I was trying to write signatures for detecting connections to a mail server.
I used 'http-request-header' followed by the payload to be matched.
    signature abcd
    {
        ip-proto == tcp
        tcp-state established        # keyword is hyphenated: tcp-state
        event "Connection to Mail server"
        http-request-header /.*mail/ # parser stops here (see below)
    }
When I tried to start bro, I got the following error message:
"parse error at line x:", i.e., at the line where I mentioned
http-request-header.
I did load the analyzers.
Oh, I'm sorry about that. The documentation talks about
http-request-header but it appears that the code for it never made
it into the distribution. I recall that I implemented this a long
time ago but somehow it got lost.
So for the time being, this functionality is actually not there. If
you depend on it, it wouldn't be too difficult to add it again
though.
If you give me a few days, I'll take a look at it.
However, if you really want to give it a try yourself (which is
always appreciated!), grep for "Rule::HTTP" across the source to see
how it is done for HTTP URLs (the "http" signature keyword).
http-request-header can be added in a similar fashion.