<p dir="ltr">T,,,,,,,,,,,,,,,,;;; ,PPP,,6;; okpopooop</p>
<div class="gmail_quote">On Nov 1, 2014 12:07 PM, "Evrard, Benjamin" &lt;<a href="mailto:benjamin.evrard@adelpha.be">benjamin.evrard@adelpha.be</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi everyone!<br>
<br>
I've been trying to find if it's possible to write a rule that's<br>
triggered when specific fields are completely absent from a request or<br>
empty.<br>
<br>
In this specific case, I'd like to trigger an alert when no user agent<br>
is sent with an HTTP request.<br>
<br>
I have found rulesets achieving the same kind of match I try to<br>
(<a href="https://github.com/decanio/suricata/blob/master/rules/http-events.rules" target="_blank">https://github.com/decanio/suricata/blob/master/rules/http-events.rules</a>)<br>
but could see no trace of a way to specifically match the absence of<br>
user-agent. I also looked at the source code of the app-layer-htp<br>
module (<a href="https://github.com/inliniac/suricata/blob/master/src/app-layer-htp.c" target="_blank">https://github.com/inliniac/suricata/blob/master/src/app-layer-htp.c</a>)<br>
but could not find any lead there either.<br>
<br>
Does this feature exist somewhere else or is it planned to be included<br>
in some future release?<br>
<br>
Best regards,<br>
Evrard B.<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br>
</blockquote></div>