Optimization #1256

Expand HTTP logging (eve-json)

Added by Andreas Moe almost 11 years ago. Updated over 10 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -

Description

As far as I can see, not all the possible HTTP header fields and values are being collected and put into the eve-format output (JSON). This would mean that analysts are missing out on potentially important data when looking at HTTP logs from Suricata. The fields that are stored are documented in EveJSONFormat, but as I found out today, more than these are possibly stored (saw X-Forwarded-For values stored under the name "xff"). So if it is the case that all field names and values are stored, sorry for my lack of double-checking before posting this issue; if not all observed fields/values are stored, this would be a good thing to implement.

P.S. I think I might have seen a similar issue but I could not find it, so sorry if this is a duplicate entry.

Actions #1

Updated by Peter Manev almost 11 years ago

I have updated the page EveJSONFormat.

There are 47 additional custom http fields available.
How to:
http://www.pevma.blogspot.se/2014/06/http-header-fields-extended-logging.html
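
For readers who want to see what enabling those fields looks like, here is a suricata.yaml fragment added to this page as an illustration (it is not from the issue or the linked post). It assumes the standard eve-log output section; the selection of header names in `custom` and the X-Forwarded-For settings under `xff` are illustrative choices, not a recommended set.

```yaml
# Constructed example (not from this issue): eve-log HTTP output section.
# With the defaults (extended: no, no custom list) only the basic fields
# such as hostname, url and user agent reach eve.json; the request and
# response headers an analyst may need are dropped.
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json

      # X-Forwarded-For handling: 'extra-data' logs the client address
      # taken from the header as an additional field in the record.
      # (Header name and deployment mode below are assumptions.)
      xff:
        enabled: yes
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For

      types:
        - http:
            # 'extended' switches on the larger standard field set.
            extended: yes
            # 'custom' names further request/response headers to log
            # per HTTP transaction; the list here is an illustrative
            # selection, not the full set of available fields.
            custom: [Accept-Encoding, Accept-Language, Authorization,
                     Cookie, Content-Type, Server, Set-Cookie, Via,
                     X-Requested-With]
```

Logging Authorization, Cookie and Set-Cookie puts credentials into eve.json, so the log file's permissions and retention deserve the same care as the traffic itself.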

Actions #2

Updated by Andreas Moe over 10 years ago

I see that this case has a good answer, could it be closed?

Actions #3

Updated by Peter Manev over 10 years ago

  • Status changed from New to Closed