HTTP HOST Header

Hi, I’m using Web protection in the UTM and have enabled SSL Inspection. I have the logs being sent to an external Splunk instance. But when I inspect the logs there are no HTTP Host headers being sent in the log message. Is there a way to see the Host header? I’m trying to detect domain fronting.


This thread was automatically locked due to age.
  • I do not know much about the logging for Splunk, but if we don't include host separately it can always be deduced.

    In transparent mode, a request looks like:
    GET www.example.com/foobar

    In standard mode, a request looks like:
    GET /foobar
    Host: www.example.com

    My recollection is that in both cases we log as www.example.com/foobar

    You should be able to parse the URL and pull out the hostname/FQDN.
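
The hostname extraction suggested in the reply above, as an added example that is not part of the original thread or of any Sophos or Splunk code. It assumes the logged URL arrives in a `url="..."` field; the `sni="..."` field and the sample lines are constructed for illustration, standing in for whatever source records the TLS server name, so the requested host can be compared against it.

```python
import re
from urllib.parse import urlsplit

FIELD = re.compile(r'(\w+)="([^"]*)"')               # key="value" pairs (assumed layout)
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")  # scheme at the very start only

def host_from_logged_url(value):
    """Return the normalized hostname of a logged URL, or None if it has none."""
    value = value.strip()
    if not value:
        return None
    # Entries logged as www.example.com/foobar carry no scheme, and urlsplit
    # only recognizes a host after "//". Anchor the scheme test at the start so
    # a "://" inside the query string is not mistaken for one.
    if not SCHEME.match(value):
        value = "//" + value
    try:
        host = urlsplit(value).hostname  # drops userinfo, port, IPv6 brackets
    except ValueError:                   # malformed bracketed host
        return None
    if not host:
        return None
    return host.rstrip(".") or None      # urlsplit lower-cases; drop the root dot

def fronting_candidates(lines):
    """Return (sni, url_host) pairs where the two names disagree."""
    hits = []
    for line in lines:
        fields = dict(FIELD.findall(line))
        sni = host_from_logged_url(fields.get("sni", ""))
        host = host_from_logged_url(fields.get("url", ""))
        if sni and host and sni != host:
            hits.append((sni, host))
    return hits

# Constructed sample lines, not real UTM output.
SAMPLE = [
    'httpproxy: sni="cdn.example.net" url="https://cdn.example.net/app.js"',
    'httpproxy: sni="cdn.example.net" url="hidden.example.org/api?next=http://x.test/"',
    'httpproxy: sni="WWW.Example.com." url="www.example.com:443/foobar"',
]

if __name__ == "__main__":
    for sni, host in fronting_candidates(SAMPLE):
        print(f"mismatch: sni={sni} host={host}")
```

A mismatch is only a candidate for review: legitimate shared hosting and CDN traffic can also show different names.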

     

     
