Eric Partington

Content: Http_lua_options updates

Blog Post created by Eric Partington Employee on May 21, 2018

The Options file for the HTTP_lua parser has been updated recently. The latest addition, a function called customHeaders(), is at the bottom of the file and is an interesting one.

The current version of the file is at the top of the options ...

 

-- 2018.05.02.1

 

function customHeaders()
--[=[
"Custom Headers" : default NONE

Beware of excessive duplication, which will impact performance and retention. Meta
registered will be in addition to, not replacement of, standard meta registration.
In other words, if you specify "user-agent" headers be registered to key "foo", it
will still also be registered to alias.host (or alias.ip / alias.ipv6 if appropriate).

Syntax is,

["header"] = "key",

Where,

"header" is the desired HTTP header in lowercase. Do not include spaces, colons, etc.

"key" is the desired meta key with which to register the value of that header

Key names must be 16 characters or less, and consist only of alphanumeric, dots, and
hyphens. Keys specified that do not meet these requirements will be modified in order
to conform.

Keys listed here are registered as format="Text". Don't use keys indexed in other formats.

--]=]
return {
--["origin"] = "referer",
}
end

 

That new option lets you capture a specific header by name and write its value to a meta key of your choice.

 

Maybe your use case was to grab Pragma, Proxy-Connection, X-Cache, or a custom header that specific malware was using (maybe cookie?).

 

These values may already be extracted into another set of advanced keys from the Options file, such as http response header/request header or unique http request/response header. This option gives you a targeted method to grab specific headers and put them in specific keys, which reduces meta bloat and gets you just the data you might be looking for.
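As an added example (not part of the RSA options file), here is a filled-in customHeaders() for the headers mentioned above, with a small lint function that checks a table against the rules in the file's comment before you deploy it. The meta key names and the lintCustomHeaders helper are hypothetical; run the example offline with a standalone Lua interpreter and paste only customHeaders() into the options file.

```lua
-- Added example, not from the RSA options file. The meta key names are
-- hypothetical: use keys that your deployment indexes as Text.
function customHeaders()
    return {
        ["pragma"]           = "http.pragma",
        ["proxy-connection"] = "http.proxyconn",
        ["x-cache"]          = "http.xcache",
    }
end

-- Check a header-to-key table against the rules in the options file comment.
-- Returns a sorted list of problem strings, empty when every entry conforms.
local function lintCustomHeaders(map)
    local problems = {}
    local function flag(header, msg)
        problems[#problems + 1] = string.format("[%s] %s", tostring(header), msg)
    end
    for header, key in pairs(map) do
        if type(header) ~= "string" or type(key) ~= "string" then
            flag(header, "header and key must both be strings")
        else
            if header ~= header:lower() then
                flag(header, "header must be lowercase")
            end
            if header:find("[%s:]") then
                flag(header, "header must not contain spaces or colons")
            end
            if #key > 16 then
                flag(header, "key '" .. key .. "' is longer than 16 characters")
            end
            if key:find("[^%w%.%-]") then
                flag(header, "key '" .. key .. "' has characters other than alphanumerics, dots, hyphens")
            end
        end
    end
    table.sort(problems)
    return problems
end

-- Constructed non-conforming table, to show what the lint reports.
local bad = {
    ["User-Agent:"] = "ua",
    ["x-cache"]     = "http.response.x_cache",
}

for _, tbl in ipairs({ customHeaders(), bad }) do
    local problems = lintCustomHeaders(tbl)
    print(#problems == 0 and "OK" or table.concat(problems, "\n"))
end
```

The lint only flags entries; it does not try to reproduce how the parser modifies non-conforming keys, since the options file does not describe that.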

 

As always, don't subscribe to any of the options files from Live; deploy them directly from Live instead. Otherwise, once an update like this is pushed out, it will overwrite your custom version and changes. Download the new version, diff it offline, and make the changes that are required until the product UI catches up with these Options features.
