[Oisf-users] Eve logging and http headers

Cooper F. Nelson cnelson at ucsd.edu
Tue Jul 29 01:51:39 UTC 2014



This is why indexed full-packet capture is so important.  Very often you
will find you don't know what you should be looking for until after you
are already compromised.

If disk space is an issue consider using a dedicated BTRFS partition
with lzop compression enabled for storage.  Headers compress very well!

-Coop

On 7/25/2014 1:26 AM, Christophe Vandeplas wrote:
> 
> However from experience of some malware, it's sometimes interesting to
> see/log headers that are NOT usual. There would be two ways to log
> this,
> 1/ either log the full header, however that's a lot of data.
> 2/ log all headers, except a certain list. This way you would also
> have the unknown headers logged.
> 
> What is your opinion about this?
> Have you seen malicious headers using a non-standard-name?
> Is this idea just unfeasible, as normal traffic generates so many
> different headers?
> 
> Curious what you think about this idea.
> 
> Kind regards
> Christophe


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
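Christophe's second option, logging every header except a list of expected ones, can be prototyped against EVE JSON offline before deciding whether the volume is tolerable. The script below is an added example, not code from this thread or from the Suricata project. It assumes the event shape Suricata's eve-log writes when the http output has `dump-all-headers` enabled (an `http` object carrying `request_headers` as a list of `{"name": ..., "value": ...}`); the allowlist, the sample events and the file name in the usage line are constructed for illustration.

```python
"""Report non-standard HTTP request headers from Suricata EVE JSON.

Added example; not code from the list post or from the Suricata project.
Assumes the event shape eve-log writes with dump-all-headers enabled: an
"http" object with "request_headers" as a list of {"name", "value"} dicts.
The allowlist and sample events are constructed, not taken from real traffic.
"""
import json
import sys
from collections import Counter

# Request headers treated as routine (constructed list: build yours from a
# baseline of your own traffic, since the set differs per site and client mix).
COMMON_REQUEST_HEADERS = frozenset({
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "connection", "referer", "cookie", "content-type", "content-length",
    "cache-control", "pragma", "origin", "dnt", "range", "if-modified-since",
    "if-none-match", "upgrade-insecure-requests", "x-requested-with",
})


def unusual_request_headers(event, allowlist=COMMON_REQUEST_HEADERS):
    """Return [(name, value), ...] for request headers outside the allowlist.

    Names are lower-cased first: HTTP header names are case-insensitive, so
    "X-Session-Key" and "x-session-key" must be judged the same way.
    """
    http = event.get("http") or {}
    found = []
    for hdr in http.get("request_headers") or []:
        name = str(hdr.get("name", "")).strip().lower()
        if name and name not in allowlist:
            found.append((name, hdr.get("value", "")))
    return found


def scan_eve(lines, allowlist=COMMON_REQUEST_HEADERS):
    """Walk EVE JSON lines and return (hits, name_counts).

    hits: one dict per http event that carried an unusual header (timestamp,
    flow tuple, hostname, the odd headers). name_counts: Counter of unusual
    header names, which is the number to look at before deciding whether
    "log everything except a list" is feasible on your traffic.
    Non-http events and unparseable lines are skipped rather than fatal.
    """
    hits, name_counts = [], Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if ev.get("event_type") != "http":
            continue
        odd = unusual_request_headers(ev, allowlist)
        if not odd:
            continue
        name_counts.update(name for name, _ in odd)
        hits.append({
            "timestamp": ev.get("timestamp"),
            "src": "%s:%s" % (ev.get("src_ip"), ev.get("src_port")),
            "dest": "%s:%s" % (ev.get("dest_ip"), ev.get("dest_port")),
            "hostname": (ev.get("http") or {}).get("hostname"),
            "headers": odd,
        })
    return hits, name_counts


# Constructed sample events: a plain browser request, a POST carrying two
# custom headers, a non-http event, and a truncated (unparseable) line.
SAMPLE_EVE = [
    json.dumps({"timestamp": "2014-07-25T08:26:00.000000+0000",
                "event_type": "http", "src_ip": "10.0.0.5", "src_port": 49152,
                "dest_ip": "203.0.113.10", "dest_port": 80,
                "http": {"hostname": "www.example.com", "url": "/",
                         "http_method": "GET", "request_headers": [
                             {"name": "Host", "value": "www.example.com"},
                             {"name": "User-Agent", "value": "Mozilla/5.0"},
                             {"name": "Accept", "value": "*/*"}]}}),
    json.dumps({"timestamp": "2014-07-25T08:26:01.000000+0000",
                "event_type": "http", "src_ip": "10.0.0.7", "src_port": 49153,
                "dest_ip": "203.0.113.20", "dest_port": 80,
                "http": {"hostname": "cdn.example.net", "url": "/gate.php",
                         "http_method": "POST", "request_headers": [
                             {"name": "Host", "value": "cdn.example.net"},
                             {"name": "X-Id", "value": "7f3a"},
                             {"name": "x-session-key", "value": "c2VjcmV0"},
                             {"name": "Content-Length", "value": "42"}]}}),
    json.dumps({"timestamp": "2014-07-25T08:26:02.000000+0000",
                "event_type": "dns", "src_ip": "10.0.0.7", "src_port": 5353,
                "dest_ip": "10.0.0.1", "dest_port": 53}),
    '{"timestamp": "2014-07-25T08:26:03.000000+0000", "event_type": "http"',
]

if __name__ == "__main__":
    # Pass an eve.json path to scan real output; with no argument the
    # constructed samples are used.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVE
    hits, counts = scan_eve(source)
    for hit in hits:
        print(hit["timestamp"], hit["src"], "->", hit["dest"], hit["hostname"],
              ", ".join("%s=%r" % h for h in hit["headers"]))
    print("distinct unusual header names:", len(counts), dict(counts))
```

Run it as `python3 odd_headers.py /var/log/suricata/eve.json` (file name assumed) over a day of normal traffic and look at the size of `counts` first: if the distinct-name set is small and stable, Christophe's "everything except a list" approach is workable and the allowlist can be seeded from it; if it is large and churns, that is the evidence for Cooper's point that the cheaper answer is to capture everything and index it. On the storage side, btrfs exposes LZO compression through the `compress=lzo` mount option.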



More information about the Oisf-users mailing list