[Oisf-users] EXTERNAL: Eve logging and http headers

Gofran, Paul paul.gofran at lmco.com
Fri Jul 25 14:07:36 UTC 2014


Does the file based HTTP logging with customformat support what you need?  If so, I submitted https://redmine.openinfosecfoundation.org/issues/1191 to integrate that functionality with the HTTP EVE logging.

Referring to this section in the YAML:
# a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: yes
      custom: yes       # enabled the custom logging format (defined by customformat)
      customformat: [your custom format here]


-----Original Message-----
From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Christophe Vandeplas
Sent: Friday, July 25, 2014 4:27 AM
To: oisf-users at openinfosecfoundation.org
Subject: EXTERNAL: [Oisf-users] Eve logging and http headers

Hello list,

I'm wondering about your opinion about a specific idea concerning the Eve logging of Suricata.

Today the configuration options are:
        - http:
            extended: yes     # enable this for extended logging information
            # custom allows additional http fields to be included in eve-log
            # the example below adds three additional fields when uncommented
            custom: [Accept-Encoding, Accept-Language, Authorization]

This means you can choose to add additional HTTP headers.

However from experience of some malware, it's sometimes interesting to see/log headers that are NOT usual. There would be two ways to log this, 1/ either log the full header, however that's a lot of data.
2/ log all headers, except a certain list. This way you would also have the unknown headers logged.

What is your opinion about this?
Have you seen malicious headers using a non-standard-name?
Is this idea just unfeasible as normal traffic generates so many different headers.

Curious what you think about this idea.

Kind regards
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/

More information about the Oisf-users mailing list