I was trying to write signatures for detecting connections to a mail server.
'http-request-header' followed by the payload to be matched.
ip-proto == tcp
tcp-state established
event "Connection to Mail server"
When I tried to start bro, I got the following error message:
"parse error at line x:", i.e., at the line where I have mentioned
I did load the analyzers.
Can anyone suggest a way to handle this problem?
Oh, I'm sorry about that. The documentation talks about
http-request-header but it appears that the code for it never made
it into the distribution. I recall that I implemented this a long
time ago but somehow it got lost.
So for the time being, this functionality is actually not there. If
you depend on it, it wouldn't be too difficult to add it again.
> Oh, I'm sorry about that.
> If you depend on it, it wouldn't be too difficult to add it again.
That's good. Can you suggest how to add it?
If you give me a few days, I'll take a look at it.
However, if you really want to give it a try yourself (which is
always appreciated!), grep for "Rule::HTTP" across the source to see
how it is done for HTTP URLs (the "http" signature keyword).
http-request-header can be added in a similar fashion.
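Added example, not from the thread and not code from the Bro distribution: a signature file that reaches the original goal (flagging connections to a mail server) using only keywords that already ship, namely `payload`, `dst-port`, `tcp-state` and the `http` URI keyword the reply above points to, so it parses without http-request-header. The signature names, the file name mail.sig, the port list and the webmail path pattern are assumptions made for illustration.

```bro
# mail.sig (assumed file name; load it with "bro -s mail.sig")
# Added example, not from the thread or the Bro distribution.

# 1) SMTP: the server answers the handshake with a "220 <host> ESMTP ..."
#    banner. Match that banner coming back from the responder on the usual
#    SMTP ports instead of relying on an HTTP request header.
signature mail-server-smtp {
    ip-proto == tcp
    # port list is an assumption; adjust to the ports your mail server uses
    dst-port == 25,587
    # only look at payload sent by the responder (the server) once the
    # session is established
    tcp-state established,responder
    # "220" followed by space or hyphen, then anything up to SMTP/ESMTP
    payload /^220[ -].*SMTP/
    event "Connection to Mail server"
}

# 2) Webmail over HTTP: the "http" keyword (the one Rule::HTTP implements)
#    is matched against the decoded request URI, so a path fragment in the
#    URI can stand in for a request-header match. The "/webmail/" pattern
#    is a constructed placeholder; a slash inside a Bro regex is escaped as \/.
signature webmail-http {
    ip-proto == tcp
    dst-port == 80
    http /\/webmail\//
    event "Connection to Mail server (webmail)"
}
```

On a match, the string given to `event` is delivered as the `msg` argument of the `signature_match` event, which the stock signature policy writes to the signature/alarm log; a custom handler for `signature_match` can act on it instead. The SMTP signature keys on the server's banner rather than on the port alone, so a mail server listening on a non-standard port is still caught once its port is added to the list, while a non-mail service on port 25 is not.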