
+known_false_positives: False positives are not expected, however, monitor, filter,
+  and tune as needed based on organization log sources.
+references:
+  - https://portswigger.net/web-security/request-smuggling#what-is-http-request-smuggling
+  - https://portswigger.net/research/http1-must-die
+  - https://www.vaadata.com/blog/what-is-http-request-smuggling-exploitations-and-security-best-practices/
+  - https://www.securityweek.com/new-http-request-smuggling-attacks-impacted-cdns-major-orgs-millions-of-websites/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Possible request smuggling against a web request was detected.
+    The source IP is $src_ip$ and the destination is $dest$.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 60
+  threat_objects:
+  - field: src_ip
+    type: ip_address
+tags:
+  analytic_story:
+  - HTTP Request Smuggling
+  asset_type: Network
+  mitre_attack_id:
+  - T1071.001
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/request_smuggling/suricata_request_smuggling.log
+    sourcetype: suricata
+    source: suricata

detections/web/http_rapid_post_with_mixed_status_codes.yml

@@ -0,0 +1,73 @@
+name: HTTP Rapid POST with Mixed Status Codes
+id: c8c987d6-3a1a-4555-9a52-eea0741b6113
+version: 1
+date: '2025-10-14'
+author: Raven Tait, Splunk
+status: production
+type: Anomaly
+description: This detection identifies rapid-fire POST request attacks where an attacker 
+  sends more than 20 POST requests within a 5-second window, potentially attempting to 
+  exploit race conditions or overwhelm request handling. The pattern is particularly 
+  suspicious when responses vary in size or status codes, indicating successful 
+  exploitation attempts or probing for vulnerable endpoints.
+data_source:
+- Nginx Access
+search: '`nginx_access_logs` http_method="POST"| bin _time span=5s
+  | rename dest_ip as dest
+  | stats count, values(status) as status_codes, values(bytes_out) as bytes_out, values(uri_path) as uris by _time, src_ip, dest, http_user_agent
+  | where count>20
+  | table _time, dest, src_ip, count, status_codes, bytes_out, http_user_agent
+  | `http_rapid_post_with_mixed_status_codes_filter`'
+how_to_implement: This analytic necessitates the collection of web data, which can
+  be achieved through Splunk Stream or by utilizing the Splunk Add-on for Apache Web
+  Server. No additional configuration is required for this analytic.
+known_false_positives: False positives may be present if the activity is part of diagnostics
+  or testing. Filter as needed.
+references:
+  - https://portswigger.net/web-security/request-smuggling#what-is-http-request-smuggling
+  - https://portswigger.net/research/http1-must-die
+  - https://www.vaadata.com/blog/what-is-http-request-smuggling-exploitations-and-security-best-practices/
+  - https://www.securityweek.com/new-http-request-smuggling-attacks-impacted-cdns-major-orgs-millions-of-websites/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A potential attempt to perform request smuggling against a web server was detected.
+    The source IP is $src_ip$ and the destination is $dest$.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 40
+  threat_objects:
+  - field: src_ip
+    type: ip_address
+tags:
+  analytic_story:
+  - HTTP Request Smuggling
+  asset_type: Web Server
+  mitre_attack_id:
+  - T1071.001
+  - T1190
+  - T1595
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/request_smuggling/nginx_request_smuggling.log
+    source: nginx:plus:kv
+    sourcetype: nginx:plus:kv

detections/web/http_request_to_reserved_name_on_iis_server.yml

@@ -0,0 +1,79 @@
+name: HTTP Request to Reserved Name on IIS Server
+id: 1e45e6a8-110b-4886-b815-8d69cf35bf0a
+version: 1
+date: '2025-10-17'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: Detects attempts to exploit a request smuggling technique against IIS that leverages
+ a Windows quirk where requests for reserved Windows device names such as "/con" trigger an early
+ server response before the request body is received. When combined with a Content-Length desynchronization,
+ this behavior can lead to a parsing confusion between frontend and backend.
+data_source:
+- Suricata
+search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web
+  where Web.url IN ("/con", "/prn", "/aux", "/nul", "/com1","/com2","/com3","/com4",
+  "/com5","/com6","/com7") by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, 
+  Web.http_method 
+  | `drop_dm_object_name("Web")`
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `http_request_to_reserved_name_on_iis_server_filter`'
+how_to_implement: To implement this analytic, ensure proper logging is occurring with
+  IIS, Apache, or a Proxy server and that these logs are being ingested into Splunk.
+  The analytic was written against Suricata. The proper TA will need to be enabled
+  and should be mapped to CIM and the Web datamodel. Ingestion of the data source
+  is required to utilize this detection. In addition, if it is not mapped to the datamodel,
+  modify the query for your application logs to look for requests the same URI and
+  investigate further.
+known_false_positives: False positives are not expected on IIS servers, as the detection is based
+  on the presence of web requests to reserved names, which is not a common
+  page to be accessed by legitimate users. Modify the query as needed to
+  reduce false positives or hunt for additional indicators of compromise.
+references:
+  - https://portswigger.net/web-security/request-smuggling#what-is-http-request-smuggling
+  - https://portswigger.net/research/http1-must-die
+  - https://www.vaadata.com/blog/what-is-http-request-smuggling-exploitations-and-security-best-practices/
+  - https://www.securityweek.com/new-http-request-smuggling-attacks-impacted-cdns-major-orgs-millions-of-websites/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Known scripting tool was used against a web request.
+    The source IP is $src$ and the destination is $dest$.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 31
+  threat_objects:
+  - field: src
+    type: ip_address
+tags:
+  analytic_story:
+  - HTTP Request Smuggling
+  asset_type: Network
+  mitre_attack_id:
+  - T1071.001
+  - T1190
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/request_smuggling/suricata_reserved_names.log
+    sourcetype: suricata
+    source: suricata

detections/web/http_suspicious_tool_user_agent.yml

@@ -0,0 +1,77 @@
+name: HTTP Suspicious Tool User Agent
+id: 1ca76190-4997-4d19-b5bc-9e220b70c7d3
+version: 1
+date: '2025-10-09'
+author: Raven Tait, Splunk
+status: production
+type: Anomaly
+description: This Splunk query analyzes web access logs to identify and categorize 
+  non-browser user agents, detecting various types of security tools, scripting languages,
+  automation frameworks, and suspicious patterns. This activity can signify malicious actors
+  attempting to interact with web endpoints in non-standard ways.
+data_source:
+- Nginx Access
+search: '`nginx_access_logs`
+  | eval http_user_agent = lower(http_user_agent)
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `drop_dm_object_name(Web)`
+  | lookup scripting_tools_user_agents tool_user_agent AS http_user_agent OUTPUT tool
+  | where isnotnull(tool)
+  | rename dest_ip as dest
+  | stats count min(firstTime) as first_seen max(lastTime) as last_seen values(tool) as tool 
+  by http_user_agent dest src_ip status
+  | `http_suspicious_tool_user_agent_filter`'
+how_to_implement: This analytic necessitates the collection of web data, which can
+  be achieved through Splunk Stream or by utilizing the Splunk Add-on for Apache Web
+  Server. No additional configuration is required for this analytic.
+known_false_positives: False positives may be present if the activity is part of diagnostics
+  or testing. Filter as needed.
+references:
+  - https://portswigger.net/web-security/request-smuggling#what-is-http-request-smuggling
+  - https://portswigger.net/research/http1-must-die
+  - https://www.vaadata.com/blog/what-is-http-request-smuggling-exploitations-and-security-best-practices/
+  - https://www.securityweek.com/new-http-request-smuggling-attacks-impacted-cdns-major-orgs-millions-of-websites/
+  - https://github.com/SigmaHQ/sigma/blob/master/rules/web/proxy_generic/proxy_ua_hacktool.yml
+  - https://help.aikido.dev/zen-firewall/miscellaneous/bot-protection-details
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Known scripting tool was used against a web request.
+    The source IP is $src_ip$ and the destination is $dest$.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 31
+  threat_objects:
+  - field: src_ip
+    type: ip_address
+tags:
+  analytic_story:
+  - HTTP Request Smuggling
+  asset_type: Network
+  mitre_attack_id:
+  - T1071.001
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/request_smuggling/nginx_scripting_tools.log
+    source: nginx:plus:kv
+    sourcetype: nginx:plus:kv