=============================================================
`pyfixbuf.yaflists` --- Pre-defined Information Element Lists
=============================================================

.. automodule:: pyfixbuf.yaflists

The `pyfixbuf.yaflists` module defines variables which specify lists of CERT
enterprise-specific Information Elements.  The Elements may be added to an
Information Model (:class:`pyfixbuf.InfoModel`) by invoking
:meth:`pyfixbuf.InfoModel.add_element_list` with one of the list variables as
an argument.

  **NOTE:** The following variables are outdated and incomplete and should not be
  used in new code.  Please change your code so it adds the CERT Information
  Elements to your model by loading them from the :mod:`pyfixbuf.cert`
  package, as shown in this example::

    # create your model as normal
    model = pyfixbuf.InfoModel()

    # add this:
    import pyfixbuf.cert
    pyfixbuf.cert.add_elements_to_model(model)


As of pyfixbuf-0.9.0, these variables are no longer imported into the
:mod:`pyfixbuf` module.  To use them, you must explicitly import them::

  import pyfixbuf
  from pyfixbuf.yaflists import YAF_LIST, YAF_DNS_LIST, YAF_DPI_LIST
  from pyfixbuf.yaflists import YAF_FLOW_STATS_LIST, YAF_FTP_LIST
  from pyfixbuf.yaflists import YAF_HTTP_LIST, YAF_IMAP_LIST, YAF_RTSP_LIST
  from pyfixbuf.yaflists import YAF_SIP_LIST, YAF_SLP_LIST, YAF_SMTP_LIST
  from pyfixbuf.yaflists import YAF_SSL_LIST, YAF_STATS_LIST

The :class:`pyfixbuf.InfoElement` objects in these lists use the CERT private
enterprise number (PEN) 6871.  Each list contains Elements that are related to
a particular internet protocol (e.g., HTTP, DNS, SMTP).  The variables
`YAF_LIST`_ and `YAF_STATS_LIST`_ are necessary for reading the IPFIX streams
created by YAF_ when its deep-packet inspection feature is disabled.

.. _YAF: https://tools.netsa.cert.org/yaf/index.html
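
On the wire, each Element in these lists is identified by the pair (PEN 6871, ID). The following added example is not part of pyfixbuf and does not import it: it decodes IPFIX template field specifiers in the RFC 7011 layout and names the CERT elements from a few rows copied from the tables on this page. The function names and the sample bytes are constructed for illustration.

```python
import struct

CERT_PEN = 6871   # CERT private enterprise number, as stated on this page
VARLEN = 0xFFFF   # RFC 7011: field length 65535 marks a variable-length element

# A few ID -> name rows copied from the tables on this page (not the full lists).
CERT_ELEMENTS = {14: "initialTCPFlags", 15: "unionTCPFlags",
                 33: "silkAppLabel", 179: "dnsQName"}

def parse_field_specifiers(buf, count):
    """Decode `count` IPFIX field specifiers into (pen, id, length) tuples."""
    fields, offset = [], 0
    for _ in range(count):
        if len(buf) - offset < 4:
            raise ValueError("truncated field specifier")
        raw_id, length = struct.unpack_from("!HH", buf, offset)
        offset += 4
        pen = 0  # 0 here means an IANA-registered element
        if raw_id & 0x8000:  # enterprise bit set: a 4-byte PEN follows
            if len(buf) - offset < 4:
                raise ValueError("truncated enterprise number")
            (pen,) = struct.unpack_from("!I", buf, offset)
            offset += 4
        fields.append((pen, raw_id & 0x7FFF, length))
    return fields

def describe(fields):
    """Name each field; CERT IDs missing from the table are flagged."""
    out = []
    for pen, ie_id, length in fields:
        if pen == CERT_PEN:
            name = CERT_ELEMENTS.get(ie_id, "UNKNOWN-CERT-%d" % ie_id)
        else:
            name = "pen%d/id%d" % (pen, ie_id)
        out.append((name, "varlen" if length == VARLEN else length))
    return out

# Constructed sample: IANA sourceIPv4Address (id 8, 4 bytes), then CERT
# initialTCPFlags (1 byte), dnsQName (varlen) and an ID absent from the table.
SAMPLE = (struct.pack("!HH", 8, 4)
          + struct.pack("!HHI", 0x8000 | 14, 1, CERT_PEN)
          + struct.pack("!HHI", 0x8000 | 179, VARLEN, CERT_PEN)
          + struct.pack("!HHI", 0x8000 | 999, 2, CERT_PEN))

if __name__ == "__main__":
    print(describe(parse_field_specifiers(SAMPLE, 4)))
```

An ID reported as unknown corresponds to an Element the Information Model does not contain.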

YAF_LIST
====================

.. list-table::
   :header-rows: 1
   :widths: 60, 1, 20, 100

   * - Information Element
     - ID
     - TYPE
     - Description
   * - initialTCPFlags
     - 14
     - UINT8
     - Initial sequence number of the forward direction of the flow
   * - unionTCPFlags
     - 15
     - UINT8
     - Union of TCP flags of all packets other than the initial packet in the forward direction of the flow
   * - reverseFlowDeltaMilliseconds
     - 21
     - UINT32
     - Difference in time in milliseconds between first packet in forward direction and first packet in reverse direction
   * - silkAppLabel
     - 33
     - UINT16
     - Application label, defined as the primary well-known port associated with a given application.
   * - osName
     - 36
     - STRING
     - p0f OS Name for the forward flow based on the SYN packet and p0f SYN Fingerprints.
   * - payload
     - 36
     - OCTET ARRAY
     - Initial n bytes of forward direction of flow payload.
   * - osVersion
     - 37
     - STRING
     - p0f OS Version for the forward flow based on the SYN packet and p0f SYN Fingerprints.
   * - firstPacketBanner
     - 38
     - OCTET ARRAY
     - IP and transport headers for first packet in forward direction to be used for external OS Fingerprinters.
   * - secondPacketBanner
     - 39
     - OCTET ARRAY
     - IP and transport headers for first packet in forward direction to be used for external OS Fingerprinters.
   * - flowAttributes
     - 40
     - UINT16
     - Miscellaneous flow attributes for the forward direction of the flow
   * - osFingerPrint
     - 107
     - STRING
     - p0f OS Fingerprint for the forward flow based on the SYN packet and p0f SYN fingerprints.
   * - yafFlowKeyHash
     - 106
     - UINT32
     - The 32-bit hash of the 5-tuple and VLAN that is used as the key to YAF's internal flow table.

YAF_STATS_LIST
====================

.. list-table::
   :header-rows: 1
   :widths: 50, 1, 20, 100

   * - Information Element
     - ID
     - TYPE
     - Description
   * - expiredFragmentCount
     - 100
     - UINT32
     - Total number of fragments that have been expired since yaf start time.
   * - assembledFragmentCount
     - 101
     - UINT32
     - Total number of packets that have been assembled from a series of fragments since yaf start time.
   * - meanFlowRate
     - 102
     - UINT32
     - The mean flow rate of the yaf flow sensor since yaf start time, rounded to the nearest integer.
   * - meanPacketRate
     - 103
     - UINT32
     - The mean packet rate of the yaf flow sensor since yaf start time, rounded to the nearest integer.
   * - flowTableFlushEventCount
     - 104
     - UINT32
     - Total number of times the yaf flow table has been flushed since yaf start time.
   * - flowTablePeakCount
     - 105
     - UINT32
     - The maximum number of flows in the yaf flow table at any one time since yaf start time.

YAF_FLOW_STATS_LIST
====================

.. list-table::
   :header-rows: 1
   :widths: 50, 1, 20, 100

   * - Information Element
     - ID
     - TYPE
     - Description
   * - smallPacketCount
     - 500
     - UINT32
     - The number of packets that contain less than 60 bytes of payload.
   * - nonEmptyPacketCount
     - 501
     - UINT32
     - The number of packets that contain at least 1 byte of payload.
   * - dataByteCount
     - 502
     - UINT64
     - Total bytes transferred as payload.
   * - averageInterarrivalTime
     - 503
     - UINT64
     - Average number of milliseconds between packets.
   * - standardDeviationInterarrivalTime
     - 504
     - UINT64
     - Standard deviation of the interarrival time for up to the first ten packets.
   * - firstNonEmptyPacketSize
     - 505
     - UINT16
     - Payload length of the first non-empty packet.
   * - maxPacketSize
     - 506
     - UINT16
     - The largest payload length transferred in the flow.
   * - firstEightNonEmptyPacketDirections
     - 507
     - UINT8
     - Represents directionality for the first 8 non-empty packets. 0 for forward direction, 1 for reverse direction.
   * - standardDeviationPayloadLength
     - 508
     - UINT16
     - The standard deviation of the payload length for up to the first 10 non-empty packets.
   * - tcpUrgCount
     - 509
     - UINT32
     - The number of TCP packets that have the URGENT Flag set.
   * - largePacketCount
     - 510
     - UINT32
     - The number of packets that contain at least 220 bytes of payload.


YAF_HTTP_LIST
====================

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - httpServerString
     - 110
     - STRING
   * - httpUserAgent
     - 111
     - STRING
   * - httpGet
     - 112
     - STRING
   * - httpConnection
     - 113
     - STRING
   * - httpVersion
     - 114
     - STRING
   * - httpReferer
     - 115
     - STRING
   * - httpLocation
     - 116
     - STRING
   * - httpHost
     - 117
     - STRING
   * - httpContentLength
     - 118
     - STRING
   * - httpAge
     - 119
     - STRING
   * - httpAccept
     - 120
     - STRING
   * - httpAcceptLanguage
     - 121
     - STRING
   * - httpContentType
     - 122
     - STRING
   * - httpResponse
     - 123
     - STRING
   * - httpCookie
     - 220
     - STRING
   * - httpSetCookie
     - 221
     - STRING
   * - httpAuthorization
     - 252
     - STRING
   * - httpVia
     - 253
     - STRING
   * - httpX-Forwarded-For
     - 254
     - STRING
   * - httpRefresh
     - 256
     - STRING
   * - httpIMEI
     - 257
     - STRING
   * - httpIMSI
     - 258
     - STRING
   * - httpMSISDN
     - 259
     - STRING
   * - httpSubscriber
     - 260
     - STRING
   * - httpExpires
     - 255
     - STRING
   * - httpAcceptCharset
     - 261
     - STRING
   * - httpAcceptEncoding
     - 262
     - STRING
   * - httpAllow
     - 263
     - STRING
   * - httpDate
     - 264
     - STRING
   * - httpExpect
     - 265
     - STRING
   * - httpFrom
     - 266
     - STRING
   * - httpProxyAuthentication
     - 267
     - STRING
   * - httpUpgrade
     - 268
     - STRING
   * - httpWarning
     - 269
     - STRING
   * - httpDNT
     - 270
     - STRING
   * - httpX-Forwarded-Proto
     - 271
     - STRING
   * - httpX-Forwarded-Host
     - 272
     - STRING
   * - httpX-Forwarded-Server
     - 273
     - STRING
   * - httpX-DeviceID
     - 274
     - STRING
   * - httpX-Profile
     - 275
     - STRING
   * - httpLastModified
     - 276
     - STRING
   * - httpContentEncoding
     - 277
     - STRING
   * - httpContentLanguage
     - 278
     - STRING
   * - httpContentLocation
     - 279
     - STRING
   * - httpX-UA-Compatible
     - 280
     - STRING

YAF_SLP_LIST
====================

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - slpVersion
     - 128
     - UINT8
   * - slpMessageType
     - 129
     - UINT8
   * - slpString
     - 130
     - STRING

YAF_FTP_LIST
====================

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - ftpReturn
     - 131
     - STRING
   * - ftpUser
     - 132
     - STRING
   * - ftpPass
     - 133
     - STRING
   * - ftpType
     - 134
     - STRING
   * - ftpRespCode
     - 135
     - STRING

YAF_IMAP_LIST
====================

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - imapCapability
     - 136
     - STRING
   * - imapLogin
     - 137
     - STRING
   * - imapStartTLS
     - 138
     - STRING
   * - imapAuthenticate
     - 139
     - STRING
   * - imapCommand
     - 140
     - STRING
   * - imapExists
     - 141
     - STRING
   * - imapRecent
     - 142
     - STRING

YAF_RTSP_LIST
====================

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - rtspURL
     - 143
     - STRING
   * - rtspVersion
     - 144
     - STRING
   * - rtspReturnCode
     - 145
     - STRING
   * - rtspContentLength
     - 146
     - STRING
   * - rtspCommand
     - 147
     - STRING
   * - rtspContentType
     - 148
     - STRING
   * - rtspTransport
     - 149
     - STRING
   * - rtspCSeq
     - 150
     - STRING
   * - rtspLocation
     - 151
     - STRING
   * - rtspPacketsReceived
     - 152
     - STRING
   * - rtspUserAgent
     - 153
     - STRING
   * - rtspJitter
     - 154
     - STRING

YAF_SIP_LIST
====================

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - sipInvite
     - 155
     - STRING
   * - sipCommand
     - 156
     - STRING
   * - sipVia
     - 157
     - STRING
   * - sipMaxForwards
     - 158
     - STRING
   * - sipAddress
     - 159
     - STRING
   * - sipContentLength
     - 160
     - STRING
   * - sipUserAgent
     - 161
     - STRING


YAF_SMTP_LIST
====================

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - smtpHello
     - 162
     - STRING
   * - smtpFrom
     - 163
     - STRING
   * - smtpTo
     - 164
     - STRING
   * - smtpContentType
     - 165
     - STRING
   * - smtpSubject
     - 166
     - STRING
   * - smtpFilename
     - 167
     - STRING
   * - smtpContentDisposition
     - 168
     - STRING
   * - smtpResponse
     - 169
     - STRING
   * - smtpEnhanced
     - 170
     - STRING
   * - smtpSize
     - 222
     - STRING
   * - smtpDate
     - 251
     - STRING


YAF_DNS_LIST
====================

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - dnsQueryResponse
     - 174
     - UINT8
   * - dnsQRType
     - 175
     - UINT16
   * - dnsAuthoritative
     - 176
     - UINT8
   * - dnsNXDomain
     - 177
     - UINT8
   * - dnsRRSection
     - 178
     - UINT8
   * - dnsQName
     - 179
     - STRING
   * - dnsCName
     - 180
     - STRING
   * - dnsMXPreference
     - 181
     - UINT16
   * - dnsMXExchange
     - 182
     - STRING
   * - dnsNSDName
     - 183
     - STRING
   * - dnsPTRDName
     - 184
     - STRING
   * - dnsTTL
     - 199
     - UINT32
   * - dnsTXTData
     - 208
     - STRING
   * - dnsSOASerial
     - 209
     - UINT32
   * - dnsSOARefresh
     - 210
     - UINT32
   * - dnsSOARetry
     - 211
     - UINT32
   * - dnsSOAExpire
     - 212
     - UINT32
   * - dnsSOAMinimum
     - 213
     - UINT32
   * - dnsSOAMName
     - 214
     - STRING
   * - dnsSOARName
     - 215
     - STRING
   * - dnsSRVPriority
     - 216
     - UINT16
   * - dnsSRVWeight
     - 217
     - UINT16
   * - dnsSRVPort
     - 218
     - UINT16
   * - dnsSRVTarget
     - 219
     - STRING
   * - dnsID
     - 226
     - UINT16
   * - dnsAlgorithm
     - 227
     - UINT8
   * - dnsKeyTag
     - 228
     - UINT16
   * - dnsSigner
     - 229
     - STRING
   * - dnsSignature
     - 230
     - OCTET ARRAY
   * - dnsDigest
     - 231
     - OCTET ARRAY
   * - dnsPublicKey
     - 232
     - OCTET ARRAY
   * - dnsSalt
     - 233
     - OCTET ARRAY
   * - dnsHashData
     - 234
     - OCTET ARRAY
   * - dnsIterations
     - 235
     - UINT16
   * - dnsSignatureExpiration
     - 236
     - UINT32
   * - dnsSignatureInception
     - 237
     - UINT32
   * - dnsDigestType
     - 238
     - UINT8
   * - dnsLabels
     - 239
     - UINT8
   * - dnsTypeCovered
     - 240
     - UINT16
   * - dnsFlags
     - 241
     - UINT16

YAF_SSL_LIST
====================

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - sslCipher
     - 185
     - UINT32
   * - sslClientVersion
     - 186
     - UINT8
   * - sslServerCipher
     - 187
     - UINT32
   * - sslCompressionMethod
     - 188
     - UINT8
   * - sslCertVersion
     - 189
     - UINT8
   * - sslCertSignature
     - 190
     - STRING
   * - sslCertIssuerCountryName
     - 191
     - STRING
   * - sslCertIssuerOrgName
     - 192
     - STRING
   * - sslCertIssuerOrgUnitName
     - 193
     - STRING
   * - sslCertIssuerZipCode
     - 194
     - STRING
   * - sslCertIssuerState
     - 195
     - STRING
   * - sslCertIssuerCommonName
     - 196
     - STRING
   * - sslCertIssuerLocalityName
     - 197
     - STRING
   * - sslCertIssuerStreetAddress
     - 198
     - STRING
   * - sslCertSubCountryName
     - 200
     - STRING
   * - sslCertSubOrgName
     - 201
     - STRING
   * - sslCertSubOrgUnitName
     - 202
     - STRING
   * - sslCertSubZipCode
     - 203
     - STRING
   * - sslCertSubState
     - 204
     - STRING
   * - sslCertSubCommonName
     - 205
     - STRING
   * - sslCertSubLocalityName
     - 206
     - STRING
   * - sslCertSubStreetAddress
     - 207
     - STRING
   * - sslCertSerialNumber
     - 208
     - STRING
   * - sslObjectType
     - 245
     - UINT8
   * - sslObjectValue
     - 246
     - STRING
   * - sslCertValidityNotBefore
     - 247
     - STRING
   * - sslCertValidityNotAfter
     - 248
     - STRING
   * - sslCertPublicKeyAlgorithm
     - 249
     - STRING
   * - sslCertPublicKeyLength
     - 250
     - UINT16
   * - sslRecordVersion
     - 288
     - UINT16

YAF_DPI_LIST
====================

This list contains miscellaneous Information Elements from the remaining protocols YAF decodes.  Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - mysqlUsername
     - 223
     - STRING
   * - mysqlCommandCode
     - 224
     - UINT8
   * - mysqlCommandText
     - 225
     - STRING
   * - pop3TextMessage
     - 124
     - STRING
   * - ircTextMessage
     - 125
     - STRING
   * - tftpFilename
     - 126
     - STRING
   * - tftpMode
     - 127
     - STRING
   * - dhcpFingerPrint
     - 242
     - STRING
   * - dhcpVendorCode
     - 243
     - STRING
   * - dnp3SourceAddress
     - 281
     - UINT16
   * - dnp3DestinationAddress
     - 282
     - UINT16
   * - dnp3Function
     - 283
     - UINT8
   * - dnp3ObjectData
     - 284
     - OCTET_ARRAY
   * - modbusData
     - 285
     - OCTET_ARRAY
   * - ethernetIPData
     - 286
     - OCTET_ARRAY
   * - rtpPayloadType
     - 287
     - UINT8


