CERT IE Registry

Created
2017-11-28
Last Updated
2022-05-26

Download

(SHA256=aaba7715e6850ef75c4cd62aa9989f1cdfa8efeec6fe893203a5a07f1f4be7ea)

CERT Enterprise IPFIX Elements (PEN 6871)

NOTES:

  • Obsolete element names are struck out and marked with ❌.
  • Deprecated element names are marked with ⚠️.
  • Reversible element names are marked with 🔄.
ElementIDNameData TypeSemanticsUnitsRangeDate
Description
0Reserved

Reserved as per section 4 of [RFC7012].

1-11Unassigned
12obsoleteReverseOctetTotalCountunsigned64totalCounter
13obsoleteReversePacketTotalCountunsigned64totalCounter
14initialTCPFlagsunsigned16flags2017-12-19

Reversible as reverseInitialTCPFlags (ElementID 16398).

TCP flags on the initial packet in the forward direction of the flow.

15unionTCPFlagsunsigned16flags2017-12-19

Reversible as reverseUnionTCPFlags (ElementID 16399).

Union of TCP flags of all packets other than the initial packet in the forward direction of the flow.

16obsoleteReverseInitialTCPFlagsunsigned8flags
17obsoleteReverseUnionTCPFlagsunsigned8flags
18payloadoctetArray

Reversible as reversePayload (ElementID 16402).

Initial bytes of flow payload in the forward direction.

19obsoleteReversePayloadoctetArray
20obsoleteReverseTcpSequenceNumberunsigned32
21reverseFlowDeltaMillisecondsunsigned32quantitymilliseconds

Difference in milliseconds between the times of the first packet in forward direction and the first packet in the reverse direction.

22-28Unassigned
29obsoleteReverseVlanIdunsigned16identifier
30silkFlowtypeIdunsigned8identifier2022-05-26

A value typically assigned by SiLK identifying the direction and related properties of the flow record. The flowtype may also be represented by a silkFlowtypeName (CERT/938) or by the pair silkClassName (CERT/939) and silkTypeName (CERT/940).

Prior to 2022-05-26, this element was named "silkFlowType".

31silkSensorIdunsigned16identifier2022-05-26

A value typically assigned by SiLK identifying the sensor where the flow record was collected. The sensor may also be represented by a silkSensorName (CERT/941).

Prior to 2022-05-26, this element was named "silkFlowSensor".

32silkTCPStateunsigned8flags

Aspects of a flow record assigned by the SiLK rwflowpack tool.

33silkAppLabelunsigned16identifier

Application label, defined as the primary well-known port associated with a given application.

34Unassigned
35payloadEntropyunsigned8

Reversible as reversePayloadEntropy (ElementID 16419).

The Shannon Entropy value for the payload, converted from a floating point (range 0.0 to 8.0) to an 8-bit unsigned integer. Generally, numbers above 230 are compressed or encrypted, numbers centered around 140 are English text, and very low value may indicate zero-padding of packets (e.g. TLS).

36osNamestring

Reversible as reverseOsName (ElementID 16420).

p0f OS Name for the forward flow based on the SYN packet and p0f SYN Fingerprints.

37osVersionstring

Reversible as reverseOsVersion (ElementID 16421).

p0f OS Version for the forward flow based on the SYN packet and p0f SYN Fingerprints.

38firstPacketBanneroctetArray

Reversible as reverseFirstPacketBanner (ElementID 16422).

IP and transport headers for first packet in forward direction to be used for external OS Fingerprinters.

39secondPacketBanneroctetArray

Reversible as reverseSecondPacketBanner (ElementID 16423).

IP and transport headers for first packet in forward direction to be used for external OS Fingerprinters.

40flowAttributesunsigned16flags

Reversible as reverseFlowAttributes (ElementID 16424).

Miscellaneous flow attributes for the forward direction of the flow.

41-99Unassigned
100yafExpiredFragmentCountunsigned32totalCounterpackets2021-06-07

Total number of packet fragments that have been expired since yaf start time.

Prior to YAF 3.0, this element was named "expiredFragmentCount".

101yafAssembledFragmentCountunsigned32totalCounterpackets2021-06-07

Total number of packets that been assembled from a series of fragments since yaf start time.

Prior to YAF 3.0, this element was named "assembledFragmentCount".

102yafMeanFlowRateunsigned32flows2021-06-07

The mean flow rate of the yaf flow sensor since yaf start time, rounded to the nearest integer.

Prior to YAF 3.0, this element was named "meanFlowRate".

103yafMeanPacketRateunsigned32packets2021-06-07

The mean packet rate of the yaf flow sensor since yaf start time, rounded to the nearest integer.

Prior to YAF 3.0, this element was named "meanPacketRate".

104yafFlowTableFlushEventCountunsigned32totalCounterflows2021-06-07

Total number of times the yaf flow table has been flushed since yaf start time.

Prior to YAF 3.0, this element was named "flowTableFlushEventCount".

105yafFlowTablePeakCountunsigned32flows2021-06-07

The maximum number of flows in the yaf flow table at any one time since yaf start time.

Prior to YAF 3.0, this element was named "flowTablePeakCount".

106yafFlowKeyHashunsigned32identifier

The 32 bit hash of the 5-tuple and VLAN that is used as they key to YAF's internal flow table.

107osFingerprintstring2021-06-07

Reversible as reverseOsFingerprint (ElementID 16491).

p0f OS Fingerprint for the forward flow based on the SYN packet and p0f SYN fingerprints.

Prior to YAF 3.0, this element was named "osFingerPrint".

108-109Unassigned
110httpServerStringstring

HTTP Server Response-header field. Contains information about the software used to handle the HTTP Request.

111httpUserAgentstring

HTTP User-Agent Request-header field. Contains information about the user agent originating the request.

112httpGetstring

HTTP Method Command. Retrieves information identified by the following Request-URI.

113httpConnectionstring

HTTP Connection header fields. Contains options that are desired for a particular connection.

114httpVersionstring

HTTP Version Number.

115httpRefererstring

HTTP Referer request-header field. Address (URI) of the resource which the Request-URI was obtained.

116httpLocationstring

HTTP Location response-header field. Used to redirect the recipient to a location to complete a request or identify a new resource.

117httpHoststring

HTTP Host Request-header. The Internet host and port number of the resource being requested.

118httpContentLengthstring

HTTP Content-Length header. Indicates the size of the entity-body.

119httpAgestring

HTTP Age response-header. Argument is the sender's estimate of the time elapsed since the response.

120httpAcceptstring

HTTP Accept request-header field. Used to specify certain media types that are acceptable for the response.

121httpAcceptLanguagestring

HTTP Accept-Language Request-Header field. Restricts the set of natural languages that preferred.

122httpContentTypestring

HTTP Content Type entity-header field. Indicates the media type of the entity-body.

123httpResponsestring

HTTP Response Status Code. Usually a three-digit number followed by text.

124pop3TextMessagestring

POP3 Command and Replies. Contains any command or reply message found in POP3 payload data.

125ircTextMessagestring

IRC Chat or Join Message. This field contains any IRC Command and the following arguments.

126tftpFilenamestring

TFTP Name of File being transferred.

127tftpModestring

Contains the mode of transfer. (netascii, octet, mail)

128slpVersionunsigned8

SLP Version Number.

129slpMessageTypeunsigned81-11

SLP Message Type. This value should be between 1 and 11 and describes the type of SLP message.

130slpStringstring

Contains the text elements found in an SLP Service Request.

131ftpReturnstring

FTP Commands or Replies.

132ftpUserstring

FTP User Command Argument. This command will normally be the first command transmitted by the user.

133ftpPassstring

FTP Password Command Argument. This command must be preceded by the user name command, and is usually required to complete authentication.

134ftpTypestring

FTP Data Representation Type.

135ftpRespCodestring

FTP Reply. This consists of a three digit number followed by some text.

136imapCapabilitystring

IMAP Capability Command and Response. Captures the listing of capabilities that the server supports.

137imapLoginstring

IMAP Login Command. Arguments are user name and password.

138imapStartTLSstring

IMAP STARTTLS Command. Captures this command only as no arguments or responses are related.

139imapAuthenticatestring

IMAP Authenticate Command. Captures the authentication mechanism name of the server following this command.

140imapCommandstring

Captures a variety of IMAP Commands and their arguments.

141imapExistsstring

IMAP Exists Response. Reports the number of messages in the mailbox.

142imapRecentstring

IMAP Recent Response. Reports the number of message with the Recent flag set.

143rtspURLstring

RTSP URL. Captures the address of the network resources requested.

144rtspVersionstring

RTSP Version Number.

145rtspReturnCodestring

RTSP Status-Line. Captures the RTSP Protocol version, numeric status code, and the textual phrase associated with the numeric code.

146rtspContentLengthstring

RTSP Content-Length Header Field. Contains the length of the content of the method.

147rtspCommandstring

RTSP Command. Captures the method to be performed and the Request-URI associated with the method.

148rtspContentTypestring

RTSP Content Type.

149rtspTransportstring

RTSP Transport request header field. Captures the transport protocol used and the parameters that follow.

150rtspCSeqstring

RTSP CSeq field. Contains the sequence number for an RTSP request-response pair.

151rtspLocationstring

RTSP Location header field.

152rtspPacketsReceivedstring

RTSP User Agent field. Contains information about the user agent originating the request.

153rtspUserAgentstring

RTSP User Agent field. Contains information about the user agent originating the request.

154rtspJitterstring

RTSP Jitter Value.

155sipInvitestring

SIP Invite Method. Contains the SIP address and SIP Version Number.

156sipCommandstring

SIP Command. Contains a SIP Method, SIP address, and SIP Version Number.

157sipViastring

SIP Via contains the SIP Version Number and the address the sender is expecting to receive responses.

158sipMaxForwardsstring

SIP Max Forwards contains the limit of number of hops a request can make on the way to its destination.

159sipAddressstring

SIP Address contains the argument of the To, From, or Contact Header Fields.

160sipContentLengthstring

SIP Content Length header field. Contains the byte count of the message byte.

161sipUserAgentstring

SIP User Agent Header Field. Contains information about the User Agent Client originating the request.

162smtpHellostring

SMTP Hello or Extend Hello command. Captures the command and the domain name of the SMTP client.

163smtpFromstring

SMTP Mail Command. Contains the reverse-path of the sender mailbox.

164smtpTostring

The SMTP Recipient (RCPT) Command. Captures the command and the forward-path of the recipient of the mail data.

165smtpContentTypestring

SMTP Content Type Header Field.

166smtpSubjectstring

SMTP Subject. Contains the subject of the mail data.

167smtpFilenamestring

SMTP Filename. Contains the name of the file attached to the mail message.

168smtpContentDispositionstring

SMTP Content-Disposition Header field.

169smtpResponsestring

SMTP Replies. Consists of a three digit number followed by text.

170smtpEnhancedstring

Enhanced SMTP. Contains the ESMTP command with the following argument.

171sshVersionstring

SSH Version Number

172nntpResponsestring

NNTP Reply. This consists of a three digit status code and text message.

173nntpCommandstring

NNTP Command. Contains an NNTP Command and following argument(s).

174dnsQueryResponseunsigned8

DNS Query/Response header field. This corresponds with the DNS header one bit field, QR. If the message is a query (0), or a response (1).

175dnsRRTypeunsigned162021-06-07

DNS Query/Response Type. This corresponds with the QTYPE field in the DNS Question Section or the TYPE field in the DNS Resource Record Section. This field determines the type of records in the DNS DPI subTemplateList dnsDetailRecordList (CERT/431).

Prior to YAF 3.0, this element was named "dnsQRType".

176dnsAuthoritativeunsigned8

DNS Authoritative header field. This corresponds with the DNS header one bit field, AA. This bit is only valid in responses (when dnsQueryResponse is 1), and specifies that the responding name server is an authority for the domain name in the question section.

177dnsResponseCodeunsigned82021-06-07

DNS NXDomain or Response Code (RCODE). This corresponds with the DNS RCODE header field. This field will be set to 3 for a Name Error, 2 for a Server Failure, 1 for a Format Error, and 0 for No Error. See [dns-parameters] for other valid values.

Prior to YAF 3.0, this element was named "dnsNXDomain".

178dnsSectionunsigned82021-06-07

DNS Resource Record Section Field. This field will be set to 0 if the information is from the Question Section, 1 for the Answer Section, 2 for the Name Server Section, and 3 for the Additional Section.

Prior to YAF 3.0, this element was named "dnsRRSection".

179dnsNamestring2021-06-07

A DNS Query or Response Name. This field corresponds with the QNAME field in the DNS Question Section or the NAME field in the DNS Resource Record Section.

Prior to YAF 3.0, this element was named "dnsQName".

180dnsCNAMEstring2021-06-07

A domain-name which specificies the canonical or primary name for the owner.

Prior to YAF 3.0, this element was named "dnsCName".

181dnsMXPreferenceunsigned16

Corresponds to the DNS MX Preference field.

182dnsMXExchangestring

Corresponds to the DNS MX Exchange field.

183dnsNSDNamestring

An authoritative name server domain-name.

184dnsPTRDNamestring

Corresponds to DNS PTR PTRDNAME Field.

185sslCipherunsigned32

sslCipher is a CipherSuite suggested by the client in the ClientHello Message.

186sslClientVersionunsigned8

sslClientVersion is the version it supports contained in the initial ClientHello message.

187sslServerCipherunsigned32

sslServerCipher is the CipherSuite chosen by the server in the ServerHello message.

188sslCompressionMethodunsigned8

sslCompressionMethod is the compression method chosen by the server in the ServerHello message.

189sslCertVersionunsigned8

The Certificate Version. This is the value contained in the certificate v1(0), v2(1), v3(2).

190sslCertSignatureoctetArray

The signature contained in a SSL certificate. This is typically the hashing algorithm identifier.

191sslCertIssuerCountryNamestring2019-10-31

Country name {id-at 6} of the issuer of an SSL certificate.

192sslCertIssuerOrgNamestring2019-10-31

Organization name {id-at 10} of the issuer of an SSL certificate.

193sslCertIssuerOrgUnitNamestring2019-10-31

Organizational unit name {id-at 11} of the issuer of an SSL certificate.

194sslCertIssuerZipCodestring2019-10-31

Postal or zip code {id-at 17} of the issuer of an SSL certificate.

195sslCertIssuerStatestring2019-10-31

State or providence name {id-at 8} of the issuer of an SSL certificate.

196sslCertIssuerCommonNamestring2019-10-31

Common name {id-at 3} of the issuer of an SSL certificate.

197sslCertIssuerLocalityNamestring2019-10-31

Locality name {id-at 7} of the issuer of an SSL certificate.

198sslCertIssuerStreetAddressstring2019-10-31

Street address {id-at 9} of the issuer of an SSL certificate.

199dnsTTLunsigned32

DNS Time To Live. This is an unsigned integer that specifies the time interval, in seconds, that the resource record may be cached for. This will contain a value of zero for DNS Queries.

200sslCertSubjectCountryNamestring2021-08-07

Country name {id-at 6} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubCountryName".

201sslCertSubjectOrgNamestring2021-08-07

Organization name {id-at 10} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubOrgName".

202sslCertSubjectOrgUnitNamestring2021-08-07

Organizational unit name {id-at 11} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubOrgUnitName".

203sslCertSubjectZipCodestring2021-08-07

Postal or zip code {id-at 17} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubZipCode".

204sslCertSubjectStatestring2021-08-07

State or providence name {id-at 8} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubState".

205sslCertSubjectCommonNamestring2021-08-07

Common name {id-at 3} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubCommonName".

206sslCertSubjectLocalityNamestring2021-08-07

Locality name {id-at 7} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubLocalityName".

207sslCertSubjectStreetAddressstring2021-08-07

Street address {id-at 9} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubStreetAddress".

208dnsTXTDatastring

Corresponds to DNS TXT TXT-DATA field.

209dnsSOASerialunsigned32

Corresponds to DNS SOA SERIAL Field.

210dnsSOARefreshunsigned32

Corresponds to DNS SOA REFRESH Field.

211dnsSOARetryunsigned32

Corresponds to DNS SOA RETRY Field.

212dnsSOAExpireunsigned32

Corresponds to DNS SOA EXPIRE Field.

213dnsSOAMinimumunsigned32

Corresponds to DNS SOA MINIMUM Field.

214dnsSOAMNamestring

Corresponds to DNS SOA MNAME Field.

215dnsSOARNamestring

Corresponds to DNS SOA RNAME Field.

216dnsSRVPriorityunsigned16

Corresponds to the Priority Field in the DNS SRV Resource Record.

217dnsSRVWeightunsigned16

Corresponds to the Weight Field in the DNS SRV Resource Record.

218dnsSRVPortunsigned16

Corresponds to the Port Field in the DNS SRV Resource Record.

219dnsSRVTargetstring

Corresponds to the Target Field in the DNS SRV Resource Record.

220httpCookiestring

HTTP Cookie Header Field.

221httpSetCookiestring

HTTP Set Cookie Header Field.

222smtpSizestring

SMTP Size Header Field. Contains the size in bytes of the mail data.

223mysqlUsernamestring

The username seen when authenticating to a MySQL server.

224mysqlCommandCodeunsigned80-28

MySQL Command Code. This number should be between 0 and 28.

225mysqlCommandTextstring

MySQL Command Text. For example, this can be a SELECT, INSERT, DELETE statement.

226dnsIdunsigned162021-06-07

DNS Transaction ID. This identifier is used by the requester to match up replies to outstanding queries.

Prior to YAF 3.0, this element was named "dnsID".

227dnsAlgorithmunsigned82021-06-07

Deprecated in favor of dnsDNSKEYAlgorithm (CERT/423), dnsDSAlgorithm (CERT/433), dnsNSEC3Algorithm (CERT/435), dnsNSEC3PARAMAlgorithm (CERT/441), and dnsRRSIGAlgorithm (CERT/447).

The Hash Algorithm field in various DNSSEC records.

228dnsKeyTagunsigned162021-06-07

Deprecated in favor of dnsDSKeyTag (CERT/434) and dnsRRSIGKeyTag (CERT/448).

The Key Tag field in the DS RR.

229dnsRRSIGSignerstring2021-06-07

The Signer's Name field in the DNS RRSIG RR.

Prior to YAF 3.0, this element was named "dnsSigner".

230dnsRRSIGSignatureoctetArray2021-06-07

The Signature field in the DNS RRSIG RR. Contains the cryptographic signature that covers the dnsName (CERT/179) field.

Prior to YAF 3.0, this element was named "dnsSignature".

231dnsDSDigestoctetArray2021-06-07

The Digest field of the DNS DS RR.

Prior to YAF 3.0, this element was named "dnsDigest".

232dnsDNSKEYPublicKeyoctetArray2021-06-07

DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets. This field holds the public key. The format depends on the algorithm of the key.

Prior to YAF 3.0, this element was named "dnsPublicKey".

233dnsSaltoctetArray2021-06-07

Deprecated in favor of dnsNSEC3Salt (CERT/439) and dnsNSEC3PARAMSalt (CERT/444).

The Salt Field in the DNSSEC NSEC3 or NSEC3PARAM RR.

234dnsHashDataoctetArray2021-06-07

Deprecated in favor of dnsNSEC3NextHashedOwnerName (CERT/438) and dnsNSECNextDomainName (CERT/445).

The Next Hashed Owner Name in the DNSSEC NSEC3 RR and Next Domain Name field in the DNSNSEC RR.

235dnsIterationsunsigned162021-06-07

Deprecated in favor of dnsNSEC3Iterations (CERT/437) and dnsNSEC3PARAMIterations (CERT/443).

The Iterations field in the DNSSEC NSEC3 or NSEC3PARAM RR.

236dnsRRSIGSignatureExpirationunsigned322021-06-07

The Signature Expiration field in a DNS RRSIG RR. The Expiration and Inception fields specify a validity period for the signature.

Prior to YAF 3.0, this element was named "dnsSignatureExpiration".

237dnsRRSIGSignatureInceptionunsigned322021-06-07

The Signature Inception field in a RRSIG RR. The Expiration and Inception fields specify a validity period for the signature.

Prior to YAF 3.0, this element was named "dnsSignatureInception".

238dnsDSDigestTypeunsigned82021-06-07

The Digest Type field in a DNS DS RR which identifes the algorithm used to construct the digest.

Prior to YAF 3.0, this element was named "dnsDigestType".

239dnsRRSIGLabelsunsigned82021-06-07

The Labels field in a DNS RRSIG RR. Specifies the number of labels in the original RRSIG resource record owner name.

Prior to YAF 3.0, this element was named "dnsLabels".

240dnsRRSIGTypeCoveredunsigned162021-06-07

The Type Covered field in a DNS RRSIG RR.

Prior to YAF 3.0, this element was named "dnsTypeCovered".

241dnsDNSKEYFlagsunsigned16flags2021-06-07

The Flags field in the DNS DNSKEY Resource Record. Certain bits determine if the key is a zone key or should be used for a secure entry point.

Prior to YAF 3.0, this element was named "dnsFlags".

242dhcpFingerprintstring2021-06-07

Reversible as reverseDhcpFingerprint (ElementID 16626).

The DHCP fingerprint. This will be the description of the OS.

Prior to YAF 3.0, this element was named "dhcpFingerPrint".

243dhcpVendorCodestring

Reversible as reverseDhcpVendorCode (ElementID 16627).

The DHCP vendor class ID found in Option 60 of the DHCP packet. This field may help further identify the operating system of the sender.

244sslCertSerialNumberoctetArray

The Serial Number from the X.509 certificate.

245sslObjectTypeunsigned8

The type of the value contained in the sslObjectValue (CERT/246) in a subrecord of an sslIssuerFieldList (CERT/426), sslSubjectFieldList (CERT/427), or sslExtensionFieldList (CERT/428).

For the sslIssuerFieldList (CERT/426) and sslSubjectFieldList (CERT/427) subTemplateLists, YAF only parses objects that are members of the id-at arc {joint-iso-ccitt(2) ds(5) 4}, pkcs-9 {iso(1) member-body (2) us(840) rsadsi(113459) pkcs(1) 9}, and LDAP dc 0.9.2342.19200300.100.1.25. This field will not contain the full object identfier, it will just contain the member id. For example, for an issuer common name, sslObjectType will contain 3. Below is a list of common objects in an X.509 RelativeDistinguishedName Sequence for X.509 Certificates:

pkcs-9-emailAddress          {pkcs-9 1}
id-at-commonName             {id-at 3}
id-at-countryName            {id-at 6}
id-at-localityName           {id-at 7}
id-at-stateOrProvinceName    {id-at 8}
id-at-streetAddress          {id-at 9}
id-at-organizationName       {id-at 10}
id-at-organizationalUnitName {id-at 11}
id-at-title                  {id-at 12}
id-at-postalCode             {id-at 17}
0.9.2342.19200300.100.1.25   {dc 25}
id-at-name                   {id-at 41}
246sslObjectValueoctetArray

The bit string value associated with an sslObjectType (CERT/245) in a subrecord of an sslIssuerFieldList (CERT/426), sslSubjectFieldList (CERT/427), or sslExtensionFieldList (CERT/428).

247sslCertValidityNotBeforestring

The notBefore field in the Validity Sequence of the X.509 Certificate.

248sslCertValidityNotAfterstring

The notAfter field in the Validity Sequence of the X.509 Certificate.

249sslPublicKeyAlgorithmoctetArray

The algorithm, encoded in ASN.1, in the SubjectPublicKeyInfo Sequence of the X.509 Certificate.

250sslPublicKeyLengthunsigned16

The length of the public key in the X.509 Certificate.

251smtpDatestring

SMTP Date Field.

252httpAuthorizationstring

HTTP Authorization Header Field.

253httpViastring

HTTP Via Header Field.

254httpXForwardedForstring2021-06-07

HTTP X-Forwarded-For Header Field.

Prior to YAF 3.0, this element was named "httpX-Forwarded-For".

255httpExpiresstring

HTTP Expires Header Field.

256httpRefreshstring

HTTP Refresh Header Field.

257httpIMEIstring

HTTP International Mobile Station Equipment Identity ID.

258httpIMSIstring

HTTP International Mobile Subscriber Identity

259httpMSISDNstring

HTTP MSISDN number, a telephone number for the SIM card in a mobile/cellular phone.

260httpSubscriberstring

HTTP Mobile Subscriber Information.

261httpAcceptCharsetstring

HTTP Accept Charset Header Field.

262httpAcceptEncodingstring

HTTP Accept Encoding Header Field.

263httpAllowstring

HTTP Allow Header Field.

264httpDatestring

HTTP Date Header Field.

265httpExpectstring

HTTP Expect Header Field.

266httpFromstring

HTTP From Header Field.

267httpProxyAuthenticationstring

HTTP Proxy Authentication Field.

268httpUpgradestring

HTTP Upgrade Header Field.

269httpWarningstring

HTTP Warning Header Field.

270httpDNTstring

HTTP DNT Header Field.

271httpXForwardedProtostring2021-06-07

HTTP X-Forwarded-Proto Header Field.

Prior to YAF 3.0, this element was named "httpX-Forwarded-Proto".

272httpXForwardedHoststring2021-06-07

HTTP X-Forwarded-Host Header Field.

Prior to YAF 3.0, this element was named "httpX-Forwarded-Host".

273httpXForwardedServerstring2021-06-07

HTTP X-Forwarded-Server Header Field.

Prior to YAF 3.0, this element was named "httpX-Forwarded-Server".

274httpXDeviceIdstring2021-06-07

HTTP X-Device ID Header Field.

Prior to YAF 3.0, this element was named "httpX-DeviceID".

275httpXProfilestring2021-06-07

HTTP X-Profile Header Field.

Prior to YAF 3.0, this element was named "httpX-Profile".

276httpLastModifiedstring

HTTP Last Modified Header Field.

277httpContentEncodingstring

HTTP Content Encoding Header Field.

278httpContentLanguagestring

HTTP Content Language Header Field.

279httpContentLocationstring

HTTP Content Location Header Field.

280httpXUaCompatiblestring2021-06-07

HTTP X-UA-Compatible Header Field.

Prior to YAF 3.0, this element was named "httpX-UA-Compatible".

281dnp3SourceAddressunsigned16

The DNP3 Source Address found in the Data Link Layer of the DNP Header.

282dnp3DestinationAddressunsigned16

The DNP3 Destination Address found in the Data Link Layer of the DNP Header.

283dnp3Functionunsigned8

The DNP3 Function Code found in the first byte of the Application Layer.

284dnp3ObjectDataoctetArray

The pattern captured from the DNP3 regular expression.

285modbusDataoctetArray

Data associated with the Modbus protocol, a widely used network messaging protocol used in industrial manufacturing.

286enipDataoctetArray2021-06-07

Data associated with EtherNet/IP (ENIP), a protocol used in industrial automation applications.

Prior to YAF 3.0, this element was named "ethernetIPData".

287rtpPayloadTypeunsigned8

Reversible as reverseRtpPayloadType (ElementID 16671).

The payload type in the RTP header of the first payload in the forward direction.

288sslRecordVersionunsigned16

sslRecordVersion is the version of ssl or tls that was used in the flow.

289mptcpInitialDataSequenceNumberunsigned64

The initial data sequence number found in the MPTCP Data Sequence Signal (DSS) Option of a flow. (See Multipath TCP, [RFC8684].)

290mptcpReceiverTokenunsigned32identifier

The token used to identify an MPTCP connection over multiple subflows. This value is found in the MP_JOIN TCP Option for the initial SYN of a subflow.

291mptcpMaximumSegmentSizeunsigned16

The maximum segment size reported in the Maximum Segment Size TCP Option captured from an MPTCP flow.

292mptcpAddressIdunsigned8identifier2021-06-07

The address identifier of the subflow found in the SYN/ACK of an MP_JOIN operation captured from an MPTCP flow.

Prior to YAF 3.0, this element was named "mptcpAddressID".

293mptcpFlagsunsigned8flags

Various MPTCP Values:

Bit 1: Priority was changed during the life of the subflow (MP_PRIO was seen).

Bit 2: Subflow has priority at setup (backup flag was not set at initialization).

Bit 3: Subflow failed. (MP_FAIL option was seen).

Bit 4: Subflow experienced fast close. (MP_FASTCLOSE options was seen).

294sslServerNamestring

The server name from the SSL/TLS Client Hello. This is typically the name of the server that the client is connecting to.

295sslCertificateHashoctetArray

The hash of the X.509 certificate.

296sslBinaryCertificateoctetArray2020-05-29

A binary dump of the full X.509 certificate.

Prior to YAF 3.0, this element was named "sslCertificate".

297dhcpOptionunsigned8

The list of requested parameters found in DHCP Option 55.

298sslCertificateSHA1octetArray

The SHA1 hash of a complete SSL certificate.

299sslCertificateMD5octetArray

The MD5 hash of a complete SSL certificate.

300ndpiL7Protocolunsigned16identifier2021-06-07

The protocol as determined by analysis with nDPI, the ntop-maintained superset of the OpenDPI library.

Prior to YAF 3.0, this element was named "nDPIL7Protocol".

301ndpiL7SubProtocolunsigned16identifier2021-06-07

The subprotocol as determined by analysis with nDPI, the ntop-maintained superset of the OpenDPI library.

Prior to YAF 3.0, this element was named "nDPIL7SubProtocol".

302dnsAipv4Address2020-06-11

An IPv4 address that specifies an address for a DNS host name.

Prior to YAF 3.0, this element was named "rrIPv4".

303dnsAAAAipv6Address2020-06-11

An IPv6 address that specifies an address for a DNS host name.

Prior to YAF 3.0, this element was named "rrIPv6".

304dnsDNSKEYProtocolunsigned82021-06-07

The Protocol field from a DNS DNSKEY Resource Record.

Prior to YAF 3.0, this element was named "DNSKEY_protocolIdentifier".

305pipelineDNSARecordsubTemplateListlist2021-06-07

Element holding an entire DNS A record, which is a subTemplateList when emitted from YAF. This is used in Analysis Pipeline for fast flux.

Prior to YAF 3.0, this element was named "DNS_A_Record".

306pipelineDNSAAAARecordsubTemplateListlist2021-06-07

Element holding an entire DNS AAAA record, which is a subTemplateList when emitted from YAF. This is used in Analysis Pipeline for fast flux.

Prior to YAF 3.0, this element was named "DNS_AAAA_Record".

307pipelineDNSResourceRecordsubTemplateListlist2021-06-07

Element holding an entire DNS resource record, which is a subTemplateList when emitted from YAF. This is used in Analysis Pipeline.

Prior to YAF 3.0, this element was named "DNS_RESOURCE_RECORD".

308sslCertIssuerTitlestring2019-10-31

Title {id-at 12} of the issuer of an SSL certificate.

309sslCertSubjectTitlestring2021-08-07

Title {id-at 12} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubTitle".

310sslCertIssuerNamestring2019-10-31

Name {id-at 41} of the issuer of an SSL certificate.

311sslCertSubjectNamestring2021-08-07

Name {id-at 41} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubName".

312sslCertIssuerEmailAddressstring2019-10-31

Email address {pkcs-9 1} of the issuer of an SSL certificate.

313sslCertSubjectEmailAddressstring2021-08-07

Email address {pkcs-9 1} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubEmailAddress".

314sslCertIssuerDomainComponentstring2019-10-31

LDAP dc (domainComponent), 0.9.2342.19200300.100.1.25, holding one component, a label, of the DNS name of the issuer of an SSL certificate.

315sslCertSubjectDomainComponentstring2021-08-07

LDAP dc (domainComponent), 0.9.2342.19200300.100.1.25, holding one component, a label, of the DNS name of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubDomainComponent".

316sslCertExtSubjectKeyIdentoctetArray2019-10-31

SSL extension value holding the subject key identifer, {id-ce 14} subjectKeyIdentifier.

317sslCertExtKeyUsageoctetArray2019-10-31

SSL extension value holding the key usage, {id-ce 15} keyUsage.

318sslCertExtPrivKeyUsagePeriodoctetArray2019-10-31

SSL extension value holding the usage period for the private key, {id-ce 16} privateKeyUsagePeriod.

319sslCertExtSubjectAltNameoctetArray2019-10-31

SSL extension value holding the subject's alternative names, {id-ce 17} subjectAltName.

320sslCertExtIssuerAltNameoctetArray2019-10-31

SSL extension value holding the issuer's alternative names, {id-ce 18} issuerAltName.

321sslCertExtCertIssueroctetArray2019-10-31

SSL extension value holding the certificate issuer associated with an entry in an indirect CRL, {id-ce 29} certificateIssuer.

322sslCertExtCrlDistributionoctetArray2019-10-31

SSL extension value holding the certificate revocation list (CRL) distribution points, {id-ce 31} crlDistributionPoints.

323sslCertExtCertPoliciesoctetArray2019-10-31

SSL extension value holding the certificate policies, {id-ce 32} certificatePolicies.

324sslCertExtAuthorityKeyIdentoctetArray2019-10-31

SSL extension value holding the authority key identifier, {id-ce 35} authorityKeyIdentifier.

325sslCertExtExtendedKeyUsageoctetArray2019-10-31

SSL extension value holding the extended key usage {id-ce 37}, extKeyUage.

326smtpStartTLSunsigned82020-01-31

Element indicating whether or not the SMTP session sent the START TLS command.

327smtpKeystring2020-01-31

SMTP Header key string.

328smtpValuestring2020-01-31

SMTP Header value string.

329smtpURLstring2020-01-31

Element for URLs captured in the SMTP message body

330smtpMessageSizeunsigned322020-01-31

Element containing the value of the SMTP message size.

331smtpResponseListbasicList2020-01-31

A basicList of smtpResponse (CERT/169) elements.

332smtpToListbasicList2020-01-31

A basicList of smtpTo (CERT/164) elements.

333smtpFromListbasicList2020-01-31

A basicList of smtpFrom (CERT/163) elements.

334smtpFilenameListbasicList2020-01-31

A basicList of smtpFilename (CERT/167) elements.

335smtpURLListbasicList2020-01-31

A basicList of smtpURL (CERT/329) elements.

336smtpMessageListsubTemplateListlist2020-01-31

A subTemplateList holding email data in smtpMessage templates.

337smtpHeaderListsubTemplateListlist2020-01-31

A subTemplateList holding smtpKey (CERT/327), smtpValue (CERT/328) pairs describing email headers.

338httpServerStringListbasicList2020-05-29

A basicList of httpServerString (CERT/110) elements.

339httpUserAgentListbasicList2020-05-29

A basicList of httpUserAgent (CERT/111) elements.

340httpGetListbasicList2020-05-29

A basicList of httpGet (CERT/112) elements.

341httpConnectionListbasicList2020-05-29

A basicList of httpConnection (CERT/113) elements.

342httpVersionListbasicList2020-05-29

A basicList of httpVersion (CERT/114) elements.

343httpRefererListbasicList2020-05-29

A basicList of httpReferer (CERT/115) elements.

344httpLocationListbasicList2020-05-29

A basicList of httpLocation (CERT/116) elements.

345httpHostListbasicList2020-05-29

A basicList of httpHost (CERT/117) elements.

346httpContentLengthListbasicList2020-05-29

A basicList of httpContentLength (CERT/118) elements.

347httpAgeListbasicList2020-05-29

A basicList of httpAge (CERT/119) elements.

348httpAcceptListbasicList2020-05-29

A basicList of httpAccept (CERT/120) elements.

349httpAcceptLanguageListbasicList2020-05-29

A basicList of httpAcceptLanguage (CERT/121) elements.

350httpContentTypeListbasicList2020-05-29

A basicList of httpContentType (CERT/122) elements.

351httpResponseListbasicList2020-05-29

A basicList of httpResponse (CERT/123) elements.

352pop3TextMessageListbasicList2020-05-29

A basicList of pop3TextMessage (CERT/124) elements.

353ircTextMessageListbasicList2020-05-29

A basicList of ircTextMessage (CERT/125) elements.

354slpStringListbasicList2020-05-29

A basicList of slpString (CERT/130) elements.

355ftpReturnListbasicList2020-05-29

A basicList of ftpReturn (CERT/131) elements.

356ftpUserListbasicList2020-05-29

A basicList of ftpUser (CERT/132) elements.

357ftpPassListbasicList2020-05-29

A basicList of ftpPass (CERT/133) elements.

358ftpTypeListbasicList2020-05-29

A basicList of ftpType (CERT/134) elements.

359ftpRespCodeListbasicList2020-05-29

A basicList of ftpRespCode (CERT/135) elements.

360imapCapabilityListbasicList2020-05-29

A basicList of imapCapability (CERT/136) elements.

361imapLoginListbasicList2020-05-29

A basicList of imapLogin (CERT/137) elements.

362imapStartTLSListbasicList2020-05-29

A basicList of imapStartTLS (CERT/138) elements.

363imapAuthenticateListbasicList2020-05-29

A basicList of imapAuthenticate (CERT/139) elements.

364imapCommandListbasicList2020-05-29

A basicList of imapCommand (CERT/140) elements.

365imapExistsListbasicList2020-05-29

A basicList of imapExists (CERT/141) elements.

366imapRecentListbasicList2020-05-29

A basicList of imapRecent (CERT/142) elements.

367rtspURLListbasicList2020-05-29

A basicList of rtspURL (CERT/143) elements.

368rtspVersionListbasicList2020-05-29

A basicList of rtspVersion (CERT/144) elements.

369rtspReturnCodeListbasicList2020-05-29

A basicList of rtspReturnCode (CERT/145) elements.

370rtspContentLengthListbasicList2020-05-29

A basicList of rtspContentLength (CERT/146) elements.

371rtspCommandListbasicList2020-05-29

A basicList of rtspCommand (CERT/147) elements.

372rtspContentTypeListbasicList2020-05-29

A basicList of rtspContentType (CERT/148) elements.

373rtspTransportListbasicList2020-05-29

A basicList of rtspTransport (CERT/149) elements.

374rtspCSeqListbasicList2020-05-29

A basicList of rtspCSeq (CERT/150) elements.

375rtspLocationListbasicList2020-05-29

A basicList of rtspLocation (CERT/151) elements.

376rtspPacketsReceivedListbasicList2020-05-29

A basicList of rtspPacketsReceived (CERT/152) elements.

377rtspUserAgentListbasicList2020-05-29

A basicList of rtspUserAgent (CERT/153) elements.

378rtspJitterListbasicList2020-05-29

A basicList of rtspJitter (CERT/154) elements.

379sipInviteListbasicList2020-05-29

A basicList of sipInvite (CERT/155) elements.

380sipCommandListbasicList2020-05-29

A basicList of sipCommand (CERT/156) elements.

381sipViaListbasicList2020-05-29

A basicList of sipVia (CERT/157) elements.

382sipMaxForwardsListbasicList2020-05-29

A basicList of sipMaxForwards (CERT/158) elements.

383sipAddressListbasicList2020-05-29

A basicList of sipAddress (CERT/159) elements.

384sipContentLengthListbasicList2020-05-29

A basicList of sipContentLength (CERT/160) elements.

385sipUserAgentListbasicList2020-05-29

A basicList of sipUserAgent (CERT/161) elements.

386sshVersionListbasicList2020-05-29

A basicList of sshVersion (CERT/171) elements.

387nntpResponseListbasicList2020-05-29

A basicList of nntpResponse (CERT/172) elements.

388nntpCommandListbasicList2020-05-29

A basicList of nntpCommand (CERT/173) elements.

389sslCipherListbasicList2020-05-29

A basicList of sslCipher (CERT/185) elements.

390httpCookieListbasicList2020-05-29

A basicList of httpCookie (CERT/220) elements.

391httpSetCookieListbasicList2020-05-29

A basicList of httpSetCookie (CERT/221) elements.

392httpAuthorizationListbasicList2020-05-29

A basicList of httpAuthorization (CERT/252) elements.

393httpViaListbasicList2020-05-29

A basicList of httpVia (CERT/253) elements.

394httpXForwardedForListbasicList2021-06-07

A basicList of httpXForwardedFor (CERT/254) elements.

395httpExpiresListbasicList2020-05-29

A basicList of httpExpires (CERT/255) elements.

396httpRefreshListbasicList2020-05-29

A basicList of httpRefresh (CERT/256) elements.

397httpIMEIListbasicList2020-05-29

A basicList of httpIMEI (CERT/257) elements.

398httpIMSIListbasicList2020-05-29

A basicList of httpIMSI (CERT/258) elements.

399httpMSISDNListbasicList2020-05-29

A basicList of httpMSISDN (CERT/259) elements.

400httpSubscriberListbasicList2020-05-29

A basicList of httpSubscriber (CERT/260) elements.

401httpAcceptCharsetListbasicList2020-05-29

A basicList of httpAcceptCharset (CERT/261) elements.

402httpAllowListbasicList2020-05-29

A basicList of httpAllow (CERT/263) elements.

403httpDateListbasicList2020-05-29

A basicList of httpDate (CERT/264) elements.

404httpExpectListbasicList2020-05-29

A basicList of httpExpect (CERT/265) elements.

405httpFromListbasicList2020-05-29

A basicList of httpFrom (CERT/266) elements.

406httpProxyAuthenticationListbasicList2020-05-29

A basicList of httpProxyAuthentication (CERT/267) elements.

407httpUpgradeListbasicList2020-05-29

A basicList of httpUpgrade (CERT/268) elements.

408httpWarningListbasicList2020-05-29

A basicList of httpWarning (CERT/269) elements.

409httpDNTListbasicList2020-05-29

A basicList of httpDNT (CERT/270) elements.

410httpXForwardedProtoListbasicList2021-06-07

A basicList of httpXForwardedProto (CERT/271) elements.

411httpXForwardedHostListbasicList2021-06-07

A basicList of httpXForwardedHost (CERT/272) elements.

412httpXForwardedServerListbasicList2021-06-07

A basicList of httpXForwardedServer (CERT/273) elements.

413httpXDeviceIdListbasicList2021-06-07

A basicList of httpXDeviceId (CERT/274) elements.

414httpXProfileListbasicList2021-06-07

A basicList of httpXProfile (CERT/275) elements.

415httpLastModifiedListbasicList2020-05-29

A basicList of httpLastModified (CERT/276) elements.

416httpContentEncodingListbasicList2020-05-29

A basicList of httpContentEncoding (CERT/277) elements.

417httpContentLanguageListbasicList2020-05-29

A basicList of httpContentLanguage (CERT/278) elements.

418httpContentLocationListbasicList2020-05-29

A basicList of httpContentLocation (CERT/279) elements.

419httpXUaCompatibleListbasicList2021-06-07

A basicList of httpXUaCompatible (CERT/280) elements.

420modbusDataListbasicList2020-05-29

A basicList of modbusData (CERT/285) elements.

421enipDataListbasicList2021-06-07

A basicList of enipData (CERT/286) elements.

422dhcpOptionListbasicList2020-05-29

Reversible as reverseDhcpOptionList (ElementID 16806).

A basicList of dhcpOption (CERT/297) elements.

423dnsDNSKEYAlgorithmunsigned82021-06-07

The cryptographic algorithm used for the public key in a DNS DNSKEY RR.

424mysqlCommandTextCodeListsubTemplateList2020-05-29

A subTemplateList of mysqlCommandText (CERT/225) mysqlCommandCode (CERT/224) pairs.

425sslCertListsubTemplateList2020-05-29

A subTemplateList of yaf_ssl_cert templates.

426sslIssuerFieldListsubTemplateList2020-05-29

A subTemplateList containing pairs of sslObjectValue (CERT/246) and sslObjectType (CERT/245) values describing the issuer of an X.509 certificate.

427sslSubjectFieldListsubTemplateList2020-05-29

A subTemplateList containing pairs of sslObjectValue (CERT/246) and sslObjectType (CERT/245) values describing the subject of an X.509 certificate.

428sslExtensionFieldListsubTemplateList2020-05-29

A subTemplateList containing pairs of sslObjectValue (CERT/246) and sslObjectType (CERT/245) values describing some of the extensions present on an X.509 certificate.

429sslBinaryCertificateListbasicList2020-05-29

A basicList of sslBinaryCertificate (CERT/296) elements.

430dnp3RecordListsubTemplateList2020-05-29

A subTemplateList holding the DNP3 values dnp3ObjectData (CERT/284), dnp3SourceAddress (CERT/281), dnp3DestinationAddress (CERT/282), and dnp3Function (CERT/283).

431dnsDetailRecordListsubTemplateList2021-06-07

A subTemplateList of yaf_dns_rr templates. The template used by this element varies depending on the type of DNS Resource Record specified in dnsRRType (CERT/175).

432yafDPIListsubTemplateList2020-05-29

A subTemplateList of deep packet inspection data generated by YAF. The template used by this element varies depending on the type of DPI data YAF collected for the record.

433dnsDSAlgorithmunsigned82021-06-07

The Algorithm field in a DNS DS RR. It holds the algorithm used by the DNS DNSKEY RR to which this DS RR refers.

434dnsDSKeyTagunsigned162021-06-07

The Key Tag field in a DNS DS RR.

435dnsNSEC3Algorithmunsigned82021-06-07

The Algorithm field in a DNS NSEC3 RR.

436dnsNSEC3Flagsunsigned82021-06-07

The Flags field in a DNS NSEC3 RR.

437dnsNSEC3Iterationsunsigned162021-06-07

The Iterations field in a DNS NSEC3 RR.

438dnsNSEC3NextHashedOwnerNameoctetArray2021-06-07

The Next Hashed Owner Name field in a DNS NSEC3 RR.

439dnsNSEC3SaltoctetArray2021-06-07

The Salt field in a DNS NSEC3 RR.

440dnsNSEC3TypeBitMapsoctetArray2021-06-07

The Type Bit Maps field in a DNS NSEC3 RR.

441dnsNSEC3PARAMAlgorithmunsigned82021-06-07

The Algorithm field in a DNS NSEC3PARAM RR.

442dnsNSEC3PARAMFlagsunsigned82021-06-07

The Flags field in a DNS NSEC3PARAM RR.

443dnsNSEC3PARAMIterationsunsigned162021-06-07

The Iterations field in a DNS NSEC3PARAM RR.

444dnsNSEC3PARAMSaltoctetArray2021-06-07

The Salt field in a DNS NSEC3PARAM RR.

445dnsNSECNextDomainNameoctetArray2021-06-07

The Next Domain Name field in a DNS NSEC RR.

446dnsNSECTypeBitMapsoctetArray2021-06-07

The Type Bit Maps field in a DNS NSEC RR.

447dnsRRSIGAlgorithmunsigned82021-06-07

The Algorithm field in a DNS RRSIG RR.

448dnsRRSIGKeyTagunsigned162021-06-07

The Key Tag field in a DNS RRSIG RR.

449dnsRRSIGOriginalTTLunsigned322021-06-07

The Original TTL field in a DNS RRSIG RR.

450sslCertIssuerOrgNameListbasicList2021-08-07

A basicList of sslCertIssuerOrgName (CERT/192) elements, each holding an organization name {id-at 10} of the issuer of an SSL certificate.

451sslCertIssuerOrgUnitNameListbasicList2021-08-07

A basicList of sslCertIssuerOrgUnitName (CERT/193) elements, each holding an organizational unit name {id-at 11} of the issuer of an SSL certificate.

452sslCertIssuerCommonNameListbasicList2021-08-07

A basicList of sslCertIssuerCommonName (CERT/196) elements, each holding a common name {id-at 3} of the issuer of an SSL certificate.

453sslCertIssuerStreetAddressListbasicList2021-08-07

A basicList of sslCertIssuerStreetAddress (CERT/198) elements, each holding a street address {id-at 9} of the issuer of an SSL certificate.

454sslCertSubjectOrgNameListbasicList2021-08-07

A basicList of sslCertSubjectOrgName (CERT/201) elements, each holding an organization name {id-at 10} of the subject of an SSL certificate.

455sslCertSubjectOrgUnitNameListbasicList2021-08-07

A basicList of sslCertSubjectOrgUnitName (CERT/202) elements, each holding an organizational unit name {id-at 11} of the subject of an SSL certificate.

456sslCertSubjectCommonNameListbasicList2021-08-07

A basicList of sslCertSubjectCommonName (CERT/205) elements, each holding a common name {id-at 3} of the subject of an SSL certificate.

457sslCertSubjectStreetAddressListbasicList2021-08-07

A basicList of sslCertSubjectStreetAddress (CERT/207) elements, each holding a street address {id-at 9} of the subject of an SSL certificate.

458sslCertIssuerDomainComponentListbasicList2021-08-07

A basicList of sslCertIssuerDomainComponent (CERT/314) elements, each holding an LDAP dc (domainComponent), 0.9.2342.19200300.100.1.25, holding one component, a label, of the DNS name of the issuer of an SSL certificate.

459sslCertSubjectDomainComponentListbasicList2021-08-07

A basicList of sslCertSubjectDomainComponent (CERT/315) elements, each holding an LDAP dc (domainComponent), 0.9.2342.19200300.100.1.25, holding one component, a label, of the DNS name of the subject of an SSL certificate.

460sslCertValidityTotalDayssigned322021-11-15

The whole number of days the certificate was valid (sslCertValidityNotAfter - sslCertValidityNotBefore).

461sslCertValidityDaysTimeOfUsesigned322021-11-15

The whole number of days the certificate was valid at the time it was used (flowStartMilliseconds - sslCertValidityNotBefore).

462sslCertificateSHA256octetArray2021-11-15

The SHA256 hash of a complete SSL certificate.

463-499Unassigned
500smallPacketCountunsigned32totalCounterpackets

Reversible as reverseSmallPacketCount (ElementID 16884).

The number of packets that contain less than 60 bytes of payload.

501nonEmptyPacketCountunsigned32totalCounterpackets

Reversible as reverseNonEmptyPacketCount (ElementID 16885).

The number of packets that contain at least 1 byte of payload.

502dataByteCountunsigned64totalCounteroctets

Reversible as reverseDataByteCount (ElementID 16886).

Total bytes transferred as payload.

503averageInterarrivalTimeunsigned64milliseconds

Reversible as reverseAverageInterarrivalTime (ElementID 16887).

Average number of milliseconds between packets.

504standardDeviationInterarrivalTimeunsigned64milliseconds

Reversible as reverseStandardDeviationInterarrivalTime (ElementID 16888).

Standard deviation of the interarrival time for up to the first ten packets.

505firstNonEmptyPacketSizeunsigned16quantityoctets

Reversible as reverseFirstNonEmptyPacketSize (ElementID 16889).

Payload length of the first non-empty packet.

506maxPacketSizeunsigned16quantityoctets

Reversible as reverseMaxPacketSize (ElementID 16890).

The largest payload length transferred in the flow.

507firstEightNonEmptyPacketDirectionsunsigned8flags

Reversible as reverseFirstEightNonEmptyPacketDirections (ElementID 16891).

Represents directionality for the first 8 non-empty packets. 0 for forward direction, 1 for reverse direction.

508standardDeviationPayloadLengthunsigned16octets

Reversible as reverseStandardDeviationPayloadLength (ElementID 16892).

The standard deviation of the payload length for up to the first 10 non empty packets.

509tcpUrgentCountunsigned32totalCounterpackets

Reversible as reverseTcpUrgentCount (ElementID 16893).

The number of TCP packets that have the URGENT Flag set.

510largePacketCountunsigned32totalCounterpackets

Reversible as reverseLargePacketCount (ElementID 16894).

The number of packets that contain at least 220 bytes of payload.

511-549Unassigned
550certToolTombstoneIdunsigned32identifier2021-06-07

An identifier of a tombstone record that is unique within the process that initially generates the record.

Prior to YAF 3.0, this element was named "tombstoneId".

551certToolExporterConfiguredIdunsigned16identifier2021-06-07

An identifier for this process chosen by the user.

Prior to YAF 3.0, this element was named "exporterConfiguredId".

552certToolExporterUniqueIdunsigned16identifier2021-06-07

A pseudo-random number to identify this exporting process.

Prior to YAF 3.0, this element was named "exporterUniqueId".

553certToolIdunsigned32identifier1-62019-02-20

An identifier for each CERT tool.

1 - YAF
2 - super_mediator
3 - SiLK rwflowpack
4 - SiLK rwflowappend
5 - Mothra IPFIX Packer
6 - Analysis Pipeline
        
554certToolTombstoneAccessListsubTemplateListlist2021-06-07

A subTemplateList of records containing a certToolId (CERT/553) and the observationTimeSeconds when that tool accessed the tombstone record.

Prior to YAF 3.0, this element was named "tombstoneAccessList".

555-926Unassigned
927smDNSDatastring2021-06-07

Field used by super_mediator to export DNS information.

Prior to YAF 3.0, this element was named "dnsRName".

928dnsHitCountunsigned162021-06-07

Deprecated in favor of smDedupHitCount (CERT/929).

929smDedupHitCountunsigned64totalCounter2021-06-07

The number of times the deduplicated item was seen.

Prior to YAF 3.0, this element was named "observedDataTotalCount".

930smDedupDataoctetArray2021-06-07

A representation of data that is being deduplicated.

Prior to YAF 3.0, this element was named "observedData".

931smIPSetMatchesSourceunsigned8flags2022-03-31

Used by super_mediator to indicate that the record's source IP address matched an IPset. A value of 0 means the source address was not present in the IPset; a value of 1 means it was present.

932smIPSetMatchesDestinationunsigned8flags2022-03-31

Used by super_mediator to indicate that the record's destination IP address matched an IPset. A value of 0 means the destination address was not present in the IPset; a value of 1 means it was present.

933smIPSetNamestringdefault2022-03-31

Used by super_mediator to record the name of the IPset used to determine smIPSetMatchesSource (CERT/931) and smIPSetMatchesDestination (CERT/932).

934smPrefixMapLabelSourcestringdefault2022-03-31

Used by super_mediator to record the label for the source IP or protocol/source-port pair as defined by a SiLK Prefix Map.

935smPrefixMapLabelDestinationstringdefault2022-03-31

Used by super_mediator to record the label for the destination IP or protocol/destination-port pair as defined by a SiLK Prefix Map.

936smPrefixMapTypeIdunsigned8identifier2022-03-31

Used by super_mediator to indicate the type of Prefix Map used to determine smPrefixMapLabelSource (CERT/934) and smPrefixMapLabelDestination (CERT/935), where 0 indicates a map from IPv4 addresses to names, 1 from protocol/port pairs, and 2 from IPv6 addresses.

937smPrefixMapNamestringdefault2022-03-31

Used by super_mediator to record the name of the Prefix Map used to determine smPrefixMapLabelSource (CERT/934) and smPrefixMapLabelDestination (CERT/935).

938silkFlowtypeNamestringdefault2022-05-26

The unique flowtype name of the flowtype identified by silkFlowtypeId (CERT/30). The flowtype name may also be represented by the pair silkClassName (CERT/939) and silkTypeName (CERT/940).

939silkClassNamestringdefault2022-05-26

The class name of the flowtype identified by silkFlowtypeId (CERT/30) and silkFlowtypeName (CERT/938). See also silkTypeName (CERT/940).

940silkTypeNamestringdefault2022-05-26

The type name of the flowtype identified by silkFlowtypeId (CERT/30) and silkFlowtypeName (CERT/938). The type name is unique within a silkClassName (CERT/939).

941silkSensorNamestringdefault2022-05-26

The name of the sensor identified by silkSensorId (CERT/31).

942silkSensorDescriptionstringdefault2022-05-26

The description of the sensor identified by silkSensorId (CERT/31).

943-999Unassigned
1000templateNamestring2020-05-29

Specifies a human-friendly name for an IPFIX template.

1001templateDescriptionstring2020-05-29

Specifies a textual description for an IPFIX template.

1002-16383Unassigned

People

IDNameContact URILast Updated
[Netsa_Tools]Netsa Tools Helpmailto:netsa-help@cert.org2018-05-01