I'm having trouble getting a custom app ctrl sig to work on 5.4.1. Basically i want to identify the use of a special type of browser, it's present in the user-agent field as 'Shield' and the header includes the unique field 'X-SHIELD-ID:'

I've got an app ctrl sensor that passes everything and a custom override with the sig below set to monitor, however the log identifies the app as http.browser_ie , which it basically is.

Can anyone see anything wrong in the syntax i've used, if not, is there another reason why this is getting logged at IE and not the custom sig?

GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko; Shield X-SHIELD-ID: d0131c8c-fa23-4e74-9e1d-d6b8fa9489ed

F-SBID( --name "Shielded_Browser"; --protocol tcp; --service HTTP; --flow from_client; --parsed_type HTTP_GET; --pattern "Shield"; --context header; --no_case; --app_cat 25; )