EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

Unusually Long Content-Type Length

The following analytic identifies unusually long strings in the Content-Type HTTP header sent by the client to the server. It uses data from the Stream:HTTP source, specifically evaluating the length of the `cs_content_type` field. This activity is significant because excessively long Content-Type headers can indicate attempts to exploit vulnerabilities or evade detection mechanisms. If confirmed malicious, this behavior could allow attackers to execute code, manipulate data, or bypass security controls, potentially leading to unauthorized access or data breaches.

Detection Query

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web by Web.src Web.dest Web.url Web.http_user_agent Web.http_content_type | `drop_dm_object_name("Web")`  | eval http_content_type_length = len(http_content_type)  | where http_content_type_length > 100 | table firstTime lastTime src dest http_content_type_length http_content_type url http_user_agent | `security_content_ctime(firstTime)`  | `security_content_ctime(lastTime)`  | `unusually_long_content_type_length_filter`

Author

Bhavin Patel, Splunk

Created

2026-03-10

Tags

Apache Struts Vulnerability
Raw Content
name: Unusually Long Content-Type Length
id: 57a0a2bf-353f-40c1-84dc-29293f3c35b7
version: 6
date: '2026-03-10'
author: Bhavin Patel, Splunk
status: experimental
type: Anomaly
description: The following analytic identifies unusually long strings in the Content-Type HTTP header sent by the client to the server. It uses data from the Stream:HTTP source, specifically evaluating the length of the `cs_content_type` field. This activity is significant because excessively long Content-Type headers can indicate attempts to exploit vulnerabilities or evade detection mechanisms. If confirmed malicious, this behavior could allow attackers to execute code, manipulate data, or bypass security controls, potentially leading to unauthorized access or data breaches.
data_source: []
search: >-
    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
    as lastTime from datamodel=Web by Web.src Web.dest Web.url Web.http_user_agent Web.http_content_type
    | `drop_dm_object_name("Web")`  | eval http_content_type_length = len(http_content_type)  |
    where http_content_type_length > 100
    | table firstTime lastTime src dest http_content_type_length http_content_type url
    http_user_agent
    | `security_content_ctime(firstTime)`  | `security_content_ctime(lastTime)`  | `unusually_long_content_type_length_filter`
how_to_implement: This particular search leverages data extracted from Stream:HTTP. You must configure the http stream using the Splunk Stream App on your Splunk Stream deployment server to extract the cs_content_type field.
known_false_positives: Very few legitimate Content-Type fields will have a length greater than 100 characters.
references: []
rba:
    message: Unusually Long Content-Type Length ($http_content_type_length$ characters) In Web Request from $src$
    risk_objects:
        - field: dest
          type: system
          score: 20
        - field: src
          type: system
          score: 20
    threat_objects: []
tags:
    analytic_story:
        - Apache Struts Vulnerability
    asset_type: Web Server
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network