@NSkelsey
Created September 22, 2020 15:26
Simple Zeek script
@load base/protocols/http

module EvilUserAgents;

export {
    # Pattern of User-Agent strings to flag; override it with redef.
    const evil_user_agents = /curl\/[0-9.]+/ &redef;
}

event HTTP::log_http(rec: HTTP::Info)
{
    # user_agent is &optional in HTTP::Info; reading an unset field is a
    # runtime error, so check that it is present before matching on it.
    if ( rec?$user_agent && evil_user_agents in rec$user_agent )
    {
        local ua = rec$user_agent;
        local msg = fmt("%s used the evil UA: %s", rec$id$orig_h, ua);
        print msg;
    }
}
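The same check, as an added example that is not part of the gist: instead of printing to stdout it raises a notice, so hits land in notice.log with the connection's uid and are suppressed per source-and-UA pair. The notice type name `Evil_User_Agent_Seen` and the suppression interval are my choices, not the author's.

```zeek
# Added example: Notice-framework variant of the user-agent check.
@load base/protocols/http
@load base/frameworks/notice

module EvilUserAgents;

export {
    redef enum Notice::Type += {
        ## Raised when an HTTP request carries a matching User-Agent.
        Evil_User_Agent_Seen
    };

    ## Pattern of User-Agent strings to flag; override with redef,
    ## e.g. from the command line with -e.
    const evil_user_agents = /curl\/[0-9.]+/ &redef;

    ## How long to suppress repeat notices for the same source and UA.
    const evil_ua_suppress = 1hr &redef;
}

event HTTP::log_http(rec: HTTP::Info)
{
    # user_agent is &optional in HTTP::Info; guard before reading it.
    if ( ! rec?$user_agent )
        return;

    if ( evil_user_agents !in rec$user_agent )
        return;

    # $id and $uid tie the notice back to conn.log / http.log; $identifier
    # lets the framework collapse repeats from the same host and UA.
    NOTICE([$note=Evil_User_Agent_Seen,
            $msg=fmt("%s used the evil UA: %s", rec$id$orig_h, rec$user_agent),
            $sub=rec$user_agent,
            $id=rec$id,
            $uid=rec$uid,
            $identifier=cat(rec$id$orig_h, rec$user_agent),
            $suppress_for=evil_ua_suppress]);
}
```

Run it the same way as the gist script (`zeek -b <file> -r capture.pcap`) and inspect notice.log rather than stdout.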
@NSkelsey (Author)

> zeek -b evil_user_agent.zeek -r capture.pcap

> zeek -b evil_user_agent.zeek -e "redef EvilUserAgents::evil_user_agents = /^[^curl]/;" -r capture.pcap
