Reserved as per section 4 of [RFC7012].

Reversible as reverseInitialTCPFlags (ElementID 16398).

TCP flags on the initial packet in the forward direction of the flow.

Reversible as reverseUnionTCPFlags (ElementID 16399).

Union of TCP flags of all packets other than the initial packet in the forward direction of the flow.

Reversible as reversePayload (ElementID 16402).

Initial bytes of flow payload in the forward direction.

Difference in milliseconds between the times of the first packet in forward direction and the first packet in the reverse direction.

The type of flow as assigned by the SiLK rwflowpack tool.

The sensor where a flow was collected as assigned by the SiLK rwflowpack tool.

Aspects of a flow record assigned by the SiLK rwflowpack tool.

Application label, defined as the primary well-known port associated with a given application.

Reversible as reversePayloadEntropy (ElementID 16419).

The Shannon Entropy value for the payload, converted from a floating point (range 0.0 to 8.0) to an 8-bit unsigned integer. Generally, numbers above 230 are compressed or encrypted, numbers centered around 140 are English text, and very low value may indicate zero-padding of packets (e.g. TLS).

Reversible as reverseOsName (ElementID 16420).

p0f OS Name for the forward flow based on the SYN packet and p0f SYN Fingerprints.

Reversible as reverseOsVersion (ElementID 16421).

p0f OS Version for the forward flow based on the SYN packet and p0f SYN Fingerprints.

Reversible as reverseFirstPacketBanner (ElementID 16422).

IP and transport headers for first packet in forward direction to be used for external OS Fingerprinters.

Reversible as reverseSecondPacketBanner (ElementID 16423).

IP and transport headers for first packet in forward direction to be used for external OS Fingerprinters.

Reversible as reverseFlowAttributes (ElementID 16424).

Miscellaneous flow attributes for the forward direction of the flow.

Total number of packet fragments that have been expired since yaf start time.

This element previously was named "expiredFragmentCount".

Total number of packets that been assembled from a series of fragments since yaf start time.

This element previously was named "assembledFragmentCount".

The mean flow rate of the yaf flow sensor since yaf start time, rounded to the nearest integer.

This element previously was named "meanFlowRate".

The mean packet rate of the yaf flow sensor since yaf start time, rounded to the nearest integer.

This element previously was named "meanPacketRate".

Total number of times the yaf flow table has been flushed since yaf start time.

This element previously was named "flowTableFlushEventCount".

The maximum number of flows in the yaf flow table at any one time since yaf start time.

This element previously was named "flowTablePeakCount".

The 32 bit hash of the 5-tuple and VLAN that is used as they key to YAF's internal flow table.

Reversible as reverseOsFingerprint (ElementID 16491).

p0f OS Fingerprint for the forward flow based on the SYN packet and p0f SYN fingerprints.

This element previously was named "osFingerPrint".

HTTP Server Response-header field. Contains information about the software used to handle the HTTP Request.

HTTP User-Agent Request-header field. Contains information about the user agent originating the request.

HTTP Method Command. Retrieves information identified by the following Request-URI.

HTTP Connection header fields. Contains options that are desired for a particular connection.

HTTP Version Number.

HTTP Referer request-header field. Address (URI) of the resource which the Request-URI was obtained.

HTTP Location response-header field. Used to redirect the recipient to a location to complete a request or identify a new resource.

HTTP Host Request-header. The Internet host and port number of the resource being requested.

HTTP Content-Length header. Indicates the size of the entity-body.

HTTP Age response-header. Argument is the sender's estimate of the time elapsed since the response.

HTTP Accept request-header field. Used to specify certain media types that are acceptable for the response.

HTTP Accept-Language Request-Header field. Restricts the set of natural languages that preferred.

HTTP Content Type entity-header field. Indicates the media type of the entity-body.

HTTP Response Status Code. Usually a three-digit number followed by text.

POP3 Command and Replies. Contains any command or reply message found in POP3 payload data.

IRC Chat or Join Message. This field contains any IRC Command and the following arguments.

TFTP Name of File being transferred.

Contains the mode of transfer. (netascii, octet, mail)

SLP Version Number.

SLP Message Type. This value should be between 1 and 11 and describes the type of SLP message.

Contains the text elements found in an SLP Service Request.

FTP Commands or Replies.

FTP User Command Argument. This command will normally be the first command transmitted by the user.

FTP Password Command Argument. This command must be preceded by the user name command, and is usually required to complete authentication.

FTP Data Representation Type.

FTP Reply. This consists of a three digit number followed by some text.

IMAP Capability Command and Response. Captures the listing of capabilities that the server supports.

IMAP Login Command. Arguments are user name and password.

IMAP STARTTLS Command. Captures this command only as no arguments or responses are related.

IMAP Authenticate Command. Captures the authentication mechanism name of the server following this command.

Captures a variety of IMAP Commands and their arguments.

IMAP Exists Response. Reports the number of messages in the mailbox.

IMAP Recent Response. Reports the number of message with the Recent flag set.

RTSP URL. Captures the address of the network resources requested.

RTSP Version Number.

RTSP Status-Line. Captures the RTSP Protocol version, numeric status code, and the textual phrase associated with the numeric code.

RTSP Content-Length Header Field. Contains the length of the content of the method.

RTSP Command. Captures the method to be performed and the Request-URI associated with the method.

RTSP Content Type.

RTSP Transport request header field. Captures the transport protocol used and the parameters that follow.

RTSP CSeq field. Contains the sequence number for an RTSP request-response pair.

RTSP Location header field.

RTSP User Agent field. Contains information about the user agent originating the request.

RTSP User Agent field. Contains information about the user agent originating the request.

RTSP Jitter Value.

SIP Invite Method. Contains the SIP address and SIP Version Number.

SIP Command. Contains a SIP Method, SIP address, and SIP Version Number.

SIP Via contains the SIP Version Number and the address the sender is expecting to receive responses.

SIP Max Forwards contains the limit of number of hops a request can make on the way to its destination.

SIP Address contains the argument of the To, From, or Contact Header Fields.

SIP Content Length header field. Contains the byte count of the message byte.

SIP User Agent Header Field. Contains information about the User Agent Client originating the request.

SMTP Hello or Extend Hello command. Captures the command and the domain name of the SMTP client.

SMTP Mail Command. Contains the reverse-path of the sender mailbox.

The SMTP Recipient (RCPT) Command. Captures the command and the forward-path of the recipient of the mail data.

SMTP Content Type Header Field.

SMTP Subject. Contains the subject of the mail data.

SMTP Filename. Contains the name of the file attached to the mail message.

SMTP Content-Disposition Header field.

SMTP Replies. Consists of a three digit number followed by text.

Enhanced SMTP. Contains the ESMTP command with the following argument.

SSH Version Number

NNTP Reply. This consists of a three digit status code and text message.

NNTP Command. Contains an NNTP Command and following argument(s).

DNS Query/Response header field. This corresponds with the DNS header one bit field, QR. If the message is a query (0), or a response (1).

DNS Query/Response Type. This corresponds with the QTYPE field in the DNS Question Section or the TYPE field in the DNS Resource Record Section. This field determines the type of records in the DNS DPI subTemplateList.

This element previously was named "dnsQRType".

DNS Authoritative header field. This corresponds with the DNS header one bit field, AA. This bit is only valid in responses (when dnsQueryResponse is 1), and specifies that the responding name server is an authority for the domain name in the question section.

DNS NXDomain or Response Code (RCODE). This corresponds with the DNS RCODE header field. This field will be set to 3 for a Name Error, 2 for a Server Failure, 1 for a Format Error, and 0 for No Error. See [dns-parameters] for other valid values.

This element previously was named "dnsNXDomain".

DNS Resource Record Section Field. This field will be set to 0 if the information is from the Question Section, 1 for the Answer Section, 2 for the Name Server Section, and 3 for the Additional Section.

This element previously was named "dnsRRSection".

A DNS Query or Response Name. This field corresponds with the QNAME field in the DNS Question Section or the NAME field in the DNS Resource Record Section.

This element previously was named "dnsQName".

A domain-name which specificies the canonical or primary name for the owner.

This element previously was named "dnsCName".

Corresponds to the DNS MX Preference field.

Corresponds to the DNS MX Exchange field.

An authoritative name server domain-name.

Corresponds to DNS PTR PTRDNAME Field.

sslCipher is a CipherSuite suggested by the client in the ClientHello Message.

sslClientVersion is the version it supports contained in the initial ClientHello message.

sslServerCipher is the CipherSuite chosen by the server in the ServerHello message.

sslCompressionMethod is the compression method chosen by the server in the ServerHello message.

The Certificate Version. This is the value contained in the certificate v1(0), v2(1), v3(2).

The signature contained in a SSL certificate. This is typically the hashing algorithm identifier.

Country name {id-at 6} of the issuer of an SSL certificate.

Organization name {id-at 10} of the issuer of an SSL certificate.

Organizational unit name {id-at 11} of the issuer of an SSL certificate.

Postal or zip code {id-at 17} of the issuer of an SSL certificate.

State or providence name {id-at 8} of the issuer of an SSL certificate.

Common name {id-at 3} of the issuer of an SSL certificate.

Locality name {id-at 7} of the issuer of an SSL certificate.

Street address {id-at 9} of the issuer of an SSL certificate.

DNS Time To Live. This is an unsigned integer that specifies the time interval, in seconds, that the resource record may be cached for. This will contain a value of zero for DNS Queries.

Country name {id-at 6} of the subject of an SSL certificate.

This element previously was named "sslCertSubCountryName".

Organization name {id-at 10} of the subject of an SSL certificate.

This element previously was named "sslCertSubOrgName".

Organizational unit name {id-at 11} of the subject of an SSL certificate.

This element previously was named "sslCertSubOrgUnitName".

Postal or zip code {id-at 17} of the subject of an SSL certificate.

This element previously was named "sslCertSubZipCode".

State or providence name {id-at 8} of the subject of an SSL certificate.

This element previously was named "sslCertSubState".

Common name {id-at 3} of the subject of an SSL certificate.

This element previously was named "sslCertSubCommonName".

Locality name {id-at 7} of the subject of an SSL certificate.

This element previously was named "sslCertSubLocalityName".

Street address {id-at 9} of the subject of an SSL certificate.

This element previously was named "sslCertSubStreetAddress".

Corresponds to DNS TXT TXT-DATA field.

Corresponds to DNS SOA SERIAL Field.

Corresponds to DNS SOA REFRESH Field.

Corresponds to DNS SOA RETRY Field.

Corresponds to DNS SOA EXPIRE Field.

Corresponds to DNS SOA MINIMUM Field.

Corresponds to DNS SOA MNAME Field.

Corresponds to DNS SOA RNAME Field.

Corresponds to the Priority Field in the DNS SRV Resource Record.

Corresponds to the Weight Field in the DNS SRV Resource Record.

Corresponds to the Port Field in the DNS SRV Resource Record.

Corresponds to the Target Field in the DNS SRV Resource Record.

HTTP Cookie Header Field.

HTTP Set Cookie Header Field.

SMTP Size Header Field. Contains the size in bytes of the mail data.

The username seen when authenticating to a MySQL server.

MySQL Command Code. This number should be between 0 and 28.

MySQL Command Text. For example, this can be a SELECT, INSERT, DELETE statement.

DNS Transaction ID. This identifier is used by the requester to match up replies to outstanding queries.

This element previously was named "dnsID".

Deprecated in favor of ID 6871/423 dnsDNSKEYAlgorithm, 6871/433 dnsDSAlgorithm, 6871/435 dnsNSEC3Algorithm, 6871/441 dnsNSEC3PARAMAlgorithm, and 6871/447 dnsRRSIGAlgorithm.

The Hash Algorithm field in various DNSSEC records.

Deprecated in favor of 6871/434 dnsDSKeyTag and 6871/448 dnsRRSIGKeyTag.

The Key Tag field in the DS RR.

The Signer's Name field in the DNS RRSIG RR.

This element previously was named "dnsSigner".

The Signature field in the DNS RRSIG RR. Contains the cryptographic signature that covers the dnsName (6871/179) field.

This element previously was named "dnsSignature".

The Digest field of the DNS DS RR.

This element previously was named "dnsDigest".

DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets. This field holds the public key. The format depends on the algorithm of the key.

This element previously was named "dnsPublicKey".

Deprecated in favor of 6871/439 dnsNSEC3Salt and 6871/444 dnsNSEC3PARAMSalt.

The Salt Field in the DNSSEC NSEC3 or NSEC3PARAM RR.

Deprecated in favor of 6871/438 dnsNSEC3NextHashedOwnerName and 6871/445 dnsNSECNextDomainName.

The Next Hashed Owner Name in the DNSSEC NSEC3 RR and Next Domain Name field in the DNSNSEC RR.

Deprecated in favor of 6871/437 dnsNSEC3Iterations and 6871/443 dnsNSEC3PARAMIterations.

The Iterations field in the DNSSEC NSEC3 or NSEC3PARAM RR.

The Signature Expiration field in a DNS RRSIG RR. The Expiration and Inception fields specify a validity period for the signature.

This element previously was named "dnsSignatureExpiration".

The Signature Inception field in a RRSIG RR. The Expiration and Inception fields specify a validity period for the signature.

This element previously was named "dnsSignatureInception".

The Digest Type field in a DNS DS RR which identifes the algorithm used to construct the digest.

This element previously was named "dnsDigestType".

The Labels field in a DNS RRSIG RR. Specifies the number of labels in the original RRSIG resource record owner name.

This element previously was named "dnsLabels".

The Type Covered field in a DNS RRSIG RR.

This element previously was named "dnsTypeCovered".

The Flags field in the DNS DNSKEY Resource Record. Certain bits determine if the key is a zone key or should be used for a secure entry point.

This element previously was named "dnsFlags".

Reversible as reverseDhcpFingerprint (ElementID 16626).

The DHCP fingerprint. This will be the description of the OS.

This element previously was named "dhcpFingerPrint".

Reversible as reverseDhcpVendorCode (ElementID 16627).

The DHCP vendor class ID found in Option 60 of the DHCP packet. This field may help further identify the operating system of the sender.

The Serial Number from the X.509 certificate.

For the Issuer and Subject subTemplateLists, yaf only parses objects that are members of the id-at arc {joint-iso-ccitt(2) ds(5) 4}, pkcs-9 {iso(1) member-body (2) us(840) rsadsi(113459) pkcs(1) 9}, and LDAP dc 0.9.2342.19200300.100.1.25. This field will not contain the full object identfier, it will just contain the member id. For example, for an issuer common name, sslObjectType will contain 3. Below is a list of common objects in an X.509 RelativeDistinguishedName Sequence for X.509 Certificates:

pkcs-9-emailAddress          {pkcs-9 1}
id-at-commonName             {id-at 3}
id-at-countryName            {id-at 6}
id-at-localityName           {id-at 7}
id-at-stateOrProvinceName    {id-at 8}
id-at-streetAddress          {id-at 9}
id-at-organizationName       {id-at 10}
id-at-organizationalUnitName {id-at 11}
id-at-title                  {id-at 12}
id-at-postalCode             {id-at 17}
0.9.2342.19200300.100.1.25   {dc 25}
id-at-name                   {id-at 41}

The bit strings associated with sslObjectType.

The notBefore field in the Validity Sequence of the X.509 Certificate.

The notAfter field in the Validity Sequence of the X.509 Certificate.

The algorithm, encoded in ASN.1, in the SubjectPublicKeyInfo Sequence of the X.509 Certificate.

The length of the public key in the X.509 Certificate.

SMTP Date Field.

HTTP Authorization Header Field.

HTTP Via Header Field.

HTTP X-Forwarded-For Header Field.

This element previously was named "httpX-Forwarded-For".

HTTP Expires Header Field.

HTTP Refresh Header Field.

HTTP International Mobile Station Equipment Identity ID.

HTTP International Mobile Subscriber Identity

HTTP MSISDN number, a telephone number for the SIM card in a mobile/cellular phone.

HTTP Mobile Subscriber Information.

HTTP Accept Charset Header Field.

HTTP Accept Encoding Header Field.

HTTP Allow Header Field.

HTTP Date Header Field.

HTTP Expect Header Field.

HTTP From Header Field.

HTTP Proxy Authentication Field.

HTTP Upgrade Header Field.

HTTP Warning Header Field.

HTTP DNT Header Field.

HTTP X-Forwarded-Proto Header Field.

This element previously was named "httpX-Forwarded-Proto".

HTTP X-Forwarded-Host Header Field.

This element previously was named "httpX-Forwarded-Host".

HTTP X-Forwarded-Server Header Field.

This element previously was named "httpX-Forwarded-Server".

HTTP X-Device ID Header Field.

This element previously was named "httpX-DeviceID".

HTTP X-Profile Header Field.

This element previously was named "httpX-Profile".

HTTP Last Modified Header Field.

HTTP Content Encoding Header Field.

HTTP Content Language Header Field.

HTTP Content Location Header Field.

HTTP X-UA-Compatible Header Field.

This element previously was named "httpX-UA-Compatible".

The DNP3 Source Address found in the Data Link Layer of the DNP Header.

The DNP3 Destination Address found in the Data Link Layer of the DNP Header.

The DNP3 Function Code found in the first byte of the Application Layer.

The pattern captured from the DNP3 regular expression.

Data associated with the Modbus protocol, a widely used network messaging protocol used in industrial manufacturing.

Data associated with EtherNet/IP (ENIP), a protocol used in industrial automation applications.

This element previously was named "ethernetIPData".

Reversible as reverseRtpPayloadType (ElementID 16671).

The payload type in the RTP header of the first payload in the forward direction.

sslRecordVersion is the version of ssl or tls that was used in the flow.

The initial data sequence number found in the MPTCP Data Sequence Signal (DSS) Option of a flow. (See Multipath TCP, [RFC8684].)

The token used to identify an MPTCP connection over multiple subflows. This value is found in the MP_JOIN TCP Option for the initial SYN of a subflow.

The maximum segment size reported in the Maximum Segment Size TCP Option captured from an MPTCP flow.

The address identifier of the subflow found in the SYN/ACK of an MP_JOIN operation captured from an MPTCP flow.

This element previously was named "mptcpAddressID".

Various MPTCP Values:

Bit 1: Priority was changed during the life of the subflow (MP_PRIO was seen).

Bit 2: Subflow has priority at setup (backup flag was not set at initialization).

Bit 3: Subflow failed. (MP_FAIL option was seen).

Bit 4: Subflow experienced fast close. (MP_FASTCLOSE options was seen).

The server name from the SSL/TLS Client Hello. This is typically the name of the server that the client is connecting to.

The hash of the X.509 certificate.

A binary dump of the full X.509 certificate.

This element previously was named "sslCertificate".

The list of requested parameters found in DHCP Option 55.

The SHA1 hash of a complete SSL certificate.

The MD5 hash of a complete SSL certificate.

The protocol as determined by analysis with nDPI, the ntop-maintained superset of the OpenDPI library.

This element previously was named "nDPIL7Protocol".

The subprotocol as determined by analysis with nDPI, the ntop-maintained superset of the OpenDPI library.

This element previously was named "nDPIL7SubProtocol".

An IPv4 address that specifies an address for a DNS host name.

This element previously was named "rrIPv4".

An IPv6 address that specifies an address for a DNS host name.

This element previously was named "rrIPv6".

The Protocol field from a DNS DNSKEY Resource Record.

This element previously was named "DNSKEY_protocolIdentifier" and "dnsKeyProtocolIdentifier".

Element holding an entire DNS A record, which is a sub template list when emitted from YAF. This is used in Analysis Pipeline for fast flux.

This element previously was named "DNS_A_Record".

Element holding an entire DNS AAAA record, which is a sub template list when emitted from YAF. This is used in Analysis Pipeline for fast flux.

This element previously was named "DNS_AAAA_Record".

Element holding an entire DNS resource record, which is a sub template list when emitted from YAF. This is used in Analysis Pipeline.

This element previously was named "DNS_RESOURCE_RECORD".

Title {id-at 12} of the issuer of an SSL certificate.

Title {id-at 12} of the subject of an SSL certificate.

This element previously was named "sslCertSubTitle".

Name {id-at 41} of the issuer of an SSL certificate.

Name {id-at 41} of the subject of an SSL certificate.

This element previously was named "sslCertSubName".

Email address {pkcs-9 1} of the issuer of an SSL certificate.

Email address {pkcs-9 1} of the subject of an SSL certificate.

This element previously was named "sslCertSubEmailAddress".

LDAP dc (domainComponent), 0.9.2342.19200300.100.1.25, holding one component, a label, of the DNS name of the issuer of an SSL certificate.

LDAP dc (domainComponent), 0.9.2342.19200300.100.1.25, holding one component, a label, of the DNS name of the subject of an SSL certificate.

This element previously was named "sslCertSubDomainComponent".

SSL extension value holding the subject key identifer, {id-ce 14} subjectKeyIdentifier.

SSL extension value holding the key usage, {id-ce 15} keyUsage.

SSL extension value holding the usage period for the private key, {id-ce 16} privateKeyUsagePeriod.

SSL extension value holding the subject's alternative names, {id-ce 17} subjectAltName.

SSL extension value holding the issuer's alternative names, {id-ce 18} issuerAltName.

SSL extension value holding the certificate issuer associated with an entry in an indirect CRL, {id-ce 29} certificateIssuer.

SSL extension value holding the certificate revocation list (CRL) distribution points, {id-ce 31} crlDistributionPoints.

SSL extension value holding the certificate policies, {id-ce 32} certificatePolicies.

SSL extension value holding the authority key identifier, {id-ce 35} authorityKeyIdentifier.

SSL extension value holding the extended key usage {id-ce 37}, extKeyUage.

Element indicating whether or not the SMTP session sent the START TLS command.

SMTP Header key string.

SMTP Header value string.

Element for URLs captured in the SMTP message body

Element containing the value of the SMTP message size.

A basicList of smtpResponse (CERT/169) elements.

A basicList of smtpTo (CERT/164) elements.

A basicList of smtpFrom (CERT/163) elements.

A basicList of smtpFilename (CERT/167) elements.

A basicList of smtpURL (CERT/329) elements.

A sub template list holding email data in smtpMessage templates.

A sub template list holding email header data in smtpHeader templates.

A basicList of httpServerString (CERT/110) elements.

A basicList of httpUserAgent (CERT/111) elements.

A basicList of httpGet (CERT/112) elements.

A basicList of httpConnection (CERT/113) elements.

A basicList of httpVersion (CERT/114) elements.

A basicList of httpReferer (CERT/115) elements.

A basicList of httpLocation (CERT/116) elements.

A basicList of httpHost (CERT/117) elements.

A basicList of httpContentLength (CERT/118) elements.

A basicList of httpAge (CERT/119) elements.

A basicList of httpAccept (CERT/120) elements.

A basicList of httpAcceptLanguage (CERT/121) elements.

A basicList of httpContentType (CERT/122) elements.

A basicList of httpResponse (CERT/123) elements.

A basicList of pop3TextMessage (CERT/124) elements.

A basicList of ircTextMessage (CERT/125) elements.

A basicList of slpString (CERT/130) elements.

A basicList of ftpReturn (CERT/131) elements.

A basicList of ftpUser (CERT/132) elements.

A basicList of ftpPass (CERT/133) elements.

A basicList of ftpType (CERT/134) elements.

A basicList of ftpRespCode (CERT/135) elements.

A basicList of imapCapability (CERT/136) elements.

A basicList of imapLogin (CERT/137) elements.

A basicList of imapStartTLS (CERT/138) elements.

A basicList of imapAuthenticate (CERT/139) elements.

A basicList of imapCommand (CERT/140) elements.

A basicList of imapExists (CERT/141) elements.

A basicList of imapRecent (CERT/142) elements.

A basicList of rtspURL (CERT/143) elements.

A basicList of rtspVersion (CERT/144) elements.

A basicList of rtspReturnCode (CERT/145) elements.

A basicList of rtspContentLength (CERT/146) elements.

A basicList of rtspCommand (CERT/147) elements.

A basicList of rtspContentType (CERT/148) elements.

A basicList of rtspTransport (CERT/149) elements.

A basicList of rtspCSeq (CERT/150) elements.

A basicList of rtspLocation (CERT/151) elements.

A basicList of rtspPacketsReceived (CERT/152) elements.

A basicList of rtspUserAgent (CERT/153) elements.

A basicList of rtspJitter (CERT/154) elements.

A basicList of sipInvite (CERT/155) elements.

A basicList of sipCommand (CERT/156) elements.

A basicList of sipVia (CERT/157) elements.

A basicList of sipMaxForwards (CERT/158) elements.

A basicList of sipAddress (CERT/159) elements.

A basicList of sipContentLength (CERT/160) elements.

A basicList of sipUserAgent (CERT/161) elements.

A basicList of sshVersion (CERT/171) elements.

A basicList of nntpResponse (CERT/172) elements.

A basicList of nntpCommand (CERT/173) elements.

A basicList of sslCipher (CERT/185) elements.

A basicList of httpCookie (CERT/220) elements.

A basicList of httpSetCookie (CERT/221) elements.

A basicList of httpAuthorization (CERT/252) elements.

A basicList of httpVia (CERT/253) elements.

A basicList of httpX-Forwarded-For (CERT/254) elements.

This element previously was named "httpX-Forwarded-ForList".

A basicList of httpExpires (CERT/255) elements.

A basicList of httpRefresh (CERT/256) elements.

A basicList of httpIMEI (CERT/257) elements.

A basicList of httpIMSI (CERT/258) elements.

A basicList of httpMSISDN (CERT/259) elements.

A basicList of httpSubscriber (CERT/260) elements.

A basicList of httpAcceptCharset (CERT/261) elements.

A basicList of httpAllow (CERT/263) elements.

A basicList of httpDate (CERT/264) elements.

A basicList of httpExpect (CERT/265) elements.

A basicList of httpFrom (CERT/266) elements.

A basicList of httpProxyAuthentication (CERT/267) elements.

A basicList of httpUpgrade (CERT/268) elements.

A basicList of httpWarning (CERT/269) elements.

A basicList of httpDNT (CERT/270) elements.

A basicList of httpXForwardedProto (CERT/271) elements.

This element previously was named "httpX-Forwarded-ProtoList".

A basicList of httpXForwardedHost (CERT/272) elements.

This element previously was named "httpX-Forwarded-HostList".

A basicList of httpXForwardedServer (CERT/273) elements.

This element previously was named "httpX-Forwarded-ServerList".

A basicList of httpXDeviceId (CERT/274) elements.

This element previously was named "httpX-DeviceIDList".

A basicList of httpXProfile (CERT/275) elements.

This element previously was named "httpX-ProfileList".

A basicList of httpLastModified (CERT/276) elements.

A basicList of httpContentEncoding (CERT/277) elements.

A basicList of httpContentLanguage (CERT/278) elements.

A basicList of httpContentLocation (CERT/279) elements.

A basicList of httpXUACompatible (CERT/280) elements.

This element previously was named "httpX-UA-CompatibleList".

A basicList of modbusData (CERT/285) elements.

A basicList of enipData (6871/286) elements.

This element previously was named "ethernetIPDataList".

Reversible as reverseDhcpOptionList (ElementID 16806).

A basicList of dhcpOption (6871/297) elements.

The cryptographic algorithm used for the public key in a DNS DNSKEY RR.

A subTemplateList of mysqlCommandText mysqlCommandCode pairs.

A subTemplateList of yaf_ssl_cert templates.

A subTemplateList of sslCertificate values.

A subTemplateList of sslCertificate values.

A subTemplateList of sslCertificate values.

A basicList of sslBinaryCertificate (CERT/296) elements.

A subTemplateList holding the DNP3 values

A subTemplateList of yaf_dns_rr templates.

This element previously was named "dnsQRDetailRecordList".

A subTemplateList of deep packet inspection data generated by yaf.

The Algorithm field in a DNS DS RR. It holds the algorithm used by the DNS DNSKEY RR to which this DS RR refers.

The Key Tag field in a DNS DS RR.

The Algorithm field in a DNS NSEC3 RR.

The Flags field in a DNS NSEC3 RR.

The Iterations field in a DNS NSEC3 RR.

The Next Hashed Owner Name field in a DNS NSEC3 RR.

The Salt field in a DNS NSEC3 RR.

The Type Bit Maps field in a DNS NSEC3 RR.

The Algorithm field in a DNS NSEC3PARAM RR.

The Flags field in a DNS NSEC3PARAM RR.

The Iterations field in a DNS NSEC3PARAM RR.

The Salt field in a DNS NSEC3PARAM RR.

The Next Domain Name field in a DNS NSEC RR.

The Type Bit Maps field in a DNS NSEC RR.

The Algorithm field in a DNS RRSIG RR.

The Key Tag field in a DNS RRSIG RR.

The Original TTL field in a DNS RRSIG RR.

A basicList of sslCertIssuerOrgName (CERT/192) elements, each holding an organization name {id-at 10} of the issuer of an SSL certificate.

A basicList of sslCertIssuerOrgUnitName (CERT/193) elements, each holding an organizational unit name {id-at 11} of the issuer of an SSL certificate.

A basicList of sslCertIssuerCommonName (CERT/196) elements, each holding a common name {id-at 3} of the issuer of an SSL certificate.

A basicList of sslCertIssuerStreetAddress (CERT/198) elements, each holding a street address {id-at 9} of the issuer of an SSL certificate.

A basicList of sslCertSubjectOrgName (CERT/201) elements, each holding an organization name {id-at 10} of the subject of an SSL certificate.

A basicList of sslCertSubjectOrgUnitName (CERT/202) elements, each holding an organizational unit name {id-at 11} of the subject of an SSL certificate.

A basicList of sslCertSubjectCommonName (CERT/205) elements, each holding a common name {id-at 3} of the subject of an SSL certificate.

A basicList of sslCertSubjectStreetAddress (CERT/207) elements, each holding a street address {id-at 9} of the subject of an SSL certificate.

A basicList of sslCertIssuerDomainComponent (CERT/314) elements, each holding an LDAP dc (domainComponent), 0.9.2342.19200300.100.1.25, holding one component, a label, of the DNS name of the issuer of an SSL certificate.

A basicList of sslCertSubjectDomainComponent (CERT/315) elements, each holding an LDAP dc (domainComponent), 0.9.2342.19200300.100.1.25, holding one component, a label, of the DNS name of the subject of an SSL certificate.

The whole number of days the certificate was valid (sslCertValidityNotAfter - sslCertValidityNotBefore).

The whole number of days the certificate was valid at the time it was used (flowStartMilliseconds - sslCertValidityNotBefore).

The SHA256 hash of a complete SSL certificate.

Reversible as reverseSmallPacketCount (ElementID 16884).

The number of packets that contain less than 60 bytes of payload.

Reversible as reverseNonEmptyPacketCount (ElementID 16885).

The number of packets that contain at least 1 byte of payload.

Reversible as reverseDataByteCount (ElementID 16886).

Total bytes transferred as payload.

Reversible as reverseAverageInterarrivalTime (ElementID 16887).

Average number of milliseconds between packets.

Reversible as reverseStandardDeviationInterarrivalTime (ElementID 16888).

Standard deviation of the interarrival time for up to the first ten packets.

Reversible as reverseFirstNonEmptyPacketSize (ElementID 16889).

Payload length of the first non-empty packet.

Reversible as reverseMaxPacketSize (ElementID 16890).

The largest payload length transferred in the flow.

Reversible as reverseFirstEightNonEmptyPacketDirections (ElementID 16891).

Represents directionality for the first 8 non-empty packets. 0 for forward direction, 1 for reverse direction.

Reversible as reverseStandardDeviationPayloadLength (ElementID 16892).

The standard deviation of the payload length for up to the first 10 non empty packets.

Reversible as reverseTcpUrgentCount (ElementID 16893).

The number of TCP packets that have the URGENT Flag set.

Reversible as reverseLargePacketCount (ElementID 16894).

The number of packets that contain at least 220 bytes of payload.

An identifier of a tombstone record that is unique within the process that initially generates the record.

This element previously was named "tombstoneId".

An identifier for this process chosen by the user.

This element previously was named "exporterConfiguredId".

A pseudo-random number to identify this exporting process.

This element previously was named "exporterUniqueId".

An identifier for each CERT tool.

1 - YAF
2 - super_mediator
3 - SiLK rwflowpack
4 - SiLK rwflowappend
5 - Mothra IPFIX Packer
6 - Analysis Pipeline
        

A list containing a certToolId and the time when that tool accessed the tombstone record.

This element previously was named "tombstoneAccessList".

Field used by super_mediator to export DNS information.

This element previously was named "dnsRName".

Deprecated in favor of 6871/929 smDedupHitCount.

The number of times the deduplicated item was seen.

This element previously was named "observedDataTotalCount".

A representation of data that is being deduplicated.

This element previously was named "observedData".

Used by super_mediator to indicate that the record's source IP address matched an IPset.

Used by super_mediator to indicate that the record's destination IP address matched an IPset.

Specifies a human-friendly name for an IPFIX template.

Specifies a textual description for an IPFIX template.