Custom app sig for a non-standard browser type

Forum|Forum|9 years ago
November 3, 2016
1 reply
3604 views

I'm having trouble getting a custom app ctrl sig to work on 5.4.1. Basically i want to identify the use of a special type of browser, it's present in the user-agent field as 'Shield' and the header includes the unique field 'X-SHIELD-ID:'

I've got an app ctrl sensor that passes everything and a custom override with the sig below set to monitor, however the log identifies the app as http.browser_ie , which it basically is.

Can anyone see anything wrong in the syntax i've used, if not, is there another reason why this is getting logged at IE and not the custom sig?

GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko; Shield X-SHIELD-ID: d0131c8c-fa23-4e74-9e1d-d6b8fa9489ed

F-SBID( --name "Shielded_Browser"; --protocol tcp; --service HTTP; --flow from_client; --parsed_type HTTP_GET; --pattern "Shield"; --context header; --no_case; --app_cat 25; )

Best answer by simonorch

Just thought i'd report back how we got this signature to work, it may help others in the future.

As the browser was basically IE, the IE signature was 'beating' the custom signature. All we had to do was add the weight value to the sig and it worked

--weight 20;

simonorchAuthorAnswer

Explorer

Just thought i'd report back how we got this signature to work, it may help others in the future.

As the browser was basically IE, the IE signature was 'beating' the custom signature. All we had to do was add the weight value to the sig and it worked

--weight 20;

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded