boa-detector
This Zeek package detects the Boa web server string in HTTP headers. All Boa versions are considered vulnerable:
When the /^Boa\/.*/ server string is observed, this package will raise
a notice BoaDetector::Vulnerable_Boa_Web_Server for the connection's c$id$resp_h.
notice.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2022-11-28-16-56-57
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1669216431.624776 CHhAvVGS1DHFjwGM9 127.0.0.1 59213 127.0.0.1 80 - - - tcp BoaDetector::Vulnerable_Boa_Web_Server Vulnerable Boa web server header observed: Boa/0.94.14rc21 See https://www.microsoft.com/en-us/security/blog/2022/11/22/vulnerable-sdk-components-lead-to-supply-chain-risks-in-iot-and-ot-environments/ for more info. 127.0.0.1 127.0.0.1 80 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1669216442.169350 ClEkJM2Vm5giqnMf4h ::1 60096 ::1 80 - - - tcp BoaDetector::Vulnerable_Boa_Web_Server Vulnerable Boa web server header observed: Boa/0.94.14rc21 See https://www.microsoft.com/en-us/security/blog/2022/11/22/vulnerable-sdk-components-lead-to-supply-chain-risks-in-iot-and-ot-environments/ for more info. ::1 ::1 80 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2022-11-28-16-56-57