Reserved as per section 4 of [RFC7012].

Reversible as reverseInitialTCPFlags (ElementID 16398).

TCP flags on the initial packet in the forward direction of the flow.

Reversible as reverseUnionTCPFlags (ElementID 16399).

Union of TCP flags of all packets other than the initial packet in the forward direction of the flow.

Reversible as reversePayload (ElementID 16402).

Initial bytes of flow payload in the forward direction.

Difference between the times of the first packet in forward direction and the first packet in the reverse direction, measured in milliseconds.

A value typically assigned by SiLK identifying the direction and related properties of the flow record. The flowtype may also be represented by a silkFlowtypeName (CERT/938) or by the pair silkClassName (CERT/939) and silkTypeName (CERT/940).

Prior to 2022-05-26, this element was named "silkFlowType".

A value typically assigned by SiLK identifying the sensor where the flow record was collected. The sensor may also be represented by a silkSensorName (CERT/941).

Prior to 2022-05-26, this element was named "silkFlowSensor".

Aspects of a flow record assigned by the SiLK rwflowpack tool.

Application label, defined as the primary well-known port associated with a given application.

Reversible as reversePayloadEntropy (ElementID 16419).

The Shannon Entropy value for the payload, converted from a floating point (range 0.0 to 8.0) to an 8-bit unsigned integer. Generally, numbers above 230 are compressed or encrypted, numbers centered around 140 are English text, and very low value may indicate zero-padding of packets (e.g. TLS).

Reversible as reverseOsName (ElementID 16420).

p0f OS Name for the forward flow based on the SYN packet and p0f SYN Fingerprints.

Reversible as reverseOsVersion (ElementID 16421).

p0f OS Version for the forward flow based on the SYN packet and p0f SYN Fingerprints.

Reversible as reverseFirstPacketBanner (ElementID 16422).

IP and transport headers for first packet in forward direction to be used for external OS Fingerprinters.

Reversible as reverseSecondPacketBanner (ElementID 16423).

IP and transport headers for first packet in forward direction to be used for external OS Fingerprinters.

Reversible as reverseFlowAttributes (ElementID 16424).

Bits indicating miscellaneous flow attributes for the forward direction of the flow:

Bit 1 (Least significant bit): All packets in the forward direction had the same size. For TCP flows, only packets having payload are considered (to avoid TCP handshakes and teardowns).

Bit 2: At least one packet in the forward direction was received out-of-sequence.

Bit 3: Host may be MP_CAPABLE (MPTCP-capable). For TCP flows, this bit will be set if a packet in the flow was seen that had the MP_CAPABLE TCP option or attempted an MP_JOIN operation.

Bit 4: The flow contains packets that were fragmented.

Difference between the times of the first packet in forward direction and the first packet in the reverse direction, measured in microseconds.

Difference between the times of the first packet in forward direction and the first packet in the reverse direction, measured in nanoseconds.

Total number of packet fragments that have been expired since yaf start time.

Prior to YAF 3.0, this element was named "expiredFragmentCount".

Total number of packets that been assembled from a series of fragments since yaf start time.

Prior to YAF 3.0, this element was named "assembledFragmentCount".

The mean flow rate of the yaf flow sensor since yaf start time, rounded to the nearest integer.

Prior to YAF 3.0, this element was named "meanFlowRate".

The mean packet rate of the yaf flow sensor since yaf start time, rounded to the nearest integer.

Prior to YAF 3.0, this element was named "meanPacketRate".

Total number of times the yaf flow table has been flushed since yaf start time.

Prior to YAF 3.0, this element was named "flowTableFlushEventCount".

The maximum number of flows in the yaf flow table at any one time since yaf start time.

Prior to YAF 3.0, this element was named "flowTablePeakCount".

The 32 bit hash of the 5-tuple and VLAN that is used as they key to YAF's internal flow table.

Reversible as reverseOsFingerprint (ElementID 16491).

p0f OS Fingerprint for the forward flow based on the SYN packet and p0f SYN fingerprints.

Prior to YAF 3.0, this element was named "osFingerPrint".

HTTP Server Response-header field. Contains information about the software used to handle the HTTP Request.

HTTP User-Agent Request-header field. Contains information about the user agent originating the request.

HTTP Method Command. Retrieves information identified by the following Request-URI.

HTTP Connection header fields. Contains options that are desired for a particular connection.

HTTP Version Number.

HTTP Referer request-header field. Address (URI) of the resource which the Request-URI was obtained.

HTTP Location response-header field. Used to redirect the recipient to a location to complete a request or identify a new resource.

HTTP Host Request-header. The Internet host and port number of the resource being requested.

HTTP Content-Length header. Indicates the size of the entity-body.

HTTP Age response-header. Argument is the sender's estimate of the time elapsed since the response.

HTTP Accept request-header field. Used to specify certain media types that are acceptable for the response.

HTTP Accept-Language Request-Header field. Restricts the set of natural languages that preferred.

HTTP Content Type entity-header field. Indicates the media type of the entity-body.

HTTP Response Status Code. Usually a three-digit number followed by text.

POP3 Command and Replies. Contains any command or reply message found in POP3 payload data.

IRC Chat or Join Message. This field contains any IRC Command and the following arguments.

TFTP Name of File being transferred.

Contains the mode of transfer. (netascii, octet, mail)

SLP Version Number.

SLP Message Type. This value should be between 1 and 11 and describes the type of SLP message.

Contains the text elements found in an SLP Service Request.

FTP Commands or Replies.

FTP User Command Argument. This command will normally be the first command transmitted by the user.

FTP Password Command Argument. This command must be preceded by the user name command, and is usually required to complete authentication.

FTP Data Representation Type.

FTP Reply. This consists of a three digit number followed by some text.

IMAP Capability Command and Response. Captures the listing of capabilities that the server supports.

IMAP Login Command. Arguments are user name and password.

IMAP STARTTLS Command. Captures this command only as no arguments or responses are related.

IMAP Authenticate Command. Captures the authentication mechanism name of the server following this command.

Captures a variety of IMAP Commands and their arguments.

IMAP Exists Response. Reports the number of messages in the mailbox.

IMAP Recent Response. Reports the number of message with the Recent flag set.

RTSP URL. Captures the address of the network resources requested.

RTSP Version Number.

RTSP Status-Line. Captures the RTSP Protocol version, numeric status code, and the textual phrase associated with the numeric code.

RTSP Content-Length Header Field. Contains the length of the content of the method.

RTSP Command. Captures the method to be performed and the Request-URI associated with the method.

RTSP Content Type.

RTSP Transport request header field. Captures the transport protocol used and the parameters that follow.

RTSP CSeq field. Contains the sequence number for an RTSP request-response pair.

RTSP Location header field.

RTSP User Agent field. Contains information about the user agent originating the request.

RTSP User Agent field. Contains information about the user agent originating the request.

RTSP Jitter Value.

SIP Invite Method. Contains the SIP address and SIP Version Number.

SIP Command. Contains a SIP Method, SIP address, and SIP Version Number.

SIP Via contains the SIP Version Number and the address the sender is expecting to receive responses.

SIP Max Forwards contains the limit of number of hops a request can make on the way to its destination.

SIP Address contains the argument of the To, From, or Contact Header Fields.

SIP Content Length header field. Contains the byte count of the message byte.

SIP User Agent Header Field. Contains information about the User Agent Client originating the request.

SMTP Hello or Extend Hello command. Captures the command and the domain name of the SMTP client.

SMTP Mail Command. Contains the reverse-path of the sender mailbox.

The SMTP Recipient (RCPT) Command. Captures the command and the forward-path of the recipient of the mail data.

SMTP Content Type Header Field.

SMTP Subject. Contains the subject of the mail data.

SMTP Filename. Contains the name of the file attached to the mail message.

SMTP Content-Disposition Header field.

SMTP Replies. Consists of a three digit number followed by text.

Enhanced SMTP. Contains the ESMTP command with the following argument.

SSH Version Number

NNTP Reply. This consists of a three digit status code and text message.

NNTP Command. Contains an NNTP Command and following argument(s).

DNS Query/Response header field. This corresponds with the DNS header one bit field, QR. If the message is a query (0), or a response (1).

DNS Query/Response Type. This corresponds with the QTYPE field in the DNS Question Section or the TYPE field in the DNS Resource Record Section. This field determines the type of records in the DNS DPI subTemplateList dnsDetailRecordList (CERT/431).

Prior to YAF 3.0, this element was named "dnsQRType".

DNS Authoritative header field. This corresponds with the DNS header one bit field, AA. This bit is only valid in responses (when dnsQueryResponse is 1), and specifies that the responding name server is an authority for the domain name in the question section.

DNS NXDomain or Response Code (RCODE). This corresponds with the DNS RCODE header field. This field will be set to 3 for a Name Error, 2 for a Server Failure, 1 for a Format Error, and 0 for No Error. See [dns-parameters] for other valid values.

Prior to YAF 3.0, this element was named "dnsNXDomain".

DNS Resource Record Section Field. This field will be set to 0 if the information is from the Question Section, 1 for the Answer Section, 2 for the Name Server Section, and 3 for the Additional Section.

Prior to YAF 3.0, this element was named "dnsRRSection".

A DNS Query or Response Name. This field corresponds with the QNAME field in the DNS Question Section or the NAME field in the DNS Resource Record Section.

Prior to YAF 3.0, this element was named "dnsQName".

A domain-name which specificies the canonical or primary name for the owner.

Prior to YAF 3.0, this element was named "dnsCName".

Corresponds to the DNS MX Preference field.

Corresponds to the DNS MX Exchange field.

An authoritative name server domain-name.

Corresponds to DNS PTR PTRDNAME Field.

sslCipher is a CipherSuite suggested by the client in the ClientHello Message.

sslClientVersion is the version it supports contained in the initial ClientHello message.

sslServerCipher is the CipherSuite chosen by the server in the ServerHello message.

sslCompressionMethod is the compression method chosen by the server in the ServerHello message.

The Certificate Version. This is the value contained in the certificate v1(0), v2(1), v3(2).

The signature contained in a SSL certificate. This is typically the hashing algorithm identifier.

Country name {id-at 6} of the issuer of an SSL certificate.

Organization name {id-at 10} of the issuer of an SSL certificate.

Organizational unit name {id-at 11} of the issuer of an SSL certificate.

Postal or zip code {id-at 17} of the issuer of an SSL certificate.

State or providence name {id-at 8} of the issuer of an SSL certificate.

Common name {id-at 3} of the issuer of an SSL certificate.

Locality name {id-at 7} of the issuer of an SSL certificate.

Street address {id-at 9} of the issuer of an SSL certificate.

DNS Time To Live. This is an unsigned integer that specifies the time interval, in seconds, that the resource record may be cached for. This will contain a value of zero for DNS Queries.

Country name {id-at 6} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubCountryName".

Organization name {id-at 10} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubOrgName".

Organizational unit name {id-at 11} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubOrgUnitName".

Postal or zip code {id-at 17} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubZipCode".

State or providence name {id-at 8} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubState".

Common name {id-at 3} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubCommonName".

Locality name {id-at 7} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubLocalityName".

Street address {id-at 9} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubStreetAddress".

Corresponds to DNS TXT TXT-DATA field.

Corresponds to DNS SOA SERIAL Field.

Corresponds to DNS SOA REFRESH Field.

Corresponds to DNS SOA RETRY Field.

Corresponds to DNS SOA EXPIRE Field.

Corresponds to DNS SOA MINIMUM Field.

Corresponds to DNS SOA MNAME Field.

Corresponds to DNS SOA RNAME Field.

Corresponds to the Priority Field in the DNS SRV Resource Record.

Corresponds to the Weight Field in the DNS SRV Resource Record.

Corresponds to the Port Field in the DNS SRV Resource Record.

Corresponds to the Target Field in the DNS SRV Resource Record.

HTTP Cookie Header Field.

HTTP Set Cookie Header Field.

SMTP Size Header Field. Contains the size in bytes of the mail data.

The username seen when authenticating to a MySQL server.

MySQL Command Code. This number should be between 0 and 28.

MySQL Command Text. For example, this can be a SELECT, INSERT, DELETE statement.

DNS Transaction ID. This identifier is used by the requester to match up replies to outstanding queries.

Prior to YAF 3.0, this element was named "dnsID".

Deprecated in favor of dnsDNSKEYAlgorithm (CERT/423), dnsDSAlgorithm (CERT/433), dnsNSEC3Algorithm (CERT/435), dnsNSEC3PARAMAlgorithm (CERT/441), and dnsRRSIGAlgorithm (CERT/447).

The Hash Algorithm field in various DNSSEC records.

Deprecated in favor of dnsDSKeyTag (CERT/434) and dnsRRSIGKeyTag (CERT/448).

The Key Tag field in the DS RR.

The Signer's Name field in the DNS RRSIG RR.

Prior to YAF 3.0, this element was named "dnsSigner".

The Signature field in the DNS RRSIG RR. Contains the cryptographic signature that covers the dnsName (CERT/179) field.

Prior to YAF 3.0, this element was named "dnsSignature".

The Digest field of the DNS DS RR.

Prior to YAF 3.0, this element was named "dnsDigest".

DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets. This field holds the public key. The format depends on the algorithm of the key.

Prior to YAF 3.0, this element was named "dnsPublicKey".

Deprecated in favor of dnsNSEC3Salt (CERT/439) and dnsNSEC3PARAMSalt (CERT/444).

The Salt Field in the DNSSEC NSEC3 or NSEC3PARAM RR.

Deprecated in favor of dnsNSEC3NextHashedOwnerName (CERT/438) and dnsNSECNextDomainName (CERT/445).

The Next Hashed Owner Name in the DNSSEC NSEC3 RR and Next Domain Name field in the DNSNSEC RR.

Deprecated in favor of dnsNSEC3Iterations (CERT/437) and dnsNSEC3PARAMIterations (CERT/443).

The Iterations field in the DNSSEC NSEC3 or NSEC3PARAM RR.

The Signature Expiration field in a DNS RRSIG RR. The Expiration and Inception fields specify a validity period for the signature.

Prior to YAF 3.0, this element was named "dnsSignatureExpiration".

The Signature Inception field in a RRSIG RR. The Expiration and Inception fields specify a validity period for the signature.

Prior to YAF 3.0, this element was named "dnsSignatureInception".

The Digest Type field in a DNS DS RR which identifes the algorithm used to construct the digest.

Prior to YAF 3.0, this element was named "dnsDigestType".

The Labels field in a DNS RRSIG RR. Specifies the number of labels in the original RRSIG resource record owner name.

Prior to YAF 3.0, this element was named "dnsLabels".

The Type Covered field in a DNS RRSIG RR.

Prior to YAF 3.0, this element was named "dnsTypeCovered".

The Flags field in the DNS DNSKEY Resource Record. Certain bits determine if the key is a zone key or should be used for a secure entry point.

Prior to YAF 3.0, this element was named "dnsFlags".

Reversible as reverseDhcpFingerprint (ElementID 16626).

The DHCP fingerprint. This will be the description of the OS.

Prior to YAF 3.0, this element was named "dhcpFingerPrint".

Reversible as reverseDhcpVendorCode (ElementID 16627).

The DHCP vendor class ID found in Option 60 of the DHCP packet. This field may help further identify the operating system of the sender.

The Serial Number from the X.509 certificate.

The type of the value contained in the sslObjectValue (CERT/246) in a subrecord of an sslIssuerFieldList (CERT/426), sslSubjectFieldList (CERT/427), or sslExtensionFieldList (CERT/428).

For the sslIssuerFieldList (CERT/426) and sslSubjectFieldList (CERT/427) subTemplateLists, YAF only parses objects that are members of the id-at arc {joint-iso-ccitt(2) ds(5) 4}, pkcs-9 {iso(1) member-body (2) us(840) rsadsi(113459) pkcs(1) 9}, and LDAP dc 0.9.2342.19200300.100.1.25. This field will not contain the full object identfier, it will just contain the member id. For example, for an issuer common name, sslObjectType will contain 3. Below is a list of common objects in an X.509 RelativeDistinguishedName Sequence for X.509 Certificates:

pkcs-9-emailAddress          {pkcs-9 1}
id-at-commonName             {id-at 3}
id-at-countryName            {id-at 6}
id-at-localityName           {id-at 7}
id-at-stateOrProvinceName    {id-at 8}
id-at-streetAddress          {id-at 9}
id-at-organizationName       {id-at 10}
id-at-organizationalUnitName {id-at 11}
id-at-title                  {id-at 12}
id-at-postalCode             {id-at 17}
0.9.2342.19200300.100.1.25   {dc 25}
id-at-name                   {id-at 41}

The bit string value associated with an sslObjectType (CERT/245) in a subrecord of an sslIssuerFieldList (CERT/426), sslSubjectFieldList (CERT/427), or sslExtensionFieldList (CERT/428).

The notBefore field in the Validity Sequence of the X.509 Certificate.

The notAfter field in the Validity Sequence of the X.509 Certificate.

The algorithm, encoded in ASN.1, in the SubjectPublicKeyInfo Sequence of the X.509 Certificate.

The length of the public key in the X.509 Certificate.

SMTP Date Field.

HTTP Authorization Header Field.

HTTP Via Header Field.

HTTP X-Forwarded-For Header Field.

Prior to YAF 3.0, this element was named "httpX-Forwarded-For".

HTTP Expires Header Field.

HTTP Refresh Header Field.

HTTP International Mobile Station Equipment Identity ID.

HTTP International Mobile Subscriber Identity

HTTP MSISDN number, a telephone number for the SIM card in a mobile/cellular phone.

HTTP Mobile Subscriber Information.

HTTP Accept Charset Header Field.

HTTP Accept Encoding Header Field.

HTTP Allow Header Field.

HTTP Date Header Field.

HTTP Expect Header Field.

HTTP From Header Field.

HTTP Proxy Authentication Field.

HTTP Upgrade Header Field.

HTTP Warning Header Field.

HTTP DNT Header Field.

HTTP X-Forwarded-Proto Header Field.

Prior to YAF 3.0, this element was named "httpX-Forwarded-Proto".

HTTP X-Forwarded-Host Header Field.

Prior to YAF 3.0, this element was named "httpX-Forwarded-Host".

HTTP X-Forwarded-Server Header Field.

Prior to YAF 3.0, this element was named "httpX-Forwarded-Server".

HTTP X-Device ID Header Field.

Prior to YAF 3.0, this element was named "httpX-DeviceID".

HTTP X-Profile Header Field.

Prior to YAF 3.0, this element was named "httpX-Profile".

HTTP Last Modified Header Field.

HTTP Content Encoding Header Field.

HTTP Content Language Header Field.

HTTP Content Location Header Field.

HTTP X-UA-Compatible Header Field.

Prior to YAF 3.0, this element was named "httpX-UA-Compatible".

The DNP3 Source Address found in the Data Link Layer of the DNP Header.

The DNP3 Destination Address found in the Data Link Layer of the DNP Header.

The DNP3 Function Code found in the first byte of the Application Layer.

The pattern captured from the DNP3 regular expression.

Data associated with the Modbus protocol, a widely used network messaging protocol used in industrial manufacturing.

Data associated with EtherNet/IP (ENIP), a protocol used in industrial automation applications.

Prior to YAF 3.0, this element was named "ethernetIPData".

Reversible as reverseRtpPayloadType (ElementID 16671).

The payload type in the RTP header of the first payload in the forward direction.

sslRecordVersion is the version of ssl or tls that was used in the flow.

The initial data sequence number found in the MPTCP Data Sequence Signal (DSS) Option of a flow. (See Multipath TCP, [RFC8684].)

The token used to identify an MPTCP connection over multiple subflows. This value is found in the MP_JOIN TCP Option for the initial SYN of a subflow.

The maximum segment size reported in the Maximum Segment Size TCP Option captured from an MPTCP flow.

The address identifier of the subflow found in the SYN/ACK of an MP_JOIN operation captured from an MPTCP flow.

Prior to YAF 3.0, this element was named "mptcpAddressID".

Various MPTCP Values:

Bit 1: Priority was changed during the life of the subflow (MP_PRIO was seen).

Bit 2: Subflow has priority at setup (backup flag was not set at initialization).

Bit 3: Subflow failed. (MP_FAIL option was seen).

Bit 4: Subflow experienced fast close. (MP_FASTCLOSE options was seen).

The server name from the SSL/TLS Client Hello. This is typically the name of the server that the client is connecting to.

The hash of the X.509 certificate.

A binary dump of the full X.509 certificate.

Prior to YAF 3.0, this element was named "sslCertificate".

The list of requested parameters found in DHCP Option 55.

The SHA1 hash of a complete SSL certificate.

The MD5 hash of a complete SSL certificate.

The protocol as determined by analysis with nDPI, the ntop-maintained superset of the OpenDPI library.

Prior to YAF 3.0, this element was named "nDPIL7Protocol".

The subprotocol as determined by analysis with nDPI, the ntop-maintained superset of the OpenDPI library.

Prior to YAF 3.0, this element was named "nDPIL7SubProtocol".

An IPv4 address that specifies an address for a DNS host name.

Prior to YAF 3.0, this element was named "rrIPv4".

An IPv6 address that specifies an address for a DNS host name.

Prior to YAF 3.0, this element was named "rrIPv6".

The Protocol field from a DNS DNSKEY Resource Record.

Prior to YAF 3.0, this element was named "DNSKEY_protocolIdentifier".

Element holding an entire DNS A record, which is a subTemplateList when emitted from YAF. This is used in Analysis Pipeline for fast flux.

Prior to YAF 3.0, this element was named "DNS_A_Record".

Element holding an entire DNS AAAA record, which is a subTemplateList when emitted from YAF. This is used in Analysis Pipeline for fast flux.

Prior to YAF 3.0, this element was named "DNS_AAAA_Record".

Element holding an entire DNS resource record, which is a subTemplateList when emitted from YAF. This is used in Analysis Pipeline.

Prior to YAF 3.0, this element was named "DNS_RESOURCE_RECORD".

Title {id-at 12} of the issuer of an SSL certificate.

Title {id-at 12} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubTitle".

Name {id-at 41} of the issuer of an SSL certificate.

Name {id-at 41} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubName".

Email address {pkcs-9 1} of the issuer of an SSL certificate.

Email address {pkcs-9 1} of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubEmailAddress".

LDAP dc (domainComponent), 0.9.2342.19200300.100.1.25, holding one component, a label, of the DNS name of the issuer of an SSL certificate.

LDAP dc (domainComponent), 0.9.2342.19200300.100.1.25, holding one component, a label, of the DNS name of the subject of an SSL certificate.

Prior to YAF 3.0, this element was named "sslCertSubDomainComponent".

SSL extension value holding the subject key identifer, {id-ce 14} subjectKeyIdentifier.

SSL extension value holding the key usage, {id-ce 15} keyUsage.

SSL extension value holding the usage period for the private key, {id-ce 16} privateKeyUsagePeriod.

SSL extension value holding the subject's alternative names, {id-ce 17} subjectAltName.

SSL extension value holding the issuer's alternative names, {id-ce 18} issuerAltName.

SSL extension value holding the certificate issuer associated with an entry in an indirect CRL, {id-ce 29} certificateIssuer.

SSL extension value holding the certificate revocation list (CRL) distribution points, {id-ce 31} crlDistributionPoints.

SSL extension value holding the certificate policies, {id-ce 32} certificatePolicies.

SSL extension value holding the authority key identifier, {id-ce 35} authorityKeyIdentifier.

SSL extension value holding the extended key usage {id-ce 37}, extKeyUage.

Element indicating whether or not the SMTP session sent the START TLS command.

SMTP Header key string.

SMTP Header value string.

Element for URLs captured in the SMTP message body

Element containing the value of the SMTP message size.

A basicList of smtpResponse (CERT/169) elements.

A basicList of smtpTo (CERT/164) elements.

A basicList of smtpFrom (CERT/163) elements.

A basicList of smtpFilename (CERT/167) elements.

A basicList of smtpURL (CERT/329) elements.

A subTemplateList holding email data in smtpMessage templates.

A subTemplateList holding smtpKey (CERT/327), smtpValue (CERT/328) pairs describing email headers.

A basicList of httpServerString (CERT/110) elements.

A basicList of httpUserAgent (CERT/111) elements.

A basicList of httpGet (CERT/112) elements.

A basicList of httpConnection (CERT/113) elements.

A basicList of httpVersion (CERT/114) elements.

A basicList of httpReferer (CERT/115) elements.

A basicList of httpLocation (CERT/116) elements.

A basicList of httpHost (CERT/117) elements.

A basicList of httpContentLength (CERT/118) elements.

A basicList of httpAge (CERT/119) elements.

A basicList of httpAccept (CERT/120) elements.

A basicList of httpAcceptLanguage (CERT/121) elements.

A basicList of httpContentType (CERT/122) elements.

A basicList of httpResponse (CERT/123) elements.

A basicList of pop3TextMessage (CERT/124) elements.

A basicList of ircTextMessage (CERT/125) elements.

A basicList of slpString (CERT/130) elements.

A basicList of ftpReturn (CERT/131) elements.

A basicList of ftpUser (CERT/132) elements.

A basicList of ftpPass (CERT/133) elements.

A basicList of ftpType (CERT/134) elements.

A basicList of ftpRespCode (CERT/135) elements.

A basicList of imapCapability (CERT/136) elements.

A basicList of imapLogin (CERT/137) elements.

A basicList of imapStartTLS (CERT/138) elements.

A basicList of imapAuthenticate (CERT/139) elements.

A basicList of imapCommand (CERT/140) elements.

A basicList of imapExists (CERT/141) elements.

A basicList of imapRecent (CERT/142) elements.

A basicList of rtspURL (CERT/143) elements.

A basicList of rtspVersion (CERT/144) elements.

A basicList of rtspReturnCode (CERT/145) elements.

A basicList of rtspContentLength (CERT/146) elements.

A basicList of rtspCommand (CERT/147) elements.

A basicList of rtspContentType (CERT/148) elements.

A basicList of rtspTransport (CERT/149) elements.

A basicList of rtspCSeq (CERT/150) elements.

A basicList of rtspLocation (CERT/151) elements.

A basicList of rtspPacketsReceived (CERT/152) elements.

A basicList of rtspUserAgent (CERT/153) elements.

A basicList of rtspJitter (CERT/154) elements.

A basicList of sipInvite (CERT/155) elements.

A basicList of sipCommand (CERT/156) elements.

A basicList of sipVia (CERT/157) elements.

A basicList of sipMaxForwards (CERT/158) elements.

A basicList of sipAddress (CERT/159) elements.

A basicList of sipContentLength (CERT/160) elements.

A basicList of sipUserAgent (CERT/161) elements.

A basicList of sshVersion (CERT/171) elements.

A basicList of nntpResponse (CERT/172) elements.

A basicList of nntpCommand (CERT/173) elements.

A basicList of sslCipher (CERT/185) elements.

A basicList of httpCookie (CERT/220) elements.

A basicList of httpSetCookie (CERT/221) elements.

A basicList of httpAuthorization (CERT/252) elements.

A basicList of httpVia (CERT/253) elements.

A basicList of httpXForwardedFor (CERT/254) elements.

A basicList of httpExpires (CERT/255) elements.

A basicList of httpRefresh (CERT/256) elements.

A basicList of httpIMEI (CERT/257) elements.

A basicList of httpIMSI (CERT/258) elements.

A basicList of httpMSISDN (CERT/259) elements.

A basicList of httpSubscriber (CERT/260) elements.

A basicList of httpAcceptCharset (CERT/261) elements.

A basicList of httpAllow (CERT/263) elements.

A basicList of httpDate (CERT/264) elements.

A basicList of httpExpect (CERT/265) elements.

A basicList of httpFrom (CERT/266) elements.

A basicList of httpProxyAuthentication (CERT/267) elements.

A basicList of httpUpgrade (CERT/268) elements.

A basicList of httpWarning (CERT/269) elements.

A basicList of httpDNT (CERT/270) elements.

A basicList of httpXForwardedProto (CERT/271) elements.

A basicList of httpXForwardedHost (CERT/272) elements.

A basicList of httpXForwardedServer (CERT/273) elements.

A basicList of httpXDeviceId (CERT/274) elements.

A basicList of httpXProfile (CERT/275) elements.

A basicList of httpLastModified (CERT/276) elements.

A basicList of httpContentEncoding (CERT/277) elements.

A basicList of httpContentLanguage (CERT/278) elements.

A basicList of httpContentLocation (CERT/279) elements.

A basicList of httpXUaCompatible (CERT/280) elements.

A basicList of modbusData (CERT/285) elements.

A basicList of enipData (CERT/286) elements.

Reversible as reverseDhcpOptionList (ElementID 16806).

A basicList of dhcpOption (CERT/297) elements.

The cryptographic algorithm used for the public key in a DNS DNSKEY RR.

A subTemplateList of mysqlCommandText (CERT/225) mysqlCommandCode (CERT/224) pairs.

A subTemplateList of yaf_ssl_cert templates.

A subTemplateList containing pairs of sslObjectValue (CERT/246) and sslObjectType (CERT/245) values describing the issuer of an X.509 certificate.

A subTemplateList containing pairs of sslObjectValue (CERT/246) and sslObjectType (CERT/245) values describing the subject of an X.509 certificate.

A subTemplateList containing pairs of sslObjectValue (CERT/246) and sslObjectType (CERT/245) values describing some of the extensions present on an X.509 certificate.

A basicList of sslBinaryCertificate (CERT/296) elements.

A subTemplateList holding the DNP3 values dnp3ObjectData (CERT/284), dnp3SourceAddress (CERT/281), dnp3DestinationAddress (CERT/282), and dnp3Function (CERT/283).

A subTemplateList of yaf_dns_rr templates. The template used by this element varies depending on the type of DNS Resource Record specified in dnsRRType (CERT/175).

A subTemplateList of deep packet inspection data generated by YAF. The template used by this element varies depending on the type of DPI data YAF collected for the record.

The Algorithm field in a DNS DS RR. It holds the algorithm used by the DNS DNSKEY RR to which this DS RR refers.

The Key Tag field in a DNS DS RR.

The Algorithm field in a DNS NSEC3 RR.

The Flags field in a DNS NSEC3 RR.

The Iterations field in a DNS NSEC3 RR.

The Next Hashed Owner Name field in a DNS NSEC3 RR.

The Salt field in a DNS NSEC3 RR.

The Type Bit Maps field in a DNS NSEC3 RR.

The Algorithm field in a DNS NSEC3PARAM RR.

The Flags field in a DNS NSEC3PARAM RR.

The Iterations field in a DNS NSEC3PARAM RR.

The Salt field in a DNS NSEC3PARAM RR.

The Next Domain Name field in a DNS NSEC RR.

The Type Bit Maps field in a DNS NSEC RR.

The Algorithm field in a DNS RRSIG RR.

The Key Tag field in a DNS RRSIG RR.

The Original TTL field in a DNS RRSIG RR.

A basicList of sslCertIssuerOrgName (CERT/192) elements, each holding an organization name {id-at 10} of the issuer of an SSL certificate.

A basicList of sslCertIssuerOrgUnitName (CERT/193) elements, each holding an organizational unit name {id-at 11} of the issuer of an SSL certificate.

A basicList of sslCertIssuerCommonName (CERT/196) elements, each holding a common name {id-at 3} of the issuer of an SSL certificate.

A basicList of sslCertIssuerStreetAddress (CERT/198) elements, each holding a street address {id-at 9} of the issuer of an SSL certificate.

A basicList of sslCertSubjectOrgName (CERT/201) elements, each holding an organization name {id-at 10} of the subject of an SSL certificate.

A basicList of sslCertSubjectOrgUnitName (CERT/202) elements, each holding an organizational unit name {id-at 11} of the subject of an SSL certificate.

A basicList of sslCertSubjectCommonName (CERT/205) elements, each holding a common name {id-at 3} of the subject of an SSL certificate.

A basicList of sslCertSubjectStreetAddress (CERT/207) elements, each holding a street address {id-at 9} of the subject of an SSL certificate.

A basicList of sslCertIssuerDomainComponent (CERT/314) elements, each holding an LDAP dc (domainComponent), 0.9.2342.19200300.100.1.25, holding one component, a label, of the DNS name of the issuer of an SSL certificate.

A basicList of sslCertSubjectDomainComponent (CERT/315) elements, each holding an LDAP dc (domainComponent), 0.9.2342.19200300.100.1.25, holding one component, a label, of the DNS name of the subject of an SSL certificate.

The whole number of days the certificate was valid (sslCertValidityNotAfter - sslCertValidityNotBefore).

The whole number of days the certificate was valid at the time it was used (flowStartMilliseconds - sslCertValidityNotBefore).

The SHA256 hash of a complete SSL certificate.

The JA3 MD5 hash of the sslClientJA3Fingerprint (CERT/464) calculated on the client-side TLS/SSL fingerprint string.

The JA3 fingerprint string enumerated from the TLS/SSL ClientHello packet. Element sslClientJA3 (CERT/463) holds the MD5 of this.

The JA3S MD5 hash of the sslServerJA3SFingerprint (CERT/466) calculated on the server-side TLS/SSL fingerprint string.

The JA3S fingerprint string enumerated from the TLS/SSL ServerHello packet. Element sslServerJA3S (CERT/465) holds the MD5 of this.

The version of the HASSH algorithm used by sshHassh (CERT/468), sshHasshAlgorithms (CERT/469), sshServerHassh (CERT/470), and sshServerHasshAlgorithms (CERT/471).

The client HASSH MD5 hash of the sshHasshAlgorithms (CERT/469) fingerprint for an SSH client.

The SSH client hasshAlgorithms: the concatenated name-lists of the client-to-server algorithms delimited by a semicolon. Element sshHassh (CERT/468) holds the MD5 of this.

The server HASSH MD5 hash (hasshServer) of the sshServerHasshAlgorithms (CERT/471) fingerprint for an SSH server.

The SSH server hasshServerAlgoritms: the concatenated name-lists of the server-to-client algorithms delimited by a semicolon. Element sshServerHassh (CERT/470) holds the MD5 of this.

The version string from an SSH server.

The negotiated symmetric encryption algorithm used for an SSH session.

The negotiated MAC algorithm used for an SSH session.

The negotiated compression algorithm used for an SSH session.

The negotiated key exchange algorithm used for an SSH session.

The negotiated host key algorithm used for an SSH session.

The MD5 hash of the public key of the SSH server.

Element indicating whether the POP3 session sent the START TLS command.

Reversible as reverseSmallPacketCount (ElementID 16884).

The number of packets that contain less than 60 bytes of payload.

Reversible as reverseNonEmptyPacketCount (ElementID 16885).

The number of packets that contain at least 1 byte of payload.

Reversible as reverseDataByteCount (ElementID 16886).

Total bytes transferred as payload.

Reversible as reverseAverageInterarrivalTime (ElementID 16887).

Average number of milliseconds between packets.

Reversible as reverseStandardDeviationInterarrivalTime (ElementID 16888).

Standard deviation of the interarrival time for up to the first ten packets.

Reversible as reverseFirstNonEmptyPacketSize (ElementID 16889).

Payload length of the first non-empty packet.

Reversible as reverseMaxPacketSize (ElementID 16890).

The largest payload length transferred in the flow.

Reversible as reverseFirstEightNonEmptyPacketDirections (ElementID 16891).

Represents directionality for the first 8 non-empty packets. 0 for forward direction, 1 for reverse direction.

Reversible as reverseStandardDeviationPayloadLength (ElementID 16892).

The standard deviation of the payload length for up to the first 10 non empty packets.

Reversible as reverseTcpUrgentCount (ElementID 16893).

The number of TCP packets that have the URGENT Flag set.

Reversible as reverseLargePacketCount (ElementID 16894).

The number of packets that contain more than 225 bytes of payload.

An identifier of a tombstone record that is unique within the process that initially generates the record.

Prior to YAF 3.0, this element was named "tombstoneId".

An identifier for this process chosen by the user.

Prior to YAF 3.0, this element was named "exporterConfiguredId".

A pseudo-random number to identify this exporting process.

Prior to YAF 3.0, this element was named "exporterUniqueId".

An identifier for each CERT tool.

1 - YAF
2 - super_mediator
3 - SiLK rwflowpack
4 - SiLK rwflowappend
5 - Mothra IPFIX Packer
6 - Analysis Pipeline
        

A subTemplateList of records containing a certToolId (CERT/553) and the observationTimeSeconds when that tool accessed the tombstone record.

Prior to YAF 3.0, this element was named "tombstoneAccessList".

Field used by super_mediator to export DNS information.

Prior to YAF 3.0, this element was named "dnsRName".

Deprecated in favor of smDedupHitCount (CERT/929).

The number of times the deduplicated item was seen.

Prior to YAF 3.0, this element was named "observedDataTotalCount".

A representation of data that is being deduplicated.

Prior to YAF 3.0, this element was named "observedData".

Used by super_mediator to indicate that the record's source IP address matched an IPset. A value of 0 means the source address was not present in the IPset; a value of 1 means it was present.

Used by super_mediator to indicate that the record's destination IP address matched an IPset. A value of 0 means the destination address was not present in the IPset; a value of 1 means it was present.

Used by super_mediator to record the name of the IPset used to determine smIPSetMatchesSource (CERT/931) and smIPSetMatchesDestination (CERT/932).

Used by super_mediator to record the label for the source IP or protocol/source-port pair as defined by a SiLK Prefix Map.

Used by super_mediator to record the label for the destination IP or protocol/destination-port pair as defined by a SiLK Prefix Map.

Used by super_mediator to indicate the type of Prefix Map used to determine smPrefixMapLabelSource (CERT/934) and smPrefixMapLabelDestination (CERT/935), where 0 indicates a map from IPv4 addresses to names, 1 from protocol/port pairs, and 2 from IPv6 addresses.

Used by super_mediator to record the name of the Prefix Map used to determine smPrefixMapLabelSource (CERT/934) and smPrefixMapLabelDestination (CERT/935).

The unique flowtype name of the flowtype identified by silkFlowtypeId (CERT/30). The flowtype name may also be represented by the pair silkClassName (CERT/939) and silkTypeName (CERT/940).

The class name of the flowtype identified by silkFlowtypeId (CERT/30) and silkFlowtypeName (CERT/938). See also silkTypeName (CERT/940).

The type name of the flowtype identified by silkFlowtypeId (CERT/30) and silkFlowtypeName (CERT/938). The type name is unique within a silkClassName (CERT/939).

The name of the sensor identified by silkSensorId (CERT/31).

The description of the sensor identified by silkSensorId (CERT/31).

Identifier of a layer 2 network segment in an overlay network. The most significant byte identifies the layer 2 network overlay network encapsulation type: 0x00 reserved, 0x01 VxLAN, 0x02 NVGRE. The three lowest significant bytes hold the value of the layer 2 overlay network segment identfier.

This element is a four-byte version of the IANA-defined layer2SegmentId, elementId 351.

Specifies a human-friendly name for an IPFIX template.

Specifies a textual description for an IPFIX template.