pyfixbuf.yaflists — Pre-defined Information Element Lists

The pyfixbuf.yaflists module defines variables which specify lists of CERT enterprise-specific Information Elements. The Elements may be added to an Information Model (pyfixbuf.InfoModel) by invoking pyfixbuf.InfoModel.add_element_list with one of the list variables as an argument.

NOTE: The following variables are outdated and incomplete and should not be used in new code. Please change your code so that it adds the CERT Information Elements to your model by loading them from the pyfixbuf.cert package, as shown in this example:

# create your model as normal
model = pyfixbuf.InfoModel()

# add this:
import pyfixbuf.cert
pyfixbuf.cert.add_elements_to_model(model)

As of pyfixbuf-0.9.0, these variables are no longer imported into the pyfixbuf module. To use them, you must explicitly import them:

import pyfixbuf
from pyfixbuf.yaflists import YAF_LIST, YAF_DNS_LIST, YAF_DPI_LIST
from pyfixbuf.yaflists import YAF_FLOW_STATS_LIST, YAF_FTP_LIST
from pyfixbuf.yaflists import YAF_HTTP_LIST, YAF_IMAP_LIST, YAF_RTSP_LIST
from pyfixbuf.yaflists import YAF_SIP_LIST, YAF_SLP_LIST, YAF_SMTP_LIST
from pyfixbuf.yaflists import YAF_SSL_LIST, YAF_STATS_LIST

The pyfixbuf.InfoElement objects in these lists use the CERT private enterprise number (PEN) 6871. Each list contains Elements that are related to a particular internet protocol (e.g., HTTP, DNS, SMTP). The variables YAF_LIST and YAF_STATS_LIST are necessary for reading the IPFIX streams created by YAF when its deep-packet inspection feature is disabled.
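The tables below share one enterprise number, so an element is identified by the pair (PEN 6871, ID), not by its name. Two rows on this page claim the same pair (osName and payload at ID 36 in YAF_LIST; dnsTXTData in YAF_DNS_LIST and sslCertSerialNumber in YAF_SSL_LIST at ID 208), which is a concrete reason to follow the note above and load the maintained elements from pyfixbuf.cert. The following is an added example, not code from pyfixbuf or YAF: it checks a set of lists for such (PEN, ID) collisions before anything is registered, and shows both model-building paths using only the calls that appear on this page. The row tuples are transcribed from the tables here (all of YAF_LIST, and a few rows each of YAF_DNS_LIST and YAF_SSL_LIST); what pyfixbuf itself does when a colliding element is registered is not described on this page, so the check refuses the lists up front.

```python
"""Pre-registration collision check for CERT (PEN 6871) Information Element lists.

Added example; not code from pyfixbuf or YAF.  Rows are (name, element id, type)
transcribed from the reference tables on this page.
"""
from collections import defaultdict

CERT_PEN = 6871  # private enterprise number shared by every element below

# Transcribed from the YAF_LIST table (name, id, type).
YAF_LIST_ROWS = [
    ("initialTCPFlags", 14, "UINT8"),
    ("unionTCPFlags", 15, "UINT8"),
    ("reverseFlowDeltaMilliseconds", 21, "UINT32"),
    ("silkAppLabel", 33, "UINT16"),
    ("osName", 36, "STRING"),
    ("payload", 36, "OCTET ARRAY"),
    ("osVersion", 37, "STRING"),
    ("firstPacketBanner", 38, "OCTET ARRAY"),
    ("secondPacketBanner", 39, "OCTET ARRAY"),
    ("flowAttributes", 40, "UINT16"),
    ("osFingerPrint", 107, "STRING"),
    ("yafFlowKeyHash", 106, "UINT32"),
]

# Partial transcriptions (a few rows each) of YAF_DNS_LIST and YAF_SSL_LIST.
YAF_DNS_LIST_ROWS = [
    ("dnsQName", 179, "STRING"),
    ("dnsTTL", 199, "UINT32"),
    ("dnsTXTData", 208, "STRING"),
]
YAF_SSL_LIST_ROWS = [
    ("sslCipher", 185, "UINT32"),
    ("sslCertSerialNumber", 208, "STRING"),
    ("sslRecordVersion", 288, "UINT16"),
]


def find_id_collisions(*row_lists):
    """Map every (PEN, id) claimed by more than one name to the list of
    (name, type) pairs that claim it, in the order they were seen."""
    claims = defaultdict(list)
    for rows in row_lists:
        for name, ident, ie_type in rows:
            claims[(CERT_PEN, ident)].append((name, ie_type))
    return {key: names for key, names in claims.items() if len(names) > 1}


def check_lists(*row_lists):
    """Raise ValueError naming every collision; otherwise return the merged
    {(PEN, id): (name, type)} catalogue, which is then safe to register."""
    collisions = find_id_collisions(*row_lists)
    if collisions:
        detail = "; ".join(
            f"PEN {pen} id {ident}: " + ", ".join(f"{n} ({t})" for n, t in names)
            for (pen, ident), names in sorted(collisions.items())
        )
        raise ValueError("conflicting Information Element ids: " + detail)
    return {
        (CERT_PEN, ident): (name, ie_type)
        for rows in row_lists
        for name, ident, ie_type in rows
    }


def build_model(legacy_lists=False):
    """Create a pyfixbuf InfoModel using only the calls shown on this page.

    The default path loads the maintained CERT elements from pyfixbuf.cert;
    legacy_lists=True registers the deprecated yaflists variables instead.
    pyfixbuf must be installed, hence the lazy imports."""
    import pyfixbuf

    model = pyfixbuf.InfoModel()
    if legacy_lists:
        from pyfixbuf.yaflists import YAF_LIST, YAF_STATS_LIST
        model.add_element_list(YAF_LIST)
        model.add_element_list(YAF_STATS_LIST)
    else:
        import pyfixbuf.cert
        pyfixbuf.cert.add_elements_to_model(model)
    return model


if __name__ == "__main__":
    for label, lists in [
        ("YAF_DNS_LIST rows alone", (YAF_DNS_LIST_ROWS,)),
        ("YAF_LIST rows alone", (YAF_LIST_ROWS,)),
        ("all three", (YAF_LIST_ROWS, YAF_DNS_LIST_ROWS, YAF_SSL_LIST_ROWS)),
    ]:
        try:
            catalogue = check_lists(*lists)
            print(f"{label}: ok, {len(catalogue)} elements")
        except ValueError as err:
            print(f"{label}: {err}")
```

Running the script reports the DNS rows as clean, flags ID 36 inside YAF_LIST itself, and flags both ID 36 and ID 208 when the three lists are combined. The check keys on (PEN, ID) rather than on name because that pair is what an IPFIX template refers to; a name clash would be caught by Python long before this, an ID clash would not.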

YAF_LIST

=============================  ===  ===========  ===========
Information Element            ID   TYPE         Description
=============================  ===  ===========  ===========
initialTCPFlags                14   UINT8        Initial sequence number of the forward direction of the flow
unionTCPFlags                  15   UINT8        Union of TCP flags of all packets other than the initial packet in the forward direction of the flow
reverseFlowDeltaMilliseconds   21   UINT32       Difference in time, in milliseconds, between the first packet in the forward direction and the first packet in the reverse direction
silkAppLabel                   33   UINT16       Application label, defined as the primary well-known port associated with a given application.
osName                         36   STRING       p0f OS Name for the forward flow based on the SYN packet and p0f SYN Fingerprints.
payload                        36   OCTET ARRAY  Initial n bytes of forward direction of flow payload.
osVersion                      37   STRING       p0f OS Version for the forward flow based on the SYN packet and p0f SYN Fingerprints.
firstPacketBanner              38   OCTET ARRAY  IP and transport headers for the first packet in the forward direction, to be used by external OS fingerprinters.
secondPacketBanner             39   OCTET ARRAY  IP and transport headers for the first packet in the forward direction, to be used by external OS fingerprinters.
flowAttributes                 40   UINT16       Miscellaneous flow attributes for the forward direction of the flow
osFingerPrint                  107  STRING       p0f OS Fingerprint for the forward flow based on the SYN packet and p0f SYN fingerprints.
yafFlowKeyHash                 106  UINT32       The 32-bit hash of the 5-tuple and VLAN that is used as the key to YAF's internal flow table.
=============================  ===  ===========  ===========

YAF_STATS_LIST

========================  ===  ======  ===========
Information Element       ID   TYPE    Description
========================  ===  ======  ===========
expiredFragmentCount      100  UINT32  Total number of fragments that have expired since yaf start time.
assembledFragmentCount    101  UINT32  Total number of packets that have been assembled from a series of fragments since yaf start time.
meanFlowRate              102  UINT32  The mean flow rate of the yaf flow sensor since yaf start time, rounded to the nearest integer.
meanPacketRate            103  UINT32  The mean packet rate of the yaf flow sensor since yaf start time, rounded to the nearest integer.
flowTableFlushEventCount  104  UINT32  Total number of times the yaf flow table has been flushed since yaf start time.
flowTablePeakCount        105  UINT32  The maximum number of flows in the yaf flow table at any one time since yaf start time.
========================  ===  ======  ===========

YAF_FLOW_STATS_LIST

==================================  ===  ======  ===========
Information Element                 ID   TYPE    Description
==================================  ===  ======  ===========
smallPacketCount                    500  UINT32  The number of packets that contain less than 60 bytes of payload.
nonEmptyPacketCount                 501  UINT32  The number of packets that contain at least 1 byte of payload.
dataByteCount                       502  UINT64  Total bytes transferred as payload.
averageInterarrivalTime             503  UINT64  Average number of milliseconds between packets.
standardDeviationInterarrivalTime   504  UINT64  Standard deviation of the interarrival time for up to the first ten packets.
firstNonEmptyPacketSize             505  UINT16  Payload length of the first non-empty packet.
maxPacketSize                       506  UINT16  The largest payload length transferred in the flow.
firstEightNonEmptyPacketDirections  507  UINT8   Represents directionality for the first 8 non-empty packets: 0 for forward direction, 1 for reverse direction.
standardDeviationPayloadLength      508  UINT16  The standard deviation of the payload length for up to the first 10 non-empty packets.
tcpUrgCount                         509  UINT32  The number of TCP packets that have the URGENT flag set.
largePacketCount                    510  UINT32  The number of packets that contain at least 220 bytes of payload.
==================================  ===  ======  ===========

YAF_HTTP_LIST

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

=======================  ===  ======
Information Element      ID   TYPE
=======================  ===  ======
httpServerString         110  STRING
httpUserAgent            111  STRING
httpGet                  112  STRING
httpConnection           113  STRING
httpVersion              114  STRING
httpReferer              115  STRING
httpLocation             116  STRING
httpHost                 117  STRING
httpContentLength        118  STRING
httpAge                  119  STRING
httpAccept               120  STRING
httpAcceptLanguage       121  STRING
httpContentType          122  STRING
httpResponse             123  STRING
httpCookie               220  STRING
httpSetCookie            221  STRING
httpAuthorization        252  STRING
httpVia                  253  STRING
httpX-Forwarded-For      254  STRING
httpRefresh              256  STRING
httpIMEI                 257  STRING
httpIMSI                 258  STRING
httpMSISDN               259  STRING
httpSubscriber           260  STRING
httpExpires              255  STRING
httpAcceptCharset        261  STRING
httpAcceptEncoding       262  STRING
httpAllow                263  STRING
httpDate                 264  STRING
httpExpect               265  STRING
httpFrom                 266  STRING
httpProxyAuthentication  267  STRING
httpUpgrade              268  STRING
httpWarning              269  STRING
httpDNT                  270  STRING
httpX-Forwarded-Proto    271  STRING
httpX-Forwarded-Host     272  STRING
httpX-Forwarded-Server   273  STRING
httpX-DeviceID           274  STRING
httpX-Profile            275  STRING
httpLastModified         276  STRING
httpContentEncoding      277  STRING
httpContentLanguage      278  STRING
httpContentLocation      279  STRING
httpX-UA-Compatible      280  STRING
=======================  ===  ======

YAF_SLP_LIST

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

===================  ===  ======
Information Element  ID   TYPE
===================  ===  ======
slpVersion           128  UINT8
slpMessageType       129  UINT8
slpString            130  STRING
===================  ===  ======

YAF_FTP_LIST

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

===================  ===  ======
Information Element  ID   TYPE
===================  ===  ======
ftpReturn            131  STRING
ftpUser              132  STRING
ftpPass              133  STRING
ftpType              134  STRING
ftpRespCode          135  STRING
===================  ===  ======

YAF_IMAP_LIST

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

===================  ===  ======
Information Element  ID   TYPE
===================  ===  ======
imapCapability       136  STRING
imapLogin            137  STRING
imapStartTLS         138  STRING
imapAuthenticate     139  STRING
imapCommand          140  STRING
imapExists           141  STRING
imapRecent           142  STRING
===================  ===  ======

YAF_RTSP_LIST

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

===================  ===  ======
Information Element  ID   TYPE
===================  ===  ======
rtspURL              143  STRING
rtspVersion          144  STRING
rtspReturnCode       145  STRING
rtspContentLength    146  STRING
rtspCommand          147  STRING
rtspContentType      148  STRING
rtspTransport        149  STRING
rtspCSeq             150  STRING
rtspLocation         151  STRING
rtspPacketsReceived  152  STRING
rtspUserAgent        153  STRING
rtspJitter           154  STRING
===================  ===  ======

YAF_SIP_LIST

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

===================  ===  ======
Information Element  ID   TYPE
===================  ===  ======
sipInvite            155  STRING
sipCommand           156  STRING
sipVia               157  STRING
sipMaxForwards       158  STRING
sipAddress           159  STRING
sipContentLength     160  STRING
sipUserAgent         161  STRING
===================  ===  ======

YAF_SMTP_LIST

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

======================  ===  ======
Information Element     ID   TYPE
======================  ===  ======
smtpHello               162  STRING
smtpFrom                163  STRING
smtpTo                  164  STRING
smtpContentType         165  STRING
smtpSubject             166  STRING
smtpFilename            167  STRING
smtpContentDisposition  168  STRING
smtpResponse            169  STRING
smtpEnhanced            170  STRING
smtpSize                222  STRING
smtpDate                251  STRING
======================  ===  ======

YAF_DNS_LIST

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

======================  ===  ===========
Information Element     ID   TYPE
======================  ===  ===========
dnsQueryResponse        174  UINT8
dnsQRType               175  UINT16
dnsAuthoritative        176  UINT8
dnsNXDomain             177  UINT8
dnsRRSection            178  UINT8
dnsQName                179  STRING
dnsCName                180  STRING
dnsMXPreference         181  UINT16
dnsMXExchange           182  STRING
dnsNSDName              183  STRING
dnsPTRDName             184  STRING
dnsTTL                  199  UINT32
dnsTXTData              208  STRING
dnsSOASerial            209  UINT32
dnsSOARefresh           210  UINT32
dnsSOARetry             211  UINT32
dnsSOAExpire            212  UINT32
dnsSOAMinimum           213  UINT32
dnsSOAMName             214  STRING
dnsSOARName             215  STRING
dnsSRVPriority          216  UINT16
dnsSRVWeight            217  UINT16
dnsSRVPort              218  UINT16
dnsSRVTarget            219  STRING
dnsID                   226  UINT16
dnsAlgorithm            227  UINT8
dnsKeyTag               228  UINT16
dnsSigner               229  STRING
dnsSignature            230  OCTET ARRAY
dnsDigest               231  OCTET ARRAY
dnsPublicKey            232  OCTET ARRAY
dnsSalt                 233  OCTET ARRAY
dnsHashData             234  OCTET ARRAY
dnsIterations           235  UINT16
dnsSignatureExpiration  236  UINT32
dnsSignatureInception   237  UINT32
dnsDigestType           238  UINT8
dnsLabels               239  UINT8
dnsTypeCovered          240  UINT16
dnsFlags                241  UINT16
======================  ===  ===========

YAF_SSL_LIST

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

==========================  ===  ======
Information Element         ID   TYPE
==========================  ===  ======
sslCipher                   185  UINT32
sslClientVersion            186  UINT8
sslServerCipher             187  UINT32
sslCompressionMethod        188  UINT8
sslCertVersion              189  UINT8
sslCertSignature            190  STRING
sslCertIssuerCountryName    191  STRING
sslCertIssuerOrgName        192  STRING
sslCertIssuerOrgUnitName    193  STRING
sslCertIssuerZipCode        194  STRING
sslCertIssuerState          195  STRING
sslCertIssuerCommonName     196  STRING
sslCertIssuerLocalityName   197  STRING
sslCertIssuerStreetAddress  198  STRING
sslCertSubCountryName       200  STRING
sslCertSubOrgName           201  STRING
sslCertSubOrgUnitName       202  STRING
sslCertSubZipCode           203  STRING
sslCertSubState             204  STRING
sslCertSubCommonName        205  STRING
sslCertSubLocalityName      206  STRING
sslCertSubStreetAddress     207  STRING
sslCertSerialNumber         208  STRING
sslObjectType               245  UINT8
sslObjectValue              246  STRING
sslCertValidityNotBefore    247  STRING
sslCertValidityNotAfter     248  STRING
sslCertPublicKeyAlgorithm   249  STRING
sslCertPublicKeyLength      250  UINT16
sslRecordVersion            288  UINT16
==========================  ===  ======

YAF_DPI_LIST

This list contains miscellaneous Information Elements from the remaining protocols YAF decodes. Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

======================  ===  ===========
Information Element     ID   TYPE
======================  ===  ===========
mysqlUsername           223  STRING
mysqlCommandCode        224  UINT8
mysqlCommandText        225  STRING
pop3TextMessage         124  STRING
ircTextMessage          125  STRING
tftpFilename            126  STRING
tftpMode                127  STRING
dhcpFingerPrint         242  STRING
dhcpVendorCode          243  STRING
dnp3SourceAddress       281  UINT16
dnp3DestinationAddress  282  UINT16
dnp3Function            283  UINT8
dnp3ObjectData          284  OCTET ARRAY
modbusData              285  OCTET ARRAY
ethernetIPData          286  OCTET ARRAY
rtpPayloadType          287  UINT8
======================  ===  ===========