Hide_keywords does not seem to be working

(Wanderer) #1

Packetbeat 6.2.4

packetbeat.yml http settings:

  • type: http
    ports: [80, 8080, 8000, 5000, 8002]
    hide_keywords: ["pass", "password", "passwd", "pwd"]
    send_headers: ["from", "host", "code", "link", "server", "x-pingback", "phrase"]
    #send_all_headers: true
    send_request: true
    real_ip_header: "X-Forwarded-For"

sample request field:
GET /someurl
Host: somesite.com
Connection: keep-alive
Accept: application/json, text/javascript, /; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
DNT: 1
Referer: http://somesite
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: username=dfgdfgdfgdfg; password=sdfgsdfgdfgdfgdfgdfg; PHPSESSID=dfsgdfgdfgdfgdfg

(Adrian Serrano) #2

hide_keywords will only hide keywords in the URL query string and those passed by POST, so it doesn't work on cookies. (See the documentation for a more thorough explanation).

Also, the contents of the request or response fields (created when send_request or send_response are set) are never censored.

But I think it's not a bad idea to have hide_keywords apply to cookies (or a similar option i.e. hide_cookies) and also to censor the raw request and response. Feel free to open a feature request.

(Wanderer) #3

Thank you for the reply. The ability to have a blanket removal of sensitive data i think is imperative especially now with GDPR...

(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.