[Oisf-users] HTTP missing user agent detection

Evrard, Benjamin benjamin.evrard at adelpha.be
Thu Oct 30 10:21:09 UTC 2014


Hi everyone!

I've been trying to find if it's possible to write a rule that's
triggered when specific fields are completely absent from a request or
empty.

In this specific case, I'd like to trigger an alert when no user agent
is sent with an HTTP request.

I have found rulesets achieving the same kind of match I'm trying to
(https://github.com/decanio/suricata/blob/master/rules/http-events.rules)
but could see no trace of a way to specifically match the absence of a
User-Agent. I also looked at the source code of the app-layer-htp
module (https://github.com/inliniac/suricata/blob/master/src/app-layer-htp.c)
but could not find any lead there either.

Does this feature exist somewhere else, or is it planned to be included
in some future release?

Best regards,
Evrard B.