CERT_IE.h
1 /*
2  *
3  ** @file CERT_IE.h
4  ** Definition of the CERT "standard" information elements extension to
5  ** the IETF standard RFC 5102 information elements
6  **
7  ** ------------------------------------------------------------------------
8  ** Copyright (C) 2009-2017 Carnegie Mellon University. All Rights Reserved.
9  ** ------------------------------------------------------------------------
10  ** Authors: Brian Trammell, Chris Inacio, Emily Ecoff <ecoff@cert.org>
11  ** <netsa-help@cert.org>
12  ** ------------------------------------------------------------------------
13  ** Use of the YAF system and related source code is subject to the terms
14  ** of the following licenses:
15  **
16  ** GNU Public License (GPL) Rights pursuant to Version 2, June 1991
17  ** Government Purpose License Rights (GPLR) pursuant to DFARS 252.227.7013
18  **
19  ** NO WARRANTY
20  **
21  ** ANY INFORMATION, MATERIALS, SERVICES, INTELLECTUAL PROPERTY OR OTHER
22  ** PROPERTY OR RIGHTS GRANTED OR PROVIDED BY CARNEGIE MELLON UNIVERSITY
23  ** PURSUANT TO THIS LICENSE (HEREINAFTER THE "DELIVERABLES") ARE ON AN
24  ** "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY
25  ** KIND, EITHER EXPRESS OR IMPLIED AS TO ANY MATTER INCLUDING, BUT NOT
26  ** LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE,
27  ** MERCHANTABILITY, INFORMATIONAL CONTENT, NONINFRINGEMENT, OR ERROR-FREE
28  ** OPERATION. CARNEGIE MELLON UNIVERSITY SHALL NOT BE LIABLE FOR INDIRECT,
29  ** SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS LOSS OF PROFITS OR INABILITY
30  ** TO USE SAID INTELLECTUAL PROPERTY, UNDER THIS LICENSE, REGARDLESS OF
31  ** WHETHER SUCH PARTY WAS AWARE OF THE POSSIBILITY OF SUCH DAMAGES.
32  ** LICENSEE AGREES THAT IT WILL NOT MAKE ANY WARRANTY ON BEHALF OF
33  ** CARNEGIE MELLON UNIVERSITY, EXPRESS OR IMPLIED, TO ANY PERSON
34  ** CONCERNING THE APPLICATION OF OR THE RESULTS TO BE OBTAINED WITH THE
35  ** DELIVERABLES UNDER THIS LICENSE.
36  **
37  ** Licensee hereby agrees to defend, indemnify, and hold harmless Carnegie
38  ** Mellon University, its trustees, officers, employees, and agents from
39  ** all claims or demands made against them (and any related losses,
40  ** expenses, or attorney's fees) arising out of, or relating to Licensee's
41  ** and/or its sub licensees' negligent use or willful misuse of or
42  ** negligent conduct or willful misconduct regarding the Software,
43  ** facilities, or other rights or assistance granted by Carnegie Mellon
44  ** University under this License, including, but not limited to, any
45  ** claims of product liability, personal injury, death, damage to
46  ** property, or violation of any laws or regulations.
47  **
48  ** Carnegie Mellon University Software Engineering Institute authored
49  ** documents are sponsored by the U.S. Department of Defense under
50  ** Contract FA8721-05-C-0003. Carnegie Mellon University retains
51  ** copyrights in all material produced under this contract. The U.S.
52  ** Government retains a non-exclusive, royalty-free license to publish or
53  ** reproduce these documents, or allow others to do so, for U.S.
54  ** Government purposes only pursuant to the copyright license under the
55  ** contract clause at 252.227.7013.
56  **
57  ** ------------------------------------------------------------------------
58  */
59 
60 
61 #ifndef CERT_IE_H_
62 #define CERT_IE_H_
63 
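/*
 * Shorthand for the flag combinations used by the information element
 * tables in this header.
 *
 *   NONE - FB_IE_F_NONE, i.e. no flags.
 *   ER   - FB_IE_F_ENDIAN combined with FB_IE_F_REVERSIBLE.
 *
 * ER is parenthesized so that it always expands as a single operand.
 * Without the parentheses an expression such as `ER & mask` would apply
 * the `&` to FB_IE_F_REVERSIBLE only.  Every use visible in this header is
 * either a bare `ER` or `ER | ...`, so the resulting values are unchanged.
 *
 * NOTE(review): both names are short and unprefixed, and no #undef is
 * visible in this header, so they stay defined for every file that
 * includes it -- confirm nothing else in the build defines NONE or ER.
 */
#define NONE FB_IE_F_NONE
#define ER (FB_IE_F_ENDIAN | FB_IE_F_REVERSIBLE)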
66 
/*
 * Flow-level information elements registered under the CERT enterprise
 * number (CERT_PEN).  The table ends with the FB_IE_NULL sentinel.
 *
 * Each FB_IE_INIT_FULL entry lists, in order: element name, enterprise
 * number, element id, length in octets (or FB_IE_VARLEN), flags, two
 * values that are 0 throughout this table (presumably the value range --
 * confirm against the fixbuf headers), data type, and a description
 * pointer that is NULL throughout.
 *
 * NOTE(review): "payload", "firstPacketBanner" and "secondPacketBanner"
 * are variable-length octet arrays and, going by their names, carry
 * captured packet content.  If so, exported records can contain
 * credentials or personal data, and the export channel and the collector's
 * storage need protection to match -- confirm which capture options
 * populate them.
 *
 * NOTE(review): the table is `static` in a header, so every translation
 * unit that includes this file gets its own copy.
 */
static fbInfoElement_t yaf_info_elements[] = {
    /* TCP flags and payload */
    FB_IE_INIT_FULL("initialTCPFlags", CERT_PEN, 14, 1,
                    ER | FB_IE_FLAGS, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("unionTCPFlags", CERT_PEN, 15, 1,
                    ER | FB_IE_FLAGS, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("payload", CERT_PEN, 18, FB_IE_VARLEN,
                    FB_IE_F_REVERSIBLE, 0, 0, FB_OCTET_ARRAY, NULL),
    FB_IE_INIT_FULL("reverseFlowDeltaMilliseconds", CERT_PEN, 21, 4,
                    FB_IE_F_ENDIAN | FB_IE_QUANTITY | FB_UNITS_MILLISECONDS,
                    0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("silkAppLabel", CERT_PEN, 33, 2,
                    FB_IE_F_ENDIAN | FB_IE_IDENTIFIER,
                    0, 0, FB_UINT_16, NULL),
    FB_IE_INIT_FULL("payloadEntropy", CERT_PEN, 35, 1,
                    ER, 0, 0, FB_UINT_8, NULL),

    /* OS identification and first-packet banners */
    FB_IE_INIT_FULL("osName", CERT_PEN, 36, FB_IE_VARLEN,
                    FB_IE_F_REVERSIBLE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("osVersion", CERT_PEN, 37, FB_IE_VARLEN,
                    FB_IE_F_REVERSIBLE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("firstPacketBanner", CERT_PEN, 38, FB_IE_VARLEN,
                    FB_IE_F_REVERSIBLE, 0, 0, FB_OCTET_ARRAY, NULL),
    FB_IE_INIT_FULL("secondPacketBanner", CERT_PEN, 39, FB_IE_VARLEN,
                    FB_IE_F_REVERSIBLE, 0, 0, FB_OCTET_ARRAY, NULL),
    FB_IE_INIT_FULL("flowAttributes", CERT_PEN, 40, 2,
                    ER | FB_IE_FLAGS, 0, 0, FB_UINT_16, NULL),
    FB_IE_INIT_FULL("osFingerPrint", CERT_PEN, 107, FB_IE_VARLEN,
                    FB_IE_F_REVERSIBLE, 0, 0, FB_STRING, NULL),

    /* fragment, rate and flow-table counters */
    FB_IE_INIT_FULL("expiredFragmentCount", CERT_PEN, 100, 4,
                    FB_IE_F_ENDIAN | FB_IE_TOTALCOUNTER | FB_UNITS_PACKETS,
                    0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("assembledFragmentCount", CERT_PEN, 101, 4,
                    FB_IE_F_ENDIAN | FB_IE_TOTALCOUNTER | FB_UNITS_PACKETS,
                    0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("meanFlowRate", CERT_PEN, 102, 4,
                    FB_IE_F_ENDIAN | FB_UNITS_FLOWS,
                    0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("meanPacketRate", CERT_PEN, 103, 4,
                    FB_IE_F_ENDIAN | FB_UNITS_PACKETS,
                    0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("flowTableFlushEventCount", CERT_PEN, 104, 4,
                    FB_IE_F_ENDIAN | FB_UNITS_FLOWS | FB_IE_TOTALCOUNTER,
                    0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("flowTablePeakCount", CERT_PEN, 105, 4,
                    FB_IE_F_ENDIAN | FB_UNITS_FLOWS,
                    0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("yafFlowKeyHash", CERT_PEN, 106, 4,
                    FB_IE_F_ENDIAN | FB_IE_IDENTIFIER,
                    0, 0, FB_UINT_32, NULL),

    /* mptcp */
    FB_IE_INIT_FULL("mptcpInitialDataSequenceNumber", CERT_PEN, 289, 8,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_64, NULL),
    FB_IE_INIT_FULL("mptcpReceiverToken", CERT_PEN, 290, 4,
                    FB_IE_F_ENDIAN | FB_IE_IDENTIFIER,
                    0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("mptcpMaximumSegmentSize", CERT_PEN, 291, 2,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_16, NULL),
    FB_IE_INIT_FULL("mptcpAddressID", CERT_PEN, 292, 1,
                    FB_IE_F_ENDIAN | FB_IE_IDENTIFIER,
                    0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("mptcpFlags", CERT_PEN, 293, 1,
                    FB_IE_F_ENDIAN | FB_IE_FLAGS,
                    0, 0, FB_UINT_8, NULL),

    /* nDPI labels */
    FB_IE_INIT_FULL("nDPIL7Protocol", CERT_PEN, 300, 2,
                    FB_IE_F_ENDIAN | FB_IE_IDENTIFIER,
                    0, 0, FB_UINT_16, NULL),
    FB_IE_INIT_FULL("nDPIL7SubProtocol", CERT_PEN, 301, 2,
                    FB_IE_F_ENDIAN | FB_IE_IDENTIFIER,
                    0, 0, FB_UINT_16, NULL),

    /* flow stats */
    FB_IE_INIT_FULL("smallPacketCount", CERT_PEN, 500, 4,
                    ER | FB_IE_TOTALCOUNTER | FB_UNITS_PACKETS,
                    0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("nonEmptyPacketCount", CERT_PEN, 501, 4,
                    ER | FB_IE_TOTALCOUNTER | FB_UNITS_PACKETS,
                    0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("dataByteCount", CERT_PEN, 502, 8,
                    ER | FB_IE_TOTALCOUNTER | FB_UNITS_OCTETS,
                    0, 0, FB_UINT_64, NULL),
    FB_IE_INIT_FULL("averageInterarrivalTime", CERT_PEN, 503, 8,
                    ER | FB_UNITS_MILLISECONDS,
                    0, 0, FB_UINT_64, NULL),
    FB_IE_INIT_FULL("standardDeviationInterarrivalTime", CERT_PEN, 504, 8,
                    ER | FB_UNITS_MILLISECONDS,
                    0, 0, FB_UINT_64, NULL),
    FB_IE_INIT_FULL("firstNonEmptyPacketSize", CERT_PEN, 505, 2,
                    ER | FB_IE_QUANTITY | FB_UNITS_OCTETS,
                    0, 0, FB_UINT_16, NULL),
    FB_IE_INIT_FULL("maxPacketSize", CERT_PEN, 506, 2,
                    ER | FB_IE_QUANTITY | FB_UNITS_OCTETS,
                    0, 0, FB_UINT_16, NULL),
    FB_IE_INIT_FULL("firstEightNonEmptyPacketDirections", CERT_PEN, 507, 1,
                    ER | FB_IE_FLAGS, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("standardDeviationPayloadLength", CERT_PEN, 508, 2,
                    ER | FB_UNITS_OCTETS, 0, 0, FB_UINT_16, NULL),
    FB_IE_INIT_FULL("tcpUrgentCount", CERT_PEN, 509, 4,
                    ER | FB_IE_TOTALCOUNTER | FB_UNITS_PACKETS,
                    0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("largePacketCount", CERT_PEN, 510, 4,
                    ER | FB_IE_TOTALCOUNTER | FB_UNITS_PACKETS,
                    0, 0, FB_UINT_32, NULL),

    FB_IE_NULL
};
164 
165 /* IE numbers 110-299 */
166 
167 #if YAF_ENABLE_HOOKS
168 
/*
 * Application-protocol information elements registered under the CERT
 * enterprise number (CERT_PEN).  The table is compiled only when
 * YAF_ENABLE_HOOKS is set and ends with the FB_IE_NULL sentinel.
 *
 * Each FB_IE_INIT_FULL entry lists, in order: element name, enterprise
 * number, element id, length in octets (or FB_IE_VARLEN), flags, two
 * values that are 0 throughout this table (presumably the value range --
 * confirm against the fixbuf headers), data type, and a description
 * pointer that is NULL throughout.
 *
 * NOTE(review): several element names indicate authentication material or
 * subscriber identifiers: httpAuthorization, httpProxyAuthentication,
 * httpCookie, httpSetCookie, ftpUser, ftpPass, imapLogin,
 * imapAuthenticate, mysqlUsername, httpIMEI, httpIMSI, httpMSISDN and
 * httpSubscriber.  If these are filled from cleartext traffic, every
 * exported record and every stored copy holds those values, so the export
 * transport, collector access control and retention need to be sized for
 * secrets and personal data -- confirm in the plugin configuration which
 * of them are enabled.
 *
 * NOTE(review): element ids are not in ascending order within a section
 * (for example httpCookie is 220 and smtpSize is 222), so check the whole
 * table, not just the neighbouring entries, before assigning a new id.
 */
static fbInfoElement_t yaf_dpi_info_elements[] = {
    /* http IEs */
    FB_IE_INIT_FULL("httpServerString", CERT_PEN, 110, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpUserAgent", CERT_PEN, 111, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpGet", CERT_PEN, 112, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpConnection", CERT_PEN, 113, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpVersion", CERT_PEN, 114, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpReferer", CERT_PEN, 115, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpLocation", CERT_PEN, 116, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpHost", CERT_PEN, 117, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpContentLength", CERT_PEN, 118, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpAge", CERT_PEN, 119, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpAccept", CERT_PEN, 120, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpAcceptLanguage", CERT_PEN, 121, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpContentType", CERT_PEN, 122, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpResponse", CERT_PEN, 123, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpCookie", CERT_PEN, 220, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpSetCookie", CERT_PEN, 221, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpAuthorization", CERT_PEN, 252, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpVia", CERT_PEN, 253, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpX-Forwarded-For", CERT_PEN, 254, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpRefresh", CERT_PEN, 256, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),

    /* http mobile fields - turned off by default */
    FB_IE_INIT_FULL("httpIMEI", CERT_PEN, 257, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpIMSI", CERT_PEN, 258, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpMSISDN", CERT_PEN, 259, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpSubscriber", CERT_PEN, 260, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),

    /* http extra fields - turned off by default */
    FB_IE_INIT_FULL("httpExpires", CERT_PEN, 255, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpAcceptCharset", CERT_PEN, 261, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpAcceptEncoding", CERT_PEN, 262, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpAllow", CERT_PEN, 263, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpDate", CERT_PEN, 264, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpExpect", CERT_PEN, 265, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpFrom", CERT_PEN, 266, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpProxyAuthentication", CERT_PEN, 267, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpUpgrade", CERT_PEN, 268, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpWarning", CERT_PEN, 269, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpDNT", CERT_PEN, 270, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpX-Forwarded-Proto", CERT_PEN, 271, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpX-Forwarded-Host", CERT_PEN, 272, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpX-Forwarded-Server", CERT_PEN, 273, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpX-DeviceID", CERT_PEN, 274, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpX-Profile", CERT_PEN, 275, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpLastModified", CERT_PEN, 276, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpContentEncoding", CERT_PEN, 277, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpContentLanguage", CERT_PEN, 278, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpContentLocation", CERT_PEN, 279, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("httpX-UA-Compatible", CERT_PEN, 280, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),

    /* POP3 IEs */
    FB_IE_INIT_FULL("pop3TextMessage", CERT_PEN, 124, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),

    /* IRC IEs */
    FB_IE_INIT_FULL("ircTextMessage", CERT_PEN, 125, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),

    /* TFTP IEs */
    FB_IE_INIT_FULL("tftpFilename", CERT_PEN, 126, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("tftpMode", CERT_PEN, 127, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),

    /* SLP IEs */
    FB_IE_INIT_FULL("slpVersion", CERT_PEN, 128, 1,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("slpMessageType", CERT_PEN, 129, 1,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("slpString", CERT_PEN, 130, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),

    /* FTP IEs */
    FB_IE_INIT_FULL("ftpReturn", CERT_PEN, 131, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("ftpUser", CERT_PEN, 132, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("ftpPass", CERT_PEN, 133, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("ftpType", CERT_PEN, 134, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("ftpRespCode", CERT_PEN, 135, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),

    /* IMAP IEs */
    FB_IE_INIT_FULL("imapCapability", CERT_PEN, 136, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("imapLogin", CERT_PEN, 137, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("imapStartTLS", CERT_PEN, 138, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("imapAuthenticate", CERT_PEN, 139, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("imapCommand", CERT_PEN, 140, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("imapExists", CERT_PEN, 141, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("imapRecent", CERT_PEN, 142, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),

    /* rtsp IEs */
    FB_IE_INIT_FULL("rtspURL", CERT_PEN, 143, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("rtspVersion", CERT_PEN, 144, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("rtspReturnCode", CERT_PEN, 145, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("rtspContentLength", CERT_PEN, 146, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("rtspCommand", CERT_PEN, 147, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("rtspContentType", CERT_PEN, 148, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("rtspTransport", CERT_PEN, 149, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("rtspCSeq", CERT_PEN, 150, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("rtspLocation", CERT_PEN, 151, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("rtspPacketsReceived", CERT_PEN, 152, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("rtspUserAgent", CERT_PEN, 153, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("rtspJitter", CERT_PEN, 154, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),

    /* sip IEs */
    FB_IE_INIT_FULL("sipInvite", CERT_PEN, 155, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("sipCommand", CERT_PEN, 156, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("sipVia", CERT_PEN, 157, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("sipMaxForwards", CERT_PEN, 158, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("sipAddress", CERT_PEN, 159, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("sipContentLength", CERT_PEN, 160, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("sipUserAgent", CERT_PEN, 161, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),

    /* smtp IEs */
    FB_IE_INIT_FULL("smtpHello", CERT_PEN, 162, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("smtpFrom", CERT_PEN, 163, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("smtpTo", CERT_PEN, 164, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("smtpContentType", CERT_PEN, 165, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("smtpSubject", CERT_PEN, 166, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("smtpFilename", CERT_PEN, 167, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("smtpContentDisposition", CERT_PEN, 168, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("smtpResponse", CERT_PEN, 169, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("smtpEnhanced", CERT_PEN, 170, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("smtpSize", CERT_PEN, 222, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("smtpDate", CERT_PEN, 251, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),

    /* ssh IEs */
    FB_IE_INIT_FULL("sshVersion", CERT_PEN, 171, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),

    /* nntp IEs */
    FB_IE_INIT_FULL("nntpResponse", CERT_PEN, 172, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("nntpCommand", CERT_PEN, 173, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),

    /* dns IEs */
    FB_IE_INIT_FULL("dnsQueryResponse", CERT_PEN, 174, 1,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("dnsQRType", CERT_PEN, 175, 2,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_16, NULL),
    FB_IE_INIT_FULL("dnsAuthoritative", CERT_PEN, 176, 1,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("dnsNXDomain", CERT_PEN, 177, 1,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("dnsRRSection", CERT_PEN, 178, 1,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("dnsQName", CERT_PEN, 179, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("dnsCName", CERT_PEN, 180, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("dnsMXPreference", CERT_PEN, 181, 2,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_16, NULL),
    FB_IE_INIT_FULL("dnsMXExchange", CERT_PEN, 182, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("dnsNSDName", CERT_PEN, 183, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("dnsPTRDName", CERT_PEN, 184, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("dnsTTL", CERT_PEN, 199, 4,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("dnsTXTData", CERT_PEN, 208, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("dnsSOASerial", CERT_PEN, 209, 4,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("dnsSOARefresh", CERT_PEN, 210, 4,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("dnsSOARetry", CERT_PEN, 211, 4,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("dnsSOAExpire", CERT_PEN, 212, 4,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("dnsSOAMinimum", CERT_PEN, 213, 4,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("dnsSOAMName", CERT_PEN, 214, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("dnsSOARName", CERT_PEN, 215, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("dnsSRVPriority", CERT_PEN, 216, 2,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_16, NULL),
    FB_IE_INIT_FULL("dnsSRVWeight", CERT_PEN, 217, 2,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_16, NULL),
    FB_IE_INIT_FULL("dnsSRVPort", CERT_PEN, 218, 2,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_16, NULL),
    FB_IE_INIT_FULL("dnsSRVTarget", CERT_PEN, 219, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("dnsID", CERT_PEN, 226, 2,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_16, NULL),

    /* dnssec IEs */
    FB_IE_INIT_FULL("dnsAlgorithm", CERT_PEN, 227, 1,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("dnsKeyTag", CERT_PEN, 228, 2,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_16, NULL),
    FB_IE_INIT_FULL("dnsSigner", CERT_PEN, 229, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("dnsSignature", CERT_PEN, 230, FB_IE_VARLEN,
                    NONE, 0, 0, FB_OCTET_ARRAY, NULL),
    FB_IE_INIT_FULL("dnsDigest", CERT_PEN, 231, FB_IE_VARLEN,
                    NONE, 0, 0, FB_OCTET_ARRAY, NULL),
    FB_IE_INIT_FULL("dnsPublicKey", CERT_PEN, 232, FB_IE_VARLEN,
                    NONE, 0, 0, FB_OCTET_ARRAY, NULL),
    FB_IE_INIT_FULL("dnsSalt", CERT_PEN, 233, FB_IE_VARLEN,
                    NONE, 0, 0, FB_OCTET_ARRAY, NULL),
    FB_IE_INIT_FULL("dnsHashData", CERT_PEN, 234, FB_IE_VARLEN,
                    NONE, 0, 0, FB_OCTET_ARRAY, NULL),
    FB_IE_INIT_FULL("dnsIterations", CERT_PEN, 235, 2,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_16, NULL),
    FB_IE_INIT_FULL("dnsSignatureExpiration", CERT_PEN, 236, 4,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("dnsSignatureInception", CERT_PEN, 237, 4,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("dnsDigestType", CERT_PEN, 238, 1,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("dnsLabels", CERT_PEN, 239, 1,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("dnsTypeCovered", CERT_PEN, 240, 2,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_16, NULL),
    FB_IE_INIT_FULL("dnsFlags", CERT_PEN, 241, 2,
                    FB_IE_F_ENDIAN | FB_IE_FLAGS, 0, 0, FB_UINT_16, NULL),

    /* ssl IEs */
    FB_IE_INIT_FULL("sslCipher", CERT_PEN, 185, 4,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("sslClientVersion", CERT_PEN, 186, 1,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("sslServerCipher", CERT_PEN, 187, 4,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_32, NULL),
    FB_IE_INIT_FULL("sslCompressionMethod", CERT_PEN, 188, 1,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("sslCertVersion", CERT_PEN, 189, 1,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("sslCertSignature", CERT_PEN, 190, FB_IE_VARLEN,
                    NONE, 0, 0, FB_OCTET_ARRAY, NULL),
    FB_IE_INIT_FULL("sslCertSerialNumber", CERT_PEN, 244, FB_IE_VARLEN,
                    NONE, 0, 0, FB_OCTET_ARRAY, NULL),
    FB_IE_INIT_FULL("sslObjectType", CERT_PEN, 245, 1,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("sslObjectValue", CERT_PEN, 246, FB_IE_VARLEN,
                    NONE, 0, 0, FB_OCTET_ARRAY, NULL),
    FB_IE_INIT_FULL("sslCertValidityNotBefore", CERT_PEN, 247, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("sslCertValidityNotAfter", CERT_PEN, 248, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("sslPublicKeyAlgorithm", CERT_PEN, 249, FB_IE_VARLEN,
                    NONE, 0, 0, FB_OCTET_ARRAY, NULL),
    FB_IE_INIT_FULL("sslPublicKeyLength", CERT_PEN, 250, 2,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_16, NULL),
    FB_IE_INIT_FULL("sslServerName", CERT_PEN, 294, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("sslCertificateHash", CERT_PEN, 295, FB_IE_VARLEN,
                    NONE, 0, 0, FB_OCTET_ARRAY, NULL),
    FB_IE_INIT_FULL("sslCertificate", CERT_PEN, 296, FB_IE_VARLEN,
                    NONE, 0, 0, FB_OCTET_ARRAY, NULL),

    /* mysql IEs */
    FB_IE_INIT_FULL("mysqlUsername", CERT_PEN, 223, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("mysqlCommandCode", CERT_PEN, 224, 1,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("mysqlCommandText", CERT_PEN, 225, FB_IE_VARLEN,
                    NONE, 0, 0, FB_STRING, NULL),

    /* dnp3.0 IEs */
    FB_IE_INIT_FULL("dnp3SourceAddress", CERT_PEN, 281, 2,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_16, NULL),
    FB_IE_INIT_FULL("dnp3DestinationAddress", CERT_PEN, 282, 2,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_16, NULL),
    FB_IE_INIT_FULL("dnp3Function", CERT_PEN, 283, 1,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("dnp3ObjectData", CERT_PEN, 284, FB_IE_VARLEN,
                    NONE, 0, 0, FB_OCTET_ARRAY, NULL),

    /* modbus, EtherNet/IP and rtp IEs, plus one further ssl IE */
    FB_IE_INIT_FULL("modbusData", CERT_PEN, 285, FB_IE_VARLEN,
                    NONE, 0, 0, FB_OCTET_ARRAY, NULL),
    FB_IE_INIT_FULL("ethernetIPData", CERT_PEN, 286, FB_IE_VARLEN,
                    NONE, 0, 0, FB_OCTET_ARRAY, NULL),
    FB_IE_INIT_FULL("rtpPayloadType", CERT_PEN, 287, 1,
                    ER, 0, 0, FB_UINT_8, NULL),
    FB_IE_INIT_FULL("sslRecordVersion", CERT_PEN, 288, 2,
                    FB_IE_F_ENDIAN, 0, 0, FB_UINT_16, NULL),

    FB_IE_NULL
};
518 
/*
 * DHCP information elements registered under the CERT enterprise number
 * (CERT_PEN).  The table sits inside the YAF_ENABLE_HOOKS section and ends
 * with the FB_IE_NULL sentinel.
 *
 * NOTE(review): going by the names, dhcpFingerPrint and dhcpVendorCode
 * identify the client device; treat exported records holding them as
 * device-identifying data when deciding who may read the collector's
 * output -- confirm against the DHCP plugin.
 */
static fbInfoElement_t yaf_dhcp_info_elements[] = {
    FB_IE_INIT_FULL("dhcpFingerPrint", CERT_PEN, 242, FB_IE_VARLEN,
                    FB_IE_F_REVERSIBLE,
                    0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("dhcpVendorCode", CERT_PEN, 243, FB_IE_VARLEN,
                    FB_IE_F_REVERSIBLE,
                    0, 0, FB_STRING, NULL),
    FB_IE_INIT_FULL("dhcpOption", CERT_PEN, 297, 1,
                    FB_IE_F_ENDIAN,
                    0, 0, FB_UINT_8, NULL),

    FB_IE_NULL
};
528 
529 #endif
530 
531 #endif
#define CERT_PEN
This is the CERT Private Enterprise Number (PEN) assigned by IANA, used to define our enterprise data...
Definition: yafcore.h:110