CERT IE Registry

Created
2017-11-28
Last Updated
2018-05-01

Download

(SHA256=20d3c2a0cdd387f072fcd07776499bc9fb61a843f88d88cc873782c1c404486a)

CERT Enterprise IPFIX Elements (PEN 6871)

NOTES:

  • Obsolete element names are struck out.
  • Deprecated element names are marked with ❌.
  • Reversible element names are marked with 🔄.
ElementID | Name | Data Type | Semantics | Units | Range | Date

A description, where one is given, follows the row it belongs to. A "-" marks an empty cell.

0 | Reserved | - | - | - | - | -

Reserved as per section 4 of [RFC7012].

1-11 | Unassigned | - | - | - | - | -
12 | obsoleteReverseOctetTotalCount | unsigned64 | totalCounter | - | - | -
13 | obsoleteReversePacketTotalCount | unsigned64 | totalCounter | - | - | -
14 | initialTCPFlags 🔄 | unsigned16 | flags | - | - | 2017-12-19
15 | unionTCPFlags 🔄 | unsigned16 | flags | - | - | 2017-12-19
16 | obsoleteReverseInitialTCPFlags | unsigned8 | flags | - | - | -
17 | obsoleteReverseUnionTCPFlags | unsigned8 | flags | - | - | -
18 | payload 🔄 | octetArray | - | - | - | -
19 | obsoleteReversePayload | octetArray | - | - | - | -
20 | obsoleteReverseTcpSequenceNumber | unsigned32 | - | - | - | -
21 | reverseFlowDeltaMilliseconds | unsigned32 | quantity | milliseconds | - | -
22-28 | Unassigned | - | - | - | - | -
29 | obsoleteReverseVlanId | unsigned16 | identifier | - | - | -
30 | silkFlowType | unsigned8 | identifier | - | - | -
31 | silkFlowSensor | unsigned16 | identifier | - | - | -
32 | silkTCPState | unsigned8 | flags | - | - | -
33 | silkAppLabel | unsigned16 | identifier | - | - | -
34 | Unassigned | - | - | - | - | -
35 | payloadEntropy 🔄 | unsigned8 | - | - | - | -
36 | osName 🔄 | string | - | - | - | -
37 | osVersion 🔄 | string | - | - | - | -
38 | firstPacketBanner 🔄 | octetArray | - | - | - | -
39 | secondPacketBanner 🔄 | octetArray | - | - | - | -
40 | flowAttributes 🔄 | unsigned16 | flags | - | - | -
41-99 | Unassigned | - | - | - | - | -
100 | expiredFragmentCount | unsigned32 | totalCounter | packets | - | -
101 | assembledFragmentCount | unsigned32 | totalCounter | packets | - | -
102 | meanFlowRate | unsigned32 | - | flows | - | -
103 | meanPacketRate | unsigned32 | - | packets | - | -
104 | flowTableFlushEventCount | unsigned32 | totalCounter | flows | - | -
105 | flowTablePeakCount | unsigned32 | - | flows | - | -
106 | yafFlowKeyHash | unsigned32 | identifier | - | - | -
107 | osFingerPrint 🔄 | string | - | - | - | -
108-109 | Unassigned | - | - | - | - | -
110 | httpServerString | string | - | - | - | -

HTTP Server response-header field. Contains information about the software used to handle the HTTP request.

111 | httpUserAgent | string | - | - | - | -

HTTP User-Agent request-header field. Contains information about the user agent originating the request.

112 | httpGet | string | - | - | - | -

HTTP Method command. Retrieves information identified by the following Request-URI.

113 | httpConnection | string | - | - | - | -

HTTP Connection header field. Contains options that are desired for a particular connection.

114 | httpVersion | string | - | - | - | -

HTTP version number.

115 | httpReferer | string | - | - | - | -

HTTP Referer request-header field. Address (URI) of the resource from which the Request-URI was obtained.

116 | httpLocation | string | - | - | - | -

HTTP Location response-header field. Used to redirect the recipient to a location to complete a request or to identify a new resource.

117 | httpHost | string | - | - | - | -

HTTP Host request-header. The Internet host and port number of the resource being requested.

118 | httpContentLength | string | - | - | - | -

HTTP Content-Length header. Indicates the size of the entity-body.

119 | httpAge | string | - | - | - | -

HTTP Age response-header. The argument is the sender's estimate of the time elapsed since the response was generated.

120 | httpAccept | string | - | - | - | -

HTTP Accept request-header field. Used to specify certain media types that are acceptable for the response.

121 | httpAcceptLanguage | string | - | - | - | -

HTTP Accept-Language request-header field. Restricts the set of natural languages that are preferred.

122 | httpContentType | string | - | - | - | -

HTTP Content-Type entity-header field. Indicates the media type of the entity-body.

123 | httpResponse | string | - | - | - | -

HTTP response status code. Usually a three-digit number followed by text.

124 | pop3TextMessage | string | - | - | - | -

POP3 commands and replies. Contains any command or reply message found in POP3 payload data.

125 | ircTextMessage | string | - | - | - | -

IRC chat or join message. This field contains any IRC command and the arguments that follow it.

126 | tftpFilename | string | - | - | - | -

TFTP name of the file being transferred.

127 | tftpMode | string | - | - | - | -

Contains the mode of transfer (netascii, octet, or mail).

128 | slpVersion | unsigned8 | - | - | - | -

SLP version number.

129 | slpMessageType | unsigned8 | - | - | 1-11 | -

SLP message type. This value should be between 1 and 11 and describes the type of SLP message.

130 | slpString | string | - | - | - | -

Contains the text elements found in an SLP Service Request.

131 | ftpReturn | string | - | - | - | -

FTP commands or replies.

132 | ftpUser | string | - | - | - | -

FTP USER command argument. This command will normally be the first command transmitted by the user.

133 | ftpPass | string | - | - | - | -

FTP PASS (password) command argument. This command must be preceded by the user name command, and is usually required to complete authentication.

134 | ftpType | string | - | - | - | -

FTP data representation type.

135 | ftpRespCode | string | - | - | - | -

FTP reply. This consists of a three-digit number followed by some text.

136 | imapCapability | string | - | - | - | -

IMAP CAPABILITY command and response. Captures the listing of capabilities that the server supports.

137 | imapLogin | string | - | - | - | -

IMAP LOGIN command. Arguments are the user name and password.

138 | imapStartTLS | string | - | - | - | -

IMAP STARTTLS command. Captures only the command, as it has no arguments or related responses.

139 | imapAuthenticate | string | - | - | - | -

IMAP AUTHENTICATE command. Captures the name of the authentication mechanism that follows this command.

140 | imapCommand | string | - | - | - | -

Captures a variety of IMAP commands and their arguments.

141 | imapExists | string | - | - | - | -

IMAP EXISTS response. Reports the number of messages in the mailbox.

142 | imapRecent | string | - | - | - | -

IMAP RECENT response. Reports the number of messages with the Recent flag set.

143 | rtspURL | string | - | - | - | -

RTSP URL. Captures the address of the network resource requested.

144 | rtspVersion | string | - | - | - | -

RTSP version number.

145 | rtspReturnCode | string | - | - | - | -

RTSP Status-Line. Captures the RTSP protocol version, the numeric status code, and the textual phrase associated with the numeric code.

146 | rtspContentLength | string | - | - | - | -

RTSP Content-Length header field. Contains the length of the content of the method.

147 | rtspCommand | string | - | - | - | -

RTSP command. Captures the method to be performed and the Request-URI associated with the method.

148 | rtspContentType | string | - | - | - | -

RTSP Content-Type.

149 | rtspTransport | string | - | - | - | -

RTSP Transport request-header field. Captures the transport protocol used and the parameters that follow.

150 | rtspCSeq | string | - | - | - | -

RTSP CSeq field. Contains the sequence number for an RTSP request-response pair.

151 | rtspLocation | string | - | - | - | -

RTSP Location header field.

152 | rtspPacketsReceived | string | - | - | - | -

RTSP User Agent field. Contains information about the user agent originating the request.

153 | rtspUserAgent | string | - | - | - | -

RTSP User Agent field. Contains information about the user agent originating the request.

154 | rtspJitter | string | - | - | - | -

RTSP jitter value.

155 | sipInvite | string | - | - | - | -

SIP INVITE method. Contains the SIP address and SIP version number.

156 | sipCommand | string | - | - | - | -

SIP command. Contains a SIP method, SIP address, and SIP version number.

157 | sipVia | string | - | - | - | -

SIP Via. Contains the SIP version number and the address at which the sender expects to receive responses.

158 | sipMaxForwards | string | - | - | - | -

SIP Max-Forwards. Contains the limit on the number of hops a request can make on the way to its destination.

159 | sipAddress | string | - | - | - | -

SIP address. Contains the argument of the To, From, or Contact header fields.

160 | sipContentLength | string | - | - | - | -

SIP Content-Length header field. Contains the byte count of the message body.

161 | sipUserAgent | string | - | - | - | -

SIP User-Agent header field. Contains information about the User Agent Client originating the request.

162 | smtpHello | string | - | - | - | -

SMTP Hello or Extended Hello command. Captures the command and the domain name of the SMTP client.

163 | smtpFrom | string | - | - | - | -

SMTP MAIL command. Contains the reverse-path of the sender mailbox.

164 | smtpTo | string | - | - | - | -

SMTP recipient (RCPT) command. Captures the command and the forward-path of the recipient of the mail data.

165 | smtpContentType | string | - | - | - | -

SMTP Content-Type header field.

166 | smtpSubject | string | - | - | - | -

SMTP Subject. Contains the subject of the mail data.

167 | smtpFilename | string | - | - | - | -

SMTP filename. Contains the name of the file attached to the mail message.

168 | smtpContentDisposition | string | - | - | - | -

SMTP Content-Disposition header field.

169 | smtpResponse | string | - | - | - | -

SMTP replies. Consists of a three-digit number followed by text.

170 | smtpEnhanced | string | - | - | - | -

Enhanced SMTP. Contains the ESMTP command and the argument that follows it.

171 | sshVersion | string | - | - | - | -

SSH version number.

172 | nntpResponse | string | - | - | - | -

NNTP reply. This consists of a three-digit status code and a text message.

173 | nntpCommand | string | - | - | - | -

NNTP command. Contains an NNTP command and the argument(s) that follow it.

174 | dnsQueryResponse | unsigned8 | - | - | - | -

DNS query/response header field. This corresponds to the one-bit DNS header field QR, and indicates whether the message is a query (0) or a response (1).

175 | dnsQRType | unsigned16 | - | - | - | -

DNS query/response type. This corresponds to the QTYPE field in the DNS Question Section or the TYPE field in the DNS Resource Record Section. This field determines the type of subTemplateList found in this record.

176 | dnsAuthoritative | unsigned8 | - | - | - | -

DNS Authoritative header field. This corresponds to the one-bit DNS header field AA. This bit is only valid in responses (when dnsQueryResponse is 1), and specifies that the responding name server is an authority for the domain name in the question section.

177 | dnsNXDomain | unsigned8 | - | - | - | -

DNS NXDomain or Response Code (RCODE). This corresponds to the DNS RCODE header field. This field will be set to 3 for a Name Error, 2 for a Server Failure, 1 for a Format Error, and 0 for No Error. See [dns-parameters] for other valid values.

178 | dnsRRSection | unsigned8 | - | - | - | -

DNS Resource Record Section field. This field will be set to 0 if the information is from the Question Section, 1 for the Answer Section, 2 for the Name Server Section, and 3 for the Additional Section.

179 | dnsQName | string | - | - | - | -

A DNS query or response name. This field corresponds to the QNAME field in the DNS Question Section or the NAME field in the DNS Resource Record Section.

180 | dnsCName | string | - | - | - | -

A domain name which specifies the canonical or primary name for the owner.

181 | dnsMXPreference | unsigned16 | - | - | - | -

Corresponds to the DNS MX PREFERENCE field.

182 | dnsMXExchange | string | - | - | - | -

Corresponds to the DNS MX EXCHANGE field.

183 | dnsNSDName | string | - | - | - | -

An authoritative name server domain name.

184 | dnsPTRDName | string | - | - | - | -

Corresponds to the DNS PTR PTRDNAME field.

185 | sslCipher | unsigned32 | - | - | - | -

sslCipher is a CipherSuite suggested by the client in the ClientHello message.

186 | sslClientVersion | unsigned8 | - | - | - | -

sslClientVersion is the version the client supports, as contained in the initial ClientHello message.

187 | sslServerCipher | unsigned32 | - | - | - | -

sslServerCipher is the CipherSuite chosen by the server in the ServerHello message.

188 | sslCompressionMethod | unsigned8 | - | - | - | -

sslCompressionMethod is the compression method chosen by the server in the ServerHello message.

189 | sslCertVersion | unsigned8 | - | - | - | -

The certificate version. This is the value contained in the certificate: v1(0), v2(1), v3(2).

190 | sslCertSignature | octetArray | - | - | - | -

The signature contained in an SSL certificate. This is typically the hashing algorithm identifier.

191 | sslCertIssuerCountryName | string | - | - | - | -
192 | sslCertIssuerOrgName | string | - | - | - | -
193 | sslCertIssuerOrgUnitName | string | - | - | - | -
194 | sslCertIssuerZipCode | string | - | - | - | -
195 | sslCertIssuerState | string | - | - | - | -
196 | sslCertIssuerCommonName | string | - | - | - | -
197 | sslCertIssuerLocalityName | string | - | - | - | -
198 | sslCertIssuerStreetAddress | string | - | - | - | -
199 | dnsTTL | unsigned32 | - | - | - | -

DNS Time To Live. This is an unsigned integer that specifies the time interval, in seconds, for which the resource record may be cached. This will contain a value of zero for DNS queries.

200 | sslCertSubCountryName | string | - | - | - | -
201 | sslCertSubOrgName | string | - | - | - | -
202 | sslCertSubOrgUnitName | string | - | - | - | -
203 | sslCertSubZipCode | string | - | - | - | -
204 | sslCertSubState | string | - | - | - | -
205 | sslCertSubCommonName | string | - | - | - | -
206 | sslCertSubLocalityName | string | - | - | - | -
207 | sslCertSubStreetAddress | string | - | - | - | -
208 | dnsTXTData | string | - | - | - | -

Corresponds to the DNS TXT TXT-DATA field.

209 | dnsSOASerial | unsigned32 | - | - | - | -

Corresponds to the DNS SOA SERIAL field.

210 | dnsSOARefresh | unsigned32 | - | - | - | -

Corresponds to the DNS SOA REFRESH field.

211 | dnsSOARetry | unsigned32 | - | - | - | -

Corresponds to the DNS SOA RETRY field.

212 | dnsSOAExpire | unsigned32 | - | - | - | -

Corresponds to the DNS SOA EXPIRE field.

213 | dnsSOAMinimum | unsigned32 | - | - | - | -

Corresponds to the DNS SOA MINIMUM field.

214 | dnsSOAMName | string | - | - | - | -

Corresponds to the DNS SOA MNAME field.

215 | dnsSOARName | string | - | - | - | -

Corresponds to the DNS SOA RNAME field.

216 | dnsSRVPriority | unsigned16 | - | - | - | -

Corresponds to the Priority field in the DNS SRV resource record.

217 | dnsSRVWeight | unsigned16 | - | - | - | -

Corresponds to the Weight field in the DNS SRV resource record.

218 | dnsSRVPort | unsigned16 | - | - | - | -

Corresponds to the Port field in the DNS SRV resource record.

219 | dnsSRVTarget | string | - | - | - | -

Corresponds to the Target field in the DNS SRV resource record.

220 | httpCookie | string | - | - | - | -

HTTP Cookie header field.

221 | httpSetCookie | string | - | - | - | -

HTTP Set-Cookie header field.

222 | smtpSize | string | - | - | - | -

SMTP SIZE header field. Contains the size in bytes of the mail data.

223 | mysqlUsername | string | - | - | - | -
224 | mysqlCommandCode | unsigned8 | - | - | 0-28 | -

MySQL command code. This number should be between 0 and 28.

225 | mysqlCommandText | string | - | - | - | -

MySQL command text. For example, this can be a SELECT, INSERT, or DELETE statement.

226 | dnsID | unsigned16 | - | - | - | -

DNS transaction ID. This identifier is used by the requester to match replies to outstanding queries.

227 | dnsAlgorithm | unsigned8 | - | - | - | -

The Hash Algorithm field in the DNSSEC NSEC3 or NSEC3PARAM RR. Values are described in [RFC5155].

228 | dnsKeyTag | unsigned16 | - | - | - | -

The Key Tag field in the DS RR.

229 | dnsSigner | string | - | - | - | -

The Signer's Name field in the RRSIG RR.

230 | dnsSignature | octetArray | - | - | - | -

The Signature field in the RRSIG RR. Contains the cryptographic signature that covers the dnsQName field.

231 | dnsDigest | octetArray | - | - | - | -

The digest of the DNSKEY RR.

232 | dnsPublicKey | octetArray | - | - | - | -

DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets. This field holds the public key. The format depends on the algorithm of the key.

233 | dnsSalt | octetArray | - | - | - | -

The Salt field in the DNSSEC NSEC3 or NSEC3PARAM RR.

234 | dnsHashData | octetArray | - | - | - | -

The Next Hashed Owner Name in the DNSSEC NSEC3 RR. This will be empty for NSEC3PARAM records.

235 | dnsIterations | unsigned16 | - | - | - | -

The Iterations field in the DNSSEC NSEC3 or NSEC3PARAM RR.

236 | dnsSignatureExpiration | unsigned32 | - | - | - | -

The Signature Inception field in a RRSIG RR. The Expiration and Inception fields specify a validity period for the signature.

237 | dnsSignatureInception | unsigned32 | - | - | - | -

The Signature Expiration field in a RRSIG RR. The Expiration and Inception fields specify a validity period for the signature.

238 | dnsDigestType | unsigned8 | - | - | - | -

The Digest Type field, which identifies the algorithm used to construct the digest.

239 | dnsLabels | unsigned8 | - | - | - | -

The Labels field in a RRSIG RR. Specifies the number of labels in the original RRSIG resource record owner name.

240 | dnsTypeCovered | unsigned16 | - | - | - | -

The Type Covered field in a RRSIG RR.

241 | dnsFlags | unsigned16 | flags | - | - | -

The Flags field in the DNSKEY resource record. Certain bits determine whether the key is a zone key or should be used as a secure entry point.

242 | dhcpFingerPrint 🔄 | string | - | - | - | -

The DHCP fingerprint. This will be the description of the OS.

243 | dhcpVendorCode 🔄 | string | - | - | - | -

The DHCP vendor class ID found in Option 60 of the DHCP packet. This field may help further identify the operating system of the sender.

244 | sslCertSerialNumber | octetArray | - | - | - | -

The Serial Number from the X.509 certificate.

245 | sslObjectType | unsigned8 | - | - | - | -

For the Issuer and Subject subTemplateLists, yaf only parses objects that are members of the id-at arc {joint-iso-ccitt(2) ds(5) 4}, pkcs-9 {iso(1) member-body (2) us(840) rsadsi(113459) pkcs(1) 9}, and LDAP dc 0.9.2342.19200300.100.1.25. This field will not contain the full object identifier; it contains only the member id. For example, for an issuer common name, sslObjectType will contain 3. Below is a list of common objects in an X.509 RelativeDistinguishedName sequence for X.509 certificates:

pkcs-9-emailAddress          {pkcs-9 1}
id-at-commonName             {id-at 3}
id-at-countryName            {id-at 6}
id-at-localityName           {id-at 7}
id-at-stateOrProvinceName    {id-at 8}
id-at-streetAddress          {id-at 9}
id-at-organizationName       {id-at 10}
id-at-organizationalUnitName {id-at 11}
id-at-title                  {id-at 12}
id-at-postalCode             {id-at 17}
0.9.2342.19200300.100.1.25   {dc 25}
id-at-name                   {id-at 41}

246 | sslObjectValue | octetArray | - | - | - | -

The bit strings associated with sslObjectType.

247 | sslCertValidityNotBefore | string | - | - | - | -

The notBefore field in the Validity sequence of the X.509 certificate.

248 | sslCertValidityNotAfter | string | - | - | - | -

The notAfter field in the Validity sequence of the X.509 certificate.

249 | sslPublicKeyAlgorithm | octetArray | - | - | - | -

The algorithm, encoded in ASN.1, in the SubjectPublicKeyInfo sequence of the X.509 certificate.

250 | sslPublicKeyLength | unsigned16 | - | - | - | -

The length of the public key in the X.509 certificate.

251 | smtpDate | string | - | - | - | -

SMTP Date field.

252 | httpAuthorization | string | - | - | - | -

HTTP Authorization header field.

253 | httpVia | string | - | - | - | -

HTTP Via header field.

254 | httpX-Forwarded-For | string | - | - | - | -

HTTP X-Forwarded-For header field.

255 | httpExpires | string | - | - | - | -

HTTP Expires header field.

256 | httpRefresh | string | - | - | - | -

HTTP Refresh header field.

257 | httpIMEI | string | - | - | - | -

HTTP International Mobile Station Equipment Identity (IMEI) ID.

258 | httpIMSI | string | - | - | - | -

HTTP International Mobile Subscriber Identity (IMSI).

259 | httpMSISDN | string | - | - | - | -

HTTP MSISDN number, a telephone number for the SIM card in a mobile/cellular phone.

260 | httpSubscriber | string | - | - | - | -

HTTP mobile subscriber information.

261 | httpAcceptCharset | string | - | - | - | -

HTTP Accept-Charset header field.

262 | httpAcceptEncoding | string | - | - | - | -

HTTP Accept-Encoding header field.

263 | httpAllow | string | - | - | - | -

HTTP Allow header field.

264 | httpDate | string | - | - | - | -

HTTP Date header field.

265 | httpExpect | string | - | - | - | -

HTTP Expect header field.

266 | httpFrom | string | - | - | - | -

HTTP From header field.

267 | httpProxyAuthentication | string | - | - | - | -

HTTP Proxy Authentication field.

268 | httpUpgrade | string | - | - | - | -

HTTP Upgrade header field.

269 | httpWarning | string | - | - | - | -

HTTP Warning header field.

270 | httpDNT | string | - | - | - | -

HTTP DNT header field.

271 | httpX-Forwarded-Proto | string | - | - | - | -

HTTP X-Forwarded-Proto header field.

272 | httpX-Forwarded-Host | string | - | - | - | -

HTTP X-Forwarded-Host header field.

273 | httpX-Forwarded-Server | string | - | - | - | -

HTTP X-Forwarded-Server header field.

274 | httpX-DeviceID | string | - | - | - | -

HTTP X-Device ID header field.

275 | httpX-Profile | string | - | - | - | -

HTTP X-Profile header field.

276 | httpLastModified | string | - | - | - | -

HTTP Last-Modified header field.

277 | httpContentEncoding | string | - | - | - | -

HTTP Content-Encoding header field.

278 | httpContentLanguage | string | - | - | - | -

HTTP Content-Language header field.

279 | httpContentLocation | string | - | - | - | -

HTTP Content-Location header field.

280 | httpX-UA-Compatible | string | - | - | - | -

HTTP X-UA-Compatible header field.

281 | dnp3SourceAddress | unsigned16 | - | - | - | -

The DNP3 Source Address found in the Data Link Layer of the DNP header.

282 | dnp3DestinationAddress | unsigned16 | - | - | - | -

The DNP3 Destination Address found in the Data Link Layer of the DNP header.

283 | dnp3Function | unsigned8 | - | - | - | -

The DNP3 Function Code found in the first byte of the Application Layer.

284 | dnp3ObjectData | octetArray | - | - | - | -

The pattern captured from the DNP3 regular expression.

285 | modbusData | octetArray | - | - | - | -
286 | ethernetIPData | octetArray | - | - | - | -
287 | rtpPayloadType 🔄 | unsigned8 | - | - | - | -

The payload type in the RTP header of the first payload in the forward direction.

288 | sslRecordVersion | unsigned16 | - | - | - | -

sslRecordVersion is the version of SSL or TLS that was used in the flow.

289 | mptcpInitialDataSequenceNumber | unsigned64 | - | - | - | -
290 | mptcpReceiverToken | unsigned32 | identifier | - | - | -
291 | mptcpMaximumSegmentSize | unsigned16 | - | - | - | -
292 | mptcpAddressID | unsigned8 | identifier | - | - | -
293 | mptcpFlags | unsigned8 | flags | - | - | -
294 | sslServerName | string | - | - | - | -

The server name from the SSL/TLS ClientHello. This is typically the name of the server that the client is connecting to.

295 | sslCertificateHash | octetArray | - | - | - | -

The hash of the X.509 certificate.

296 | sslCertificate | octetArray | - | - | - | -
297 | dhcpOption | unsigned8 | - | - | - | -

The list of requested parameters found in DHCP Option 55.

298 | sslCertificateSHA1 | octetArray | - | - | - | -
299 | sslCertificateMD5 | octetArray | - | - | - | -
300 | nDPIL7Protocol | unsigned16 | identifier | - | - | -
301 | nDPIL7SubProtocol | unsigned16 | identifier | - | - | -
302 | rrIPv4 | ipv4Address | - | - | - | -

IPv4 address that a DNS query resolved to in a resource record. It is from the yaf-DNS template. Called rrIPv4 instead of sourceIPv4Address for disambiguation purposes.

303 | rrIPv6 | ipv6Address | - | - | - | -

IPv6 address that a DNS query resolved to in a resource record. It is from the yaf-DNS template. Called rrIPv6 instead of sourceIPv6Address for disambiguation purposes.

304 | DNSKEY_protocolIdentifier | unsigned8 | - | - | - | -

Protocol field from a DNSKEY record, as emitted by YAF.

305 | DNS_A_RECORD | subTemplateList | - | - | - | -

Element holding an entire DNS A record, which is a subTemplateList when emitted from YAF. This is used in Analysis Pipeline for fast flux detection.

306 | DNS_AAAA_RECORD | subTemplateList | - | - | - | -

Element holding an entire DNS AAAA record, which is a subTemplateList when emitted from YAF. This is used in Analysis Pipeline for fast flux detection.

307-499 | Unassigned | - | - | - | - | -
500 | smallPacketCount 🔄 | unsigned32 | totalCounter | packets | - | -
501 | nonEmptyPacketCount 🔄 | unsigned32 | totalCounter | packets | - | -
502 | dataByteCount 🔄 | unsigned64 | totalCounter | octets | - | -
503 | averageInterarrivalTime 🔄 | unsigned64 | - | milliseconds | - | -
504 | standardDeviationInterarrivalTime 🔄 | unsigned64 | - | milliseconds | - | -
505 | firstNonEmptyPacketSize 🔄 | unsigned16 | quantity | octets | - | -
506 | maxPacketSize 🔄 | unsigned16 | quantity | octets | - | -
507 | firstEightNonEmptyPacketDirections 🔄 | unsigned8 | flags | - | - | -
508 | standardDeviationPayloadLength 🔄 | unsigned16 | - | octets | - | -
509 | tcpUrgentCount 🔄 | unsigned32 | totalCounter | packets | - | -
510 | largePacketCount 🔄 | unsigned32 | totalCounter | packets | - | -
511-549 | Unassigned | - | - | - | - | -
550 | tombstoneId | unsigned32 | identifier | - | - | -
551 | exporterConfiguredId | unsigned16 | identifier | - | - | -
552 | exporterUniqueId | unsigned16 | identifier | - | - | -
553-926 | Unassigned | - | - | - | - | -
927 | dnsRName | string | - | - | - | -
928 | dnsHitCount | unsigned16 | - | - | - | -
929 | observedDataTotalCount | unsigned64 | totalCounter | - | - | -
930 | observedData | octetArray | - | - | - | -
931-999 | Unassigned | - | - | - | - | -
1000 | templateName | string | - | - | - | -
1001 | templateDescription | string | - | - | - | -
1002-16383 | Unassigned | - | - | - | - | -

People

ID | Name | Contact URI | Last Updated
[Netsa_Tools] | Netsa Tools Help | mailto:netsa-help@cert.org | 2018-05-01