Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 3 subscribers
  • Views 1824 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

HTTP HOST Header

Matthew Gough
Hi, I’m using Web protection in the UTM and have enabled SSL Inspection. I have the logs being sent to an external spunk instance. But when I inspect the logs there is no HTTP host headers being sent in the log message. Is there a way to see the host header? I’m trying to detect the Domain fronting.


This thread was automatically locked due to age.
  • 0

    Hi Matthew and welcome to the UTM Community!

    It sounds like you might not be sending the Web Filtering log.  Show us a relevant line from the Web Filtering log and say what you want to see in addition.

    Cheers - Bob
    PS I moved this thread from the General Discussion to the Web Protection forum.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0

    I do not know much about the logging for splunk, but if we don't include host separately it can always be deduced.

     

    In transparent mode, a request looks like:
    GET www.example.com/foobar

     

    In standard mode, a request looks like:
    GET /foobar
    Host: www.example.com

     

    My recollection is that in both cases we log as www.example.com/foobar

    You should be able to parse the URL and pull out the hostname/fqdn.

     

     

Unfiltered HTML