<parser name="exploit_x86_shellcode" desc="example netwitness flex parser. See the following for more information: http://garygolomb.blogspot.com/2010/11/network-detection-of-x86-buffer.html ">
  <!--
    NetWitness flex parser that looks for the jmp/call half of the classic x86
    "jmp / call / pop" shellcode stub: a short JMP (0xEB) whose target is a
    CALL (0xE8) with a displacement whose middle bytes are 0xFF, i.e. a call
    that jumps backwards a short distance. The POP that usually follows is not
    checked here. Every hit is written to the risk.suspicious key, so it is a
    triage lead rather than a definitive alert: these byte sequences can also
    occur in benign binary, compressed or encrypted traffic.
  -->
  <!-- declaration section holds all variables used down in the <match> section -->
  <declaration>
    <!-- this parser will output messages to the suspicious risk category (meta key risk.suspicious) -->
    <meta format="Text" key="risk.suspicious" name="suspicious"/>
    <!--
      0xEB is the x86 short-JMP opcode. It is written as the literal character
      "ë" (U+00EB), so the byte the token actually matches depends on how this
      file is saved and decoded: as ISO-8859-1 it is the single byte 0xEB; as
      UTF-8 it would presumably be the two bytes 0xC3 0xAB and the rule would
      not fire on real shellcode. There is no XML declaration with an encoding
      attribute, so confirm the encoding the engine expects before deploying.
    -->
    <token name="jmp" value="ë"/>
    <!-- some session-scoped number variables we'll use for testing below -->
    <number name="num_jmp_offset" scope="session"/>
    <number name="num_call_1" scope="session"/>
    <number name="num_call_2" scope="session"/>
  </declaration>
  <!-- enter the below node when the pattern held in "jmp" (0xEB) is found -->
  <match name="jmp">
    <!-- read the next byte (the JMP rel8 displacement) and store the value in num_jmp_offset -->
    <read length="1" name="num_jmp_offset">
      <!--
        move the cursor forward by the value stored in num_jmp_offset, then by
        one more byte; together these presumably land on the JMP target, but
        whether <read> itself advances the cursor is not visible here, so
        verify the net position against the flex read/move semantics.
        NOTE(review): a rel8 with the high bit set is a backward JMP in x86;
        this rule appears to treat the byte as an unsigned forward distance,
        so backward JMP stubs would not be matched. Confirm whether that is intended.
      -->
      <move direction="forward" value="$num_jmp_offset">
        <move direction="forward" value="1">
          <!-- read the next byte; if it is 0xE8 (decimal 232, the x86 near CALL opcode) then continue -->
          <read length="1" name="num_call_1">
            <if name="num_call_1" equal="232">
              <!-- skip the low-order byte of the CALL's 32-bit displacement -->
              <move direction="forward" value="1">
                <!--
                  read the next two displacement bytes and require both to be
                  0xFF (65535 = 0xFFFF, so byte order does not matter), meaning
                  the call targets a nearby earlier address. The remaining
                  displacement byte after these two is not examined.
                -->
                <read length="2" name="num_call_2">
                  <if name="num_call_2" equal="65535">
                    <!-- if we get here, add the tag "exploit_x86_shellcode" to the suspicious category (risk.suspicious) for this session -->
                    <register name="suspicious" value="exploit_x86_shellcode"/>
                  </if>
                </read>
              </move>
            </if>
          </read>
        </move>
      </move>
    </read>
  </match>
</parser>