[Oisf-users] Eve logging and http headers

Christophe Vandeplas christophe at vandeplas.com
Tue Jul 29 07:08:44 UTC 2014


Hi Cooper,

On Tue, Jul 29, 2014 at 3:51 AM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> This is why indexed full-packet capture is so important.  Very often you
> will find you don't know what you should be looking for until after you
> are already compromised.

We do agree. Unfortunately sometimes FPC is a little further away than
you'd/I'd like :-)

> If disk space is an issue consider using a dedicated BTRFS partition
> with lzop compression enabled for storage.  Headers compress very well!

I'll see what I can do once our new IDS hardware arrives. (?end of the year?)

Thanks for the feedback.

Christophe


>
> - -Coop
>
> On 7/25/2014 1:26 AM, Christophe Vandeplas wrote:
>>
>> However from experience of some malware, it's sometimes interesting to
>> see/log headers that are NOT usual. There would be two ways to log
>> this,
>> 1/ either log the full header, however that's a lot of data.
>> 2/ log all headers, except a certain list. This way you would also
>> have the unknown headers logged.
>>
>> What is your opinion about this?
>> Have you seen malicious headers using a non-standard-name?
>> Is this idea just unfeasible, as normal traffic generates so many
>> different headers?
>>
>> Curious what you think about this idea.
>>
>> Kind regards
>> Christophe
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>>
>
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
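The second option from the thread (keep every request header, then set aside a list of usual ones so that the unknown headers stand out) worked through over EVE JSON, as an added example that is not code from the thread or from Suricata itself. It assumes http events carry a `request_headers` array of name/value objects (the shape produced by Suricata's later `dump-all-headers` option); the sample records and the allowlist are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample EVE lines (not real traffic). The request_headers array is
# assumed to hold {"name": ..., "value": ...} objects, as with dump-all-headers.
SAMPLE_EVE = r"""
{"timestamp":"2014-07-25T01:26:00.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","http":{"hostname":"example.com","url":"/","request_headers":[{"name":"Host","value":"example.com"},{"name":"User-Agent","value":"Mozilla/5.0"},{"name":"Accept","value":"*/*"}]}}
{"timestamp":"2014-07-25T01:26:01.000000+0000","event_type":"http","src_ip":"10.0.0.7","dest_ip":"198.51.100.23","http":{"hostname":"cdn.example.net","url":"/u.php","request_headers":[{"name":"Host","value":"cdn.example.net"},{"name":"X-Bot-Id","value":"4f2a"},{"name":"Accept","value":"*/*"}]}}
{"timestamp":"2014-07-25T01:26:02.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"example.com"}}
"""

# Headers treated as "usual" (constructed allowlist; tune it against your own
# baseline). Anything not listed here is reported, so unknown names survive.
USUAL_REQUEST_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "connection", "referer", "cookie", "content-type", "content-length",
    "cache-control", "pragma", "origin", "upgrade-insecure-requests",
}


def unusual_headers(eve_lines, usual=USUAL_REQUEST_HEADERS):
    """Yield (timestamp, src_ip, hostname, header_name, value) for each request
    header whose name is not in the allowlist. Non-http events are skipped."""
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "http":
            continue
        http = rec.get("http", {})
        for hdr in http.get("request_headers", []):
            name = hdr.get("name", "")
            if name.lower() not in usual:
                yield (rec["timestamp"], rec["src_ip"], http.get("hostname"),
                       name, hdr.get("value"))


def header_frequency(eve_lines):
    """Count each non-usual header name; a quick way to measure how noisy the
    approach is on real traffic (the thread's concern about too many headers)."""
    return Counter(name.lower() for _, _, _, name, _ in unusual_headers(eve_lines))


if __name__ == "__main__":
    for hit in unusual_headers(SAMPLE_EVE.splitlines()):
        print(hit)
    print(header_frequency(SAMPLE_EVE.splitlines()))
```

Names that show up rarely in `header_frequency` over a day of traffic are the ones worth a closer look; frequent ones are candidates for the allowlist.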
