[Oisf-users] Eve logging and http headers
Victor Julien
lists at inliniac.net
Tue Jul 29 12:03:40 UTC 2014
On 07/25/2014 10:26 AM, Christophe Vandeplas wrote:
> Hello list,
>
>
> I'm wondering about your opinion about a specific idea concerning the
> Eve logging of Suricata.
>
> Today the configuration options are:
>   - http:
>       extended: yes     # enable this for extended logging information
>       # custom allows additional http fields to be included in eve-log
>       # the example below adds three additional fields when uncommented
>       custom: [Accept-Encoding, Accept-Language, Authorization]
>
> This means you can choose to add additional HTTP headers.
>
> However from experience of some malware, it's sometimes interesting to
> see/log headers that are NOT usual. There would be two ways to log
> this,
> 1/ either log the full header, however that's a lot of data.
> 2/ log all headers, except a certain list. This way you would also
> have the unknown headers logged.
>
> What is your opinion about this?
> Have you seen malicious headers using a non-standard-name?
> Is this idea just unfeasible as normal traffic generates so many
> different headers?
>
> Curious what you think about this idea.
On a related topic, you could try my Lua output branch [1], and then run
a script like at [2]
What it generates is output like:
Request Headers:
11131 Accept
5391 Accept-Encoding
6845 Accept-Language
6 Authorization
828 Cache-Control
18 Cache-control
11102 Connection
234 Content-Length
1 Content-Transfer-Encoding
165 Content-Type
40 Content-type
3856 Cookie
7 HOST
2 HoST
12746 Host
310 If-Modified-Since
136 If-None-Match
6 If-Range
422 Pragma
6 Proxy-Connection
10 Range
7384 Referer
2 UA-CPU
6 Unless-Modified-Since
2 UsER-AgENt
12179 User-Agent
2 X-Request-Kind-Code
2 translate
513 x-flash-version
28 x-requested-with
In the script, the 'log' function is called for each HTTP transaction,
so you can do direct logging of headers from there as well. It wouldn't
be hard to check a white list first to exclude stuff you don't care about.
Cheers,
Victor
[1] https://github.com/inliniac/suricata/pull/1062
[2] https://gist.github.com/inliniac/f0ecc5cc37433576b9af
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
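The "log all headers except a known list" approach from the question, written as a Suricata Lua output script of the kind Victor's branch runs (an added example for this thread, not Victor's gist nor Suricata project code). It assumes the Lua output functions exposed by that branch: HttpGetRequestHeaders(), HttpGetRequestHost(), SCFlowTuple(), SCPacketTimeString(), SCLogPath() and SCLogInfo(); the output file name and the allow-list contents are our own choices. Like the gist, it keeps a per-name count, but only for headers that were not on the allow-list, and writes each transaction carrying such a header to its own log file.

```lua
-- Added example (not the gist's code, not Suricata project code):
-- log only HTTP request headers that are NOT on an allow-list.
-- Assumed Lua output API: HttpGetRequestHeaders(), HttpGetRequestHost(),
-- SCFlowTuple(), SCPacketTimeString(), SCLogPath(), SCLogInfo().

-- Routine request headers, compared case-insensitively (our choice).
local allowed = {
    ["accept"] = true, ["accept-encoding"] = true, ["accept-language"] = true,
    ["cache-control"] = true, ["connection"] = true, ["content-length"] = true,
    ["content-type"] = true, ["cookie"] = true, ["host"] = true,
    ["if-modified-since"] = true, ["if-none-match"] = true, ["pragma"] = true,
    ["referer"] = true, ["user-agent"] = true,
}

-- Tally of unusual header names, printed at deinit like the gist's counts.
local unusual_counts = {}
local file = nil

function init (args)
    local needs = {}
    needs["protocol"] = "http"   -- ask Suricata for HTTP transactions
    return needs
end

function setup (args)
    -- file name is an assumption, not a Suricata default
    local filename = SCLogPath() .. "/unusual-http-headers.log"
    file = assert(io.open(filename, "a"))
    SCLogInfo("unusual header log: " .. filename)
end

-- Called once per HTTP transaction.
function log (args)
    local headers = HttpGetRequestHeaders()
    if headers == nil then return end

    local lines = {}
    for name, value in pairs(headers) do
        if not allowed[string.lower(name)] then
            unusual_counts[name] = (unusual_counts[name] or 0) + 1
            -- replace control characters so a header value cannot inject
            -- extra lines into the log file
            value = string.gsub(value, "%c", ".")
            table.insert(lines, name .. ": " .. value)
        end
    end
    if #lines == 0 then return end   -- nothing unusual in this transaction

    local ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
    local host = HttpGetRequestHost() or "<unknown>"
    host = string.gsub(host, "%c", ".")
    file:write(string.format("%s %s:%d -> %s:%d host=%s %s\n",
        SCPacketTimeString(), srcip, sp, dstip, dp, host,
        table.concat(lines, " | ")))
    file:flush()
end

function deinit (args)
    SCLogInfo("Unusual request headers (count name):")
    for name, n in pairs(unusual_counts) do
        SCLogInfo(string.format("%6d %s", n, name))
    end
    if file then file:close() end
end
```

Enable it the same way as the gist, by listing the script under the lua output section of suricata.yaml. One design point worth deciding up front: the counts above show the same header name arriving as "Host", "HOST" and "HoST", or "User-Agent" and "UsER-AgENt". The case-insensitive allow-list hides those variants; if you want deviating casing to surface as unusual, key the allow-list on the exact name instead (`allowed[name]`) and spell the entries in their canonical form.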