Latest commit e947012 (Jul 9, 2016): Detailed SANS Reading Room - "The User Agent Field: Analyzing and Detecting the Abnormal or Malicious in your Organization"

Contributors: @DavidJBianco @MHaggis

# HTTP User-Agent Analysis

Purpose: Identify malware by analyzing the User-Agent (UA) strings it presents in HTTP requests

Data Required: HTTP proxy data; list of known-bad UAs (optional)

Collection Considerations:

Analysis Techniques: stack counting, string matching, tokenization, outlier detection

- Stack the entire UA string and look for rare occurrences. There may be a LOT of these, though. Every web plugin changes the UA string a bit, but that doesn't mean there's anything evil.
- Consider more detailed analysis, including
  - tokenizing the string and focusing on strings with the lowest number of tokens, the most unique tokens, or some combination
  - looking for abnormally short or long strings
- Match UA strings against a list of known-bad UAs
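As an added example (not part of the original playbook), the stack-counting, tokenizing, length and known-bad checks above applied to a few constructed proxy log lines; the log format, thresholds and the known-bad entry are assumptions:

```python
import re
from collections import Counter

# Constructed sample proxy log lines (not real traffic); the UA is the last quoted field.
SAMPLE_LOG = """\
10.0.0.5 GET http://example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0 Safari/537.36"
10.0.0.6 GET http://example.com/news 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0 Safari/537.36"
10.0.0.7 GET http://example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0 Safari/537.36"
10.0.0.8 GET http://example.com/ 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
10.0.0.9 POST http://198.51.100.23/gate.php 200 "Mozilla/4.0"
10.0.0.10 GET http://203.0.113.9/update 404 "evil-bot-ua"
"""

# Constructed placeholder; a real hunt would load a curated known-bad UA list here.
KNOWN_BAD = {"evil-bot-ua"}

UA_RE = re.compile(r'"([^"]*)"\s*$')      # last double-quoted field on the line
TOKEN_RE = re.compile(r"[\s/;(),]+")        # split on the separators UA strings use


def parse_ua(line):
    m = UA_RE.search(line)
    return m.group(1) if m else None


def tokenize(ua):
    return [t for t in TOKEN_RE.split(ua) if t]


def stack_uas(log_text):
    """Stack counting: number of requests carrying each distinct UA string."""
    return Counter(ua for ua in map(parse_ua, log_text.splitlines()) if ua is not None)


def analyze(log_text, known_bad=KNOWN_BAD, rare_max=1, min_tokens=4, short_len=20, long_len=300):
    """Return {ua: [reasons]} for UA strings worth a closer look.
    'rare' alone is weak evidence (plugins vary UAs); the other reasons add weight."""
    findings = {}
    for ua, count in stack_uas(log_text).items():
        reasons = []
        if ua in known_bad:
            reasons.append("known-bad")
        if count <= rare_max:
            reasons.append("rare")
        if len(tokenize(ua)) < min_tokens:
            reasons.append("few-tokens")
        if len(ua) < short_len or len(ua) > long_len:
            reasons.append("abnormal-length")
        if reasons:
            findings[ua] = reasons
    return findings
```

With the sample above, the common Chrome UA is not flagged, the lone Firefox UA is flagged only as rare, and the two short strings collect several reasons each.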

## Other Notes

Consider also doing this type of analysis for incoming HTTP transactions (in server logs) to identify potential recon or attack activity.