Decoder: Common Parser Operations

Document created by RSA Information Design and Development on Jul 26, 2016. Last modified by RSA Information Design and Development on Sep 28, 2016.
Version 4

This topic includes five common parser operations.

Match Port and Identify Immediately

<?xml version="1.0" encoding="utf-8"?>
<parsers
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:noNamespaceSchemaLocation="parsers.xsd">
  <parser name="CustApp" desc="Acme Custom App" service="45324">
    <declaration>
      <!-- Matches sessions on port 45324 -->
      <port name="port" value="45324" />
    </declaration>
    <match name="port">
      <!-- Identify the service as soon as the port matches -->
      <identify />
    </match>
  </parser>
</parsers>

Match Port and Delay Identification

<?xml version="1.0" encoding="utf-8"?>
<parsers
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:noNamespaceSchemaLocation="parsers.xsd">
  <parser name="MSRPC" desc="Microsoft RPC protocol" service="135">
    <declaration>
      <port name="port" value="135" />
      <number name="state" scope="session" />
      <session name="end" value="end" />
    </declaration>
    <match name="port">
      <!-- Record the port match; identification is deferred -->
      <assign name="state" value="1" />
    </match>
    <match name="end">
      <!-- At session end, identify only if the port matched earlier -->
      <if name="state" equal="1">
        <identify />
      </if>
    </match>
  </parser>
</parsers>

Match Token and Identify Immediately

<?xml version="1.0" encoding="utf-8"?>
<parsers
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:noNamespaceSchemaLocation="parsers.xsd">
  <parser name="RDP" desc="Remote Desktop Protocol" service="3389">
    <declaration>
      <token name="signature" value="Cookie: mstshash=" />
    </declaration>
    <match name="signature">
      <!-- Identify the service as soon as the token is seen -->
      <identify />
    </match>
  </parser>
</parsers>

Match Multiple Tokens

<?xml version="1.0" encoding="utf-8"?>
<parsers
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:noNamespaceSchemaLocation="parsers.xsd">
  <parser name="MyServiceMultiToken" desc="Multiple Tokens" service="333">
    <declaration>
      <number name="state" scope="stream" />
      <token name="user" value="USER " />
      <token name="pass" value="PASS " />
      <session name="session" value="end" />
    </declaration>
    <match name="user">
      <!-- Set bit 1 when the USER token is seen -->
      <or name="state" value="1" />
    </match>
    <match name="pass">
      <!-- Set bit 2 when the PASS token is seen -->
      <or name="state" value="2" />
    </match>
    <match name="session">
      <!-- state equals 3 only when both bits are set, i.e. both tokens matched -->
      <if name="state" equal="3">
        <identify />
      </if>
    </match>
  </parser>
</parsers>
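The following is an added illustration, not RSA's code and not the Decoder's actual engine: a simplified model of the Match Multiple Tokens sample showing why identification happens only when `state` reaches 3 (1 OR 2), whatever order the tokens arrive in. It assumes a token is a plain byte-substring match, ignores `scope`, and fires the session `end` match once after the payload; `simulate`, `run_actions` and the payloads are hypothetical names and constructed data.

```python
import xml.etree.ElementTree as ET

# Parser definition from the "Match Multiple Tokens" sample (schema attributes omitted).
PARSER_XML = """<parsers>
  <parser name="MyServiceMultiToken" desc="Multiple Tokens" service="333">
    <declaration>
      <number name="state" scope="stream" />
      <token name="user" value="USER " />
      <token name="pass" value="PASS " />
      <session name="session" value="end" />
    </declaration>
    <match name="user"><or name="state" value="1" /></match>
    <match name="pass"><or name="state" value="2" /></match>
    <match name="session"><if name="state" equal="3"><identify /></if></match>
  </parser>
</parsers>"""

def run_actions(node, state, result):
    """Execute the children of a <match> or <if> element (modeled subset only)."""
    for act in node:
        if act.tag == "or":
            state[act.get("name")] |= int(act.get("value"))
        elif act.tag == "if" and state[act.get("name")] == int(act.get("equal")):
            run_actions(act, state, result)
        elif act.tag == "identify":
            result["service"] = result["candidate"]

def simulate(xml_text, payload):
    """Return the service number if the parser identifies the payload, else None."""
    parser = ET.fromstring(xml_text).find("parser")
    decl = parser.find("declaration")
    state = {n.get("name"): 0 for n in decl.findall("number")}
    tokens = {t.get("name"): t.get("value").encode() for t in decl.findall("token")}
    session_events = {s.get("name") for s in decl.findall("session")}
    matches = {m.get("name"): m for m in parser.findall("match")}
    result = {"candidate": parser.get("service"), "service": None}
    # Fire token matches in the order the tokens appear in the payload.
    hits = sorted((payload.find(v), n) for n, v in tokens.items() if v in payload)
    for _, name in hits:
        if name in matches:
            run_actions(matches[name], state, result)
    # Then fire session-end matches once, after all payload bytes were seen.
    for name in matches.keys() & session_events:
        run_actions(matches[name], state, result)
    return result["service"]

# Constructed payloads (not captured traffic).
BOTH = b"USER alice\r\nPASS example\r\n"
USER_ONLY = b"USER alice\r\nQUIT\r\n"
```

`simulate(PARSER_XML, BOTH)` returns the service number, while `simulate(PARSER_XML, USER_ONLY)` returns `None` because only bit 1 is set at session end.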

Match Token and Create Metadata

<?xml version="1.0" encoding="utf-8"?>
<parsers
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:noNamespaceSchemaLocation="parsers.xsd">
  <parser name="SHELL" desc="Command Shell Identification">
    <declaration>
      <token name="cmd.exe" value=" (C) Copyright 1985-2001 Microsoft Corp" options="linestart" />
      <meta name="client" key="client" format="Text" />
    </declaration>
    <match name="cmd.exe">
      <!-- Write "MS Command Shell" to the client meta key when the banner matches -->
      <register name="client" value="MS Command Shell" />
    </match>
  </parser>
</parsers>

