예제 #1
 /**
  * Build one outgoing HTTP User-Agent rule for an attribute and append it to $this->rules.
  *
  * The attribute value ends up inside a double-quoted content:"..." option, so the
  * generated rule is only well-formed if NidsExport::replaceIllegalChars() neutralises
  * every character that could close the quoted string or end the option.
  * NOTE(review): that helper is not visible here; confirm it covers '"', ';' and '\'.
  *
  * @param string $ruleFormat sprintf() format for a full rule; it is given twelve arguments
  *                           in the order used below.
  * @param array  $attribute  Attribute record; only $attribute['value'] is read.
  * @param int    $sid        Signature id written into the rule. Taken by reference, but
  *                           only read in this method.
  */
 public function userAgentRule($ruleFormat, $attribute, &$sid)
 {
     // The whitelist is consulted with the raw value, before any character substitution.
     $isWhitelisted = $this->checkWhitelist($attribute['value']);

     // substitute chars not allowed in rule
     $userAgent = NidsExport::replaceIllegalChars($attribute['value']);

     // A whitelisted value is still emitted, but with a marker prefix instead of being dropped.
     if ($isWhitelisted) {
         $prefix = '#OVERRULED BY WHITELIST# ';
     } else {
         $prefix = '';
     }

     // warning: only suricata compatible
     $options = 'flow:to_server,established; content:"'
         . $userAgent
         . '"; fast_pattern; http_user_agent;';

     $message = 'Outgoing User-Agent: ' . $userAgent;

     $this->rules[] = sprintf(
         $ruleFormat,
         $prefix,
         'http',
         '$HOME_NET',
         'any',
         '->',
         '$EXTERNAL_NET',
         'any',
         $message,
         $options,
         'tag:session,600,seconds;',
         $sid,
         1
     );
 }