Deprecate guidance to lowercase "http.request.method" #838

Closed
webmat opened this issue May 7, 2020 · 1 comment · Fixed by #840
webmat commented May 7, 2020

It was recently raised that lowercasing http.request.method was a lossy normalization on a field that captures potentially suspicious behaviour.

E.g. an attacker could try to evade detection by using "PoST" instead of "POST".

Fields that currently suggest lowercasing the value are the following:

  • http.request.method
  • network.type
  • network.transport
  • network.application
  • network.protocol
  • tls.version_protocol

Other than the HTTP field for now, our stance is to leave the normalization in place. They're not places where we would usually need to do anomaly detection around letter casing. These values are provided by the data sources themselves. Feedback is welcome on this, however.

So the proposal is to mark this guidance as deprecated, and remove this guidance completely at ECS 2.0.
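An added example (not part of the issue thread and not ECS or Beats code) of the loss described above: the same detection check run over events that keep the method as sent and over events lowercased at ingest. The log lines are constructed, and the Apache-style log format and the names `to_events` and `odd_casing` are assumptions made for illustration.

```python
import re

# Constructed sample access-log lines (illustrative, not from the issue).
SAMPLE_LOGS = [
    '203.0.113.5 - - [07/May/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/May/2020:10:00:02 +0000] "PoST /login HTTP/1.1" 200 128',
    '203.0.113.9 - - [07/May/2020:10:00:03 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.7 - - [07/May/2020:10:00:04 +0000] "get /admin HTTP/1.1" 404 0',
]

REQUEST_LINE = re.compile(r'"(?P<method>\S+) (?P<path>\S+) HTTP/[\d.]+"')
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                    "CONNECT", "OPTIONS", "TRACE", "PATCH"}


def to_events(lines, lowercase_method):
    """Parse log lines into ECS-style dicts (hypothetical ingest step).

    lowercase_method=True applies the lowercasing guidance under discussion.
    """
    events = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m is None:
            continue  # not a request line we understand
        method = m.group("method")
        events.append({
            "http.request.method": method.lower() if lowercase_method else method,
            "url.path": m.group("path"),
        })
    return events


def odd_casing(events, expected_forms):
    """Events whose method is a standard method but not in its expected stored form."""
    return [e for e in events
            if e["http.request.method"] not in expected_forms
            and e["http.request.method"].upper() in STANDARD_METHODS]


if __name__ == "__main__":
    raw = to_events(SAMPLE_LOGS, lowercase_method=False)
    lowered = to_events(SAMPLE_LOGS, lowercase_method=True)
    # Method kept as sent: the casing anomalies are visible to the rule.
    print("as sent:   ", odd_casing(raw, STANDARD_METHODS))
    # Lowercased at ingest: every value is already the expected form.
    print("lowercased:", odd_casing(lowered, {m.lower() for m in STANDARD_METHODS}))
```
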

webmat commented May 7, 2020

cc @leehinman @neu5ron

@ebeahan changed the title from 'Removing guidance to lowercase "http.request.method"' to 'Deprecate guidance to lowercase "http.request.method"' on Apr 15, 2021