Operator On The Wire
BLUE TEAM / SOC / FILTERING / ATTACKS / APPLICATION LAYER / HTTP / SCANNING

VHOST Fuzzing

The attacker sends request after request to the same server IP, changing only the Host: header:

Host: admin.target.local
Host: dev.target.local
Host: test.target.local

Hunting (Wireshark menus)

Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph


Red Flags

  • Same destination IP
  • Changing Host: header rapidly
  • Many 400 / 404 / 200 variations
  • No DNS lookup for those names beforehand (huge red flag)

Filters

# Check whether the source resolved the names before using them
dns and ip.src == X.X.X.X

# List the source's requests; watch the http.host field change from one request to the next
http.request and ip.src == X.X.X.X

# Requests carrying a Host header that went to the server IP (compare with the IP the names actually resolve to)
http.host and ip.dst == <SERVER_IP>

# Requests whose Host header is not the expected value (server addressed by IP)
http.request and http.host != "<SERVER_IP>"

# Same check when the server is addressed by name
http.request and http.host != "<SERVER.COM>"