[Bro] Problem in using 'http-request-header' in Signatures

Jaya Dhanesh dhanesh at tataelxsi.co.in
Tue Sep 26 02:11:01 PDT 2006


I was trying to write signatures for detecting connections to a mail server.
I used 'http-request-header' followed by the payload to be matched.

	signature abcd
		ip-proto == tcp
		tcp state established
		event "Connection to Mail server"
		http-request-header /.*mail/

When I tried to start bro, I got the following error message:
"parse error at line x:" i.e., at the line where I have mentioned
I did load the analyzers.

Can anyone suggest a way to handle this problem?

