Common Parser Operations
This topic provides some examples of common parser operations.
This topic includes five common parser operations.
Match Port and Identify Immediately
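<?xml version="1.0" encoding="utf-8"?>
<!--
  Identifies a session as the custom application as soon as the declared
  port is matched. The only evidence used is the port number: nothing in
  this parser inspects the payload, so anything else using port 45324 is
  identified the same way. Treat the result as a hint, not as proof of the
  protocol.
-->
<parsers
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="parsers.xsd">
  <parser name="CustApp" desc="Acme Custom App" service="45324">
    <declaration>
      <!-- Declares the port to watch; "port" is the name the match refers to. -->
      <port name="port" value="45324" />
    </declaration>
    <!-- Runs when the declared port is seen; identification happens at once. -->
    <match name="port">
      <identify />
    </match>
  </parser>
</parsers>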
Match Port and Delay Identification
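<?xml version="1.0" encoding="utf-8"?>
<!--
  Matches on the port but postpones identification: the port match only
  records a flag, and the session is identified later, when the "end"
  match runs and finds that flag set. As with any port-only rule, the
  payload is never inspected, so the label reflects the port rather than
  verified MSRPC traffic.
-->
<parsers
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="parsers.xsd">
  <parser name="MSRPC" desc="Microsoft RPC protocol" service="135">
    <declaration>
      <port name="port" value="135" />
      <!-- Flag variable kept for the whole session (scope="session"). -->
      <number name="state" scope="session" />
      <!-- Presumably fires when the session ends; confirm against parsers.xsd. -->
      <session name="end" value="end" />
    </declaration>
    <!-- Port seen: remember it, but do not identify yet. -->
    <match name="port">
      <assign name="state" value="1" />
    </match>
    <!-- Identify only if the port match ran earlier in this session. -->
    <match name="end">
      <if name="state" equal="1">
        <identify />
      </if>
    </match>
  </parser>
</parsers>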
Match Token and Identify Immediately
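<?xml version="1.0" encoding="utf-8"?>
<!--
  Identifies a session as RDP as soon as the literal token
  "Cookie: mstshash=" is found in the traffic. No port is declared, so the
  match depends on the content and not on where the service listens.
  A session that never carries this cookie string is not identified by
  this parser.
-->
<parsers
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="parsers.xsd">
  <parser name="RDP" desc="Remote Desktop Protocol" service="3389">
    <declaration>
      <!-- Byte string to search for; "signature" is the name the match uses. -->
      <token name="signature" value="Cookie: mstshash=" />
    </declaration>
    <!-- Token found: identify immediately. -->
    <match name="signature">
      <identify />
    </match>
  </parser>
</parsers>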
Match Multiple Tokens
<?xml version="1.0" encoding="utf-8"?>
<!--
  Identifies the service only after BOTH tokens have been seen. Each token
  match ORs its own value into "state" (1 for USER, 2 for PASS), and the
  final check compares state with 3. That the OR is bitwise is inferred
  from that comparison (1 | 2 = 3); confirm against parsers.xsd.
  The parser records only that the tokens occurred; it registers no
  metadata and does not capture the text that follows them.
-->
<parsers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:noNamespaceSchemaLocation="parsers.xsd">
  <parser name="MyServiceMultiToken" desc="Multiple Tokens" service="333">

    <declaration>
      <!-- Accumulator for the flags; note scope="stream", not "session". -->
      <number name="state" scope="stream" />
      <!-- The trailing space is part of each token value. -->
      <token name="user" value="USER " />
      <token name="pass" value="PASS " />
      <!-- Presumably the end-of-session event; confirm against parsers.xsd. -->
      <session name="session" value="end" />
    </declaration>

    <!-- USER seen: set flag value 1. -->
    <match name="user">
      <or name="state" value="1" />
    </match>

    <!-- PASS seen: set flag value 2. -->
    <match name="pass">
      <or name="state" value="2" />
    </match>

    <!-- Both flags present (state equals 3): identify. -->
    <match name="session">
      <if name="state" equal="3">
        <identify />
      </if>
    </match>

  </parser>
</parsers>
Match Token and Create Metadata
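<?xml version="1.0" encoding="utf-8"?>
<!--
  Registers metadata when a Windows command-shell banner appears in the
  traffic. The parser declares no service and never calls identify; it
  only writes the "client" meta value. A cmd.exe banner on the wire
  usually means an interactive shell is being carried over that session,
  so this meta value is a useful triage signal.
-->
<parsers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:noNamespaceSchemaLocation="parsers.xsd">
  <parser name="SHELL" desc="Command Shell Identification">
    <declaration>
      <!--
        Banner text to search for, anchored with options="linestart".
        NOTE(review): the value begins with a space although linestart is
        set; confirm the leading space is intended.
        NOTE(review): the 1985-2001 copyright range is specific to older
        Windows releases; banners from other versions will not match, so
        coverage is limited to that wording.
      -->
      <token name="cmd.exe" value=" (C) Copyright 1985-2001 Microsoft Corp" options="linestart" />
      <!-- Text meta field that the register element below writes to. -->
      <meta name="client" key="client" format="Text" />
    </declaration>
    <!-- Banner found: record which client produced it. -->
    <match name="cmd.exe">
      <register name="client" value="MS Command Shell" />
    </match>
  </parser>
</parsers>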