Project

General

Profile

Actions
Copy link

Task #8549

open
JI JI

http: consider making extended the default

Task #8549: http: consider making extended the default

Added by Jason Ish 4 days ago. Updated 16 minutes ago.

Status:
Feedback
Priority:
Normal
Assignee:
Jason Ish
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Currently extended is enabled in the default configuration file, but this is not the default if that field is commented out. We should consider removing this option and just log in extended mode all the time.

When not in extended mode (default mode), the following are logged:

  • hostname
  • http_port — only if port is present in Host/URL
  • url
  • http_user_agent
  • xff — from X-Forwarded-For
  • http_content_type
  • content_range {raw, start, end, size}

Extended adds:

  • http_refer
  • http_method
  • protocol
  • status — numeric status, if valid
  • status_string — if status is non-numeric
  • redirect — from Location
  • length — response message length

Arguably, some of these extended fields make sense in basic cases, such as method, protocol, and status.

At the same time, it would make sense to hoise the "Server" header into the server field. Its complimentary to the user agent that is already hoisted.

Related issues 1 (1 open0 closed)

Related to Suricata - Feature #8516: http: include server header in default eve record as a field TriagedOISF DevActions

JI Updated by Jason Ish 4 days ago Actions
Copy link
 #1

  • Related to Feature #8516: http: include server header in default eve record as a field added

PM Updated by Peter Manev 16 minutes ago Actions
Copy link
 #2

Yes, agree with Jason. Makes sense to me too to add method, protocol, status and http server into the default logging. Maybe move the content_range into extended logging.

Actions
Copy link

Also available in: PDF Atom