<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><br><div><br>On 6 Oct 2017, at 18:36, erik clark <<a href="mailto:philosnef@gmail.com">philosnef@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr">I am seeing Suri parsing the following out as a UA. Not sure why this is occurring. Method is correctly broken out. Site referring the traffic is <a href="http://linguee.com">linguee.com</a>. Not sure if it's specific to something <a href="http://linguee.com">linguee.com</a> is doing, or if this is a bug in the parser for Suri. The _TEST_ alert from ET (2009545) will fire on traffic coming from this site, and the malformed HTTP information gets shoved into the JSON alert.<div><br></div><div><pre><b>http_user_agent</b>:       Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) GET /gampad/ads?gdfp_req=1(morestufffollowshere)

<b>payload_printable</b>:        GET /gampad/ads?gdfp_req=1</pre></div></div></div></blockquote><div><br></div><div><br></div><div>Can you share a pcap that can reproduce the case?</div><br><blockquote type="cite"><div><div dir="ltr"><div><br></div></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a></span><br><span>Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a></span><br><span>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br><span></span><br><span>Conference: <a href="https://suricon.net">https://suricon.net</a></span><br><span>Trainings: <a href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a></span></div></blockquote></body></html>