parsed_type
Use the parsed_type keyword to match a packet or session attribute that can be identified by the dissectors. A signature can have more than one --parsed_type keyword.
Syntax:
--parsed_type <type>;
| <type> | Description |
|---|---|
| | These types are used to identify the SSL and TLS versions. |
| | These match sessions using the SOCKS 4 or SOCKS 5 proxy protocols. |
| HTTP_GET | The HTTP request method to be matched is GET. This is valid for the lifetime of the request. In most cases, a signature using --service HTTP; --parsed_type HTTP_GET; can replace a pattern-based signature like this: --service HTTP; --pattern "GET\|20\|"; --context uri; --within 4,context; |
| HTTP_POST | The HTTP request method to be matched is POST. This is valid for the lifetime of the request. |
| HTTP_CHUNKED | The Transfer-Encoding type of the HTTP request to be matched is chunked. This is valid for the lifetime of the request. In most cases, a signature using --parsed_type HTTP_CHUNKED; can replace one that looks for strings, like this: --service HTTP; --pattern "Transfer-Encoding"; --context header; --no_case; --pattern "chunked"; --context header; --no_case; --distance 1; |

Examples:
--parsed_type HTTP_POST;
--parsed_type HTTP_GET;
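
An added example (not part of the original documentation): a small Python linter that parses a signature's option list and reports where the two pattern-based idioms described above could be replaced by --parsed_type HTTP_GET or --parsed_type HTTP_CHUNKED. The function names and the sample signatures are constructed for illustration, and only those two idioms are recognized.

```python
import re

# One option is "--keyword [value];"; a quoted value may itself contain ';'.
OPTION_RE = re.compile(r'--(\w+)\s*((?:"[^"]*"|[^;"])*);')
MODIFIERS = ("context", "within", "distance", "no_case")

def parse_options(sig):
    """Split a signature option string into ordered (keyword, value) pairs."""
    return [(key, val.strip()) for key, val in OPTION_RE.findall(sig)]

def pattern_groups(opts):
    """Attach each modifier to the --pattern that precedes it."""
    groups = []
    for key, val in opts:
        if key == "pattern":
            groups.append({"pattern": val.strip('"'), "mods": {}})
        elif groups and key in MODIFIERS:
            groups[-1]["mods"][key] = val
    return groups

def suggest_parsed_type(sig):
    """Return the parsed_type values that could replace patterns in sig."""
    opts = parse_options(sig)
    if ("service", "HTTP") not in opts:
        return []  # both idioms only apply to HTTP signatures
    groups = pattern_groups(opts)
    found = []
    for i, grp in enumerate(groups):
        text, mods = grp["pattern"], grp["mods"]
        # Idiom 1: literal "GET " matched at the start of the uri context.
        if text == "GET|20|" and mods.get("context") == "uri":
            found.append("HTTP_GET")
        # Idiom 2: header name followed by a second pattern "chunked".
        nxt = groups[i + 1] if i + 1 < len(groups) else None
        if (nxt and text.lower().startswith("transfer-encoding")
                and mods.get("context") == "header"
                and nxt["pattern"].lower() == "chunked"):
            found.append("HTTP_CHUNKED")
    return found

# Constructed sample signatures (option lists only).
SAMPLES = [
    '--service HTTP; --pattern "GET|20|"; --context uri; --within 4,context;',
    '--service HTTP; --pattern "Transfer-Encoding"; --context header; --no_case; '
    '--pattern "chunked"; --context header; --no_case; --distance 1;',
    '--service HTTP; --parsed_type HTTP_POST;',
]

if __name__ == "__main__":
    for sig in SAMPLES:
        print(suggest_parsed_type(sig) or "no replacement", "<-", sig)
```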