Attacker manipulates or iterates parameter values (e.g., id=1,2,3) to discover unauthorized data access, hidden functionality, or injection points
Hunting
Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph
Red Flags
/user?id=/account//order//download?file=/invoice/
If you see id=1 → id=2 → id=3 → id=4 = enumeration.
Filters
# Generic param fuzzing filter (correlate timing through HTTP stream)
http.request.uri matches "=[0-9]+"
# File download enumeration
http.request.uri matches "(file|download|path|doc|invoice)="
# Login bruteforce
http.request.uri contains "login"
# Upload abuse
http.request.method == "POST" and http.content_type contains "multipart"
# SQLi attempts
http.request.uri matches "('|%27|--|%23|%3D|%3B)"
# LFI attempts
http.request.uri contains "../"
http.request.uri matches "\\.\\./"
# Target requests with param
http.request.uri contains "PARAM_NAME="
# Isolate the source (look for sequential values/enumeration in milliseconds)
http.request.uri contains "PARAM_NAME=" and ip.src == X.X.X.X
# Numeric parameter enumeration (Regex)
http.request.uri matches "PARAM_NAME=[0-9]+"