Forum Discussion
2 Replies
Sort By
- Eric_St__JohnEmployee
This wouldn't require regex, unless there is more to what you are trying to accomplish.
when HTTP_REQUEST { if { [ string tolower [HTTP::header User-Agent]] contains "sqlmap"} { drop log local0. "Client IP:[IP::client_addr] has been blocked with user agent :[HTTP::header User-Agent]" } }
Code borrowed from other DevCentral post(s).
- Reginald_Sible1Nimbostratus
Nothing more just want to block User-agent: sqlmap*" at all Internet perimeters