[Oisf-users] user agent parsing error

Peter Manev petermanev at gmail.com
Sat Oct 7 05:05:30 UTC 2017



> On 6 Oct 2017, at 18:36, erik clark <philosnef at gmail.com> wrote:
> 
> I am seeing Suri parsing the following out as a UA. Not sure why this is occurring. Method is correctly broken out. Site referring the traffic is linguee.com. Not sure if it's specific to something linguee.com is doing, or if this is a bug in the parser for Suri. The _TEST_ alert from ET (2009545) will fire on traffic coming from this site, and the malformed HTTP information is shoved into the JSON alert.
> 
> http_user_agent:	Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) GET /gampad/ads?gdfp_req=1(morestufffollowshere)
> 
> payload_printable:	GET /gampad/ads?gdfp_req=1


Can you share a pcap that can reproduce the case?

> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
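Before (or alongside) sharing a pcap, it helps to know how many flows show this shape and whether they all share the same referrer. The following triage script is an added example, not code from either poster, Suricata or Emerging Threats: it walks eve.json records, splits any http_user_agent that ends in something shaped like an HTTP request line (method, path, optional HTTP/x.y), and reports whether that tail matches the alert's payload_printable, as it does in the alert quoted above. The sample records are constructed to mirror the thread; the hostname ad-server.example and the flow ids are made up.

```python
"""Triage helper for eve.json records whose http_user_agent carries an
embedded HTTP request line (added example, not Suricata/ET code)."""
import json
import re
from collections import Counter

# Request-line shape: method token, whitespace, absolute path, optional
# "HTTP/x.y". The mandatory whitespace + "/" keeps UA tokens such as
# "GETAWAY/1.0" from matching.
REQUEST_LINE_RE = re.compile(
    r"\b(?P<method>GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH)"
    r"\s+(?P<uri>/\S*)(?:\s+HTTP/\d\.\d)?"
)


def split_user_agent(ua):
    """Split a User-Agent value into (clean_ua, embedded_request_line).

    embedded_request_line is None when the value looks like a normal UA.
    """
    m = REQUEST_LINE_RE.search(ua)
    if m is None:
        return ua.strip(), None
    return ua[: m.start()].strip(), m.group(0)


def find_anomalies(eve_lines):
    """Scan eve.json lines (one JSON object per line) and return one finding
    per http/alert record whose http_user_agent embeds a request line."""
    findings = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        http = ev.get("http") or {}
        ua = http.get("http_user_agent", "")
        if ev.get("event_type") not in ("http", "alert") or not ua:
            continue
        clean, embedded = split_user_agent(ua)
        if embedded is None:
            continue
        payload = ev.get("payload_printable", "")
        findings.append({
            "flow_id": ev.get("flow_id"),
            "event_type": ev["event_type"],
            "hostname": http.get("hostname"),
            "http_refer": http.get("http_refer"),
            "clean_user_agent": clean,
            "embedded_request_line": embedded,
            # True when the alert payload starts with the same request line
            # that was glued onto the UA, as in the alert quoted in the thread.
            "matches_payload": bool(payload) and payload.startswith(embedded),
        })
    return findings


def summarize_by_referrer(findings):
    """Count anomalous records per Referer, to see whether the problem is
    confined to one referring site (linguee.com in the report above)."""
    return Counter(f["http_refer"] for f in findings)


# Constructed sample records, not real captures. The first mirrors the alert
# quoted in the thread; the hostname "ad-server.example" and flow ids are
# assumptions. The third is a negative case: a UA containing a method name
# that is not followed by a path must not be flagged.
SAMPLE_EVE_LINES = [json.dumps(ev) for ev in [
    {"event_type": "alert", "flow_id": 1,
     "payload_printable": "GET /gampad/ads?gdfp_req=1",
     "http": {"hostname": "ad-server.example", "http_method": "GET",
              "http_refer": "https://www.linguee.com/",
              "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) "
                                 "AppleWebKit/537.36 (KHTML, like Gecko) "
                                 "GET /gampad/ads?gdfp_req=1"}},
    {"event_type": "http", "flow_id": 2,
     "http": {"hostname": "www.linguee.com", "http_method": "GET",
              "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) "
                                 "AppleWebKit/537.36 (KHTML, like Gecko)"}},
    {"event_type": "http", "flow_id": 3,
     "http": {"hostname": "www.example", "http_method": "GET",
              "http_user_agent": "Mozilla/5.0 GETAWAY/1.0"}},
]]

if __name__ == "__main__":
    found = find_anomalies(SAMPLE_EVE_LINES)
    for f in found:
        print(json.dumps(f, indent=2))
    print(summarize_by_referrer(found))
```

To run it against a real log, pass the file object straight in: `find_anomalies(open("eve.json"))`. Running it over the eve.json that `suricata -r` produces from the pcap makes it easy to confirm the pcap actually reproduces the case before attaching it.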