ksuuk
May 27, 2018

Compare user-agent content and then match?

Hi,

I'm looking for a solution to match botnets with fake user-agents and with fake user-agent syntax.

First check, is the user-agent complete:

Mozilla/5.0 (Linux; Android 4.4.2; SM-G7102 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36 - good
Mozilla/5.0 (Linux; Android 4.4.2) - bad

Second check, if the user-agent version has too many or too few digits:

Mozilla/1.2.3 (Linux; U; Android 1.2.3) - more than 3, bad, match
Mozilla/1.2 (Linux; U; Android 1.2) - less than 2, bad, match

Third check, to match all that use the same number twice and are equal inside the user-agent, for example:

Mozilla/1.2.3 (Linux; U; Android 1.2.3) - bad, match

I managed somehow to match the first 2 conditions, but how to match the third condition? How to compare strings inside the user-agent and, if they are equal, match as bad and drop?

when HTTP_REQUEST {
    set uagent [string tolower [HTTP::header User-Agent]]
    set uri [string tolower [HTTP::uri]]
    set headers ""
    foreach aHeader [HTTP::header names] { set headers "$headers $aHeader: [HTTP::header value $aHeader];" }
    switch -glob $uagent {
        "mozilla/[0-9].[0-9].[0-9] (linux; u; android [0-9].[0-9].[0-9])"
        {
            # pull the two version strings out of the UA; $osversion was never set in the original
            scan $uagent {mozilla/%[0-9.] (linux; u; android %[0-9.])} mozversion osversion
            # expr only knows && and || (not "and"/"or"); the request header is spelled Referer
            if { ($uri starts_with "/admin.php") && ([HTTP::header Referer] equals "") && (([string length $osversion] < 3) || ([string length $osversion] > 5)) } then {
                event disable all
                TCP::close
                log local0. "BAD"
                return
            }
        }
        default {
            log local0. "GOOD"
        }
    }
}
• If it were me, I'd check the user agent against a datagroup of known valid user agents (lists are available if you google).

    Otherwise, you need to learn how to extract substrings from the user-agent using TCL scan or TCL regular expressions (tip - scan is faster than regexp).

    Advanced iRules: Scan

    I'll also note that DoS Profiles available with modules like ASM and AFM have User-Agent signatures for Bot detection.
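The following iRule is an added example, not code from either poster, showing all three checks from the question using the scan approach the reply recommends. The scan format is written for the exact UA shape in the question ("mozilla/x.y.z (linux; u; android x.y.z)"), and the component bounds minparts/maxparts, the log text and the choice of reject over TCP::close are assumptions you would tune to your own traffic.

```tcl
when HTTP_REQUEST {
    set uagent [string tolower [HTTP::header User-Agent]]

    # Assumed bounds on how many dotted components an OS version may have
    # ("4.4.2" has three). Placeholder values, adjust to what you actually see.
    set minparts 2
    set maxparts 3

    # Check 1: a Mozilla-style UA that stops right after the parenthesised
    # platform block ("mozilla/5.0 (linux; android 4.4.2)") is incomplete;
    # real browsers always append an engine/browser token after it. The
    # string match guard keeps non-Mozilla UAs (curl/..., monitoring probes)
    # out of this check so it does not reject them by accident.
    if { [string match "mozilla/*" $uagent] && ![regexp {^mozilla/[0-9.]+ \([^)]*\) \S+} $uagent] } {
        log local0. "BAD incomplete UA: $uagent"
        reject
        return
    }

    # Checks 2 and 3 only apply to the specific shape from the question.
    # scan returns the number of conversions that succeeded, so 2 means both
    # version strings were found; %[0-9.] reads a run of digits and dots and
    # a blank in the format matches any amount of whitespace.
    if { [scan $uagent {mozilla/%[0-9.] (linux; u; android %[0-9.])} mozver osver] == 2 } {
        set osparts [llength [split $osver .]]

        # Check 2: too few or too many version components
        if { $osparts < $minparts || $osparts > $maxparts } {
            log local0. "BAD version length ($osparts parts): $uagent"
            reject
            return
        }

        # Check 3: the same version string reused for both product and OS,
        # which is the comparison the question asks about
        if { $mozver equals $osver } {
            log local0. "BAD duplicated version $mozver: $uagent"
            reject
            return
        }
    }

    log local0. "GOOD: $uagent"
}
```

With the question's samples, "mozilla/5.0 (linux; android 4.4.2)" is stopped by check 1, while "mozilla/1.2.3 (linux; u; android 1.2.3)" and "mozilla/1.2 (linux; u; android 1.2)" pass check 2 under these bounds and are caught by check 3. Because the scan format is tied to one UA layout, every new bot pattern means another format string; a datagroup of known-good UAs or the bot signatures in ASM/AFM, as the reply suggests, scale better than hand-written matching.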