Decoder: Common Parser Operations

Document created by RSA Information Design and Development Employee on Sep 13, 2017. Last modified by RSA Information Design and Development Employee on Apr 23, 2020. Version 21.

This topic provides examples of five common parser operations.

Match Port and Identify Immediately

<?xml version="1.0" encoding="utf-8"?>
<parsers
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="parsers.xsd">
  <parser name="CustApp" desc="Acme Custom App" service="45324">
    <declaration>
      <port name="port" value="45324" />
    </declaration>
    <!-- Identify the session as soon as the declared port matches -->
    <match name="port">
      <identify />
    </match>
  </parser>
</parsers>

Match Port and Delay Identification

<?xml version="1.0" encoding="utf-8"?>
<parsers
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="parsers.xsd">
  <parser name="MSRPC" desc="Microsoft RPC protocol" service="135">
    <declaration>
      <port name="port" value="135" />
      <number name="state" scope="session" />
      <session name="end" value="end" />
    </declaration>
    <!-- Record the port match in the session-scoped state variable -->
    <match name="port">
      <assign name="state" value="1" />
    </match>
    <!-- At session end, identify only if the port match was recorded -->
    <match name="end">
      <if name="state" equal="1">
        <identify />
      </if>
    </match>
  </parser>
</parsers>

Match Token and Identify Immediately

<?xml version="1.0" encoding="utf-8"?>
<parsers
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="parsers.xsd">
  <parser name="RDP" desc="Remote Desktop Protocol" service="3389">
    <declaration>
      <token name="signature" value="Cookie: mstshash=" />
    </declaration>
    <!-- Identify the session as soon as the token is seen -->
    <match name="signature">
      <identify />
    </match>
  </parser>
</parsers>

Match Multiple Tokens

<?xml version="1.0" encoding="utf-8"?>
<parsers
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="parsers.xsd">
  <parser name="MyServiceMultiToken" desc="Multiple Tokens" service="333">
    <declaration>
      <number name="state" scope="stream" />
      <token name="user" value="USER " />
      <token name="pass" value="PASS " />
      <session name="session" value="end" />
    </declaration>
    <!-- Each token sets its own bit in state: USER sets 1, PASS sets 2 -->
    <match name="user">
      <or name="state" value="1" />
    </match>
    <match name="pass">
      <or name="state" value="2" />
    </match>
    <!-- state equals 3 only when both tokens were seen -->
    <match name="session">
      <if name="state" equal="3">
        <identify />
      </if>
    </match>
  </parser>
</parsers>

Match Token and Create Metadata

<?xml version="1.0" encoding="utf-8"?>
<parsers
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="parsers.xsd">
  <parser name="SHELL" desc="Command Shell Identification">
    <declaration>
      <token name="cmd.exe" value=" (C) Copyright 1985-2001 Microsoft Corp" options="linestart" />
      <meta name="client" key="client" format="Text" />
    </declaration>
    <!-- Register "client" metadata when the command shell banner is seen -->
    <match name="cmd.exe">
      <register name="client" value="MS Command Shell" />
    </match>
  </parser>
</parsers>
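
A small tag or quote error, or a match that names an undeclared token, is easy to miss in definitions like the five above. The following pre-deployment check is an added example, not RSA code or part of the original page: the function name lint_flex_parser and the reference rules it enforces are assumptions inferred from the examples on this page, and the sample inputs are constructed.

```python
import xml.etree.ElementTree as ET

# Reference rules assumed from the examples on this page (not a product schema):
#   <match name>             -> a declared <port>, <token> or <session>
#   <assign>/<or>/<if name>  -> a declared <number>
#   <register name>          -> a declared <meta>
MATCHABLE = {"port", "token", "session"}
REFERS_TO = {"assign": "number", "or": "number", "if": "number", "register": "meta"}

def lint_flex_parser(xml_text):
    """Return a list of problems found in a Flex parser definition (empty if none)."""
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    for parser in root.iter("parser"):
        pname = parser.get("name", "?")
        # Map every declared name to the element type that declared it.
        declared = {d.get("name"): d.tag for decl in parser.findall("declaration") for d in decl}
        for match in parser.findall("match"):
            target = match.get("name")
            if declared.get(target) not in MATCHABLE:
                problems.append(f"{pname}: match '{target}' is not a declared port, token or session")
            for action in match.iter():
                kind = REFERS_TO.get(action.tag)
                if kind and declared.get(action.get("name")) != kind:
                    problems.append(f"{pname}: <{action.tag}> '{action.get('name')}' is not a declared {kind}")
    return problems

# Constructed sample: the multiple-token parser from this page, condensed.
GOOD = """<parsers><parser name="MyServiceMultiToken" desc="Multiple Tokens" service="333">
  <declaration>
    <number name="state" scope="stream" />
    <token name="user" value="USER " />
    <token name="pass" value="PASS " />
    <session name="session" value="end" />
  </declaration>
  <match name="user"><or name="state" value="1" /></match>
  <match name="pass"><or name="state" value="2" /></match>
  <match name="session"><if name="state" equal="3"><identify /></if></match>
</parser></parsers>"""

# Constructed defects: a match on an undeclared token, a misspelled state variable.
DANGLING = GOOD.replace('<match name="pass">', '<match name="password">').replace('<if name="state"', '<if name="stat"')
# Constructed defect: <declaration> opened twice instead of closed.
MALFORMED = GOOD.replace("</declaration>", "<declaration>")

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("DANGLING", DANGLING), ("MALFORMED", MALFORMED)):
        print(label, lint_flex_parser(text))
```

A parser that passes this check is only internally consistent; whether it identifies the intended traffic still has to be confirmed against a capture of that traffic.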
