Forum Discussion
Eric_St__John
Feb 17, 2015 (Employee)
This wouldn't require regex, unless there is more to what you are trying to accomplish.
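    when HTTP_REQUEST {
        # Case-insensitive substring match on the User-Agent header; no regex needed
        if { [string tolower [HTTP::header User-Agent]] contains "sqlmap" } {
            # Drop the connection, then record the client IP and the header that matched
            drop
            log local0. "Client IP:[IP::client_addr] has been blocked with user agent :[HTTP::header User-Agent]"
        }
    }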
Code borrowed from other DevCentral post(s).