[Oisf-users] Eve logging and http headers
Christophe Vandeplas
christophe at vandeplas.com
Tue Jul 29 07:08:44 UTC 2014
Hi Cooper,
On Tue, Jul 29, 2014 at 3:51 AM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> This is why indexed full-packet capture is so important. Very often you
> will find you don't know what you should be looking for until after you
> are already compromised.
We do agree. Unfortunately sometimes FPC is a little further away than
you'd/I'd like :-)
> If disk space is an issue consider using a dedicated BTRFS partition
> with lzop compression enabled for storage. Headers compress very well!
I'll see what I can do once our new IDS hardware arrives. (?end of the year?)
Thanks for the feedback.
Christophe
>
> - -Coop
>
> On 7/25/2014 1:26 AM, Christophe Vandeplas wrote:
>>
>> However from experience of some malware, it's sometimes interesting to
>> see/log headers that are NOT usual. There would be two ways to log
>> this,
>> 1/ either log the full header, however that's a lot of data.
>> 2/ log all headers, except a certain list. This way you would also
>> have the unknown headers logged.
>>
>> What is your opinion about this?
>> Have you seen malicious headers using a non-standard-name?
>> Is this idea just unfeasible as normal traffic generates so many
>> different headers.
>>
>> Curious what you think about this idea.
>>
>> Kind regards
>> Christophe
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>>
>
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
More information about the Oisf-users
mailing list