Decoder: Nodes

Document created by RSA Information Design and Development on Apr 21, 2016
Version 1Show Document
  • View in full screen mode
 
  

This topic defines language for the flex parser nodes.

Nodes Language Definition

                                                                                                                                                                                                                            
Node NameAttribute NameDescription
parsers The root node in each definition file.
 xmins:xsiDefines the namespace to use for the schema inclusion. This attribute is not required; however, language definition is not possible without it. This node must have the following value: http://www.w3.org/2001/XMLSchema-instance
 xsi:noNamespaceSchemaLocationDefines the XSD schema validation file used to validate the language definition. This attribute is not required; however, language definition is not possible without it. This node must have the following value: parsers.xsd
parser The node that defines a single parser definition. This node must be directly under the parsers node. There can be more than one per file.
 nameThe name that uniquely identifies the parser. This name should be short and succinct. This is used by the system to allow enabling and disabling. It should contain only the letters [a-z] and [A-Z].
 descThis node provides a friendly description of what the parser does.
 serviceThis is the unique number assigned to the session when identified.
declaration  The node that delineates the definition. Each of these definitions can have an associated match entry.
token Specifies a definition for identifying a token somewhere in the session protocol. This defines a match callback when the specified tokens are encountered in a session payload. The read position is set to the byte immediately following the matched token.
 nameThis is a unique identifier for the declaration.
 valueThis is the exact token value to be identified.
 optionsOptions specify that the token should start on a new line or at an end of a line (linestart or linestop).
meta-callback  Registers a callback for the flex parser whenever meta of a specific format is created. This can be further qualified to generate callbacks only for sessions that have been identified as a specific apptype (e.g. 80 for http).
 nameName of the match element to be executed when a callback occurs. (String)
 keyName of the meta key that generates callbacks. (String)
 formatThe data type of the meta key that will generate the meta.
 apptypeThe meta callback is only generated if the session being parsed has been identified with the specified apptype. (Unsigned Integer, Optional)
number Defines a numeric variable that can be referenced elsewhere within the parser definition. All numeric values are 64-bit unsigned values.
 nameThis is a unique identifier for the declaration.
 scope (optional)Specifies when to reset the variable. This can either be for each side of a two-sided session or only after a new session is detected. The possible values are global, constant, stream, and session (default).
string Defines a numeric variable that can be referenced elsewhere within the parser definition.
 nameThis is a unique identifier for the declaration.
 scope (optional)Specifies when to reset the variable. This can either be for each side of a two-sided session or only after a new session is detected. The possible values are global, constant, stream, and session (default).
port Defines a match callback when a session is encountered using the specified port. The read position is set to the first byte of the first stream (client) in the session.
 nameThis is a unique identifier for the declaration.
 valueThis is the port number to identify.
session Defines a match callback for session begin/end events. These events only occur if a token for the parser is encountered in the session.
 nameThis is a unique identifier for the declaration.
 valueSpecifies that processing takes place at the beginning of a new session or at the end of a session (begin or end).
stream Defines a match callback for stream begin/end events. These events only occur if a token for the parser is encountered in the stream. 
 nameThis is a unique identifier for the declaration
 valueSpecifies that processing takes place at the beginning or at the end of a stream (begin or end). 
function Defines a match section that can be used as a generic function. No callbacks are associated with this declaration. 
 nameThis is a unique identifier for the declaration.
meta Defines the type of data that the parser will create.
 keySpecifies the key name. The key needs to be 1-16 bytes in size.
 formatSpecifies the variant type (e.g. Text, IPv4, UInt32). Refer to the SDK documentation for a full list. 
pattern Defines a regular expression variable for use by the regex function
 nameThis is a unique identifier for the declaration.
 scope (optional)Specifies when to reset the variable. This can be for each side of a two-sided session or only after a new session is detected. Possible values are global, constant, stream, and session (default). 
 value (optional)Specifies a regular expression to assign to the pattern variable. This attribute is only valid when the scope attribute is set to constant
match 
The possible entries for taking an action once a match criterion has been found for a declaration. These nodes can be nested to provide deeper logic. There are several categories of execution elements (functions) that can appear as children of a match element:
  • General
  • Arithmetic
  • String
  • Payload

Attachments

    Outcomes