00061 #ifndef CERT_IE_H_
00062 #define CERT_IE_H_
00063
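/*
 * Shorthand for the flag argument of FB_IE_INIT in the tables below.
 *
 * ER is parenthesized so that it stays a single operand wherever it is
 * expanded; without the parentheses an expression such as `ER & mask`
 * would bind as `FB_IE_F_ENDIAN | (FB_IE_F_REVERSIBLE & mask)`.
 *
 * NOTE(review): NONE and ER are very short, generic names and no #undef is
 * visible in this header, so every file that includes it sees them.
 */
#define NONE FB_IE_F_NONE
#define ER   (FB_IE_F_ENDIAN | FB_IE_F_REVERSIBLE)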
00066
/**
 * Information elements registered under the CERT_PEN enterprise number for
 * flow-level records.
 *
 * Each FB_IE_INIT entry lists, in order: element name, enterprise number,
 * element id, length in octets (FB_IE_VARLEN for variable length) and the
 * element flags.  FB_IE_NULL terminates the table.
 *
 * NOTE(review): the names "payload", "firstPacketBanner" and
 * "secondPacketBanner" suggest that these elements carry bytes taken from
 * the observed traffic.  If the exporter fills them, records containing
 * them should be stored and shared as sensitive data -- confirm against the
 * exporting code.
 */
static fbInfoElement_t yaf_info_elements[] = {
    /* element ids below 100, plus 107 */
    FB_IE_INIT("initialTCPFlags", CERT_PEN, 14, 1, ER),
    FB_IE_INIT("unionTCPFlags", CERT_PEN, 15, 1, ER),
    FB_IE_INIT("payload", CERT_PEN, 18, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
    FB_IE_INIT("reverseFlowDeltaMilliseconds", CERT_PEN, 21, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("silkAppLabel", CERT_PEN, 33, 2, FB_IE_F_ENDIAN),
    FB_IE_INIT("payloadEntropy", CERT_PEN, 35, 1, FB_IE_F_REVERSIBLE),
    FB_IE_INIT("osName", CERT_PEN, 36, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
    FB_IE_INIT("osVersion", CERT_PEN, 37, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
    FB_IE_INIT("firstPacketBanner", CERT_PEN, 38, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
    FB_IE_INIT("secondPacketBanner", CERT_PEN, 39, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
    FB_IE_INIT("flowAttributes", CERT_PEN, 40, 2, ER),
    FB_IE_INIT("osFingerPrint", CERT_PEN, 107, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),

    /* element ids 100-105: fixed 4-octet counters and rates */
    FB_IE_INIT("expiredFragmentCount", CERT_PEN, 100, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("assembledFragmentCount", CERT_PEN, 101, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("meanFlowRate", CERT_PEN, 102, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("meanPacketRate", CERT_PEN, 103, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("flowTableFlushEventCount", CERT_PEN, 104, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("flowTablePeakCount", CERT_PEN, 105, 4, FB_IE_F_ENDIAN),

    /* element ids 500-510: all endian-converted and reversible */
    FB_IE_INIT("smallPacketCount", CERT_PEN, 500, 4, ER),
    FB_IE_INIT("nonEmptyPacketCount", CERT_PEN, 501, 4, ER),
    FB_IE_INIT("dataByteCount", CERT_PEN, 502, 8, ER),
    FB_IE_INIT("averageInterarrivalTime", CERT_PEN, 503, 8, ER),
    FB_IE_INIT("standardDeviationInterarrivalTime", CERT_PEN, 504, 8, ER),
    FB_IE_INIT("firstNonEmptyPacketSize", CERT_PEN, 505, 2, ER),
    FB_IE_INIT("maxPacketSize", CERT_PEN, 506, 2, ER),
    FB_IE_INIT("firstEightNonEmptyPacketDirections", CERT_PEN, 507, 1, ER),
    FB_IE_INIT("standardDeviationPayloadLength", CERT_PEN, 508, 2, ER),
    FB_IE_INIT("tcpUrgentCount", CERT_PEN, 509, 4, ER),
    FB_IE_INIT("largePacketCount", CERT_PEN, 510, 4, ER),

    FB_IE_NULL
};
00108
00109
00110
00111 #if YAF_ENABLE_HOOKS
/**
 * Information elements registered under CERT_PEN for application-layer
 * (deep packet inspection) fields.  This table sits inside the
 * YAF_ENABLE_HOOKS conditional.
 *
 * Each FB_IE_INIT entry lists, in order: element name, enterprise number,
 * element id, length in octets (FB_IE_VARLEN for variable length) and the
 * element flags.  Fixed-length entries here use FB_IE_F_ENDIAN; the
 * variable-length ones use NONE.  FB_IE_NULL terminates the table.
 *
 * NOTE(review): names such as "ftpPass", "httpAuthorization", "httpCookie",
 * "httpSetCookie", "imapLogin", "imapAuthenticate", "mysqlUsername" and
 * "httpIMEI"/"httpIMSI"/"httpMSISDN" suggest that these elements can hold
 * credentials, session tokens or subscriber identifiers seen in cleartext
 * traffic.  If the exporter fills them, the collectors and flow stores that
 * receive these records need access control and retention limits to match
 * -- confirm which elements are enabled in a given deployment.
 */
static fbInfoElement_t yaf_dpi_info_elements[] = {
    /* HTTP */
    FB_IE_INIT("httpServerString", CERT_PEN, 110, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpUserAgent", CERT_PEN, 111, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpGet", CERT_PEN, 112, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpConnection", CERT_PEN, 113, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpVersion", CERT_PEN, 114, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpReferer", CERT_PEN, 115, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpLocation", CERT_PEN, 116, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpHost", CERT_PEN, 117, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpContentLength", CERT_PEN, 118, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpAge", CERT_PEN, 119, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpAccept", CERT_PEN, 120, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpAcceptLanguage", CERT_PEN, 121, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpContentType", CERT_PEN, 122, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpResponse", CERT_PEN, 123, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpCookie", CERT_PEN, 220, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpSetCookie", CERT_PEN, 221, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpAuthorization", CERT_PEN, 252, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpVia", CERT_PEN, 253, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpX-Forwarded-For", CERT_PEN, 254, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpRefresh", CERT_PEN, 256, FB_IE_VARLEN, NONE),

    /* HTTP, ids 257-260 */
    FB_IE_INIT("httpIMEI", CERT_PEN, 257, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpIMSI", CERT_PEN, 258, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpMSISDN", CERT_PEN, 259, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpSubscriber", CERT_PEN, 260, FB_IE_VARLEN, NONE),

    /* HTTP, id 255 and ids 261-280 */
    FB_IE_INIT("httpExpires", CERT_PEN, 255, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpAcceptCharset", CERT_PEN, 261, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpAcceptEncoding", CERT_PEN, 262, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpAllow", CERT_PEN, 263, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpDate", CERT_PEN, 264, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpExpect", CERT_PEN, 265, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpFrom", CERT_PEN, 266, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpProxyAuthentication", CERT_PEN, 267, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpUpgrade", CERT_PEN, 268, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpWarning", CERT_PEN, 269, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpDNT", CERT_PEN, 270, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpX-Forwarded-Proto", CERT_PEN, 271, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpX-Forwarded-Host", CERT_PEN, 272, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpX-Forwarded-Server", CERT_PEN, 273, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpX-DeviceID", CERT_PEN, 274, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpX-Profile", CERT_PEN, 275, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpLastModified", CERT_PEN, 276, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpContentEncoding", CERT_PEN, 277, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpContentLanguage", CERT_PEN, 278, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpContentLocation", CERT_PEN, 279, FB_IE_VARLEN, NONE),
    FB_IE_INIT("httpX-UA-Compatible", CERT_PEN, 280, FB_IE_VARLEN, NONE),

    /* POP3 */
    FB_IE_INIT("pop3TextMessage", CERT_PEN, 124, FB_IE_VARLEN, NONE),

    /* IRC */
    FB_IE_INIT("ircTextMessage", CERT_PEN, 125, FB_IE_VARLEN, NONE),

    /* TFTP */
    FB_IE_INIT("tftpFilename", CERT_PEN, 126, FB_IE_VARLEN, NONE),
    FB_IE_INIT("tftpMode", CERT_PEN, 127, FB_IE_VARLEN, NONE),

    /* SLP */
    FB_IE_INIT("slpVersion", CERT_PEN, 128, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("slpMessageType", CERT_PEN, 129, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("slpString", CERT_PEN, 130, FB_IE_VARLEN, NONE),

    /* FTP */
    FB_IE_INIT("ftpReturn", CERT_PEN, 131, FB_IE_VARLEN, NONE),
    FB_IE_INIT("ftpUser", CERT_PEN, 132, FB_IE_VARLEN, NONE),
    FB_IE_INIT("ftpPass", CERT_PEN, 133, FB_IE_VARLEN, NONE),
    FB_IE_INIT("ftpType", CERT_PEN, 134, FB_IE_VARLEN, NONE),
    FB_IE_INIT("ftpRespCode", CERT_PEN, 135, FB_IE_VARLEN, NONE),

    /* IMAP */
    FB_IE_INIT("imapCapability", CERT_PEN, 136, FB_IE_VARLEN, NONE),
    FB_IE_INIT("imapLogin", CERT_PEN, 137, FB_IE_VARLEN, NONE),
    FB_IE_INIT("imapStartTLS", CERT_PEN, 138, FB_IE_VARLEN, NONE),
    FB_IE_INIT("imapAuthenticate", CERT_PEN, 139, FB_IE_VARLEN, NONE),
    FB_IE_INIT("imapCommand", CERT_PEN, 140, FB_IE_VARLEN, NONE),
    FB_IE_INIT("imapExists", CERT_PEN, 141, FB_IE_VARLEN, NONE),
    FB_IE_INIT("imapRecent", CERT_PEN, 142, FB_IE_VARLEN, NONE),

    /* RTSP */
    FB_IE_INIT("rtspURL", CERT_PEN, 143, FB_IE_VARLEN, NONE),
    FB_IE_INIT("rtspVersion", CERT_PEN, 144, FB_IE_VARLEN, NONE),
    FB_IE_INIT("rtspReturnCode", CERT_PEN, 145, FB_IE_VARLEN, NONE),
    FB_IE_INIT("rtspContentLength", CERT_PEN, 146, FB_IE_VARLEN, NONE),
    FB_IE_INIT("rtspCommand", CERT_PEN, 147, FB_IE_VARLEN, NONE),
    FB_IE_INIT("rtspContentType", CERT_PEN, 148, FB_IE_VARLEN, NONE),
    FB_IE_INIT("rtspTransport", CERT_PEN, 149, FB_IE_VARLEN, NONE),
    FB_IE_INIT("rtspCSeq", CERT_PEN, 150, FB_IE_VARLEN, NONE),
    FB_IE_INIT("rtspLocation", CERT_PEN, 151, FB_IE_VARLEN, NONE),
    FB_IE_INIT("rtspPacketsReceived", CERT_PEN, 152, FB_IE_VARLEN, NONE),
    FB_IE_INIT("rtspUserAgent", CERT_PEN, 153, FB_IE_VARLEN, NONE),
    FB_IE_INIT("rtspJitter", CERT_PEN, 154, FB_IE_VARLEN, NONE),

    /* SIP */
    FB_IE_INIT("sipInvite", CERT_PEN, 155, FB_IE_VARLEN, NONE),
    FB_IE_INIT("sipCommand", CERT_PEN, 156, FB_IE_VARLEN, NONE),
    FB_IE_INIT("sipVia", CERT_PEN, 157, FB_IE_VARLEN, NONE),
    FB_IE_INIT("sipMaxForwards", CERT_PEN, 158, FB_IE_VARLEN, NONE),
    FB_IE_INIT("sipAddress", CERT_PEN, 159, FB_IE_VARLEN, NONE),
    FB_IE_INIT("sipContentLength", CERT_PEN, 160, FB_IE_VARLEN, NONE),
    FB_IE_INIT("sipUserAgent", CERT_PEN, 161, FB_IE_VARLEN, NONE),

    /* SMTP */
    FB_IE_INIT("smtpHello", CERT_PEN, 162, FB_IE_VARLEN, NONE),
    FB_IE_INIT("smtpFrom", CERT_PEN, 163, FB_IE_VARLEN, NONE),
    FB_IE_INIT("smtpTo", CERT_PEN, 164, FB_IE_VARLEN, NONE),
    FB_IE_INIT("smtpContentType", CERT_PEN, 165, FB_IE_VARLEN, NONE),
    FB_IE_INIT("smtpSubject", CERT_PEN, 166, FB_IE_VARLEN, NONE),
    FB_IE_INIT("smtpFilename", CERT_PEN, 167, FB_IE_VARLEN, NONE),
    FB_IE_INIT("smtpContentDisposition", CERT_PEN, 168, FB_IE_VARLEN, NONE),
    FB_IE_INIT("smtpResponse", CERT_PEN, 169, FB_IE_VARLEN, NONE),
    FB_IE_INIT("smtpEnhanced", CERT_PEN, 170, FB_IE_VARLEN, NONE),
    FB_IE_INIT("smtpSize", CERT_PEN, 222, FB_IE_VARLEN, NONE),
    FB_IE_INIT("smtpDate", CERT_PEN, 251, FB_IE_VARLEN, NONE),

    /* SSH */
    FB_IE_INIT("sshVersion", CERT_PEN, 171, FB_IE_VARLEN, NONE),

    /* NNTP */
    FB_IE_INIT("nntpResponse", CERT_PEN, 172, FB_IE_VARLEN, NONE),
    FB_IE_INIT("nntpCommand", CERT_PEN, 173, FB_IE_VARLEN, NONE),

    /* DNS, ids 174-184, 199, 208-219 and 226 */
    FB_IE_INIT("dnsQueryResponse", CERT_PEN, 174, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsQRType", CERT_PEN, 175, 2, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsAuthoritative", CERT_PEN, 176, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsNXDomain", CERT_PEN, 177, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsRRSection", CERT_PEN, 178, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsQName", CERT_PEN, 179, FB_IE_VARLEN, NONE),
    FB_IE_INIT("dnsCName", CERT_PEN, 180, FB_IE_VARLEN, NONE),
    FB_IE_INIT("dnsMXPreference", CERT_PEN, 181, 2, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsMXExchange", CERT_PEN, 182, FB_IE_VARLEN, NONE),
    FB_IE_INIT("dnsNSDName", CERT_PEN, 183, FB_IE_VARLEN, NONE),
    FB_IE_INIT("dnsPTRDName", CERT_PEN, 184, FB_IE_VARLEN, NONE),
    FB_IE_INIT("dnsTTL", CERT_PEN, 199, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsTXTData", CERT_PEN, 208, FB_IE_VARLEN, NONE),
    FB_IE_INIT("dnsSOASerial", CERT_PEN, 209, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSOARefresh", CERT_PEN, 210, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSOARetry", CERT_PEN, 211, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSOAExpire", CERT_PEN, 212, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSOAMinimum", CERT_PEN, 213, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSOAMName", CERT_PEN, 214, FB_IE_VARLEN, NONE),
    FB_IE_INIT("dnsSOARName", CERT_PEN, 215, FB_IE_VARLEN, NONE),
    FB_IE_INIT("dnsSRVPriority", CERT_PEN, 216, 2, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSRVWeight", CERT_PEN, 217, 2, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSRVPort", CERT_PEN, 218, 2, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSRVTarget", CERT_PEN, 219, FB_IE_VARLEN, NONE),
    FB_IE_INIT("dnsID", CERT_PEN, 226, 2, FB_IE_F_ENDIAN),

    /* DNS, ids 227-241 */
    FB_IE_INIT("dnsAlgorithm", CERT_PEN, 227, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsKeyTag", CERT_PEN, 228, 2, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSigner", CERT_PEN, 229, FB_IE_VARLEN, NONE),
    FB_IE_INIT("dnsSignature", CERT_PEN, 230, FB_IE_VARLEN, NONE),
    FB_IE_INIT("dnsDigest", CERT_PEN, 231, FB_IE_VARLEN, NONE),
    FB_IE_INIT("dnsPublicKey", CERT_PEN, 232, FB_IE_VARLEN, NONE),
    FB_IE_INIT("dnsSalt", CERT_PEN, 233, FB_IE_VARLEN, NONE),
    FB_IE_INIT("dnsHashData", CERT_PEN, 234, FB_IE_VARLEN, NONE),
    FB_IE_INIT("dnsIterations", CERT_PEN, 235, 2, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSignatureExpiration", CERT_PEN, 236, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsSignatureInception", CERT_PEN, 237, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsDigestType", CERT_PEN, 238, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsLabels", CERT_PEN, 239, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsTypeCovered", CERT_PEN, 240, 2, FB_IE_F_ENDIAN),
    FB_IE_INIT("dnsFlags", CERT_PEN, 241, 2, FB_IE_F_ENDIAN),

    /* SSL */
    FB_IE_INIT("sslCipher", CERT_PEN, 185, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslClientVersion", CERT_PEN, 186, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslServerCipher", CERT_PEN, 187, 4, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCompressionMethod", CERT_PEN, 188, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertVersion", CERT_PEN, 189, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslCertSignature", CERT_PEN, 190, FB_IE_VARLEN, NONE),
    FB_IE_INIT("sslCertSerialNumber", CERT_PEN, 244, FB_IE_VARLEN, NONE),
    FB_IE_INIT("sslObjectType", CERT_PEN, 245, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("sslObjectValue", CERT_PEN, 246, FB_IE_VARLEN, NONE),
    FB_IE_INIT("sslCertValidityNotBefore", CERT_PEN, 247, FB_IE_VARLEN, NONE),
    FB_IE_INIT("sslCertValidityNotAfter", CERT_PEN, 248, FB_IE_VARLEN, NONE),
    FB_IE_INIT("sslPublicKeyAlgorithm", CERT_PEN, 249, FB_IE_VARLEN, NONE),
    FB_IE_INIT("sslPublicKeyLength", CERT_PEN, 250, 2, FB_IE_F_ENDIAN),

    /* MySQL */
    FB_IE_INIT("mysqlUsername", CERT_PEN, 223, FB_IE_VARLEN, NONE),
    FB_IE_INIT("mysqlCommandCode", CERT_PEN, 224, 1, FB_IE_F_ENDIAN),
    FB_IE_INIT("mysqlCommandText", CERT_PEN, 225, FB_IE_VARLEN, NONE),

    FB_IE_NULL
};
00286
/**
 * DHCP information elements registered under CERT_PEN (ids 242 and 243).
 * Both are variable length and flagged reversible.  This table sits inside
 * the YAF_ENABLE_HOOKS conditional.  FB_IE_NULL terminates it.
 */
static fbInfoElement_t yaf_dhcp_info_elements[] = {
    FB_IE_INIT("dhcpFingerPrint", CERT_PEN, 242, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
    FB_IE_INIT("dhcpVendorCode", CERT_PEN, 243, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
    FB_IE_NULL
};
00294
00295
00296 #endif
00297
00298 #endif