[Oisf-users] Eve logging and http headers
Christophe Vandeplas
christophe at vandeplas.com
Fri Jul 25 08:26:44 UTC 2014
Hello list,
I'm wondering what your opinion is on a specific idea concerning the
Eve logging of Suricata.
Today the configuration options are:
- http:
    extended: yes     # enable this for extended logging information
    # custom allows additional http fields to be included in eve-log
    # the example below adds three additional fields when uncommented
    custom: [Accept-Encoding, Accept-Language, Authorization]
This means you can choose to add additional HTTP headers.
However, from experience with some malware, it's sometimes interesting to
see/log headers that are NOT usual. There would be two ways to log
this:
1/ either log the full header, however that's a lot of data;
2/ or log all headers, except a certain list. This way you would also
have the unknown headers logged.
What is your opinion about this?
Have you seen malicious headers using a non-standard-name?
Is this idea just unfeasible, as normal traffic generates so many
different headers?
Curious what you think about this idea.
Kind regards,
Christophe
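As an added example (not part of the original post, and not Suricata's own code), the following Python script implements option 2 from the message as a post-processing step over eve.json: every request header whose name is not on a deny-list of "usual" headers is reported. It assumes the header dump format later Suricata versions produce with `dump-all-headers` (a `request_headers` list of `{"name", "value"}` objects under the `http` key); the deny-list and the eve.json lines are constructed for the example.

```python
import json

# Deny-list of "usual" request headers to drop (option 2 from the post).
# Constructed for this example; tune it to your own traffic.
USUAL_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "connection", "content-length", "content-type", "cookie", "referer",
}

# Constructed eve.json lines in the shape assumed above: one event with
# only usual headers, one with two non-standard header names, and one
# non-http event that must be ignored.
SAMPLE_EVE = [
    '{"timestamp":"2014-07-25T08:26:44.000000+0000","flow_id":1,'
    '"event_type":"http","src_ip":"10.0.0.5","dest_ip":"192.0.2.10",'
    '"http":{"hostname":"www.example.com","url":"/index.html",'
    '"http_method":"GET","request_headers":['
    '{"name":"Host","value":"www.example.com"},'
    '{"name":"User-Agent","value":"Mozilla/5.0"},'
    '{"name":"Accept","value":"*/*"}]}}',
    '{"timestamp":"2014-07-25T08:27:01.000000+0000","flow_id":2,'
    '"event_type":"http","src_ip":"10.0.0.7","dest_ip":"192.0.2.20",'
    '"http":{"hostname":"cdn.example.net","url":"/ping",'
    '"http_method":"POST","request_headers":['
    '{"name":"Host","value":"cdn.example.net"},'
    '{"name":"Accept-Encoding","value":"gzip"},'
    '{"name":"X-Example-Id","value":"constructed-0001"},'
    '{"name":"X-Example-Token","value":"constructed-token"}]}}',
    '{"timestamp":"2014-07-25T08:27:02.000000+0000","flow_id":3,'
    '"event_type":"dns","src_ip":"10.0.0.7","dest_ip":"192.0.2.53",'
    '"dns":{"type":"query","rrname":"example.net"}}',
]


def unusual_headers(event, usual=USUAL_HEADERS):
    """Return the request headers of one http event whose names are not
    on the deny-list. Header names are compared case-insensitively,
    as HTTP header names are."""
    if event.get("event_type") != "http":
        return []
    headers = event.get("http", {}).get("request_headers", [])
    return [h for h in headers if h.get("name", "").lower() not in usual]


def scan(lines, usual=USUAL_HEADERS):
    """Walk eve.json lines and collect, per event, the headers that
    survive the deny-list. Malformed lines are skipped rather than
    aborting the whole run, since a rotated or truncated log is common."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        extra = unusual_headers(event, usual)
        if extra:
            results.append({
                "flow_id": event.get("flow_id"),
                "hostname": event.get("http", {}).get("hostname"),
                "headers": {h["name"]: h["value"] for h in extra},
            })
    return results


if __name__ == "__main__":
    # Usage: run against the constructed sample; replace SAMPLE_EVE with
    # open("/var/log/suricata/eve.json") for real data.
    for hit in scan(SAMPLE_EVE):
        print(hit["flow_id"], hit["hostname"], hit["headers"])
```

Run on the sample, only flow 2 is reported, with the two `X-Example-*` headers and without `Host` or `Accept-Encoding`. The size concern raised for option 1 still applies upstream: the headers have to be in eve.json for this filter to see them, so the deny-list saves analyst attention rather than disk.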