[Oisf-users] HTTP missing user agent detection

Geert Alberghs alberghs.g at gmail.com
Sat Nov 1 11:12:26 UTC 2014


On Nov 1, 2014 12:07 PM, "Evrard, Benjamin" <benjamin.evrard at adelpha.be>
wrote:

> Hi everyone!
>
> I've been trying to find if it's possible to write a rule that's
> triggered when specific fields are completely absent from a request or
> empty.
>
> In this specific case, I'd like to trigger an alert when no user agent
> is sent with an HTTP request.
>
> I have found rulesets achieving the same kind of match I'm trying to
> (https://github.com/decanio/suricata/blob/master/rules/http-events.rules)
> but could see no trace of a way to specifically match the absence of a
> User-Agent header. I also looked at the source code of the app-layer-htp
> module (
> https://github.com/inliniac/suricata/blob/master/src/app-layer-htp.c)
> but could not find any lead there either.
>
> Does this feature exist somewhere else, or is it planned to be included
> in some future release?
>
> Best regards,
> Evrard B.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
>
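The detection the original poster is asking for, as an added example that is not part of the thread and not Suricata's own code. The Suricata 2.x idiom for "header is absent" is a negated content match on the header buffer, e.g. `content:!"User-Agent|3a|"; http_header;` in a rule with `flow:established,to_server;` (the rule text here is an illustration, and the `sid` is a placeholder). The Python below implements the same check on raw requests so the logic can be tested offline, and it also separates the "header present but empty" case, which a plain negated match does not cover. Header names are compared case-insensitively, as RFC 7230 requires; a rule would need `nocase` for the same reason. The sample requests are constructed for the example.

```python
"""Flag HTTP requests whose User-Agent header is missing or empty.

Added example (not from the thread or from Suricata). It mirrors what a rule
such as the following would do, plus the empty-value case:

    alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP request without
    User-Agent"; flow:established,to_server; content:!"User-Agent|3a|";
    http_header; nocase; sid:1000001; rev:1;)

The sid above is a placeholder; the sample requests below are constructed.
"""
from typing import Dict, List


def parse_request_headers(raw: bytes) -> Dict[str, List[str]]:
    """Return request headers keyed by lower-cased name.

    Only the header block (up to the first blank line) is parsed; the
    request line is skipped. Lines without a colon are ignored rather than
    raised on, so a malformed client cannot crash the detector.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:  # lines[0] is the request line
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed header line, skip
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


def user_agent_status(raw: bytes) -> str:
    """Classify a request as 'missing', 'empty' or 'present' for User-Agent.

    'missing' is what the negated-content rule catches; 'empty' is a header
    sent with no value, which that rule alone would let through.
    """
    values = parse_request_headers(raw).get("user-agent")
    if values is None:
        return "missing"
    if all(v == "" for v in values):
        return "empty"
    return "present"


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "browser": (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n"),
    "no_ua": (b"GET /beacon HTTP/1.1\r\nHost: example.test\r\n"
              b"Accept: */*\r\n\r\n"),
    "empty_ua": (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"User-Agent:\r\nContent-Length: 0\r\n\r\n"),
    "lowercase_ua": (b"GET / HTTP/1.1\r\nhost: example.test\r\n"
                     b"user-agent: curl/7.68.0\r\n\r\n"),
}


def scan(requests: Dict[str, bytes]) -> Dict[str, str]:
    """Run the check over a set of named requests."""
    return {name: user_agent_status(raw) for name, raw in requests.items()}


def alerts(requests: Dict[str, bytes]) -> List[str]:
    """Names of requests that would raise an alert (missing or empty UA)."""
    return sorted(name for name, status in scan(requests).items()
                  if status != "present")


if __name__ == "__main__":
    for name, status in scan(SAMPLE_REQUESTS).items():
        print(f"{name:13s} {status}")
    print("alerts:", alerts(SAMPLE_REQUESTS))
```

Running the block prints `present` for the two well-formed requests, `missing` for `no_ua`, `empty` for `empty_ua`, and an alert list of the latter two. Note that negating on `"User-Agent|3a|"` rather than on `"User-Agent"` alone matters: the bare string could appear inside another header's value and suppress the alert.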

