Attacker uses suspicious, default, or spoofed User-Agent strings (e.g., scanning tools or automation frameworks) to probe or exploit web applications
Hunting
Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph
Red Flags
Attacker brute-forces paths:
/admin
/login
/.git
/backup.zip
/.env
Tools commonly used:
ffufgobusterdirsearchwfuzz
Filters
# No User-Agent
http.request and not http.user_agent
# Common tool-based user agents
http.user_agent matches "(?i)(ffuf|gobuster|dirsearch|wfuzz|curl|python|nikto|sqlmap)"
# Common tool-based user agents
http.user_agent contains "gobuster" or
http.user_agent contains "ffuf" or
http.user_agent contains "curl" or
http.user_agent contains "python"