[Oisf-users] Eve logging and http headers

Christophe Vandeplas christophe at vandeplas.com
Fri Jul 25 08:26:44 UTC 2014

Hello list,

I'm wondering about your opinion about a specific idea concerning the
Eve logging of Suricata.

Today the configuration options are:
        - http:
            extended: yes     # enable this for extended logging information
            # custom allows additional http fields to be included in eve-log
            # the example below adds three additional fields when uncommented
            custom: [Accept-Encoding, Accept-Language, Authorization]

This means you can choose to add additional HTTP headers.

However from experience of some malware, it's sometimes interesting to
see/log headers that are NOT usual. There would be two ways to log
1/ either log the full header, however that's a lot of data.
2/ log all headers, except a certain list. This way you would also
have the unknown headers logged.

What is your opinion about this?
Have you seen malicious headers using a non-standard-name?
Is this idea just unfeasible as normal traffic generates so many
different headers.

Curious what you think about this idea.

Kind regards

More information about the Oisf-users mailing list