CERT IE Registry

Created: 2017-11-28
Last Updated: 2021-11-15

Download (SHA256=a33ab076322caf27f50a6345f51790e9bca168d9f238b4645601228e55953c11)

CERT Enterprise IPFIX Elements (PEN 6871)

NOTES:

  • Obsolete element names are struck out and marked with ❌.
  • Deprecated element names are marked with ⚠️.
  • Reversible element names are marked with 🔄.

ElementID | Name | Data Type | Semantics | Units | Range | Date
Description
0 | Reserved

Reserved as per section 4 of [RFC7012].

1-11 | Unassigned
12 | obsoleteReverseOctetTotalCount | unsigned64 | totalCounter
13 | obsoleteReversePacketTotalCount | unsigned64 | totalCounter
14 | initialTCPFlags | unsigned16 | flags | | | 2017-12-19

Reversible as reverseInitialTCPFlags (ElementID 16398).

TCP flags on the initial packet in the forward direction of the flow.

15 | unionTCPFlags | unsigned16 | flags | | | 2017-12-19

Reversible as reverseUnionTCPFlags (ElementID 16399).

Union of TCP flags of all packets other than the initial packet in the forward direction of the flow.

16 | obsoleteReverseInitialTCPFlags | unsigned8 | flags
17 | obsoleteReverseUnionTCPFlags | unsigned8 | flags
18 | payload | octetArray

Reversible as reversePayload (ElementID 16402).

Initial bytes of flow payload in the forward direction.

19 | obsoleteReversePayload | octetArray
20 | obsoleteReverseTcpSequenceNumber | unsigned32
21 | reverseFlowDeltaMilliseconds | unsigned32 | quantity | milliseconds

Difference in milliseconds between the times of the first packet in forward direction and the first packet in the reverse direction.

22-28 | Unassigned
29 | obsoleteReverseVlanId | unsigned16 | identifier
30 | silkFlowType | unsigned8 | identifier

The type of flow as assigned by the SiLK rwflowpack tool.

31 | silkFlowSensor | unsigned16 | identifier

The sensor where a flow was collected as assigned by the SiLK rwflowpack tool.

32 | silkTCPState | unsigned8 | flags

Aspects of a flow record assigned by the SiLK rwflowpack tool.

33 | silkAppLabel | unsigned16 | identifier

Application label, defined as the primary well-known port associated with a given application.

34 | Unassigned
35 | payloadEntropy | unsigned8

Reversible as reversePayloadEntropy (ElementID 16419).

The Shannon Entropy value for the payload, converted from a floating point (range 0.0 to 8.0) to an 8-bit unsigned integer. Generally, numbers above 230 are compressed or encrypted, numbers centered around 140 are English text, and very low values may indicate zero-padding of packets (e.g. TLS).

36 | osName | string

Reversible as reverseOsName (ElementID 16420).

p0f OS Name for the forward flow based on the SYN packet and p0f SYN Fingerprints.

37 | osVersion | string

Reversible as reverseOsVersion (ElementID 16421).

p0f OS Version for the forward flow based on the SYN packet and p0f SYN Fingerprints.

38 | firstPacketBanner | octetArray

Reversible as reverseFirstPacketBanner (ElementID 16422).

IP and transport headers for first packet in forward direction to be used for external OS Fingerprinters.

39 | secondPacketBanner | octetArray

Reversible as reverseSecondPacketBanner (ElementID 16423).

IP and transport headers for first packet in forward direction to be used for external OS Fingerprinters.

40 | flowAttributes | unsigned16 | flags

Reversible as reverseFlowAttributes (ElementID 16424).

Miscellaneous flow attributes for the forward direction of the flow.

41-99 | Unassigned
100 | yafExpiredFragmentCount | unsigned32 | totalCounter | packets | | 2021-06-07

Total number of packet fragments that have been expired since yaf start time.

This element previously was named "expiredFragmentCount".

101 | yafAssembledFragmentCount | unsigned32 | totalCounter | packets | | 2021-06-07

Total number of packets that have been assembled from a series of fragments since yaf start time.

This element previously was named "assembledFragmentCount".

102 | yafMeanFlowRate | unsigned32 | | flows | | 2021-06-07

The mean flow rate of the yaf flow sensor since yaf start time, rounded to the nearest integer.

This element previously was named "meanFlowRate".

103 | yafMeanPacketRate | unsigned32 | | packets | | 2021-06-07

The mean packet rate of the yaf flow sensor since yaf start time, rounded to the nearest integer.

This element previously was named "meanPacketRate".

104 | yafFlowTableFlushEventCount | unsigned32 | totalCounter | flows | | 2021-06-07

Total number of times the yaf flow table has been flushed since yaf start time.

This element previously was named "flowTableFlushEventCount".

105 | yafFlowTablePeakCount | unsigned32 | | flows | | 2021-06-07

The maximum number of flows in the yaf flow table at any one time since yaf start time.

This element previously was named "flowTablePeakCount".

106 | yafFlowKeyHash | unsigned32 | identifier

The 32-bit hash of the 5-tuple and VLAN that is used as the key to YAF's internal flow table.

107 | osFingerprint | string | | | | 2021-06-07

Reversible as reverseOsFingerprint (ElementID 16491).

p0f OS Fingerprint for the forward flow based on the SYN packet and p0f SYN fingerprints.

This element previously was named "osFingerPrint".

108-109 | Unassigned
110 | httpServerString | string

HTTP Server Response-header field. Contains information about the software used to handle the HTTP Request.

111 | httpUserAgent | string

HTTP User-Agent Request-header field. Contains information about the user agent originating the request.

112 | httpGet | string

HTTP Method Command. Retrieves information identified by the following Request-URI.

113 | httpConnection | string

HTTP Connection header fields. Contains options that are desired for a particular connection.

114 | httpVersion | string

HTTP Version Number.

115 | httpReferer | string

HTTP Referer request-header field. Address (URI) of the resource from which the Request-URI was obtained.

116 | httpLocation | string

HTTP Location response-header field. Used to redirect the recipient to a location to complete a request or identify a new resource.

117 | httpHost | string

HTTP Host Request-header. The Internet host and port number of the resource being requested.

118 | httpContentLength | string

HTTP Content-Length header. Indicates the size of the entity-body.

119 | httpAge | string

HTTP Age response-header. Argument is the sender's estimate of the time elapsed since the response.

120 | httpAccept | string

HTTP Accept request-header field. Used to specify certain media types that are acceptable for the response.

121 | httpAcceptLanguage | string

HTTP Accept-Language Request-Header field. Restricts the set of natural languages that are preferred.

122 | httpContentType | string

HTTP Content Type entity-header field. Indicates the media type of the entity-body.

123 | httpResponse | string

HTTP Response Status Code. Usually a three-digit number followed by text.

124 | pop3TextMessage | string

POP3 Command and Replies. Contains any command or reply message found in POP3 payload data.

125 | ircTextMessage | string

IRC Chat or Join Message. This field contains any IRC Command and the following arguments.

126 | tftpFilename | string

TFTP Name of File being transferred.

127 | tftpMode | string

Contains the mode of transfer. (netascii, octet, mail)

128 | slpVersion | unsigned8

SLP Version Number.

129 | slpMessageType | unsigned8 | | | 1-11

SLP Message Type. This value should be between 1 and 11 and describes the type of SLP message.

130 | slpString | string

Contains the text elements found in an SLP Service Request.

131 | ftpReturn | string

FTP Commands or Replies.

132 | ftpUser | string

FTP User Command Argument. This command will normally be the first command transmitted by the user.

133 | ftpPass | string

FTP Password Command Argument. This command must be preceded by the user name command, and is usually required to complete authentication.

134 | ftpType | string

FTP Data Representation Type.

135 | ftpRespCode | string

FTP Reply. This consists of a three digit number followed by some text.

136 | imapCapability | string

IMAP Capability Command and Response. Captures the listing of capabilities that the server supports.

137 | imapLogin | string

IMAP Login Command. Arguments are user name and password.

138 | imapStartTLS | string

IMAP STARTTLS Command. Captures this command only as no arguments or responses are related.

139 | imapAuthenticate | string

IMAP Authenticate Command. Captures the authentication mechanism name of the server following this command.

140 | imapCommand | string

Captures a variety of IMAP Commands and their arguments.

141 | imapExists | string

IMAP Exists Response. Reports the number of messages in the mailbox.

142 | imapRecent | string

IMAP Recent Response. Reports the number of messages with the Recent flag set.

143 | rtspURL | string

RTSP URL. Captures the address of the network resources requested.

144 | rtspVersion | string

RTSP Version Number.

145 | rtspReturnCode | string

RTSP Status-Line. Captures the RTSP Protocol version, numeric status code, and the textual phrase associated with the numeric code.

146 | rtspContentLength | string

RTSP Content-Length Header Field. Contains the length of the content of the method.

147 | rtspCommand | string

RTSP Command. Captures the method to be performed and the Request-URI associated with the method.

148 | rtspContentType | string

RTSP Content Type.

149 | rtspTransport | string

RTSP Transport request header field. Captures the transport protocol used and the parameters that follow.

150 | rtspCSeq | string

RTSP CSeq field. Contains the sequence number for an RTSP request-response pair.

151 | rtspLocation | string

RTSP Location header field.

152 | rtspPacketsReceived | string

RTSP User Agent field. Contains information about the user agent originating the request.

153 | rtspUserAgent | string

RTSP User Agent field. Contains information about the user agent originating the request.

154 | rtspJitter | string

RTSP Jitter Value.

155 | sipInvite | string

SIP Invite Method. Contains the SIP address and SIP Version Number.

156 | sipCommand | string

SIP Command. Contains a SIP Method, SIP address, and SIP Version Number.

157 | sipVia | string

SIP Via contains the SIP Version Number and the address the sender is expecting to receive responses.

158 | sipMaxForwards | string

SIP Max Forwards contains the limit of number of hops a request can make on the way to its destination.

159 | sipAddress | string

SIP Address contains the argument of the To, From, or Contact Header Fields.

160 | sipContentLength | string

SIP Content Length header field. Contains the byte count of the message byte.

161 | sipUserAgent | string

SIP User Agent Header Field. Contains information about the User Agent Client originating the request.

162 | smtpHello | string

SMTP Hello or Extend Hello command. Captures the command and the domain name of the SMTP client.

163 | smtpFrom | string

SMTP Mail Command. Contains the reverse-path of the sender mailbox.

164 | smtpTo | string

The SMTP Recipient (RCPT) Command. Captures the command and the forward-path of the recipient of the mail data.

165 | smtpContentType | string

SMTP Content Type Header Field.

166 | smtpSubject | string

SMTP Subject. Contains the subject of the mail data.

167 | smtpFilename | string

SMTP Filename. Contains the name of the file attached to the mail message.

168 | smtpContentDisposition | string

SMTP Content-Disposition Header field.

169 | smtpResponse | string

SMTP Replies. Consists of a three digit number followed by text.

170 | smtpEnhanced | string

Enhanced SMTP. Contains the ESMTP command with the following argument.

171 | sshVersion | string

SSH Version Number.

172 | nntpResponse | string

NNTP Reply. This consists of a three digit status code and text message.

173 | nntpCommand | string

NNTP Command. Contains an NNTP Command and following argument(s).

174 | dnsQueryResponse | unsigned8

DNS Query/Response header field. This corresponds with the DNS header one bit field, QR. Indicates whether the message is a query (0) or a response (1).

175 | dnsRRType | unsigned16 | | | | 2021-06-07

DNS Query/Response Type. This corresponds with the QTYPE field in the DNS Question Section or the TYPE field in the DNS Resource Record Section. This field determines the type of records in the DNS DPI subTemplateList.

This element previously was named "dnsQRType".

176 | dnsAuthoritative | unsigned8

DNS Authoritative header field. This corresponds with the DNS header one bit field, AA. This bit is only valid in responses (when dnsQueryResponse is 1), and specifies that the responding name server is an authority for the domain name in the question section.

177 | dnsResponseCode | unsigned8 | | | | 2021-06-07

DNS NXDomain or Response Code (RCODE). This corresponds with the DNS RCODE header field. This field will be set to 3 for a Name Error, 2 for a Server Failure, 1 for a Format Error, and 0 for No Error. See [dns-parameters] for other valid values.

This element previously was named "dnsNXDomain".

178 | dnsSection | unsigned8 | | | | 2021-06-07

DNS Resource Record Section Field. This field will be set to 0 if the information is from the Question Section, 1 for the Answer Section, 2 for the Name Server Section, and 3 for the Additional Section.

This element previously was named "dnsRRSection".

179 | dnsName | string | | | | 2021-06-07

A DNS Query or Response Name. This field corresponds with the QNAME field in the DNS Question Section or the NAME field in the DNS Resource Record Section.

This element previously was named "dnsQName".

180 | dnsCNAME | string | | | | 2021-06-07

A domain-name which specifies the canonical or primary name for the owner.

This element previously was named "dnsCName".

181 | dnsMXPreference | unsigned16

Corresponds to the DNS MX Preference field.

182 | dnsMXExchange | string

Corresponds to the DNS MX Exchange field.

183 | dnsNSDName | string

An authoritative name server domain-name.

184 | dnsPTRDName | string

Corresponds to DNS PTR PTRDNAME Field.

185 | sslCipher | unsigned32

sslCipher is a CipherSuite suggested by the client in the ClientHello Message.

186 | sslClientVersion | unsigned8

sslClientVersion is the version the client supports, contained in the initial ClientHello message.

187 | sslServerCipher | unsigned32

sslServerCipher is the CipherSuite chosen by the server in the ServerHello message.

188 | sslCompressionMethod | unsigned8

sslCompressionMethod is the compression method chosen by the server in the ServerHello message.

189 | sslCertVersion | unsigned8

The Certificate Version. This is the value contained in the certificate v1(0), v2(1), v3(2).

190 | sslCertSignature | octetArray

The signature contained in an SSL certificate. This is typically the hashing algorithm identifier.

191 | sslCertIssuerCountryName | string | | | | 2019-10-31

Country name {id-at 6} of the issuer of an SSL certificate.

192 | sslCertIssuerOrgName | string | | | | 2019-10-31

Organization name {id-at 10} of the issuer of an SSL certificate.

193 | sslCertIssuerOrgUnitName | string | | | | 2019-10-31

Organizational unit name {id-at 11} of the issuer of an SSL certificate.

194 | sslCertIssuerZipCode | string | | | | 2019-10-31

Postal or zip code {id-at 17} of the issuer of an SSL certificate.

195 | sslCertIssuerState | string | | | | 2019-10-31

State or province name {id-at 8} of the issuer of an SSL certificate.

196 | sslCertIssuerCommonName | string | | | | 2019-10-31

Common name {id-at 3} of the issuer of an SSL certificate.

197 | sslCertIssuerLocalityName | string | | | | 2019-10-31

Locality name {id-at 7} of the issuer of an SSL certificate.

198 | sslCertIssuerStreetAddress | string | | | | 2019-10-31

Street address {id-at 9} of the issuer of an SSL certificate.

199 | dnsTTL | unsigned32

DNS Time To Live. This is an unsigned integer that specifies the time interval, in seconds, that the resource record may be cached for. This will contain a value of zero for DNS Queries.

200 | sslCertSubjectCountryName | string | | | | 2021-08-07

Country name {id-at 6} of the subject of an SSL certificate.

This element previously was named "sslCertSubCountryName".

201 | sslCertSubjectOrgName | string | | | | 2021-08-07

Organization name {id-at 10} of the subject of an SSL certificate.

This element previously was named "sslCertSubOrgName".

202 | sslCertSubjectOrgUnitName | string | | | | 2021-08-07

Organizational unit name {id-at 11} of the subject of an SSL certificate.

This element previously was named "sslCertSubOrgUnitName".

203 | sslCertSubjectZipCode | string | | | | 2021-08-07

Postal or zip code {id-at 17} of the subject of an SSL certificate.

This element previously was named "sslCertSubZipCode".

204 | sslCertSubjectState | string | | | | 2021-08-07

State or province name {id-at 8} of the subject of an SSL certificate.

This element previously was named "sslCertSubState".

205 | sslCertSubjectCommonName | string | | | | 2021-08-07

Common name {id-at 3} of the subject of an SSL certificate.

This element previously was named "sslCertSubCommonName".

206 | sslCertSubjectLocalityName | string | | | | 2021-08-07

Locality name {id-at 7} of the subject of an SSL certificate.

This element previously was named "sslCertSubLocalityName".

207 | sslCertSubjectStreetAddress | string | | | | 2021-08-07

Street address {id-at 9} of the subject of an SSL certificate.

This element previously was named "sslCertSubStreetAddress".

208 | dnsTXTData | string

Corresponds to DNS TXT TXT-DATA field.

209 | dnsSOASerial | unsigned32

Corresponds to DNS SOA SERIAL Field.

210 | dnsSOARefresh | unsigned32

Corresponds to DNS SOA REFRESH Field.

211 | dnsSOARetry | unsigned32

Corresponds to DNS SOA RETRY Field.

212 | dnsSOAExpire | unsigned32

Corresponds to DNS SOA EXPIRE Field.

213 | dnsSOAMinimum | unsigned32

Corresponds to DNS SOA MINIMUM Field.

214 | dnsSOAMName | string

Corresponds to DNS SOA MNAME Field.

215 | dnsSOARName | string

Corresponds to DNS SOA RNAME Field.

216 | dnsSRVPriority | unsigned16

Corresponds to the Priority Field in the DNS SRV Resource Record.

217 | dnsSRVWeight | unsigned16

Corresponds to the Weight Field in the DNS SRV Resource Record.

218 | dnsSRVPort | unsigned16

Corresponds to the Port Field in the DNS SRV Resource Record.

219 | dnsSRVTarget | string

Corresponds to the Target Field in the DNS SRV Resource Record.

220 | httpCookie | string

HTTP Cookie Header Field.

221 | httpSetCookie | string

HTTP Set Cookie Header Field.

222 | smtpSize | string

SMTP Size Header Field. Contains the size in bytes of the mail data.

223 | mysqlUsername | string

The username seen when authenticating to a MySQL server.

224 | mysqlCommandCode | unsigned8 | | | 0-28

MySQL Command Code. This number should be between 0 and 28.

225 | mysqlCommandText | string

MySQL Command Text. For example, this can be a SELECT, INSERT, DELETE statement.

226 | dnsId | unsigned16 | | | | 2021-06-07

DNS Transaction ID. This identifier is used by the requester to match up replies to outstanding queries.

This element previously was named "dnsID".

227 | dnsAlgorithm | unsigned8 | | | | 2021-06-07

Deprecated in favor of ID 6871/423 dnsDNSKEYAlgorithm, 6871/433 dnsDSAlgorithm, 6871/435 dnsNSEC3Algorithm, 6871/441 dnsNSEC3PARAMAlgorithm, and 6871/447 dnsRRSIGAlgorithm.

The Hash Algorithm field in various DNSSEC records.

228 | dnsKeyTag | unsigned16 | | | | 2021-06-07

Deprecated in favor of 6871/434 dnsDSKeyTag and 6871/448 dnsRRSIGKeyTag.

The Key Tag field in the DS RR.

229 | dnsRRSIGSigner | string | | | | 2021-06-07

The Signer's Name field in the DNS RRSIG RR.

This element previously was named "dnsSigner".

230 | dnsRRSIGSignature | octetArray | | | | 2021-06-07

The Signature field in the DNS RRSIG RR. Contains the cryptographic signature that covers the dnsName (6871/179) field.

This element previously was named "dnsSignature".

231 | dnsDSDigest | octetArray | | | | 2021-06-07

The Digest field of the DNS DS RR.

This element previously was named "dnsDigest".

232 | dnsDNSKEYPublicKey | octetArray | | | | 2021-06-07

DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets. This field holds the public key. The format depends on the algorithm of the key.

This element previously was named "dnsPublicKey".

233 | dnsSalt | octetArray | | | | 2021-06-07

Deprecated in favor of 6871/439 dnsNSEC3Salt and 6871/444 dnsNSEC3PARAMSalt.

The Salt Field in the DNSSEC NSEC3 or NSEC3PARAM RR.

234 | dnsHashData | octetArray | | | | 2021-06-07

Deprecated in favor of 6871/438 dnsNSEC3NextHashedOwnerName and 6871/445 dnsNSECNextDomainName.

The Next Hashed Owner Name in the DNSSEC NSEC3 RR and Next Domain Name field in the DNSSEC NSEC RR.

235 | dnsIterations | unsigned16 | | | | 2021-06-07

Deprecated in favor of 6871/437 dnsNSEC3Iterations and 6871/443 dnsNSEC3PARAMIterations.

The Iterations field in the DNSSEC NSEC3 or NSEC3PARAM RR.

236 | dnsRRSIGSignatureExpiration | unsigned32 | | | | 2021-06-07

The Signature Expiration field in a DNS RRSIG RR. The Expiration and Inception fields specify a validity period for the signature.

This element previously was named "dnsSignatureExpiration".

237 | dnsRRSIGSignatureInception | unsigned32 | | | | 2021-06-07

The Signature Inception field in a RRSIG RR. The Expiration and Inception fields specify a validity period for the signature.

This element previously was named "dnsSignatureInception".

238 | dnsDSDigestType | unsigned8 | | | | 2021-06-07

The Digest Type field in a DNS DS RR which identifies the algorithm used to construct the digest.

This element previously was named "dnsDigestType".

239 | dnsRRSIGLabels | unsigned8 | | | | 2021-06-07

The Labels field in a DNS RRSIG RR. Specifies the number of labels in the original RRSIG resource record owner name.

This element previously was named "dnsLabels".

240 | dnsRRSIGTypeCovered | unsigned16 | | | | 2021-06-07

The Type Covered field in a DNS RRSIG RR.

This element previously was named "dnsTypeCovered".

241 | dnsDNSKEYFlags | unsigned16 | flags | | | 2021-06-07

The Flags field in the DNS DNSKEY Resource Record. Certain bits determine if the key is a zone key or should be used for a secure entry point.

This element previously was named "dnsFlags".

242 | dhcpFingerprint | string | | | | 2021-06-07

Reversible as reverseDhcpFingerprint (ElementID 16626).

The DHCP fingerprint. This will be the description of the OS.

This element previously was named "dhcpFingerPrint".

243 | dhcpVendorCode | string

Reversible as reverseDhcpVendorCode (ElementID 16627).

The DHCP vendor class ID found in Option 60 of the DHCP packet. This field may help further identify the operating system of the sender.

244 | sslCertSerialNumber | octetArray

The Serial Number from the X.509 certificate.

245 | sslObjectType | unsigned8

For the Issuer and Subject subTemplateLists, yaf only parses objects that are members of the id-at arc {joint-iso-ccitt(2) ds(5) 4}, pkcs-9 {iso(1) member-body (2) us(840) rsadsi(113459) pkcs(1) 9}, and LDAP dc 0.9.2342.19200300.100.1.25. This field will not contain the full object identifier; it will just contain the member id. For example, for an issuer common name, sslObjectType will contain 3. Below is a list of common objects in an X.509 RelativeDistinguishedName Sequence for X.509 Certificates:

pkcs-9-emailAddress          {pkcs-9 1}
id-at-commonName             {id-at 3}
id-at-countryName            {id-at 6}
id-at-localityName           {id-at 7}
id-at-stateOrProvinceName    {id-at 8}
id-at-streetAddress          {id-at 9}
id-at-organizationName       {id-at 10}
id-at-organizationalUnitName {id-at 11}
id-at-title                  {id-at 12}
id-at-postalCode             {id-at 17}
0.9.2342.19200300.100.1.25   {dc 25}
id-at-name                   {id-at 41}

246 | sslObjectValue | octetArray

The bit strings associated with sslObjectType.

247 | sslCertValidityNotBefore | string

The notBefore field in the Validity Sequence of the X.509 Certificate.

248 | sslCertValidityNotAfter | string

The notAfter field in the Validity Sequence of the X.509 Certificate.

249 | sslPublicKeyAlgorithm | octetArray

The algorithm, encoded in ASN.1, in the SubjectPublicKeyInfo Sequence of the X.509 Certificate.

250 | sslPublicKeyLength | unsigned16

The length of the public key in the X.509 Certificate.

251 | smtpDate | string

SMTP Date Field.

252 | httpAuthorization | string

HTTP Authorization Header Field.

253 | httpVia | string

HTTP Via Header Field.

254 | httpXForwardedFor | string | | | | 2021-06-07

HTTP X-Forwarded-For Header Field.

This element previously was named "httpX-Forwarded-For".

255 | httpExpires | string

HTTP Expires Header Field.

256 | httpRefresh | string

HTTP Refresh Header Field.

257 | httpIMEI | string

HTTP International Mobile Station Equipment Identity ID.

258 | httpIMSI | string

HTTP International Mobile Subscriber Identity.

259 | httpMSISDN | string

HTTP MSISDN number, a telephone number for the SIM card in a mobile/cellular phone.

260 | httpSubscriber | string

HTTP Mobile Subscriber Information.

261 | httpAcceptCharset | string

HTTP Accept Charset Header Field.

262 | httpAcceptEncoding | string

HTTP Accept Encoding Header Field.

263 | httpAllow | string

HTTP Allow Header Field.

264 | httpDate | string

HTTP Date Header Field.

265 | httpExpect | string

HTTP Expect Header Field.

266 | httpFrom | string

HTTP From Header Field.

267 | httpProxyAuthentication | string

HTTP Proxy Authentication Field.

268 | httpUpgrade | string

HTTP Upgrade Header Field.

269 | httpWarning | string

HTTP Warning Header Field.

270 | httpDNT | string

HTTP DNT Header Field.

271 | httpXForwardedProto | string | | | | 2021-06-07

HTTP X-Forwarded-Proto Header Field.

This element previously was named "httpX-Forwarded-Proto".

272 | httpXForwardedHost | string | | | | 2021-06-07

HTTP X-Forwarded-Host Header Field.

This element previously was named "httpX-Forwarded-Host".

273 | httpXForwardedServer | string | | | | 2021-06-07

HTTP X-Forwarded-Server Header Field.

This element previously was named "httpX-Forwarded-Server".

274 | httpXDeviceId | string | | | | 2021-06-07

HTTP X-Device ID Header Field.

This element previously was named "httpX-DeviceID".

275 | httpXProfile | string | | | | 2021-06-07

HTTP X-Profile Header Field.

This element previously was named "httpX-Profile".

276 | httpLastModified | string

HTTP Last Modified Header Field.

277 | httpContentEncoding | string

HTTP Content Encoding Header Field.

278 | httpContentLanguage | string

HTTP Content Language Header Field.

279 | httpContentLocation | string

HTTP Content Location Header Field.

280 | httpXUaCompatible | string | | | | 2021-06-07

HTTP X-UA-Compatible Header Field.

This element previously was named "httpX-UA-Compatible".

281 | dnp3SourceAddress | unsigned16

The DNP3 Source Address found in the Data Link Layer of the DNP Header.

282 | dnp3DestinationAddress | unsigned16

The DNP3 Destination Address found in the Data Link Layer of the DNP Header.

283 | dnp3Function | unsigned8

The DNP3 Function Code found in the first byte of the Application Layer.

284 | dnp3ObjectData | octetArray

The pattern captured from the DNP3 regular expression.

285 | modbusData | octetArray

Data associated with the Modbus protocol, a widely used network messaging protocol used in industrial manufacturing.

286 | enipData | octetArray | | | | 2021-06-07

Data associated with EtherNet/IP (ENIP), a protocol used in industrial automation applications.

This element previously was named "ethernetIPData".

287 | rtpPayloadType | unsigned8

Reversible as reverseRtpPayloadType (ElementID 16671).

The payload type in the RTP header of the first payload in the forward direction.

288 | sslRecordVersion | unsigned16

sslRecordVersion is the version of SSL or TLS that was used in the flow.

289 | mptcpInitialDataSequenceNumber | unsigned64

The initial data sequence number found in the MPTCP Data Sequence Signal (DSS) Option of a flow. (See Multipath TCP, [RFC8684].)

290 | mptcpReceiverToken | unsigned32 | identifier

The token used to identify an MPTCP connection over multiple subflows. This value is found in the MP_JOIN TCP Option for the initial SYN of a subflow.

291 | mptcpMaximumSegmentSize | unsigned16

The maximum segment size reported in the Maximum Segment Size TCP Option captured from an MPTCP flow.

292 | mptcpAddressId | unsigned8 | identifier | | | 2021-06-07

The address identifier of the subflow found in the SYN/ACK of an MP_JOIN operation captured from an MPTCP flow.

This element previously was named "mptcpAddressID".

293 | mptcpFlags | unsigned8 | flags

Various MPTCP Values:

Bit 1: Priority was changed during the life of the subflow (MP_PRIO was seen).

Bit 2: Subflow has priority at setup (backup flag was not set at initialization).

Bit 3: Subflow failed (MP_FAIL option was seen).

Bit 4: Subflow experienced fast close (MP_FASTCLOSE option was seen).

294 | sslServerName | string

The server name from the SSL/TLS Client Hello. This is typically the name of the server that the client is connecting to.

295 | sslCertificateHash | octetArray

The hash of the X.509 certificate.

296 | sslBinaryCertificate | octetArray | | | | 2020-05-29

A binary dump of the full X.509 certificate.

This element previously was named "sslCertificate".

297 | dhcpOption | unsigned8

The list of requested parameters found in DHCP Option 55.

298 | sslCertificateSHA1 | octetArray

The SHA1 hash of a complete SSL certificate.

299 | sslCertificateMD5 | octetArray

The MD5 hash of a complete SSL certificate.

300 | ndpiL7Protocol | unsigned16 | identifier | | | 2021-06-07

The protocol as determined by analysis with nDPI, the ntop-maintained superset of the OpenDPI library.

This element previously was named "nDPIL7Protocol".

301 | ndpiL7SubProtocol | unsigned16 | identifier | | | 2021-06-07

The subprotocol as determined by analysis with nDPI, the ntop-maintained superset of the OpenDPI library.

This element previously was named "nDPIL7SubProtocol".

302 | dnsA | ipv4Address | | | | 2020-06-11

An IPv4 address that specifies an address for a DNS host name.

This element previously was named "rrIPv4".

303 | dnsAAAA | ipv6Address | | | | 2020-06-11

An IPv6 address that specifies an address for a DNS host name.

This element previously was named "rrIPv6".

304 | dnsDNSKEYProtocol | unsigned8 | | | | 2021-06-07

The Protocol field from a DNS DNSKEY Resource Record.

This element previously was named "DNSKEY_protocolIdentifier" and "dnsKeyProtocolIdentifier".

305 | pipelineDNSARecord | subTemplateList | list | | | 2021-06-07

Element holding an entire DNS A record, which is a sub template list when emitted from YAF. This is used in Analysis Pipeline for fast flux.

This element previously was named "DNS_A_Record".

306 | pipelineDNSAAAARecord | subTemplateList | list | | | 2021-06-07

Element holding an entire DNS AAAA record, which is a sub template list when emitted from YAF. This is used in Analysis Pipeline for fast flux.

This element previously was named "DNS_AAAA_Record".

307 | pipelineDNSResourceRecord | subTemplateList | list | | | 2021-06-07

Element holding an entire DNS resource record, which is a sub template list when emitted from YAF. This is used in Analysis Pipeline.

This element previously was named "DNS_RESOURCE_RECORD".

308 | sslCertIssuerTitle | string | | | | 2019-10-31

Title {id-at 12} of the issuer of an SSL certificate.

309 | sslCertSubjectTitle | string | | | | 2021-08-07

Title {id-at 12} of the subject of an SSL certificate.

This element previously was named "sslCertSubTitle".

310 | sslCertIssuerName | string | | | | 2019-10-31

Name {id-at 41} of the issuer of an SSL certificate.

311 | sslCertSubjectName | string | | | | 2021-08-07

Name {id-at 41} of the subject of an SSL certificate.

This element previously was named "sslCertSubName".

312 | sslCertIssuerEmailAddress | string | | | | 2019-10-31

Email address {pkcs-9 1} of the issuer of an SSL certificate.

313 | sslCertSubjectEmailAddress | string | | | | 2021-08-07

Email address {pkcs-9 1} of the subject of an SSL certificate.

This element previously was named "sslCertSubEmailAddress".

314 | sslCertIssuerDomainComponent | string | | | | 2019-10-31

LDAP dc (domainComponent), 0.9.2342.19200300.100.1.25, holding one component, a label, of the DNS name of the issuer of an SSL certificate.

315 | sslCertSubjectDomainComponent | string | | | | 2021-08-07

LDAP dc (domainComponent), 0.9.2342.19200300.100.1.25, holding one component, a label, of the DNS name of the subject of an SSL certificate.

This element previously was named "sslCertSubDomainComponent".

316 | sslCertExtSubjectKeyIdent | octetArray | | | | 2019-10-31

SSL extension value holding the subject key identifier, {id-ce 14} subjectKeyIdentifier.

317 | sslCertExtKeyUsage | octetArray | | | | 2019-10-31

SSL extension value holding the key usage, {id-ce 15} keyUsage.

318 | sslCertExtPrivKeyUsagePeriod | octetArray | | | | 2019-10-31

SSL extension value holding the usage period for the private key, {id-ce 16} privateKeyUsagePeriod.

319 | sslCertExtSubjectAltName | octetArray | | | | 2019-10-31

SSL extension value holding the subject's alternative names, {id-ce 17} subjectAltName.

320 | sslCertExtIssuerAltName | octetArray | | | | 2019-10-31

SSL extension value holding the issuer's alternative names, {id-ce 18} issuerAltName.

321 | sslCertExtCertIssuer | octetArray | | | | 2019-10-31

SSL extension value holding the certificate issuer associated with an entry in an indirect CRL, {id-ce 29} certificateIssuer.

322 | sslCertExtCrlDistribution | octetArray | | | | 2019-10-31

SSL extension value holding the certificate revocation list (CRL) distribution points, {id-ce 31} crlDistributionPoints.

323 | sslCertExtCertPolicies | octetArray | | | | 2019-10-31

SSL extension value holding the certificate policies, {id-ce 32} certificatePolicies.

324 | sslCertExtAuthorityKeyIdent | octetArray | | | | 2019-10-31

SSL extension value holding the authority key identifier, {id-ce 35} authorityKeyIdentifier.

325sslCertExtExtendedKeyUsageoctetArray2019-10-31

SSL extension value holding the extended key usage, {id-ce 37} extKeyUsage.

326smtpStartTLSunsigned82020-01-31

Element indicating whether or not the SMTP session sent the STARTTLS command.

327smtpKeystring2020-01-31

SMTP Header key string.

328smtpValuestring2020-01-31

SMTP Header value string.

329smtpURLstring2020-01-31

Element for URLs captured in the SMTP message body.

330smtpMessageSizeunsigned322020-01-31

Element containing the value of the SMTP message size.

331smtpResponseListbasicList2020-01-31

A basicList of smtpResponse (CERT/169) elements.

332smtpToListbasicList2020-01-31

A basicList of smtpTo (CERT/164) elements.

333smtpFromListbasicList2020-01-31

A basicList of smtpFrom (CERT/163) elements.

334smtpFilenameListbasicList2020-01-31

A basicList of smtpFilename (CERT/167) elements.

335smtpURLListbasicList2020-01-31

A basicList of smtpURL (CERT/329) elements.

336smtpMessageListsubTemplateListlist2020-01-31

A sub template list holding email data in smtpMessage templates.

337smtpHeaderListsubTemplateListlist2020-01-31

A sub template list holding email header data in smtpHeader templates.

338httpServerStringListbasicList2020-05-29

A basicList of httpServerString (CERT/110) elements.

339httpUserAgentListbasicList2020-05-29

A basicList of httpUserAgent (CERT/111) elements.

340httpGetListbasicList2020-05-29

A basicList of httpGet (CERT/112) elements.

341httpConnectionListbasicList2020-05-29

A basicList of httpConnection (CERT/113) elements.

342httpVersionListbasicList2020-05-29

A basicList of httpVersion (CERT/114) elements.

343httpRefererListbasicList2020-05-29

A basicList of httpReferer (CERT/115) elements.

344httpLocationListbasicList2020-05-29

A basicList of httpLocation (CERT/116) elements.

345httpHostListbasicList2020-05-29

A basicList of httpHost (CERT/117) elements.

346httpContentLengthListbasicList2020-05-29

A basicList of httpContentLength (CERT/118) elements.

347httpAgeListbasicList2020-05-29

A basicList of httpAge (CERT/119) elements.

348httpAcceptListbasicList2020-05-29

A basicList of httpAccept (CERT/120) elements.

349httpAcceptLanguageListbasicList2020-05-29

A basicList of httpAcceptLanguage (CERT/121) elements.

350httpContentTypeListbasicList2020-05-29

A basicList of httpContentType (CERT/122) elements.

351httpResponseListbasicList2020-05-29

A basicList of httpResponse (CERT/123) elements.

352pop3TextMessageListbasicList2020-05-29

A basicList of pop3TextMessage (CERT/124) elements.

353ircTextMessageListbasicList2020-05-29

A basicList of ircTextMessage (CERT/125) elements.

354slpStringListbasicList2020-05-29

A basicList of slpString (CERT/130) elements.

355ftpReturnListbasicList2020-05-29

A basicList of ftpReturn (CERT/131) elements.

356ftpUserListbasicList2020-05-29

A basicList of ftpUser (CERT/132) elements.

357ftpPassListbasicList2020-05-29

A basicList of ftpPass (CERT/133) elements.

358ftpTypeListbasicList2020-05-29

A basicList of ftpType (CERT/134) elements.

359ftpRespCodeListbasicList2020-05-29

A basicList of ftpRespCode (CERT/135) elements.

360imapCapabilityListbasicList2020-05-29

A basicList of imapCapability (CERT/136) elements.

361imapLoginListbasicList2020-05-29

A basicList of imapLogin (CERT/137) elements.

362imapStartTLSListbasicList2020-05-29

A basicList of imapStartTLS (CERT/138) elements.

363imapAuthenticateListbasicList2020-05-29

A basicList of imapAuthenticate (CERT/139) elements.

364imapCommandListbasicList2020-05-29

A basicList of imapCommand (CERT/140) elements.

365imapExistsListbasicList2020-05-29

A basicList of imapExists (CERT/141) elements.

366imapRecentListbasicList2020-05-29

A basicList of imapRecent (CERT/142) elements.

367rtspURLListbasicList2020-05-29

A basicList of rtspURL (CERT/143) elements.

368rtspVersionListbasicList2020-05-29

A basicList of rtspVersion (CERT/144) elements.

369rtspReturnCodeListbasicList2020-05-29

A basicList of rtspReturnCode (CERT/145) elements.

370rtspContentLengthListbasicList2020-05-29

A basicList of rtspContentLength (CERT/146) elements.

371rtspCommandListbasicList2020-05-29

A basicList of rtspCommand (CERT/147) elements.

372rtspContentTypeListbasicList2020-05-29

A basicList of rtspContentType (CERT/148) elements.

373rtspTransportListbasicList2020-05-29

A basicList of rtspTransport (CERT/149) elements.

374rtspCSeqListbasicList2020-05-29

A basicList of rtspCSeq (CERT/150) elements.

375rtspLocationListbasicList2020-05-29

A basicList of rtspLocation (CERT/151) elements.

376rtspPacketsReceivedListbasicList2020-05-29

A basicList of rtspPacketsReceived (CERT/152) elements.

377rtspUserAgentListbasicList2020-05-29

A basicList of rtspUserAgent (CERT/153) elements.

378rtspJitterListbasicList2020-05-29

A basicList of rtspJitter (CERT/154) elements.

379sipInviteListbasicList2020-05-29

A basicList of sipInvite (CERT/155) elements.

380sipCommandListbasicList2020-05-29

A basicList of sipCommand (CERT/156) elements.

381sipViaListbasicList2020-05-29

A basicList of sipVia (CERT/157) elements.

382sipMaxForwardsListbasicList2020-05-29

A basicList of sipMaxForwards (CERT/158) elements.

383sipAddressListbasicList2020-05-29

A basicList of sipAddress (CERT/159) elements.

384sipContentLengthListbasicList2020-05-29

A basicList of sipContentLength (CERT/160) elements.

385sipUserAgentListbasicList2020-05-29

A basicList of sipUserAgent (CERT/161) elements.

386sshVersionListbasicList2020-05-29

A basicList of sshVersion (CERT/171) elements.

387nntpResponseListbasicList2020-05-29

A basicList of nntpResponse (CERT/172) elements.

388nntpCommandListbasicList2020-05-29

A basicList of nntpCommand (CERT/173) elements.

389sslCipherListbasicList2020-05-29

A basicList of sslCipher (CERT/185) elements.

390httpCookieListbasicList2020-05-29

A basicList of httpCookie (CERT/220) elements.

391httpSetCookieListbasicList2020-05-29

A basicList of httpSetCookie (CERT/221) elements.

392httpAuthorizationListbasicList2020-05-29

A basicList of httpAuthorization (CERT/252) elements.

393httpViaListbasicList2020-05-29

A basicList of httpVia (CERT/253) elements.

394httpXForwardedForListbasicList2021-06-07

A basicList of httpX-Forwarded-For (CERT/254) elements.

This element previously was named "httpX-Forwarded-ForList".

395httpExpiresListbasicList2020-05-29

A basicList of httpExpires (CERT/255) elements.

396httpRefreshListbasicList2020-05-29

A basicList of httpRefresh (CERT/256) elements.

397httpIMEIListbasicList2020-05-29

A basicList of httpIMEI (CERT/257) elements.

398httpIMSIListbasicList2020-05-29

A basicList of httpIMSI (CERT/258) elements.

399httpMSISDNListbasicList2020-05-29

A basicList of httpMSISDN (CERT/259) elements.

400httpSubscriberListbasicList2020-05-29

A basicList of httpSubscriber (CERT/260) elements.

401httpAcceptCharsetListbasicList2020-05-29

A basicList of httpAcceptCharset (CERT/261) elements.

402httpAllowListbasicList2020-05-29

A basicList of httpAllow (CERT/263) elements.

403httpDateListbasicList2020-05-29

A basicList of httpDate (CERT/264) elements.

404httpExpectListbasicList2020-05-29

A basicList of httpExpect (CERT/265) elements.

405httpFromListbasicList2020-05-29

A basicList of httpFrom (CERT/266) elements.

406httpProxyAuthenticationListbasicList2020-05-29

A basicList of httpProxyAuthentication (CERT/267) elements.

407httpUpgradeListbasicList2020-05-29

A basicList of httpUpgrade (CERT/268) elements.

408httpWarningListbasicList2020-05-29

A basicList of httpWarning (CERT/269) elements.

409httpDNTListbasicList2020-05-29

A basicList of httpDNT (CERT/270) elements.

410httpXForwardedProtoListbasicList2021-06-07

A basicList of httpXForwardedProto (CERT/271) elements.

This element previously was named "httpX-Forwarded-ProtoList".

411httpXForwardedHostListbasicList2021-06-07

A basicList of httpXForwardedHost (CERT/272) elements.

This element previously was named "httpX-Forwarded-HostList".

412httpXForwardedServerListbasicList2021-06-07

A basicList of httpXForwardedServer (CERT/273) elements.

This element previously was named "httpX-Forwarded-ServerList".

413httpXDeviceIdListbasicList2021-06-07

A basicList of httpXDeviceId (CERT/274) elements.

This element previously was named "httpX-DeviceIDList".

414httpXProfileListbasicList2021-06-07

A basicList of httpXProfile (CERT/275) elements.

This element previously was named "httpX-ProfileList".

415httpLastModifiedListbasicList2020-05-29

A basicList of httpLastModified (CERT/276) elements.

416httpContentEncodingListbasicList2020-05-29

A basicList of httpContentEncoding (CERT/277) elements.

417httpContentLanguageListbasicList2020-05-29

A basicList of httpContentLanguage (CERT/278) elements.

418httpContentLocationListbasicList2020-05-29

A basicList of httpContentLocation (CERT/279) elements.

419httpXUaCompatibleListbasicList2021-06-07

A basicList of httpXUACompatible (CERT/280) elements.

This element previously was named "httpX-UA-CompatibleList".

420modbusDataListbasicList2020-05-29

A basicList of modbusData (CERT/285) elements.

421enipDataListbasicList2021-06-07

A basicList of enipData (6871/286) elements.

This element previously was named "ethernetIPDataList".

422dhcpOptionListbasicList2020-05-29

Reversible as reverseDhcpOptionList (ElementID 16806).

A basicList of dhcpOption (6871/297) elements.

423dnsDNSKEYAlgorithmunsigned82021-06-07

The cryptographic algorithm used for the public key in a DNS DNSKEY RR.

424mysqlCommandTextCodeListsubTemplateList2020-05-29

A subTemplateList of mysqlCommandText and mysqlCommandCode pairs.

425sslCertListsubTemplateList2020-05-29

A subTemplateList of yaf_ssl_cert templates.

426sslIssuerFieldListsubTemplateList2020-05-29

A subTemplateList of sslCertificate values.

427sslSubjectFieldListsubTemplateList2020-05-29

A subTemplateList of sslCertificate values.

428sslExtensionFieldListsubTemplateList2020-05-29

A subTemplateList of sslCertificate values.

429sslBinaryCertificateListbasicList2020-05-29

A basicList of sslBinaryCertificate (CERT/296) elements.

430dnp3RecordListsubTemplateList2020-05-29

A subTemplateList holding the DNP3 values.

431dnsDetailRecordListsubTemplateList2021-06-07

A subTemplateList of yaf_dns_rr templates.

This element previously was named "dnsQRDetailRecordList".

432yafDPIListsubTemplateList2020-05-29

A subTemplateList of deep packet inspection data generated by yaf.

433dnsDSAlgorithmunsigned82021-06-07

The Algorithm field in a DNS DS RR. It holds the algorithm used by the DNS DNSKEY RR to which this DS RR refers.

434dnsDSKeyTagunsigned162021-06-07

The Key Tag field in a DNS DS RR.

435dnsNSEC3Algorithmunsigned82021-06-07

The Algorithm field in a DNS NSEC3 RR.

436dnsNSEC3Flagsunsigned82021-06-07

The Flags field in a DNS NSEC3 RR.

437dnsNSEC3Iterationsunsigned162021-06-07

The Iterations field in a DNS NSEC3 RR.

438dnsNSEC3NextHashedOwnerNameoctetArray2021-06-07

The Next Hashed Owner Name field in a DNS NSEC3 RR.

439dnsNSEC3SaltoctetArray2021-06-07

The Salt field in a DNS NSEC3 RR.

440dnsNSEC3TypeBitMapsoctetArray2021-06-07

The Type Bit Maps field in a DNS NSEC3 RR.

441dnsNSEC3PARAMAlgorithmunsigned82021-06-07

The Algorithm field in a DNS NSEC3PARAM RR.

442dnsNSEC3PARAMFlagsunsigned82021-06-07

The Flags field in a DNS NSEC3PARAM RR.

443dnsNSEC3PARAMIterationsunsigned162021-06-07

The Iterations field in a DNS NSEC3PARAM RR.

444dnsNSEC3PARAMSaltoctetArray2021-06-07

The Salt field in a DNS NSEC3PARAM RR.

445dnsNSECNextDomainNameoctetArray2021-06-07

The Next Domain Name field in a DNS NSEC RR.

446dnsNSECTypeBitMapsoctetArray2021-06-07

The Type Bit Maps field in a DNS NSEC RR.

447dnsRRSIGAlgorithmunsigned82021-06-07

The Algorithm field in a DNS RRSIG RR.

448dnsRRSIGKeyTagunsigned162021-06-07

The Key Tag field in a DNS RRSIG RR.

449dnsRRSIGOriginalTTLunsigned322021-06-07

The Original TTL field in a DNS RRSIG RR.

450sslCertIssuerOrgNameListbasicList2021-08-07

A basicList of sslCertIssuerOrgName (CERT/192) elements, each holding an organization name {id-at 10} of the issuer of an SSL certificate.

451sslCertIssuerOrgUnitNameListbasicList2021-08-07

A basicList of sslCertIssuerOrgUnitName (CERT/193) elements, each holding an organizational unit name {id-at 11} of the issuer of an SSL certificate.

452sslCertIssuerCommonNameListbasicList2021-08-07

A basicList of sslCertIssuerCommonName (CERT/196) elements, each holding a common name {id-at 3} of the issuer of an SSL certificate.

453sslCertIssuerStreetAddressListbasicList2021-08-07

A basicList of sslCertIssuerStreetAddress (CERT/198) elements, each holding a street address {id-at 9} of the issuer of an SSL certificate.

454sslCertSubjectOrgNameListbasicList2021-08-07

A basicList of sslCertSubjectOrgName (CERT/201) elements, each holding an organization name {id-at 10} of the subject of an SSL certificate.

455sslCertSubjectOrgUnitNameListbasicList2021-08-07

A basicList of sslCertSubjectOrgUnitName (CERT/202) elements, each holding an organizational unit name {id-at 11} of the subject of an SSL certificate.

456sslCertSubjectCommonNameListbasicList2021-08-07

A basicList of sslCertSubjectCommonName (CERT/205) elements, each holding a common name {id-at 3} of the subject of an SSL certificate.

457sslCertSubjectStreetAddressListbasicList2021-08-07

A basicList of sslCertSubjectStreetAddress (CERT/207) elements, each holding a street address {id-at 9} of the subject of an SSL certificate.

458sslCertIssuerDomainComponentListbasicList2021-08-07

A basicList of sslCertIssuerDomainComponent (CERT/314) elements, each holding an LDAP dc (domainComponent), 0.9.2342.19200300.100.1.25, holding one component, a label, of the DNS name of the issuer of an SSL certificate.

459sslCertSubjectDomainComponentListbasicList2021-08-07

A basicList of sslCertSubjectDomainComponent (CERT/315) elements, each holding an LDAP dc (domainComponent), 0.9.2342.19200300.100.1.25, holding one component, a label, of the DNS name of the subject of an SSL certificate.

460sslCertValidityTotalDayssigned322021-11-15

The whole number of days the certificate was valid (sslCertValidityNotAfter - sslCertValidityNotBefore).

461sslCertValidityDaysTimeOfUsesigned322021-11-15

The whole number of days the certificate was valid at the time it was used (flowStartMilliseconds - sslCertValidityNotBefore).

462sslCertificateSHA256octetArray2021-11-15

The SHA256 hash of a complete SSL certificate.

463-499Unassigned
500smallPacketCountunsigned32totalCounterpackets

Reversible as reverseSmallPacketCount (ElementID 16884).

The number of packets that contain fewer than 60 bytes of payload.

501nonEmptyPacketCountunsigned32totalCounterpackets

Reversible as reverseNonEmptyPacketCount (ElementID 16885).

The number of packets that contain at least 1 byte of payload.

502dataByteCountunsigned64totalCounteroctets

Reversible as reverseDataByteCount (ElementID 16886).

Total bytes transferred as payload.

503averageInterarrivalTimeunsigned64milliseconds

Reversible as reverseAverageInterarrivalTime (ElementID 16887).

Average number of milliseconds between packets.

504standardDeviationInterarrivalTimeunsigned64milliseconds

Reversible as reverseStandardDeviationInterarrivalTime (ElementID 16888).

Standard deviation of the interarrival time for up to the first ten packets.

505firstNonEmptyPacketSizeunsigned16quantityoctets

Reversible as reverseFirstNonEmptyPacketSize (ElementID 16889).

Payload length of the first non-empty packet.

506maxPacketSizeunsigned16quantityoctets

Reversible as reverseMaxPacketSize (ElementID 16890).

The largest payload length transferred in the flow.

507firstEightNonEmptyPacketDirectionsunsigned8flags

Reversible as reverseFirstEightNonEmptyPacketDirections (ElementID 16891).

Represents directionality for the first 8 non-empty packets. 0 for forward direction, 1 for reverse direction.

508standardDeviationPayloadLengthunsigned16octets

Reversible as reverseStandardDeviationPayloadLength (ElementID 16892).

The standard deviation of the payload length for up to the first 10 non-empty packets.

509tcpUrgentCountunsigned32totalCounterpackets

Reversible as reverseTcpUrgentCount (ElementID 16893).

The number of TCP packets that have the URGENT Flag set.

510largePacketCountunsigned32totalCounterpackets

Reversible as reverseLargePacketCount (ElementID 16894).

The number of packets that contain at least 220 bytes of payload.

511-549Unassigned
550certToolTombstoneIdunsigned32identifier2021-06-07

An identifier of a tombstone record that is unique within the process that initially generates the record.

This element previously was named "tombstoneId".

551certToolExporterConfiguredIdunsigned16identifier2021-06-07

An identifier for this process chosen by the user.

This element previously was named "exporterConfiguredId".

552certToolExporterUniqueIdunsigned16identifier2021-06-07

A pseudo-random number to identify this exporting process.

This element previously was named "exporterUniqueId".

553certToolIdunsigned32identifier1-62019-02-20

An identifier for each CERT tool.

1 - YAF
2 - super_mediator
3 - SiLK rwflowpack
4 - SiLK rwflowappend
5 - Mothra IPFIX Packer
6 - Analysis Pipeline
        
554certToolTombstoneAccessListsubTemplateListlist2021-06-07

A list containing a certToolId and the time when that tool accessed the tombstone record.

This element previously was named "tombstoneAccessList".

555-926Unassigned
927smDNSDatastring2021-06-07

Field used by super_mediator to export DNS information.

This element previously was named "dnsRName".

928dnsHitCountunsigned162021-06-07

Deprecated in favor of 6871/929 smDedupHitCount.

929smDedupHitCountunsigned64totalCounter2021-06-07

The number of times the deduplicated item was seen.

This element previously was named "observedDataTotalCount".

930smDedupDataoctetArray2021-06-07

A representation of data that is being deduplicated.

This element previously was named "observedData".

931smIpsetMatchesSrcunsigned8flags2021-06-07

Used by super_mediator to indicate that the record's source IP address matched an IPset.

932smIpsetMatchesDstunsigned8flags2021-06-07

Used by super_mediator to indicate that the record's destination IP address matched an IPset.

933-999Unassigned
1000templateNamestring2020-05-29

Specifies a human-friendly name for an IPFIX template.

1001templateDescriptionstring2020-05-29

Specifies a textual description for an IPFIX template.

1002-16383Unassigned

People

| ID | Name | Contact URI | Last Updated |
|---|---|---|---|
| [Netsa_Tools] | Netsa Tools Help | mailto:netsa-help@cert.org | 2018-05-01 |