<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: logtriage</title>
    <description>The latest articles on DEV Community by logtriage (@logtriage).</description>
    <link>https://dev.to/logtriage</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4014883%2Fdc392349-9969-4dfd-bf9e-4e7e3525fd8d.png</url>
      <title>DEV Community: logtriage</title>
      <link>https://dev.to/logtriage</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/logtriage"/>
    <language>en</language>
    <item>
      <title>Why a curl User-Agent Isn't Automatically Malicious</title>
      <dc:creator>logtriage</dc:creator>
      <pubDate>Sun, 05 Jul 2026 06:38:20 +0000</pubDate>
      <link>https://dev.to/logtriage/why-a-curl-user-agent-isnt-automatically-malicious-393a</link>
      <guid>https://dev.to/logtriage/why-a-curl-user-agent-isnt-automatically-malicious-393a</guid>
      <description>&lt;p&gt;A surprising number of security tools treat user-agent strings as a static blocklist: see &lt;code&gt;curl&lt;/code&gt;, &lt;code&gt;python-requests&lt;/code&gt;, or &lt;code&gt;Go-http-client&lt;/code&gt;, raise an alert. In practice, this produces so many false positives that analysts learn to ignore the alert entirely — which defeats the purpose of having it.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;curl&lt;/code&gt; hitting a public &lt;code&gt;/health&lt;/code&gt; endpoint is completely unremarkable; it's almost certainly a monitoring probe or a developer's smoke test. The same &lt;code&gt;curl&lt;/code&gt; user-agent posting to &lt;code&gt;/api/v1/admin/users&lt;/code&gt; or &lt;code&gt;/api/v1/beacon&lt;/code&gt; is a different story. The string itself didn't change. What changed is the &lt;em&gt;context&lt;/em&gt; — the path being accessed, the response it got, what else that source IP did in the same session.&lt;/p&gt;

&lt;p&gt;This is why context-aware risk scoring doesn't operate on the user-agent alone. A suspicious user-agent match is one signal among several: path sensitivity, ASN reputation, IP threat intelligence, and behavioral patterns from session grouping all feed into the same score. A compound-signal rule specifically rewards combinations — three or more independent high-severity indicators on the same event get a 1.25× multiplier. A &lt;code&gt;curl&lt;/code&gt; request to a low-sensitivity endpoint from a clean IP stays low risk. The same user-agent on a sensitive admin path, from an ASN already flagged in a threat intelligence feed, compounds quickly.&lt;/p&gt;

&lt;p&gt;The broader principle: a security tool that can't tell &lt;code&gt;curl&lt;/code&gt; apart by context isn't actually doing risk assessment — it's pattern matching with an extra step.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;I build &lt;a href="https://logtriage.app" rel="noopener noreferrer"&gt;LogTriage&lt;/a&gt; and publish a free, validated Sigma detection-rule library — each rule tested against a real sample log before it ships: &lt;a href="https://logtriage.app/rules/" rel="noopener noreferrer"&gt;logtriage.app/rules&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cybersecurity</category>
      <category>detection</category>
      <category>devops</category>
    </item>
  </channel>
</rss>
