[Oisf-users] Eve logging and http headers
Christophe Vandeplas
christophe at vandeplas.com
Tue Jul 29 12:27:18 UTC 2014
On Tue, Jul 29, 2014 at 2:03 PM, Victor Julien <lists at inliniac.net> wrote:
> On 07/25/2014 10:26 AM, Christophe Vandeplas wrote:
>> Hello list,
>>
>>
>> I'm wondering about your opinion about a specific idea concerning the
>> Eve logging of Suricata.
>>
>> Today the configuration options are:
>> - http:
>>     extended: yes     # enable this for extended logging information
>>     # custom allows additional http fields to be included in eve-log
>>     # the example below adds three additional fields when uncommented
>>     custom: [Accept-Encoding, Accept-Language, Authorization]
>>
>> This means you can choose to add additional HTTP headers.
>>
>> However from experience of some malware, it's sometimes interesting to
>> see/log headers that are NOT usual. There would be two ways to log
>> this,
>> 1/ either log the full header, however that's a lot of data.
>> 2/ log all headers, except a certain list. This way you would also
>> have the unknown headers logged.
>>
>> What is your opinion about this?
>> Have you seen malicious headers using a non-standard-name?
>> Is this idea just unfeasible, as normal traffic generates so many
>> different headers?
>>
>> Curious what you think about this idea.
>
> On a related topic, you could try my Lua output branch [1], and then run
> a script like at [2]
>
> What it generates is output like:
>
> Request Headers:
> 11131 Accept
> 5391 Accept-Encoding
> 6845 Accept-Language
> 6 Authorization
> 828 Cache-Control
> 18 Cache-control
> 11102 Connection
> 234 Content-Length
> 1 Content-Transfer-Encoding
> 165 Content-Type
> 40 Content-type
> 3856 Cookie
> 7 HOST
> 2 HoST
> 12746 Host
> 310 If-Modified-Since
> 136 If-None-Match
> 6 If-Range
> 422 Pragma
> 6 Proxy-Connection
> 10 Range
> 7384 Referer
> 2 UA-CPU
> 6 Unless-Modified-Since
> 2 UsER-AgENt
> 12179 User-Agent
> 2 X-Request-Kind-Code
> 2 translate
> 513 x-flash-version
> 28 x-requested-with
>
> In the script, the 'log' function is called for each HTTP transaction,
> so you can do direct logging of headers from there as well. It wouldn't
> be hard to check a white list first to exclude stuff you don't care about.
Interesting, I'll wait until the Lua output is in master.
Thanks!
Christophe
> Cheers,
> Victor
>
>
> [1] https://github.com/inliniac/suricata/pull/1062
> [2] https://gist.github.com/inliniac/f0ecc5cc37433576b9af
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
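Added example for this thread, not the script from Victor's gist and not part of the original mails: a Suricata Lua output script that does what both mails sketch, counting request header names per transaction (producing a summary like the one quoted above) and writing out, per transaction, only the headers that are not on an allow list, so unknown or unusual header names are logged without dumping every header. It assumes the Lua output API as documented for Suricata (the init/setup/log/deinit callbacks, HttpGetRequestHeaders(), SCFlowTuple(), SCLogPath() and SCLogInfo()); the exact names in the 2014 branch referenced in [1] may differ. The allow list and the output file name are constructed for the example.

```lua
-- Added example: Suricata Lua output script logging only "unusual" request headers.
-- Assumes Suricata's documented Lua output API (init/setup/log/deinit,
-- HttpGetRequestHeaders, SCFlowTuple, SCLogPath, SCLogInfo); adjust for your version.

-- Allow list of common request header names (constructed for this example).
-- Stored lowercase so the comparison is case-insensitive; the raw name as seen
-- on the wire is still counted separately, so variants like "HoST" show up in
-- the summary just as they do in the output quoted in the thread.
local allowed = {}
for _, h in ipairs({
    "accept", "accept-encoding", "accept-language", "cache-control",
    "connection", "content-length", "content-type", "cookie", "host",
    "if-modified-since", "if-none-match", "pragma", "referer", "user-agent",
}) do
    allowed[h] = true
end

local counts = {}   -- raw header name -> number of transactions it appeared in
local file = nil

function init(args)
    -- tell Suricata this script wants to be called for HTTP transactions
    local needs = {}
    needs["protocol"] = "http"
    return needs
end

function setup(args)
    local filename = SCLogPath() .. "/unusual-headers.log"   -- constructed name
    file = assert(io.open(filename, "a"))
    SCLogInfo("unusual header log: " .. filename)
end

function log(args)
    -- called once per HTTP transaction
    local headers = HttpGetRequestHeaders()
    if headers == nil then return end

    local unusual = {}
    for name, value in pairs(headers) do
        counts[name] = (counts[name] or 0) + 1
        if not allowed[string.lower(name)] then
            table.insert(unusual, name .. "=" .. tostring(value))
        end
    end

    if #unusual > 0 then
        -- one line per transaction: timestamp, flow tuple, only the uncommon headers
        local ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
        file:write(string.format("%s %s:%d -> %s:%d %s\n",
            os.date("!%Y-%m-%dT%H:%M:%SZ"), srcip, sp, dstip, dp,
            table.concat(unusual, "; ")))
        file:flush()
    end
end

function deinit(args)
    -- summary in the same shape as the quoted output: count, then raw header name
    local names = {}
    for name in pairs(counts) do table.insert(names, name) end
    table.sort(names, function(a, b) return string.lower(a) < string.lower(b) end)
    SCLogInfo("Request Headers:")
    for _, name in ipairs(names) do
        SCLogInfo(string.format("%d %s", counts[name], name))
    end
    if file then file:close() end
end
```

Register the script under the `lua` output in suricata.yaml as for any Lua output script. Matching the allow list case-insensitively keeps ordinary-but-oddly-cased traffic out of the per-transaction log, while counting by raw name still surfaces the casing variants in the summary, which is where non-standard clients tend to stand out.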