2017-07-08 09:59:05 -06:00
title : Suspicious User Agent
2019-11-12 23:12:27 +01:00
id : 7195a772-4b3f-43a4-a210-6a003d65caa1
2017-07-08 09:59:05 -06:00
status : experimental
description : Detects suspicious malformed user agent strings in proxy logs
2018-01-28 02:12:19 +03:00
references :
2017-07-08 09:59:05 -06:00
- https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
author : Florian Roth
logsource :
2017-09-11 00:35:52 +02:00
category : proxy
2017-07-08 09:59:05 -06:00
detection :
selection :
2019-12-07 00:11:33 +01:00
c-useragent :
2017-07-08 09:59:05 -06:00
# Badly scripted UA
- 'user-agent' # User-Agent : User-Agent :
- '* (compatible;MSIE *' # typical typo - missing space
- '*.0;Windows NT *' # typical typo - missing space
- 'Mozilla/3.0 *'
- 'Mozilla/2.0 *'
- 'Mozilla/1.0 *'
- 'Mozilla *' # missing slash
- ' Mozilla/*' # leading space
- 'Mozila/*' # single 'l'
- '_'
2018-10-06 16:47:20 +02:00
- 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912
2019-02-05 14:32:29 +01:00
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
2019-08-30 11:53:55 +02:00
- 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
2019-12-12 10:42:23 +01:00
- 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880
2018-09-04 11:33:05 +02:00
falsepositives :
2019-12-07 00:11:33 +01:00
c-useragent :
2018-09-04 11:33:05 +02:00
- 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content
condition : selection and not falsepositives
2017-09-12 23:54:04 +02:00
fields :
- ClientIP
2019-12-07 00:11:33 +01:00
- c-uri
- c-useragent
2017-07-08 09:59:05 -06:00
falsepositives :
- Unknown
level : high
