HTTP Basic Authentication is commonly used as a quick and dirty credential harvesting mechanism in low-complexity phishing attacks. These authentication events traversing the network in the clear also subjects the transmitted credentials to theft at any portion of the network path.
HTTP Basic Authentication event can be detected by the presence of the Authentication header in the POST request, followed by the word Basic and a base64 encoded string that is the username and password without any further encryption/obfuscation.
False positive.
192.168.1.112 50581 40.100.29.8 80
#SURICATA HTTP Request unrecognized authorization method suppress gen_id 1, sig_id 2221034