Decoder: Nodes

Document created by RSA Information Design and Development on Sep 13, 2017Last modified by RSA Information Design and Development on Oct 11, 2017
Version 6Show Document
  • View in full screen mode
 

This topic defines language for the flex parser nodes.

Nodes Language Definition

                                                                                                                                                                                                                            
Node NameAttribute NameDescription
parsers  The root node in each definition file.
 xmins:xsi Defines the namespace to use for the schema inclusion. This attribute is not required; however, language definition is not possible without it. This node must have the following value: http://www.w3.org/2001/XMLSchema-instance
 xsi:noNamespaceSchemaLocation Defines the XSD schema validation file used to validate the language definition. This attribute is not required; however, language definition is not possible without it. This node must have the following value: parsers.xsd
parser  The node that defines a single parser definition. This node must be directly under the parsers node. There can be more than one per file.
 name The name that uniquely identifies the parser. This name should be short and succinct. This is used by the system to allow enabling and disabling. It should contain only the letters [a-z] and [A-Z].
 desc This node provides a friendly description of what the parser does.
 service This is the unique number assigned to the session when identified.
declaration  The node that delineates the definition. Each of these definitions can have an associated match entry.
token  Specifies a definition for identifying a token somewhere in the session protocol. This defines a match callback when the specified tokens are encountered in a session payload. The read position is set to the byte immediately following the matched token.
 name This is a unique identifier for the declaration.
 value This is the exact token value to be identified.
 options Options specify that the token should start on a new line or at an end of a line (linestart or linestop).
meta-callback  Registers a callback for the flex parser whenever meta of a specific format is created. This can be further qualified to generate callbacks only for sessions that have been identified as a specific apptype (e.g. 80 for http).
 name Name of the match element to be executed when a callback occurs. (String)
 key Name of the meta key that generates callbacks. (String)
 format The data type of the meta key that will generate the meta.
 apptype The meta callback is only generated if the session being parsed has been identified with the specified apptype. (Unsigned Integer, Optional)
number  Defines a numeric variable that can be referenced elsewhere within the parser definition. All numeric values are 64-bit unsigned values.
 name This is a unique identifier for the declaration.
 scope (optional)Specifies when to reset the variable. This can either be for each side of a two-sided session or only after a new session is detected. The possible values are global, constant, streamand session (default).
string  Defines a numeric variable that can be referenced elsewhere within the parser definition.
 name This is a unique identifier for the declaration.
 scope (optional)Specifies when to reset the variable. This can either be for each side of a two-sided session or only after a new session is detected. The possible values are global, constant, stream, and session (default).
port Defines a match callback when a session is encountered using the specified port. The read position is set to the first byte of the first stream (client) in the session.
 name This is a unique identifier for the declaration.
 value This is the port number to identify.
session  Defines a match callback for session begin/end events. These events only occur if a token for the parser is encountered in the session.
 name This is a unique identifier for the declaration.
 value Specifies that processing takes place at the beginning of a new session or at the end of a session (begin or end).
stream  Defines a match callback for stream begin/end events. These events only occur if a token for the parser is encountered in the stream. 
 name This is a unique identifier for the declaration
 value Specifies that processing takes place at the beginning or at the end of a stream (begin or end). 
function  Defines a match section that can be used as a generic function. No callbacks are associated with this declaration. 
 name This is a unique identifier for the declaration.
meta  Defines the type of data that the parser will create.
 key Specifies the key name. The key needs to be 1-16 bytes in size.
 format Specifies the variant type (for example, Text, IPv4, UInt32). Refer to the SDK documentation for a full list. 
pattern  Defines a regular expression variable for use by the regex function
 name This is a unique identifier for the declaration.
 scope (optional)Specifies when to reset the variable. This can be for each side of a two-sided session or only after a new session is detected. Possible values are global, constant, stream, and session (default). 
 value (optional)Specifies a regular expression to assign to the pattern variable. This attribute is only valid when the scope attribute is set to constant
match  The possible entries for taking an action once a match criterion has been found for a declaration. These nodes can be nested to provide deeper logic. There are several categories of execution elements (functions) that can appear as children of a match element:
  • General
  • Arithmetic
  • String
  • Payload
Previous Topic:Logging Functions
You are here
Table of Contents > Feed and Parser References > Flex Parser > Nodes

Attachments

    Outcomes