In the world of cybersecurity, we’re always looking for an edge—that one piece of data that can turn a mountain of logs into a clear, actionable lead. Often, this secret weapon is hiding in plain sight. Today, we’re diving deep into one of the most common and valuable data points in your network traffic: the User-Agent string.
You’ve seen them in your logs, but are you using them to their full potential? Let’s explore how you can leverage user agents to not only spot common automated scanners but also to uncover sophisticated, unknown threats hiding in your environment.
Think of a User-Agent string as a digital handshake. Whenever your browser or any other application makes an HTTP request to a web server, it sends this string to introduce itself. Its official purpose, as defined by the RFC standards, is to help the server understand how to best deliver content. For example, it tells the server things like:
What browser is making the request? (e.g., Chrome, Firefox, Safari)
What is the browser’s version?
What operating system is it running on? (e.g., Windows, macOS, Linux)
A typical user agent for a Chrome browser on a Windows machine might look something like this:
$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36$
The format is generally one or more product identifiers (like $Mozilla/5.0$) followed by comments in parentheses that provide more detail about the system.
While designed for compatibility, this “fingerprint” is precisely what makes the user agent so valuable for us as defenders. It gives us a baseline of normal activity and a powerful way to spot anomalies.
Some of the most common cybersecurity tools, often used by both attackers and red teams, leave very distinct fingerprints in their user-agent strings. Let’s look at three popular examples.
Hydra is a well-known password-cracking tool that can perform rapid brute-force attacks against dozens of different protocols. When used for web-based attacks, its default user agent is a dead giveaway:
$Mozilla/4.0 (Hydra)$
There are two immediate red flags here for a threat hunter:
The Obvious: The comment field literally says (Hydra). It doesn’t get much clearer than that.
The Subtle: The product version is $Mozilla/4.0$. Most modern browsers use $Mozilla/5.0$. A simple query for this older version across your network could reveal outdated clients or, in this case, a malicious tool trying to blend in poorly.
Nikto is a powerful open-source scanner that checks web servers for thousands of known vulnerabilities. Nikto’s user agents are also quite loud by default:
$Mozilla/5.0 (compatible; Nikto/2.5.0)$
What’s particularly interesting about Nikto is that its user agent often includes information about the specific test it’s running:
$Mozilla/5.00 (Nikto/2.5.0) (Evasions:None) (Test:000001)$
This level of detail is a gift to defenders. Not only can you detect the scan, but you can see exactly which test module was used. You can then look up that test in the Nikto documentation to understand precisely what vulnerability the attacker was searching for.
Nmap is the Swiss Army knife for network discovery and security auditing. While it has many functions, its scripting engine (NSE) can perform HTTP requests, and when it does, it uses a default user agent:
$Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)$
Again, the comment field clearly identifies the tool. An attacker can customize the user agent in all these tools, but you’d be surprised how often they stick with the defaults out of convenience or ignorance.
Detecting known tools is a great start, but what about custom tools or attackers who are savvy enough to change their user agents? This is where baselining and anomaly detection come in. The goal is to move beyond static signatures and start asking, “What looks weird in my environment?”
The key principle is that an attacker doesn’t know what’s normal for you. They might pick a user agent that is common globally, but if it has never been seen on your network before, it’s an outlier worth investigating.
Here’s a simple process to get started:
Establish Your Baseline: Analyze your logs to understand the most common user agents across your user workstations and servers. What version of Chrome is standard? What does the user agent from your internal Java applications look like? You are building a profile of “normal.”
Monitor for Deviations: Set up alerts or run regular hunts for new user agents that have never appeared before. A sudden spike in a previously unseen user agent is a massive red flag. We’ve caught red team engagements just by noticing when a new, unique user agent appeared on the network and when it disappeared.
Look for Unexpected Usage: It’s not just about what the user agent is, but where it’s coming from. For example, if you see a standard macOS Chrome user agent making requests from a Windows server in your data center, that’s highly suspicious. Context is everything.
You have this valuable data all over your network. You just need to know where to look.
Zeek (formerly Bro) Logs: The http.log file in Zeek is a goldmine. It neatly parses every HTTP request, including the user agent, making it easy to script, analyze in tools like Elasticsearch, or load into a Jupyter Notebook.
Packet Captures (PCAP): Tools like Wireshark or Tshark can directly extract user-agent strings from raw network traffic.
Web Server & Application Logs: Services like Apache, Nginx, and IIS can be configured to log the user agent for every incoming request.
Firewall & IDS Logs: Many Intrusion Detection Systems (like Suricata and Snort) come with pre-built rules to detect known malicious user agents (like those for Nikto and Hydra). These alerts often include the full user-agent string for further analysis.
The user-agent string is far more than a simple piece of metadata. It’s a rich, contextual data source that can help you catch automated scanners and hunt for the most elusive threats.
Start by building a baseline of what’s normal in your environment. Then, hunt for the outliers. You might be surprised by what you find hiding in plain sight.
Our products are designed to work with
you and keep your network protected.