User Agent [7.2]

The User Agent string from web server logs (for example, Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36).

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type

String (255 characters maximum)

Aliases

UseAlias

Client Console Full Name

User Agent

Client Console Short Name

User Agent

Web Console Tab/Name

User Agent

Elasticsearch Field Name

userAgent

Rule Builder Column Name

UserAgent

Regex Pattern

<useragent>

NetMon Name

Not applicable

Field Relationships

  • Full URL

Common Applications

  • Web server logs
  • Firewalls

Use Case

  • Detecting malicious or malformed user agents.
  • Searching for user agents as IOCs.

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

Parse the full user agent string into the field.

Examples

  • Juniper SSLVPN

07 31 2007 10:24:57 1.1.1.1 <LOC6:INFO> SSLVPN: id=sslvpn sn=0006222222B74 time="2007-07-31 10:24:57" vp_time="2007-07-31 15:24:57 UTC" fw=1.1.1.1 pri=6 m=18 src=1.1.1.1 dst=1.1.1.1 user="pete.store" usr="pete.store" msg="NetExtender" rule=access-policy proto=NetExtender agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Mozilla/4.0… parses into User Agent.

  • MS IIS Web Log

10 30 2007 15:41:49 USABLDRRECFLOW01/1.1.1.1 <USER:NOTE> Oct 30 15:41:53 recflow/1.1.1.1 IISWebLog 3 2007-10-30 19:41:47 W3SVC414557987 recflow 1.1.1.1 POST /DataPHost2 - 443 - 1.1.1.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+5.2.3790.0;+MS+.NET+Remoting;+MS+.NET+CLR+1.1.4322.2407+) - - Host1 200 0 0 2277 1993 0

Full UserAgent string capture

  • Bluecoat Proxy

2010-03-01 20:23:45 1 1.1.1.1 pete.store safaware\Domain%20Users - OBSERVED "Sports/Recreation" http://espn.go.com/free-online-games/  200 TCP_HIT GET image/jpeg http a.espncdn.com 80 /i/espnarcade/GOM/116x67_gom_touch.jpg - jpg "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" 1.1.1.1 4318 443 -
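
As an added illustration (not LogRhythm's code or MPE rules), the Python sketch below pulls the full user agent out of shortened copies of the three sample logs above and applies the 255-character field limit. The patterns, the truncate-and-flag behaviour, and the `is_malformed` triage check are assumptions made for this example.

```python
import re

MAX_LEN = 255  # field limit given on this page: String (255 characters maximum)

# Illustrative Python patterns, one per sample format (not LogRhythm MPE rules).
PATTERNS = {
    # Juniper SSLVPN: key=value pair agent="..."
    "juniper_sslvpn": re.compile(r'\bagent="(?P<useragent>[^"]*)"'),
    # IIS: space-delimited fields, user agent follows the HTTP version, spaces logged as '+'
    "iis": re.compile(r'\sHTTP/\d\.\d\s(?P<useragent>\S+)'),
    # Blue Coat: last quoted field, followed by four trailing tokens in this sample layout
    "bluecoat": re.compile(r'"(?P<useragent>[^"]*)"(?:\s+\S+){4}\s*$'),
}

def extract_user_agent(source, line):
    """Return (user_agent, was_truncated), or None if no user agent is found."""
    m = PATTERNS[source].search(line)
    if m is None:
        return None
    ua = m.group("useragent")  # kept exactly as logged, '+' encoding included
    # Assumption: over-long values are cut to the field limit and flagged.
    return ua[:MAX_LEN], len(ua) > MAX_LEN

def is_malformed(ua):
    """Hypothetical triage check: empty, placeholder '-', or non-printable characters."""
    return ua in ("", "-") or any(not (32 <= ord(c) < 127) for c in ua)

# Shortened copies of the sample logs on this page.
SAMPLES = {
    "juniper_sslvpn": 'src=1.1.1.1 dst=1.1.1.1 user="pete.store" msg="NetExtender" proto=NetExtender agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    "iis": '2007-10-30 19:41:47 W3SVC414557987 recflow 1.1.1.1 POST /DataPHost2 - 443 - 1.1.1.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+5.2.3790.0;+MS+.NET+Remoting;+MS+.NET+CLR+1.1.4322.2407+) - - Host1 200 0 0 2277 1993 0',
    "bluecoat": '2010-03-01 20:23:45 1 1.1.1.1 pete.store - OBSERVED "Sports/Recreation" http://espn.go.com/free-online-games/ 200 TCP_HIT GET image/jpeg http a.espncdn.com 80 /i/espnarcade/GOM/116x67_gom_touch.jpg - jpg "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727)" 1.1.1.1 4318 443 -',
}

def main():
    for source, line in SAMPLES.items():
        ua, truncated = extract_user_agent(source, line)
        print(f"{source}: truncated={truncated} malformed={is_malformed(ua)} ua={ua}")

if __name__ == "__main__":
    main()
```

The Blue Coat pattern anchors on the end of the line so that the earlier quoted category field ("Sports/Recreation") is not mistaken for the user agent.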