Project

General

Profile

Actions

Feature #2563

closed

Add dump of all headers in http eve-log

Added by Maurizio Abba over 6 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
low
Difficulty:
low
Label:

Description

A patch adding a list of json objects with the list of HTTP headers encountered for that transaction in the two object "request_headers" and "response_headers".

The direction of the information (i.e., whether we want to log only HTTP request headers, only HTTP response headers, or both) is set via configuration key "dump-all-headers".

We introduced two limits to avoid potential memory exhaustion caused by very long http headers. This limit is hardcoded to 256 bytes for HTTP header name and 2048 for http header value.

The resulting list of http headers will be in this form:

"http": {
    "request_headers": [
      {
        "name": "User-Agent",
        "value": "Wget/1.13.4 (linux-gnu)" 
      },
      {
        "name": "Accept",
        "value": "*/*" 
      },
    ],
    "response_headers": [
      {
        "name": "Date",
        "value": "Wed, 25 Mar 2015 15:40:41 GMT" 
      },
      {
        "name": "Server",
        "value": "Apache" 
      },
      {
        "name": "Last-Modified",
        "value": "Wed, 25 Mar 2015 15:38:48 GMT" 
      },
      {
        "name": "ETag",
        "value": "\"34000d-c3-5121eb20b238d\"" 
      },
    ],
} 

Note that the dump-all-headers is disabled by default, meaning that by default the fields will not be present.


Related issues 1 (1 open0 closed)

Related to Suricata - Task #2685: SuriCon 2018 brainstormAssignedVictor JulienActions
Actions

Also available in: Atom PDF