Corelight Labs downloaded and installed the last released version of Boa in a lab environment and observed the following string returned in the HTTP Server header:
The string above can be detected in the HTTP Server header whenever someone on your network visits a Boa server, using this simple Zeek code block:
The resulting notices are:
Corelight Labs released a Zeek package containing the code above so you can quickly begin identifying which machines on your network are running a vulnerable Boa web server, as soon as someone connects to one today. The package helps check off the “utilize device discovery and classification” remediation recommendation in Microsoft’s research findings.
Note that if you install the following open source package, all HTTP headers will be logged to http.log:
Since publishing this post we discovered two additional methods for detecting vulnerable Boa web servers. If you have defined your networks in Site::local_nets, Zeek’s software.log will record the web server versions of devices on those networks. You can search its unparsed_version field for vulnerable Boa web servers with the following LogScale query:
If you are running Corelight sensors with the Entity package enabled, you can also search the software column of known_services.log with the following LogScale query:
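As an added example, not the Corelight Labs package's code and not the LogScale queries the post refers to, the following Zeek script covers both detection paths described above: the direct Server-header check from the code block near the top of the post, and the Software framework path that feeds software.log. It assumes Zeek 4.x or later (the five-argument form of the http_header event), that `protocols/http/software` is loaded, and that a Boa banner begins with `Boa/`; the exact string Corelight observed is not reproduced here, so the pattern is a constructed assumption you can redefine. The script and notice names (`BoaDetect`, `Boa_Server_Seen`) are hypothetical.

```zeek
# Added example, not the Corelight Labs package. Raises a Zeek notice when a
# Boa web server is seen, either straight from the HTTP Server header or from
# the Software framework entry that is written to software.log.
# Assumptions: Zeek 4.x+ (five-argument http_header event) and a banner that
# begins with "Boa/" (constructed pattern, not the post's observed string).

@load base/frameworks/notice
@load base/frameworks/software
@load base/protocols/http
# Policy script that turns Server headers into HTTP::SERVER software entries.
@load protocols/http/software

module BoaDetect;

export {
	redef enum Notice::Type += {
		## An HTTP response or software.log entry identified a Boa web server.
		Boa_Server_Seen,
	};

	## Pattern applied to the Server header and to unparsed_version.
	## Redefine it if your Boa devices report a different banner.
	const boa_pattern = /^[Bb]oa\// &redef;
}

# Path 1: inspect the Server header of every HTTP response directly.
# Zeek upper-cases `name`, so the comparison is against "SERVER".
event http_header(c: connection, is_orig: bool, original_name: string,
                  name: string, value: string)
	{
	# Only the responder (the web server) sends a Server header.
	if ( is_orig || name != "SERVER" )
		return;

	if ( boa_pattern !in value )
		return;

	NOTICE([$note=Boa_Server_Seen,
	        $msg=fmt("Boa web server banner seen: %s", value),
	        $sub=value,
	        $conn=c,
	        # One notice per server address/port per day, not per request.
	        $identifier=cat(c$id$resp_h, c$id$resp_p),
	        $suppress_for=1day]);
	}

# Path 2: the Software framework, which by default only tracks hosts inside
# Site::local_nets and is exactly what populates software.log. This fires once
# per newly inventoried server, independent of how many requests it answers.
event Software::log_software(rec: Software::Info)
	{
	if ( rec$software_type != HTTP::SERVER )
		return;

	# unparsed_version is optional in Software::Info, so test presence first.
	if ( ! rec?$unparsed_version || boa_pattern !in rec$unparsed_version )
		return;

	# host_p is optional too; fall back to 80/tcp for the identifier.
	local svc_port: port = rec?$host_p ? rec$host_p : 80/tcp;

	NOTICE([$note=Boa_Server_Seen,
	        $msg=fmt("Boa web server in software inventory: %s", rec$unparsed_version),
	        $sub=rec$unparsed_version,
	        $src=rec$host,
	        $p=svc_port,
	        $identifier=cat(rec$host, svc_port),
	        $suppress_for=1day]);
	}
```

Load it from local.zeek (for example `@load ./boa-detect.zeek`, a hypothetical path) and make sure `Site::local_nets` is set, otherwise the second path never sees your devices because the Software framework ignores non-local hosts by default. Matches land in notice.log with note `BoaDetect::Boa_Server_Seen`; the `$identifier`/`$suppress_for` pair collapses repeated hits on the same server into one notice per day, which matters on networks where an embedded device is polled constantly. On Zeek 3.x, drop the `original_name` parameter from the `http_header` handler.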