[Oisf-users] HTTP missing user agent detection

Geert Alberghs alberghs.g at gmail.com
Sat Nov 1 11:12:26 UTC 2014

T,,,,,,,,,,,,,,,,;;; ,PPP,,6;; okpopooop
On Nov 1, 2014 12:07 PM, "Evrard, Benjamin" <benjamin.evrard at adelpha.be>

> Hi everyone !
> I've been trying to find if it's possible to write a rule that's
> triggered when specific fields are completely absent from a request or
> empty.
> In this specific case, I'd like to trigger an alert when no user agent
> is sent with an HTTP request.
> I have found rulesets achieving the same kind of match I try to
> (https://github.com/decanio/suricata/blob/master/rules/http-events.rules)
> but could see no trace of a way to specifically match the absence of
> user-agent. I also looked at the source code of the app-layer-htp
> module (
> https://github.com/inliniac/suricata/blob/master/src/app-layer-htp.c)
> but could not find any lead there either.
> Does this feature exist somewhere else or is it planned to be included
> in some future release ?
> Best regards,
> Evrard B.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20141101/6c2b8737/attachment.html>

More information about the Oisf-users mailing list