Operator On The Wire
← Back to Knowledge Base
BLUE TEAM / SOC / FILTERING / ATTACKS / APPLICATION LAYER / HTTP / REQUESTS

Dangerous User-Agent

Attacker uses suspicious, default, or spoofed User-Agent strings (e.g., scanning tools or automation frameworks) to probe or exploit web applications


Hunting

Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph


Red Flags

Attacker brute-forces paths:

/admin  
/login  
/.git  
/backup.zip  
/.env

Tools commonly used:

  • ffuf
  • gobuster
  • dirsearch
  • wfuzz

Filters

# No User-Agent 
http.request and not http.user_agent

# Common tool-based user agents
http.user_agent matches "(?i)(ffuf|gobuster|dirsearch|wfuzz|curl|python|nikto|sqlmap)"

# Common tool-based user agents
http.user_agent contains "gobuster" or
http.user_agent contains "ffuf" or
http.user_agent contains "curl" or
http.user_agent contains "python"