aheh/bit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #16 from sjdonado/automated/update-parsers

Browse Source 
chore: Update UA regexes and GeoLite2 database
This commit is contained in:
Juan Rodriguez Donado
2026-05-05 08:27:37 +02:00
committed by GitHub
parent adfebe9d63 2a4264e4c5
commit 2c55ebf406
2 changed files with 131 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
data/GeoLite2-Country.mmdb
BIN
View File
Binary file not shown.
data/uap_core_regexes.yaml
+131 -4
View File
@@ -93,6 +93,10 @@ user_agent_parsers:
- regex: '(NewRelicPinger)/(\d+)\.(\d+)'
family_replacement: 'NewRelicPingerBot'
# Dynatrace/Ruxit synthetic monitor
- regex: '(RuxitSynthetic)/(\d+)\.(\d+)'
family_replacement: 'Ruxit Synthetic'
# Tableau
- regex: '(Tableau)/(\d+)\.(\d+)'
family_replacement: 'Tableau'
@@ -206,7 +210,12 @@ user_agent_parsers:
- regex: '\[(Pinterest)/[^\]]{1,50}\]'
- regex: '(Pinterest)(?: for Android(?: Tablet|)|)/(\d+)(?:\.(\d+)|)(?:\.(\d+)|)'
# Instagram app
# iOS Instagram embeds the token inside a full WebKit UA:
# Mozilla/5.0 (iPhone; ...) Mobile/... Instagram VERSION (...)
# Android Instagram uses a bare format with no browser wrapper:
# Instagram VERSION Android (...)
- regex: 'Mozilla.{1,200}Mobile.{1,100}(Instagram).(\d+)\.(\d+)\.(\d+)'
- regex: '(Instagram) (\d+)\.(\d+)\.(\d+)'
# Flipboard app
- regex: 'Mozilla.{1,200}Mobile.{1,100}(Flipboard).(\d+)\.(\d+)\.(\d+)'
# Flipboard-briefing app
@@ -228,6 +237,9 @@ user_agent_parsers:
# KakaoTalk
- regex: 'Mozilla.{1,200}Mobile.{1,100}(KAKAOTALK)/(\d+)\.(\d+)\.(\d+)'
family_replacement: 'KakaoTalk'
# Telegram
- regex: '(Telegram-Android)/(\d+)\.(\d+)\.(\d+)'
family_replacement: 'Telegram'
# Phantom app
- regex: 'Mozilla.{1,200}Mobile.{1,100}(Phantom\/ios|Phantom\/android).(\d+)\.(\d+)\.(\d+)'
@@ -248,6 +260,10 @@ user_agent_parsers:
- regex: '(PaleMoon)/(\d+)\.(\d+)(?:\.(\d+)|)'
family_replacement: 'Pale Moon'
# Camoufox - anti-detect Firefox fork for web scraping/automation; replaces the
# Firefox version token with "Camoufox Camoufox VERSION" in the UA string
- regex: '(Camoufox) Camoufox (\d+)\.(\d+)'
# Firefox
- regex: '(Fennec)/(\d+)\.(\d+)\.?([ab]?\d+[a-z]*)'
family_replacement: 'Firefox Mobile'
@@ -296,7 +312,7 @@ user_agent_parsers:
# UC Browser
# we need check it before opera. In other case case UC Browser detected look like Opera Mini
- regex: '(UC? ?Browser|UCWEB|U3)[ /]?(\d+)\.(\d+)\.(\d+)'
- regex: '(UC? ?Browser|UCWEB|UCMobile|U3)[ /]?(\d+)\.(\d+)\.(\d+)'
family_replacement: 'UC Browser'
# Opera will stop at 9.80 and hide the real version in the Version string.
@@ -321,6 +337,14 @@ user_agent_parsers:
- regex: '(?:Chrome).{1,300}(OPR)/(\d+)\.(\d+)\.(\d+)'
family_replacement: 'Opera'
# Opera GX uses "OPX" instead of "OPR"
- regex: '(OPX)/(\d+)\.(\d+)(?:\.(\d+)|)'
family_replacement: 'Opera GX'
# Opera Touch uses "OPT"
- regex: '(OPT)/(\d+)\.(\d+)(?:\.(\d+)|)'
family_replacement: 'Opera Touch'
# Opera Coast
- regex: '(Coast)/(\d+).(\d+).(\d+)'
family_replacement: 'Opera Coast'
@@ -517,7 +541,7 @@ user_agent_parsers:
family_replacement: 'HiBrowser'
# Honor Browser
- regex: '(HonorBrowser)/(\d+)\.(\d+)\.(\d+)\.(\d+)'
- regex: '(HonorBrowser)/(\d+)\.(\d+)\.(\d+)(?:\.(\d+)|)'
family_replacement: 'Honor Browser'
# Honor Browser
@@ -640,7 +664,7 @@ user_agent_parsers:
family_replacement: 'Quark PC'
# Smart Lenovo Browser
- regex: '(SLBrowser)/(\d+)\.(\d+)\.(\d+)\.(\d+) SLBChan/(\d+)'
- regex: '(SLBrowser)/(\d+)\.(\d+)\.(\d+)'
family_replacement: 'Smart Lenovo Browser'
# Atom Browser
@@ -704,7 +728,7 @@ user_agent_parsers:
family_replacement: 'SmartTV WebBrowser'
# WeChat Browser
- regex: '(MicroMessenger)/(\d+)\.(\d+)\.(\d+)'
- regex: '(MicroMessenger)/(\d+)\.(\d+)(?:\.(\d+)|)'
family_replacement: 'WeChat Browser'
# Odin Browser
@@ -726,6 +750,19 @@ user_agent_parsers:
- regex: '(Mypal)/(\d+)\.(\d+)\.(\d+)'
family_replacement: 'Mypal Browser'
# Chess.com native app
- regex: '(Chesscom-Android)/(\d+)\.(\d+)\.(\d+)'
# Roblox native app
- regex: '(RobloxApp)/(\d+)\.(\d+)\.(\d+)'
family_replacement: 'Roblox App'
# Roadrunner iOS app (not the legacy Time Warner Cable ISP identifier)
- regex: '(Roadrunner)/IOS/\d+/(\d+)\.(\d+)\.(\d+)'
# Ancestry.com Android app
- regex: '(AncestryAndroid)/(\d+)\.(\d+)(?:\.(\d+)|)'
#### END SPECIAL CASES TOP ####
#### MAIN CASES - this catches > 50% of all browsers ####
@@ -823,6 +860,96 @@ user_agent_parsers:
# Browser/major_version.minor_version
- regex: '(bingbot|Bolt|AdobeAIR|Jasmine|IceCat|Skyfire|Midori|Maxthon|Lynx|Arora|IBrowse|Dillo|Camino|Shiira|Fennec|Phoenix|Flock|Netscape|Lunascape|Epiphany|WebPilot|Opera Mini|Opera|NetFront|Netfront|Konqueror|Googlebot|SeaMonkey|Kazehakase|Vienna|Iceape|Iceweasel|IceWeasel|Iron|K-Meleon|Sleipnir|Galeon|GranParadiso|iCab|iTunes|MacAppStore|NetNewsWire|Space Bison|Stainless|Orca|Dolfin|BOLT|Minimo|Tizen Browser|Polaris|Abrowser|Planetweb|ICE Browser|mDolphin|qutebrowser|Otter|QupZilla|MailBar|kmail2|YahooMobileMail|ExchangeWebServices|ExchangeServicesClient|Dragon|Outlook-iOS-Android)/(\d+)\.(\d+)(?:\.(\d+)|)'
# Qt Web Engine embedded browser, must be before Chrome
- regex: '(QtWebEngine)/(\d+)\.(\d+)\.(\d+)'
family_replacement: 'Qt Web Engine'
# OpenWave browser (Chromium-based), must be before Chrome
- regex: '(OpenWave)/(\d+)\.(\d+)\.(\d+)'
family_replacement: 'Open Wave'
# AtContent - confirmed APT29/Nobelium (Cozy Bear) C2 malware marker. The implant
# (AcroSup.dll, side-loaded via Adobe WCChromeNativeMessagingHost.exe) uses a hardcoded
# UA of the form 'Chrome/100.0.4896.75 Safari/537.36 AtContent/91.5.2444.45' to
# communicate with Dropbox C2. Also observed appended after Edg/ tokens.
# Source: Cluster25/DuskRise 'Cozy Smuggled Into the Box', May 2022
# (https://www.duskrise.com/2022/05/13/cozy-smuggled-into-the-box-apt29-abusing-legitimate-software-for-targeted-operations-in-europe/)
- regex: '(AtContent)/(\d+)\.(\d+)\.(\d+)'
# Trailer - suspicious fake UA token appended to Chrome/Edge/Opera UA strings
# (TOKEN/MAJOR.MINOR.BUILD.PATCH). No known legitimate browser uses this token.
# Structurally identical to AtContent (confirmed APT29/Nobelium C2 marker; see
# Cluster25/DuskRise 'Cozy Smuggled Into the Box', May 2022). Unconfirmed attribution;
# may be same actor rotating token names or a copycat using the same spoofing technique.
- regex: '(Trailer)/(\d+)\.(\d+)\.(\d+)'
# Agency - suspicious fake UA token appended to Chrome UA strings
# (TOKEN/MAJOR.MINOR.BUILD.PATCH). No known legitimate browser uses this token.
# Structurally identical to AtContent (confirmed APT29/Nobelium C2 marker; see
# Cluster25/DuskRise 'Cozy Smuggled Into the Box', May 2022). Unconfirmed attribution;
# may be same actor rotating token names or a copycat using the same spoofing technique.
- regex: '(Agency)/(\d+)\.(\d+)\.(\d+)'
# Herring - suspicious fake UA token appended to Chrome UA strings
# (TOKEN/MAJOR.MINOR.BUILD.PATCH). No known legitimate browser uses this token.
# Structurally identical to AtContent (confirmed APT29/Nobelium C2 marker; see
# Cluster25/DuskRise 'Cozy Smuggled Into the Box', May 2022). Unconfirmed attribution;
# may be same actor rotating token names or a copycat using the same spoofing technique.
- regex: '(Herring)/(\d+)\.(\d+)\.(\d+)'
# Config - suspicious fake UA token appended to Chrome UA strings
# (TOKEN/MAJOR.MINOR.BUILD.PATCH). No known legitimate browser uses this token.
# Structurally identical to AtContent (confirmed APT29/Nobelium C2 marker; see
# Cluster25/DuskRise 'Cozy Smuggled Into the Box', May 2022). Unconfirmed attribution;
# may be same actor rotating token names or a copycat using the same spoofing technique.
- regex: '(Config)/(\d+)\.(\d+)\.(\d+)'
# Viewer - suspicious fake UA token appended to Chrome UA strings
# (TOKEN/MAJOR.MINOR.BUILD.PATCH). No known legitimate browser uses this token.
# Structurally identical to AtContent (confirmed APT29/Nobelium C2 marker; see
# Cluster25/DuskRise 'Cozy Smuggled Into the Box', May 2022). Unconfirmed attribution;
# may be same actor rotating token names or a copycat using the same spoofing technique.
- regex: '(Viewer)/(\d+)\.(\d+)\.(\d+)'
# LikeWise - suspicious fake UA token appended to Chrome UA strings
# (TOKEN/MAJOR.MINOR.BUILD.PATCH). No known legitimate browser uses this token.
# Structurally identical to AtContent (confirmed APT29/Nobelium C2 marker; see
# Cluster25/DuskRise 'Cozy Smuggled Into the Box', May 2022). Unconfirmed attribution;
# may be same actor rotating token names or a copycat using the same spoofing technique.
- regex: '(LikeWise)/(\d+)\.(\d+)\.(\d+)'
# Unique - suspicious fake UA token appended to Chrome/Opera UA strings
# (TOKEN/MAJOR.MINOR.BUILD.PATCH). No known legitimate browser uses this token.
# Structurally identical to AtContent (confirmed APT29/Nobelium C2 marker; see
# Cluster25/DuskRise 'Cozy Smuggled Into the Box', May 2022). Unconfirmed attribution;
# may be same actor rotating token names or a copycat using the same spoofing technique.
- regex: '(Unique)/(\d+)\.(\d+)\.(\d+)'
# CitizenFX - embedded Chromium browser in FiveM/RedM (GTA V / RDR2 game mod frameworks)
- regex: '(CitizenFX)/(\d+)\.(\d+)\.(\d+)'
# R2Client - R2Games game launcher embedded browser (CEF-based)
- regex: '(R2Client)/(\d+)\.(\d+)(?:\.(\d+)|)'
# OBS Studio embedded browser (CEF-based, used for browser sources/docks)
- regex: '(OBS)/(\d+)\.(\d+)\.(\d+)'
family_replacement: 'OBS Studio'
# Adobe CEP - embedded Chromium runtime for extension panels in Adobe CC apps
- regex: '(AdobeCEP)/(\d+)\.(\d+)\.(\d+)'
family_replacement: 'Adobe CEP'
# Steam embedded browsers; version from Chrome. Must be before Chrome.
# GameOverlay = in-game overlay browser (Shift+Tab)
- regex: 'Valve Steam (GameOverlay).{1,200}Chrome/(\d+)\.(\d+)\.(\d+)'
family_replacement: 'Steam GameOverlay'
# Steam Deck built-in browser
- regex: 'Valve Steam (Gamepad)/Steam Deck.{1,200}Chrome/(\d+)\.(\d+)\.(\d+)'
family_replacement: 'Steam Deck'
# Steam desktop client browser
- regex: '(Valve(?: Steam|) Client).{1,200}Chrome/(\d+)\.(\d+)\.(\d+)'
family_replacement: 'Steam Client'
# Chrome/Chromium/major_version.minor_version
- regex: '(Chromium|Chrome)/(\d+)\.(\d+)(?:\.(\d+)|)(?:\.(\d+)|)'