#ifndef CERT_IE_H_
#define CERT_IE_H_
/*
 * Information elements that YAF exports under the CERT private enterprise
 * number (CERT_PEN).  Each FB_IE_INIT entry gives the element name, the PEN,
 * the element id, the wire length (FB_IE_VARLEN for variable-length values)
 * and the element flags; the trailing FB_IE_NULL entry terminates the array
 * and must stay last.
 *
 * NOTE(review): this is a header-scope `static` definition, so every
 * translation unit that includes this header gets its own copy of the table.
 * Presumably only one .c file includes it -- confirm before adding includers.
 *
 * The ids are not in ascending order (107 precedes 100); nothing here relies
 * on sorted order, so do not assume it when adding entries.
 *
 * Security note: "payload" (id 18) is, by its name, a capture of flow
 * content rather than a derived statistic.  Output that includes it can
 * contain whatever the monitored traffic carried, so files and collectors
 * that receive these records need the same access control as a packet
 * capture.
 */
static fbInfoElement_t yaf_info_elements[] = {
/* FB_IE_F_REVERSIBLE marks elements that also exist as a reverse-direction
 * counterpart; FB_IE_F_ENDIAN marks fixed-width integers needing byte-order
 * conversion. */
FB_IE_INIT("initialTCPFlags", CERT_PEN, 14, 1, FB_IE_F_ENDIAN | FB_IE_F_REVERSIBLE),
FB_IE_INIT("unionTCPFlags", CERT_PEN, 15, 1, FB_IE_F_ENDIAN | FB_IE_F_REVERSIBLE),
/* raw flow content; see the security note above */
FB_IE_INIT("payload", CERT_PEN, 18, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
FB_IE_INIT("reverseFlowDeltaMilliseconds", CERT_PEN, 21, 4, FB_IE_F_ENDIAN),
FB_IE_INIT("silkAppLabel", CERT_PEN, 33, 2, FB_IE_F_ENDIAN),
FB_IE_INIT("payloadEntropy", CERT_PEN, 35, 1, FB_IE_F_REVERSIBLE),
/* passive OS fingerprinting results, variable-length strings */
FB_IE_INIT("osName", CERT_PEN, 36, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
FB_IE_INIT("osVersion", CERT_PEN, 37, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
FB_IE_INIT("firstPacketBanner", CERT_PEN, 38, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
FB_IE_INIT("secondPacketBanner", CERT_PEN, 39, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
FB_IE_INIT("flowAttributes", CERT_PEN, 40, 2, FB_IE_F_ENDIAN | FB_IE_F_REVERSIBLE),
/* id 107 sits out of numeric order on purpose; keep it with the OS group */
FB_IE_INIT("osFingerPrint", CERT_PEN, 107, FB_IE_VARLEN, FB_IE_F_REVERSIBLE),
/* fragment-reassembly and flow-table statistics (ids 100-105) */
FB_IE_INIT("expiredFragmentCount", CERT_PEN, 100, 4, FB_IE_F_ENDIAN),
FB_IE_INIT("assembledFragmentCount", CERT_PEN, 101, 4, FB_IE_F_ENDIAN),
FB_IE_INIT("meanFlowRate", CERT_PEN, 102, 4, FB_IE_F_ENDIAN),
FB_IE_INIT("meanPacketRate", CERT_PEN, 103, 4, FB_IE_F_ENDIAN),
FB_IE_INIT("flowTableFlushEventCount", CERT_PEN, 104, 4, FB_IE_F_ENDIAN),
FB_IE_INIT("flowTablePeakCount", CERT_PEN, 105, 4, FB_IE_F_ENDIAN),
/* terminator -- must remain the last entry */
FB_IE_NULL
};
/*
 * Deep-packet-inspection (DPI) information elements, exported under
 * CERT_PEN only when YAF is built with YAF_ENABLE_HOOKS.  Same layout as
 * yaf_info_elements: name, PEN, id, wire length, flags, FB_IE_NULL last.
 *
 * NOTE(review): FB_IE_F_ENDIAN is set on every entry, including the
 * variable-length ones.  For FB_IE_VARLEN octet/string elements a byte-order
 * flag presumably has no effect -- confirm against the fixbuf transcoder
 * before relying on it either way.
 *
 * Security note: these elements carry application-layer content, and the
 * names identify some of it as credentials or session state (ftpPass,
 * imapLogin, imapAuthenticate, mysqlUsername, httpCookie, httpSetCookie)
 * and some as message bodies (pop3TextMessage, ircTextMessage,
 * smtpSubject).  Records produced with hooks enabled therefore need the
 * same handling, retention and access controls as a full payload capture,
 * and downstream consumers should not log them verbatim.
 *
 * Like yaf_info_elements, this is a header-scope `static` definition and is
 * duplicated in every translation unit that includes the header.
 */
#if YAF_ENABLE_HOOKS
static fbInfoElement_t yaf_dpi_info_elements[] = {
/* HTTP request/response headers (ids 110-123; cookies are 220-221 below) */
FB_IE_INIT("httpServerString", CERT_PEN, 110, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("httpUserAgent", CERT_PEN, 111, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("httpGet", CERT_PEN, 112, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("httpConnection", CERT_PEN, 113, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("httpVersion", CERT_PEN, 114, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("httpReferer", CERT_PEN, 115, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("httpLocation", CERT_PEN, 116, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("httpHost", CERT_PEN, 117, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("httpContentLength", CERT_PEN, 118, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("httpAge", CERT_PEN, 119, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("httpAccept", CERT_PEN, 120, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("httpAcceptLanguage", CERT_PEN, 121, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("httpContentType", CERT_PEN, 122, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("httpResponse", CERT_PEN, 123, FB_IE_VARLEN, FB_IE_F_ENDIAN),
/* POP3 / IRC message text -- user content, see the security note */
FB_IE_INIT("pop3TextMessage", CERT_PEN, 124, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("ircTextMessage", CERT_PEN, 125, FB_IE_VARLEN, FB_IE_F_ENDIAN),
/* TFTP */
FB_IE_INIT("tftpFilename", CERT_PEN, 126, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("tftpMode", CERT_PEN, 127, FB_IE_VARLEN, FB_IE_F_ENDIAN),
/* SLP; version and message type are 1-byte integers */
FB_IE_INIT("slpVersion", CERT_PEN, 128, 1, FB_IE_F_ENDIAN),
FB_IE_INIT("slpMessageType", CERT_PEN, 129, 1, FB_IE_F_ENDIAN),
FB_IE_INIT("slpString", CERT_PEN, 130, FB_IE_VARLEN, FB_IE_F_ENDIAN),
/* FTP; ftpPass (133) is a plaintext credential */
FB_IE_INIT("ftpReturn", CERT_PEN, 131, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("ftpUser", CERT_PEN, 132, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("ftpPass", CERT_PEN,133, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("ftpType", CERT_PEN,134, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("ftpRespCode", CERT_PEN,135, FB_IE_VARLEN, FB_IE_F_ENDIAN),
/* IMAP; imapLogin / imapAuthenticate may carry credentials */
FB_IE_INIT("imapCapability", CERT_PEN, 136, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("imapLogin", CERT_PEN, 137, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("imapStartTLS", CERT_PEN, 138, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("imapAuthenticate", CERT_PEN, 139, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("imapCommand", CERT_PEN, 140, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("imapExists", CERT_PEN, 141, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("imapRecent", CERT_PEN, 142, FB_IE_VARLEN, FB_IE_F_ENDIAN),
/* RTSP */
FB_IE_INIT("rtspURL", CERT_PEN, 143, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("rtspVersion", CERT_PEN, 144, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("rtspReturnCode", CERT_PEN, 145, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("rtspContentLength", CERT_PEN, 146, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("rtspCommand", CERT_PEN, 147, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("rtspContentType", CERT_PEN, 148, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("rtspTransport", CERT_PEN, 149, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("rtspCSeq", CERT_PEN, 150, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("rtspLocation", CERT_PEN, 151, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("rtspPacketsReceived", CERT_PEN, 152, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("rtspUserAgent", CERT_PEN, 153, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("rtspJitter", CERT_PEN, 154, FB_IE_VARLEN, FB_IE_F_ENDIAN),
/* SIP */
FB_IE_INIT("sipInvite", CERT_PEN, 155, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sipCommand", CERT_PEN, 156, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sipVia", CERT_PEN, 157, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sipMaxForwards", CERT_PEN, 158, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sipAddress", CERT_PEN, 159, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sipContentLength", CERT_PEN, 160, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sipUserAgent", CERT_PEN, 161, FB_IE_VARLEN, FB_IE_F_ENDIAN),
/* SMTP envelope and headers (smtpSize is 222 below) */
FB_IE_INIT("smtpHello", CERT_PEN, 162, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("smtpFrom", CERT_PEN, 163, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("smtpTo", CERT_PEN, 164, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("smtpContentType", CERT_PEN, 165, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("smtpSubject", CERT_PEN, 166, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("smtpFilename", CERT_PEN, 167, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("smtpContentDisposition", CERT_PEN, 168, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("smtpResponse", CERT_PEN, 169, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("smtpEnhanced", CERT_PEN, 170, FB_IE_VARLEN, FB_IE_F_ENDIAN),
/* SSH / NNTP */
FB_IE_INIT("sshVersion", CERT_PEN, 171, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("nntpResponse", CERT_PEN, 172, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("nntpCommand", CERT_PEN, 173, FB_IE_VARLEN, FB_IE_F_ENDIAN),
/* DNS (174-184; more DNS ids at 199 and 208-219, dnsID at 226) */
FB_IE_INIT("dnsQueryResponse", CERT_PEN, 174, 1, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsQRType", CERT_PEN, 175, 2, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsAuthoritative", CERT_PEN, 176, 1, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsNXDomain", CERT_PEN, 177, 1, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsRRSection", CERT_PEN, 178, 1, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsQName", CERT_PEN, 179, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsCName", CERT_PEN, 180, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsMXPreference", CERT_PEN, 181, 2, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsMXExchange", CERT_PEN, 182, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsNSDName", CERT_PEN, 183, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsPTRDName", CERT_PEN, 184, FB_IE_VARLEN, FB_IE_F_ENDIAN),
/* SSL/TLS handshake and certificate issuer fields (185-198) */
FB_IE_INIT("sslCipher", CERT_PEN, 185, 4, FB_IE_F_ENDIAN),
FB_IE_INIT("sslClientVersion", CERT_PEN, 186, 1, FB_IE_F_ENDIAN),
FB_IE_INIT("sslServerCipher", CERT_PEN, 187, 4, FB_IE_F_ENDIAN),
FB_IE_INIT("sslCompressionMethod", CERT_PEN, 188, 1, FB_IE_F_ENDIAN),
FB_IE_INIT("sslCertVersion", CERT_PEN, 189, 1, FB_IE_F_ENDIAN),
FB_IE_INIT("sslCertSignature", CERT_PEN, 190, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sslCertIssuerCountryName", CERT_PEN, 191, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sslCertIssuerOrgName", CERT_PEN, 192, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sslCertIssuerOrgUnitName", CERT_PEN, 193, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sslCertIssuerZipCode", CERT_PEN, 194, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sslCertIssuerState", CERT_PEN, 195, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sslCertIssuerCommonName", CERT_PEN, 196, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sslCertIssuerLocalityName", CERT_PEN, 197, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sslCertIssuerStreetAddress", CERT_PEN, 198, FB_IE_VARLEN, FB_IE_F_ENDIAN),
/* id 199 is a DNS element wedged between the two SSL groups; do not reuse */
FB_IE_INIT("dnsTTL", CERT_PEN, 199, 4, FB_IE_F_ENDIAN),
/* SSL/TLS certificate subject fields (200-207) */
FB_IE_INIT("sslCertSubCountryName", CERT_PEN, 200, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sslCertSubOrgName", CERT_PEN, 201, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sslCertSubOrgUnitName", CERT_PEN, 202, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sslCertSubZipCode", CERT_PEN, 203, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sslCertSubState", CERT_PEN, 204, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sslCertSubCommonName", CERT_PEN, 205, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sslCertSubLocalityName", CERT_PEN, 206, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("sslCertSubStreetAddress", CERT_PEN, 207, FB_IE_VARLEN, FB_IE_F_ENDIAN),
/* DNS resource-record details (208-219) */
FB_IE_INIT("dnsTXTData", CERT_PEN, 208, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsSOASerial", CERT_PEN, 209, 4, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsSOARefresh", CERT_PEN, 210, 4, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsSOARetry", CERT_PEN, 211, 4, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsSOAExpire", CERT_PEN, 212, 4, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsSOAMinimum", CERT_PEN, 213, 4, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsSOAMName", CERT_PEN, 214, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsSOARName", CERT_PEN, 215, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsSRVPriority", CERT_PEN, 216, 2, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsSRVWeight", CERT_PEN, 217, 2, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsSRVPort", CERT_PEN, 218, 2, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsSRVTarget", CERT_PEN, 219, FB_IE_VARLEN, FB_IE_F_ENDIAN),
/* HTTP cookies -- session tokens; treat as sensitive */
FB_IE_INIT("httpCookie", CERT_PEN, 220, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("httpSetCookie", CERT_PEN, 221, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("smtpSize", CERT_PEN, 222, FB_IE_VARLEN, FB_IE_F_ENDIAN),
/* MySQL; mysqlUsername is an account identifier, mysqlCommandText is the
 * query text and can embed data values */
FB_IE_INIT("mysqlUsername", CERT_PEN, 223, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("mysqlCommandCode", CERT_PEN, 224, 1, FB_IE_F_ENDIAN),
FB_IE_INIT("mysqlCommandText", CERT_PEN, 225, FB_IE_VARLEN, FB_IE_F_ENDIAN),
FB_IE_INIT("dnsID", CERT_PEN, 226, 2, FB_IE_F_ENDIAN),
/* terminator -- must remain the last entry */
FB_IE_NULL
};
#endif
#endif