[Oisf-users] HTTP missing user agent detection

Francis Trudeau ftrudeau at emergingthreats.net
Sat Nov 1 15:39:34 UTC 2014


I don't think there's a specific dedicated way to test for this, but
this should work:

content:!"User-Agent|3a 20|"; http_header;

Probably could get a little tricky with pcre to make sure it doesn't FP on
something else in the header, but I wouldn't think that would be
necessary.

ft





On Thu, Oct 30, 2014 at 4:21 AM, Evrard, Benjamin
<benjamin.evrard at adelpha.be> wrote:
> Hi everyone !
>
> I've been trying to find if it's possible to write a rule that's
> triggered when specific fields are completely absent from a request or
> empty.
>
> In this specific case, I'd like to trigger an alert when no user agent
> is sent with an HTTP request.
>
> I have found rulesets achieving the same kind of match I try to
> (https://github.com/decanio/suricata/blob/master/rules/http-events.rules)
> but could see no trace of a way to specifically match the absence of
> user-agent. I also looked at the source code of the app-layer-htp
> module (https://github.com/inliniac/suricata/blob/master/src/app-layer-htp.c)
> but could not find any lead there either.
>
> Does this feature exist somewhere else or is it planned to be included
> in some future release ?
>
> Best regards,
> Evrard B.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
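As an added illustration (not from the post or from Suricata itself), the Python below mirrors the negated content match above against constructed requests and contrasts it with an anchored check of the kind the pcre remark describes. It assumes, as Suricata documents for http_header, that the buffer holds the header lines but not the request line.

```python
import re

# Constructed sample requests (not taken from the post). http_header_block()
# assumes, as Suricata documents for http_header, that the buffer holds the
# header lines but not the request line.
REQ_WITH_UA = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
               b"User-Agent: curl/7.0\r\n\r\n")
REQ_NO_UA = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
             b"Accept: */*\r\n\r\n")
# Header whose *name* merely contains the text the rule looks for.
REQ_LOOKALIKE = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                 b"X-Original-User-Agent: something\r\n\r\n")
# Same header, lower-cased name (legal: header names are case-insensitive).
REQ_LOWER = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
             b"user-agent: curl/7.0\r\n\r\n")


def http_header_block(raw: bytes) -> bytes:
    """Header lines after the request line, ending with CRLF."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    return b"\r\n".join(head.split(b"\r\n")[1:]) + b"\r\n"


def missing_ua_content(raw: bytes) -> bool:
    """Mirror of  content:!"User-Agent|3a 20|"; http_header;  -- a negated,
    case-sensitive substring test (no nocase) over the header buffer.
    True means the rule would fire."""
    return b"User-Agent: " not in http_header_block(raw)


# Anchored alternative of the kind the pcre remark hints at: only a header
# line that *starts* with User-Agent counts, and name case is ignored.
UA_LINE = re.compile(rb"^User-Agent:", re.MULTILINE | re.IGNORECASE)


def missing_ua_pcre(raw: bytes) -> bool:
    """True when no real User-Agent header line is present."""
    return UA_LINE.search(http_header_block(raw)) is None


if __name__ == "__main__":
    for name, req in [("with UA", REQ_WITH_UA), ("no UA", REQ_NO_UA),
                      ("lookalike", REQ_LOOKALIKE), ("lower-case", REQ_LOWER)]:
        print(f"{name:10} content:{missing_ua_content(req)!s:5} "
              f"pcre:{missing_ua_pcre(req)}")
```

The lookalike request shows the substring match suppressing the alert although no User-Agent header is present, and the lower-cased request shows it firing although one is; the anchored check handles both.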