NF – Web search engine – Sogou
This alert is triggered when an HTTP GET request is sent to a monitored web server and the request headers contain the string "Sogou" (case-insensitive), indicating traffic from the Sogou web search engine crawler. Note that the two http_header content matches in the signature are independent of each other (no distance/within), so "Sogou" appearing in any request header, for example a Referer pointing at a Sogou search results page, triggers the alert as well, not only a Sogou User-Agent.
Sogou is a popular Chinese search engine developed by Sogou Inc. It is widely used in China for internet searches, similar to Google or Bing in other regions.
This traffic may be legitimate search engine crawling or unwanted scraping. Because the User-Agent header is set by the client, a matching string on its own does not prove that the request originated from Sogou.
Signature
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NF - Web search engine - Sogou"; content:"GET"; nocase; http_method; content:"User-Agent|3a|"; http_header; content:"Sogou"; nocase; http_header; classtype:misc-activity; reference:url,networkforensic.dk; metadata:09102016; sid:5022201; rev:1;)
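The following is an added example, not part of the networkforensic.dk rule set: it re-implements the matching logic of sid 5022201 in Python and contrasts it with a stricter check that looks only at the User-Agent value. The sample requests are constructed for illustration (the spider User-Agent string is an assumption, not copied from Sogou's documentation).

```python
"""Re-implementation of the sid 5022201 match logic (added example).

The rule has three content matches: GET in http_method (nocase),
"User-Agent:" in http_header (case-sensitive as written, no nocase) and
"Sogou" in http_header (nocase).  The two http_header contches carry no
distance/within, so they match independently anywhere in the header block.
"""


def split_request(raw: bytes):
    """Return (method, header_block) from a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, _, header_block = head.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    return method, header_block


def matches_sid_5022201(raw: bytes) -> bool:
    """Mirror the rule as written: GET, literal 'User-Agent:' somewhere in
    the headers, and 'sogou' (any case) somewhere in the headers."""
    method, header_block = split_request(raw)
    if method.upper() != b"GET":
        return False
    return b"User-Agent:" in header_block and b"sogou" in header_block.lower()


def user_agent_is_sogou(raw: bytes) -> bool:
    """Stricter variant: only the User-Agent header value counts, header name
    compared case-insensitively as HTTP requires, any request method."""
    _method, header_block = split_request(raw)
    for line in header_block.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return b"sogou" in value.lower()
    return False


# Constructed sample requests (assumed, not captured traffic).
SAMPLES = {
    # Crawler fetching robots.txt: both checks fire.
    "spider": (b"GET /robots.txt HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: Sogou web spider/4.0\r\n\r\n"),
    # Browser user arriving from a Sogou results page: the rule fires on the
    # Referer header even though the User-Agent is an ordinary browser.
    "referer_only": (b"GET /products HTTP/1.1\r\nHost: www.example.com\r\n"
                     b"User-Agent: Mozilla/5.0 (Windows NT 10.0) Chrome/90.0\r\n"
                     b"Referer: https://www.sogou.com/web?query=example\r\n\r\n"),
    # Same crawler UA with POST: the rule is GET-only, so it does not fire.
    "post": (b"POST /search HTTP/1.1\r\nHost: www.example.com\r\n"
             b"User-Agent: Sogou web spider/4.0\r\n\r\n"),
    # Lowercase header name: the rule's 'User-Agent:' content has no nocase,
    # so as written it does not match, while the parsed check still does.
    "lowercase_name": (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                       b"user-agent: Sogou web spider/4.0\r\n\r\n"),
    # Plain browser request with no Sogou string anywhere.
    "chrome": (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: Mozilla/5.0 (Windows NT 10.0) Chrome/90.0\r\n\r\n"),
}


def evaluate_all():
    """Return {label: (rule_fires, user_agent_is_sogou)} for every sample."""
    return {label: (matches_sid_5022201(raw), user_agent_is_sogou(raw))
            for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, (rule, strict) in evaluate_all().items():
        print(f"{label:15s} rule={rule!s:5s} ua_only={strict!s:5s}")
```

The referer_only case is the practical point when triaging this alert: check which header carried the match before treating the source as a crawler, and do not rely on the User-Agent alone for attribution.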
Recommendations/Investigative actions
Verify whether Sogou traffic is expected, for example legitimate crawling of a public website. Check which header carried the match (User-Agent versus another header such as Referer) and confirm that the source address actually belongs to Sogou's crawler infrastructure (reverse DNS, published crawler address ranges) rather than trusting the User-Agent string, which any client can set.
Block or rate-limit Sogou crawler traffic if it is not wanted, for example via robots.txt for compliant crawlers or by filtering the verified crawler source addresses at the network edge.
Relations to other alerts