[Oisf-users] HTTP missing user agent detection
Evrard, Benjamin
benjamin.evrard at adelpha.be
Thu Oct 30 10:21:09 UTC 2014

Hi everyone!

I've been trying to find out if it's possible to write a rule that's
triggered when specific fields are completely absent from a request or
empty.

In this specific case, I'd like to trigger an alert when no user agent
is sent with an HTTP request.

I have found rulesets achieving the same kind of match I am trying to
(https://github.com/decanio/suricata/blob/master/rules/http-events.rules)
but could see no trace of a way to specifically match the absence of
user-agent. I also looked at the source code of the app-layer-htp
module (https://github.com/inliniac/suricata/blob/master/src/app-layer-htp.c)
but could not find any lead there either.

Does this feature exist somewhere else or is it planned to be included
in some future release?

Best regards,
Evrard B.