re: 01339413

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

re: 01339413

L2 Linker

Hi Team 

 

One of my Customer has configured a custom signature to block the windows 7 machine based on Http request headers. This signature is working but hitting a lot of false positives as well. For example, he can see that window 8 and windows 10 also detected by this signature.

 

The customer has followed this KB article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHeCAK

 

Can you please advise what next can be one 

 

1 REPLY 1

Hi @alal 

 

Looking at the KB you post it seems the OS check comes to regex match in the HTTP header user-agent string.

As a start I would suggest you to check the regex expression and see if its match what it is expected or it needs to be improved. It will be useful if you can past it here.

 

Googling around you should be able to find how different OS versions are described in the user-agent string. My first results says:

For windows 10 it is Windows NT 10.0 for windows 8 it is 6.2, windows 8.1 it is 6.3 and windows 7 it is 6.1.

https://stackoverflow.com/questions/40218173/user-agent-for-windows-7-vs-8-vs-10

So the regex expression should look like:

User-Agent:.+Windows NT 6\.1

 

This is also very useful site - http://www.useragentstring.com/

 

 

  • 4470 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!