Does anyone know if http_log records everything from port 80, or anything detected as the HTTP protocol etc?
I’m asking as I would like to detect software that communicates over port 80 or 8080 but that isn’t in fact using HTTP (some beaconing malware, for example, communicates over port 80).
And similarly it would be very useful to be able to detect non-SSL over port 443. I’m thinking that checking for ssl.log where cipher="-" might be a good idea, if ssl.log records everything over port 443.
Apologies if this has been answered before, I couldn’t find the answer from a quick Google and code check.
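One defender-side way to approach the question above is to work from conn.log rather than http.log or ssl.log: Zeek fills conn.log's `service` field from its dynamic protocol detection, so a connection to port 80 or 443 whose detected service is not `http` or `ssl` is exactly the kind of mismatch the post is asking about. The following Python script is an added example, not code from the original post or from the Zeek project; it assumes the standard conn.log column names (`id.resp_p`, `service`, `conn_state`) and uses a constructed conn.log excerpt rather than real traffic.

```python
"""Flag connections on 80/8080/443 whose Zeek-detected service does not match the port.

Added example (not from the original post). Assumes standard conn.log fields;
the sample log below is constructed, not captured traffic.
"""
from typing import Dict, List

# Service we expect Zeek's protocol detection to report on each port of interest.
EXPECTED_SERVICE = {80: {"http"}, 8080: {"http"}, 443: {"ssl"}}

# Half-open or rejected connections carry no payload, so protocol detection
# cannot run on them; skipping these keeps the output from filling with SYN scans.
NO_PAYLOAD_STATES = {"S0", "REJ", "RSTOS0"}

# Constructed sample conn.log excerpt in Zeek's TSV format (not real traffic).
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring
1700000000.1\tC1\t10.0.0.5\t51000\t192.0.2.10\t80\ttcp\thttp\tSF
1700000001.2\tC2\t10.0.0.5\t51001\t192.0.2.11\t80\ttcp\t-\tSF
1700000002.3\tC3\t10.0.0.6\t51002\t192.0.2.12\t443\ttcp\tssl\tSF
1700000003.4\tC4\t10.0.0.6\t51003\t192.0.2.13\t443\ttcp\t-\tSF
1700000004.5\tC5\t10.0.0.7\t51004\t192.0.2.14\t8080\ttcp\thttp\tSF
1700000005.6\tC6\t10.0.0.7\t51005\t192.0.2.15\t443\ttcp\thttp\tSF
1700000006.7\tC7\t10.0.0.8\t51006\t192.0.2.16\t53\tudp\tdns\tSF
1700000007.8\tC8\t10.0.0.8\t51007\t192.0.2.17\t80\ttcp\t-\tS0
#close\t2023-11-14-22-13-27
"""


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse Zeek's TSV log format.

    The '#fields' line names the columns; every other '#' line is metadata
    (separator, types, open/close timestamps) and is skipped.
    """
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_port_protocol_mismatches(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return connections on a watched port whose detected service is not the expected one.

    conn.log's service column is a comma-joined set (a connection can be
    reported as e.g. "ssl,http"), and "-" means nothing was detected.
    """
    hits: List[Dict[str, object]] = []
    for row in rows:
        try:
            port = int(row["id.resp_p"])
        except (KeyError, ValueError):
            continue
        if port not in EXPECTED_SERVICE:
            continue
        if row.get("conn_state") in NO_PAYLOAD_STATES:
            continue
        raw = row.get("service", "-")
        services = set() if raw == "-" else set(raw.split(","))
        if not services & EXPECTED_SERVICE[port]:
            hits.append({
                "uid": row["uid"],
                "orig_h": row["id.orig_h"],
                "resp_h": row["id.resp_h"],
                "resp_p": port,
                "service": ",".join(sorted(services)) or "-",
            })
    return hits


if __name__ == "__main__":
    for hit in find_port_protocol_mismatches(parse_zeek_tsv(SAMPLE_CONN_LOG)):
        print(f"{hit['uid']}: {hit['orig_h']} -> {hit['resp_h']}:{hit['resp_p']} service={hit['service']}")
```

Run against the constructed sample, this reports C2 (port 80, nothing detected), C4 (port 443, nothing detected) and C6 (plaintext HTTP on 443), while the SYN-only C8 is skipped because no payload was ever exchanged for Zeek to classify. Against a real conn.log the same logic works on the file's contents; a service of "-" on a completed port-80 connection is the signal worth investigating, since it means the traffic looked like neither HTTP nor anything else Zeek recognises.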