NF – USER_AGENTS Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0)

This alert fires when a client on $HOME_NET sends an outbound HTTP request whose User-Agent header is exactly "Mozilla/5.0" with nothing after it. Every mainstream browser continues that prefix with platform and engine tokens (for example "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ..."), so a bare "Mozilla/5.0" usually comes from a script, a minimal HTTP library, or malware that copied only the first token of a browser string in an attempt to look like a browser. The rule whitelists two patterns: requests whose Host header is download.releasenotes.nokia.com, and requests in which the bare User-Agent is immediately followed by "Connection: Close" as the last header.

Categories:

ID Number

5005000

Signature

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NF - USER_AGENTS Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; fast_pattern:5,20; nocase; http_header; content:!"|0d 0a|Host|3a| download.releasenotes.nokia.com"; http_header; content:!"Mozilla/5.0|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; http_header; reference:url,networkforensic.dk; metadata:27122014; classtype:misc-activity; sid:5005000; rev:12;)
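The following is an added worked example, not code from the original rule page or from networkforensic.dk: a Python re-implementation of the three http_header content checks in sid:5005000, run over constructed sample requests so you can see which ones would alert. The flow, port and network-variable constraints of the rule are not reproduced; only the header-content logic is. The hostnames and paths in the samples are placeholders, except the Nokia host, which is the one the rule itself whitelists.

```python
import re
from typing import Dict, List, Optional

# Fields taken from the rule text above.
SID = 5005000
MSG = "NF - USER_AGENTS Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0)"

# content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; nocase; http_header;
# The CRLF directly after "5.0" is what makes this a *bare* UA: a browser UA such as
# "Mozilla/5.0 (Windows NT 10.0; ...)" continues with a space, so it does not match.
_UA_BARE = re.compile(rb"User-Agent: Mozilla/5\.0\r\n", re.IGNORECASE)

# The two negated contents. Neither carries nocase in the rule, so they are
# case-sensitive, unanchored substring matches, which is how content:! is evaluated.
_HOST_EXC = b"\r\nHost: download.releasenotes.nokia.com"
_CONN_EXC = b"Mozilla/5.0\r\nConnection: Close\r\n\r\n"


def http_headers(request: bytes) -> bytes:
    """Return the request line plus headers, through the blank line that ends them."""
    end = request.find(b"\r\n\r\n")
    return request if end < 0 else request[: end + 4]


def rule_matches(request: bytes) -> bool:
    """True when all three header checks of sid:5005000 pass for this request."""
    hdr = http_headers(request)
    if not _UA_BARE.search(hdr):
        return False          # UA is not a bare "Mozilla/5.0"
    if _HOST_EXC in hdr:
        return False          # whitelisted Nokia release-notes host
    if _CONN_EXC in hdr:
        return False          # bare UA followed by "Connection: Close" as last header
    return True


def header_value(request: bytes, name: bytes) -> Optional[str]:
    """Case-insensitive lookup of one header's value (first occurrence)."""
    pattern = rb"\r\n" + re.escape(name) + rb":[ \t]*([^\r\n]*)\r\n"
    m = re.search(pattern, http_headers(request), re.IGNORECASE)
    return m.group(1).decode("latin-1") if m else None


def alert_record(request: bytes) -> Optional[Dict[str, object]]:
    """The fields an analyst wants first: sid, the Host contacted and the UA sent."""
    if not rule_matches(request):
        return None
    return {"sid": SID, "msg": MSG,
            "host": header_value(request, b"Host"),
            "user_agent": header_value(request, b"User-Agent")}


def scan(requests: Dict[str, bytes]) -> List[str]:
    """Labels of the sample requests that would raise the alert, in input order."""
    return [label for label, req in requests.items() if rule_matches(req)]


# Constructed sample requests (not captured traffic).
SAMPLES: Dict[str, bytes] = {
    # bare UA from a script-like client: alerts
    "bare_ua": (b"GET /update HTTP/1.1\r\n"
                b"Host: updates.example.net\r\n"
                b"User-Agent: Mozilla/5.0\r\n"
                b"Accept: */*\r\n\r\n"),
    # full browser UA: the space after "5.0" defeats the CRLF-anchored content
    "browser_ua": (b"GET / HTTP/1.1\r\n"
                   b"Host: www.example.org\r\n"
                   b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                   b"AppleWebKit/537.36\r\n"
                   b"Accept: text/html\r\n\r\n"),
    # the host the rule whitelists: suppressed
    "nokia_host": (b"GET /notes.txt HTTP/1.1\r\n"
                   b"Host: download.releasenotes.nokia.com\r\n"
                   b"User-Agent: Mozilla/5.0\r\n\r\n"),
    # any Host that merely *starts with* the whitelisted name is also suppressed,
    # because the negated content is an unanchored substring match
    "host_exception_substring": (b"GET /x HTTP/1.1\r\n"
                                 b"Host: download.releasenotes.nokia.com.example\r\n"
                                 b"User-Agent: Mozilla/5.0\r\n\r\n"),
    # second exception: "Connection: Close" is the last header: suppressed
    "conn_close_last": (b"GET /check HTTP/1.1\r\n"
                        b"Host: status.example.net\r\n"
                        b"User-Agent: Mozilla/5.0\r\n"
                        b"Connection: Close\r\n\r\n"),
    # same headers, but one more header follows: the exception no longer applies
    "conn_close_not_last": (b"GET /check HTTP/1.1\r\n"
                            b"Host: status.example.net\r\n"
                            b"User-Agent: Mozilla/5.0\r\n"
                            b"Connection: Close\r\n"
                            b"Accept: */*\r\n\r\n"),
    # nocase on the positive content: lower-case header name and value still alert
    "lowercase_ua": (b"GET / HTTP/1.1\r\n"
                     b"Host: a.example\r\n"
                     b"user-agent: mozilla/5.0\r\n\r\n"),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:26} {'ALERT' if rule_matches(req) else '-'}")
```

Two things the samples make visible that the rule text alone does not: the "Connection: Close" exception only applies when that header is the very last one, so the same client alerts as soon as it appends another header; and both exceptions are unanchored substring matches on headers the client itself writes, so they suppress more than the single host and client they were presumably written for. Treat them as noise reduction, not as a guarantee that suppressed traffic is benign.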

Severity

High

Recommendations/Investigative actions

Identify the internal host that sent the request and, from the flow, the destination address, the Host header and the requested URL. Establish which process on that host is responsible and whether it is expected there: some software updaters, monitoring agents and scripting HTTP libraries send a bare "Mozilla/5.0", and the rule's own exceptions show that benign traffic of this kind exists, so confirm the destination and the process before acting. Look at the rest of the request as well; a real browser also sends Accept, Accept-Language and similar headers, and their absence alongside the bare User-Agent strengthens the case that the client is a script or malware imitating a browser. If the traffic cannot be attributed to an authorized program, block further outbound traffic from the source and examine the host for malware or for a tool that spoofs its User-Agent to blend in with browser traffic.