Attacker fuzzes the Host: header:
Host: admin.target.local
Host: dev.target.local
Host: test.target.local
Hunting
Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph
Red Flags
- Same destination IP
- Changing Host: header rapidly
- Many 400 / 404 / 200 variations
- No DNS lookup beforehand (huge red flag)
Filters
# DNS queries from the suspect source
dns and ip.src == X.X.X.X
# HTTP requests from the suspect source (watch the Host: header change between requests)
http.request and ip.src == X.X.X.X
# Requests carrying a Host: header sent straight to the server IP (compare against the DNS-resolved IP)
http.host and ip.dst == <SERVER_IP>
# Requests whose Host: header is not the expected value (expecting SERVER_IP)
# (http.host occurs once per request, so != is unambiguous here)
http.request and http.host != "SERVER_IP"
# Same check against the expected domain name
http.request and http.host != "SERVER.COM"
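As an added example (not part of these notes), the red flags and the per-source filters above can be scored programmatically: each source is checked for a single destination, rapidly changing Host: values, mixed status codes, and Host: names it never looked up via DNS. The Event records, the constructed sample, the 5-second window and the 3-host threshold are my assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    ts: float        # seconds since capture start
    src: str         # client IP
    dst: str         # server (or resolver) IP
    kind: str        # "dns" query or "http" request
    name: str        # DNS query name, or the HTTP Host: header
    status: int = 0  # HTTP response status (0 for DNS)

# Constructed sample: 10.0.0.5 resolves a name then browses normally;
# 10.0.0.9 sends rapidly changing Host: values to one IP with no DNS first.
SAMPLE = [
    Event(0.0, "10.0.0.5", "10.0.0.53", "dns", "www.target.local"),
    Event(0.1, "10.0.0.5", "203.0.113.10", "http", "www.target.local", 200),
    Event(1.0, "10.0.0.9", "203.0.113.10", "http", "admin.target.local", 404),
    Event(1.1, "10.0.0.9", "203.0.113.10", "http", "dev.target.local", 400),
    Event(1.2, "10.0.0.9", "203.0.113.10", "http", "test.target.local", 200),
    Event(1.3, "10.0.0.9", "203.0.113.10", "http", "staging.target.local", 404),
]

def hunt(events, window=5.0, min_hosts=3):
    """Score each source against the red flags; returns {src: findings}."""
    resolved = defaultdict(set)  # src -> names it looked up via DNS
    http = defaultdict(list)     # src -> its HTTP requests, in time order
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "dns":
            resolved[e.src].add(e.name.lower())
        elif e.kind == "http":
            http[e.src].append(e)
    findings = {}
    for src, reqs in http.items():
        # Most distinct Host: values seen within any `window`-second span
        burst = max(len({x.name.lower() for x in reqs[i:] if x.ts - r.ts <= window})
                    for i, r in enumerate(reqs))
        hosts = {r.name.lower() for r in reqs}
        f = {
            "single_destination": len({r.dst for r in reqs}) == 1,
            "distinct_hosts_in_window": burst,
            "status_codes": sorted({r.status for r in reqs}),
            "hosts_without_dns": sorted(hosts - resolved[src]),
        }
        f["suspicious"] = (f["single_destination"] and burst >= min_hosts
                           and bool(f["hosts_without_dns"]))
        findings[src] = f
    return findings
```

Feed it the DNS and HTTP rows exported from the two Wireshark filters above (source, destination, Host:, status) instead of the constructed sample to run it against a real capture.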