NF – Web search engine – Sogou

This alert is triggered when an HTTP GET request is sent to a monitored web server with a User-Agent header containing the string "Sogou" (matched case-insensitively), which normally indicates traffic from the Sogou web crawler. Sogou is a Chinese search engine developed by Sogou Inc. and widely used in China for web search, comparable to Google or Bing in other regions. The traffic may be legitimate indexing by the Sogou crawler, but it may also be scraping or reconnaissance by a client that has simply set a Sogou-like User-Agent: the header is supplied by the client and is trivial to forge, so the string alone does not prove the request came from Sogou.

Categories:

ID Number

5022201

Signature

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NF - Web search engine - Sogou"; content:"GET"; nocase; http_method; content:"User-Agent|3a|"; http_header; content:"Sogou"; nocase; http_header; classtype:misc-activity; reference:url,networkforensic.dk; metadata:09102016; sid:5022201; rev:1;)

Severity

Low

Recommendations/Investigative actions

Verify whether Sogou traffic is expected, for example legitimate web crawling of a public site. Do not rely on the User-Agent string alone: confirm that the source IP actually belongs to Sogou (forward-confirmed reverse DNS, or the operator's published crawler address ranges) before treating the client as a search engine, and look at what it requests and how fast. A crawler that ignores robots.txt, hammers the server, or pulls content that is not meant for indexing should be handled as scraping regardless of the header. Note also that the signature matches "Sogou" anywhere in the request headers, not only in User-Agent, so a browser arriving from Sogou search results with a sogou.com Referer will trigger it as well, and it only inspects GET requests. Block or rate-limit Sogou traffic (robots.txt, web server rules, or firewall rules on the verified source ranges) if it is unnecessary.
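The matching logic of the signature above, together with the first investigative step (confirming the source IP rather than trusting the header), as an added example written for this page; it is not code from networkforensic.dk or from Snort/Suricata. The request samples are constructed, the Sogou crawler User-Agent string is used for illustration, and the sogou.com reverse-DNS suffix and the hypothetical helper names are assumptions.

```python
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed sample request heads (not captured traffic). The first uses the
# User-Agent string Sogou documents for its crawler; treat it as illustrative.
SAMPLE_REQUESTS: Dict[str, str] = {
    "sogou_spider": (
        "GET /robots.txt HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "User-Agent: Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)\r\n"
        "\r\n"
    ),
    "lowercase_ua": (
        "GET / HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "User-Agent: sogou-test/1.0\r\n"
        "\r\n"
    ),
    # A browser arriving from Sogou search results: "Sogou" appears in Referer only.
    "referer_only": (
        "GET /page HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Referer: https://www.sogou.com/web?query=example\r\n"
        "\r\n"
    ),
    "post_request": (
        "POST /submit HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "User-Agent: Sogou web spider/4.0\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ),
}


def parse_request_head(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, raw header block, lower-cased header name -> value)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0]
    headers: Dict[str, str] = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, "\r\n".join(header_lines), headers


def sid_5022201_matches(raw: str) -> bool:
    """Mirror the rule's three content matches as written: GET method (nocase),
    the literal "User-Agent:" (case-sensitive, the rule has no nocase on it)
    anywhere in the header buffer, and "Sogou" (nocase) anywhere in the header
    buffer. The last two matches are independent, so "Sogou" in a Referer
    header satisfies the rule just as well as "Sogou" in the User-Agent."""
    method, header_block, _ = parse_request_head(raw)
    return (
        method.upper() == "GET"
        and "User-Agent:" in header_block
        and "sogou" in header_block.lower()
    )


def strict_ua_match(raw: str) -> bool:
    """Tighter check: "Sogou" must be inside the User-Agent value itself (the
    equivalent of matching on the user-agent buffer instead of the whole header
    buffer). This drops the Referer false positive."""
    method, _, headers = parse_request_head(raw)
    return method.upper() == "GET" and "sogou" in headers.get("user-agent", "").lower()


def claimed_crawler_is_plausible(
    src_ip: str,
    reverse_lookup: Callable[[str], Optional[str]],
    forward_lookup: Callable[[str], Iterable[str]],
    allowed_suffixes: Tuple[str, ...] = ("sogou.com",),
) -> bool:
    """Forward-confirmed reverse DNS for the source IP: the PTR name must sit
    under an expected domain and must resolve back to the same IP. The
    "sogou.com" suffix is an assumption; check the operator's documentation.
    Lookups are injected so this runs offline (socket.gethostbyaddr and
    socket.gethostbyname_ex would be the live equivalents)."""
    ptr = reverse_lookup(src_ip)
    if not ptr:
        return False
    name = ptr.rstrip(".").lower()
    if not any(name == s or name.endswith("." + s) for s in allowed_suffixes):
        return False
    return src_ip in set(forward_lookup(name))
```

Running sid_5022201_matches over the samples shows the two behaviours called out above: the Referer-only request fires, the POST with a genuine crawler User-Agent does not. strict_ua_match is the shape of the rule most deployments want; claimed_crawler_is_plausible is the check to run on the source IP before deciding whether the hit is the real crawler or something borrowing its name.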