e947012 Jul 8, 2016
Contributors: @DavidJBianco @MHaggis

# HTTP User-Agent Analysis

Purpose: Identify malware by analyzing the User-Agent (UA) strings it presents

Data Required: HTTP proxy data; list of known-bad UAs (optional)

Collection Considerations:

Analysis Techniques: Stack counting, String matching, tokenization, outlier detection

Description

  • Stack the entire UA string and look for rare occurrences. There may be a LOT of these, though. Every web plugin changes the UA string a bit, but that doesn't mean there's anything evil.
  • Consider more detailed analysis, including
    • tokenizing the string and focusing on strings with the lowest number of tokens, the most unique tokens, or some combination
    • looking for abnormally short or long strings
  • Look for matches against a list of known-bad UAs
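As an added example (not part of the playbook), the Python below runs the checks above over a constructed set of proxy records: it stacks the UA strings, tokenizes each one, and flags values that are rare, under-tokenized, abnormally short or long, or on a known-bad list. The sample records, the thresholds and the one-entry known-bad list are placeholders; substitute your own proxy export and intel.

```python
import re
from collections import Counter

# Constructed sample HTTP proxy records (client IP, User-Agent); not real traffic.
CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36")
FIREFOX = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
LEGACY_IE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
PROXY_RECORDS = (
    [("10.0.0.%d" % i, CHROME) for i in range(1, 5)]
    + [("10.0.0.%d" % i, FIREFOX) for i in range(5, 8)]
    + [("10.0.0.9", LEGACY_IE), ("10.0.0.10", "abc")]
)
# Placeholder known-bad list; a real one comes from your own intel feeds.
KNOWN_BAD_UAS = frozenset({LEGACY_IE})


def tokenize(ua):
    """Split a UA string into product/version tokens; punctuation is discarded."""
    return re.findall(r"[A-Za-z0-9._-]+", ua)


def stack_user_agents(records):
    """Stack counting: number of requests per distinct UA string."""
    return Counter(ua for _, ua in records)


def flag_user_agents(records, known_bad=frozenset(), rare_max=1,
                     min_tokens=3, min_len=20, max_len=300):
    """Return {ua: [reasons]} for every UA string that trips at least one check."""
    counts = stack_user_agents(records)
    findings = {}
    for ua, n in counts.items():
        reasons = []
        if ua in known_bad:
            reasons.append("known-bad")
        if n <= rare_max:                         # rare in the stack
            reasons.append("rare")
        if len(tokenize(ua)) < min_tokens:        # too few tokens for a normal browser UA
            reasons.append("few-tokens")
        if not (min_len <= len(ua) <= max_len):   # abnormally short or long
            reasons.append("abnormal-length")
        if reasons:
            findings[ua] = reasons
    return findings


if __name__ == "__main__":
    for ua, reasons in sorted(flag_user_agents(PROXY_RECORDS, KNOWN_BAD_UAS).items()):
        print("%-60.60s %s" % (ua, ", ".join(reasons)))
```

Tune `rare_max` to the size of your stack; on a large proxy export, "rare" alone will fire on plugin-modified browser strings, which is why the other reasons are reported alongside it.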

Other Notes

Consider also doing this type of analysis for incoming HTTP transactions (in server logs) to identify potential recon or attack activity.