-
Notifications
You must be signed in to change notification settings - Fork 40
/
Copy pathunirec-elements.txt
291 lines (257 loc) · 20.2 KB
/
unirec-elements.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
# This file is part of Unirec output plugin for IPFIXcol2
#
# Entries in this file show mapping from IPFIX Information Elements to UniRec
# fields. You can change setting by editing this file. Each entry consists
# of the following parameters:
# - UniRec field name
# - UniRec data type - one of the following:
# int{8,16,32,64}, uint{8,16,32,64},
# float, double, time, ipaddr, macaddr, char, string, bytes
# int{8,16,32,64}*, uint{8,16,32,64}*, // "array of" types
# float*, double*, time*, ipaddr*, macaddr* // "array of" types
# string_trimmed // trimmed string (i.e. no tailing '\0')
# - Comma separated list of IPFIX Information Elements identifiers
# ("eXXidYY" where XX is Private Enterprise Number and YY is field ID)
#
# See ipfixcol2-unirec-output(1) for details
#
# Note:
# IPFIX IEs "_internal_dbf_" and "_internal_lbf_" represents internal
# conversion functions of UniRec plugin.
#UNIREC NAME UNIREC TYPE IPFIX IEs DESCRIPTION
# --- Basic fields ---
SRC_IP ipaddr e0id8,e0id27 # IPv4 or IPv6 source address
DST_IP ipaddr e0id12,e0id28 # IPv4 or IPv6 destination address
SRC_PORT uint16 e0id7 # Transport protocol source port
DST_PORT uint16 e0id11,e0id32 # Transport protocol destination port or ICMP type/code
PROTOCOL uint8 e0id4 # Transport protocol
TCP_FLAGS uint8 e0id6 # TCP flags
BYTES uint64 e0id1 # Number of bytes in flow
PACKETS uint32 e0id2 # Number of packets in flow
TTL uint8 e0id192 # IP time to live
TTL_REV uint8 e29305id192 # IP time to live rev
TOS uint8 e0id5 # IP type of service
TIME_FIRST time e0id150,e0id152,e0id154,e0id156 # Time of the first packet of a flow
TIME_LAST time e0id151,e0id153,e0id155,e0id157 # Time of the last packet of a flow
DIR_BIT_FIELD uint8 _internal_dbf_ # Bit field used for determining incoming/outgoing flow (1 => Incoming, 0 => Outgoing)
LINK_BIT_FIELD uint64 _internal_lbf_ # Bit field of links on which was flow seen
ODID uint32 _internal_odid_ # Observation Domain ID (ODID) of exporter
EXPORTER_IP ipaddr _internal_exporter_ip_ # IP address of exporter from exporting session
SRC_MAC macaddr e0id56
DST_MAC macaddr e0id80
FLOW_END_REASON uint8 iana:flowEndReason # Reason of exporting the flow record, see https://www.iana.org/assignments/ipfix/ipfix.xhtml#ipfix-flow-end-reason
# --- Additional biflow fields ---
BYTES_REV uint64 e29305id1
PACKETS_REV uint32 e29305id2
TCP_FLAGS_REV uint8 e29305id6
# --- Additional TCP fields ---
TCP_SYN_SIZE uint8 flowmon:tcpSynSize
TCP_SYN_TTL uint8 flowmon:tcpSynTtl
# --- DNS specific fields ---
DNS_ANSWERS uint16 cesnet:DNSAnswers # DNS answers
DNS_RCODE uint8 cesnet:DNSRCode # DNS rcode
DNS_Q_NAME string cesnet:DNSName # DNS name
DNS_Q_TYPE uint16 cesnet:DNSQType # DNS qtype
DNS_Q_CLASS uint16 cesnet:DNSClass # DNS class
DNS_RR_TTL uint32 cesnet:DNSRRTTL # DNS rr ttl
DNS_RR_RLENGTH uint16 cesnet:DNSRDataLength # DNS rlenght
DNS_RR_RDATA bytes cesnet:DNSRData # DNS rdata
DNS_PSIZE uint16 cesnet:DNSPSize # DNS payload size
DNS_DO uint8 cesnet:DNSRDO # DNS DNSSEC OK bit
DNS_ID uint16 cesnet:DNSTransactionID # DNS transaction id
FME_DNS_FLAGS uint16 flowmon:dnsFlagsCodes # DNS header flags
FME_DNS_CNT_QUESTIONS uint16 flowmon:dnsQuestionCount # DNS questions
FME_DNS_CNT_ANSWERS uint16 flowmon:dnsAnswrecCount # DNS answers
FME_DNS_CNT_AUTHS uint16 flowmon:dnsAuthrecCount # DNS auth. records
FME_DNS_CNT_ADDIT uint16 flowmon:dnsAddtrecCount # DNS additional records
FME_DNS_Q_NAME string flowmon:dnsQname # DNS query name
FME_DNS_Q_TYPE uint16 flowmon:dnsQtype # DNS query type
FME_DNS_Q_CLASS uint16 flowmon:dnsQclass # DNS query class
FME_DNS_RR_NAME string flowmon:dnsCrrName # DNS RR name
FME_DNS_RR_TYPE uint16 flowmon:dnsCrrType # DNS RR type
FME_DNS_RR_CLASS uint16 flowmon:dnsCrrClass # DNS RR class
FME_DNS_RR_RDATA bytes flowmon:dnsCrrRdata # DNS RR rdata
FME_DNS_RR_RLENGTH uint16 flowmon:dnsCrrRdataLen # DNS RR rlenght
FME_DNS_ID uint16 flowmon:dnsId # DNS transaction id
FME_DNS_RR_TTL uint32 flowmon:dnsCrrTtl # DNS rr ttl
# Note: Old fields DNS_RCODE, DNS_PSIDE and DNS_DO are not available anymore...
# --- SMTP specific fields ---
SMTP_COMMAND_FLAGS uint32 cesnet:SMTPCommands # SMTP command flags
SMTP_MAIL_CMD_COUNT uint32 cesnet:SMTPMailCount # SMTP MAIL command count
SMTP_RCPT_CMD_COUNT uint32 cesnet:SMTPRcptCount # SMTP RCPT command count
SMTP_FIRST_SENDER string cesnet:SMTPSender # SMTP first sender
SMTP_FIRST_RECIPIENT string cesnet:SMTPRecipient # SMTP first recipient
SMTP_STAT_CODE_FLAGS uint32 cesnet:SMTPStatusCodes # SMTP status code flags
SMTP_2XX_STAT_CODE_COUNT uint32 cesnet:SMTPCode2XXCount # SMTP 2XX status code count
SMTP_3XX_STAT_CODE_COUNT uint32 cesnet:SMTPCode3XXCount # SMTP 3XX status code count
SMTP_4XX_STAT_CODE_COUNT uint32 cesnet:SMTPCode4XXCount # SMTP 4XX status code count
SMTP_5XX_STAT_CODE_COUNT uint32 cesnet:SMTPCode5XXCount # SMTP 5XX status code count
SMTP_DOMAIN string cesnet:SMTPDomain # SMTP domain
# --- SIP specific fields ---
SIP_MSG_TYPE uint16 cesnet:SIPMsgType # SIP message type
SIP_STATUS_CODE uint16 cesnet:SIPStatusCode # SIP status code
SIP_CALL_ID string cesnet:SIPCallID # SIP call id
SIP_CALLING_PARTY string cesnet:SIPCallingParty # SIP from
SIP_CALLED_PARTY string cesnet:SIPCalledParty # SIP to
SIP_VIA string cesnet:SIPVia # SIP VIA
SIP_USER_AGENT string cesnet:SIPUserAgent # SIP user agent
SIP_REQUEST_URI string cesnet:SIPRequestURI # SIP request uri
SIP_CSEQ string cesnet:SIPCseq # SIP CSeq
FME_VOIP_PACKET_TYPE uint8 flowmon:voipPacketType
FME_SIP_INVITE_RINGING_TIME uint64 flowmon:sipInviteRingingTime
FME_SIP_OK_TIME uint64 flowmon:sipOkTime
FME_SIP_BYE_TIME uint64 flowmon:sipByeTime
FME_SIP_RTP_IP4 ipaddr flowmon:sipRtpIp4
FME_SIP_RTP_IP6 ipaddr flowmon:sipRtpIp6
FME_SIP_RTP_AUDIO uint16 flowmon:sipRtpAudio
FME_SIP_RTP_VIDEO uint16 flowmon:sipRtpVideo
FME_SIP_STATS bytes flowmon:sipStats
FME_RTP_CODEC uint8 flowmon:rtpCodec
FME_RTP_JITTER uint32 flowmon:rtpJitter
FME_RTCP_LOST uint32 flowmon:rtcpLost
FME_RTCP_PACKETS uint64 flowmon:rtcpPackets
FME_RTCP_OCTETS uint64 flowmon:rtcpOctets
FME_RTCP_SOURCE_COUNT uint8 flowmon:rtcpSourceCount
FME_SIP_CALL_ID string flowmon:sipCallId # SIP call id
FME_SIP_CALLING_PARTY string flowmon:sipCallingParty # SIP from
FME_SIP_CALLED_PARTY string flowmon:sipCalledParty # SIP to
FME_SIP_VIA string flowmon:sipVia # SIP VIA
# --- HTTP elements ---
HTTP_REQUEST_METHOD_ID string cesnet:httpMethod # HTTP request method
FME_HTTP_UA_OS uint16 flowmon:httpUaOs
FME_HTTP_UA_OS_MAJ uint16 flowmon:httpUaOsMaj
FME_HTTP_UA_OS_MIN uint16 flowmon:httpUaOsMin
FME_HTTP_UA_OS_BLD uint16 flowmon:httpUaOsBld
FME_HTTP_UA_APP uint16 flowmon:httpUaApp
FME_HTTP_UA_APP_MAJ uint16 flowmon:httpUaAppMaj
FME_HTTP_UA_APP_MIN uint16 flowmon:httpUaAppMin
FME_HTTP_UA_APP_BLD uint16 flowmon:httpUaAppBld
HTTP_REQUEST_REFERER string flowmon:httpReferer
HTTP_RESPONSE_CONTENT_TYPE string flowmon:httpContentType
FME_HTTP_METHOD_MASK uint16 flowmon:httpMethodMask
HTTP_REQUEST_HOST string flowmon:httpHost # HTTP(S) request host
HTTP_REQUEST_URL string flowmon:httpUrl # HTTP request url
HTTP_RESPONSE_STATUS_CODE uint32 flowmon:httpStatusCode # HTTP response status code
HTTP_REQUEST_AGENT string flowmon:httpUserAgent
# --- Other fields ---
IPV6_TUN_TYPE uint8 e16982id405 # IPv6 tunnel type
APP_ID bytes e0id95 # Application ID from libprotoident / NBAR2 / Flowmon's NBAR plugin
# --- TLS fields
FME_TLS_CONTENT_TYPE uint8 flowmon:tlsContentType # tlsContentType
FME_TLS_HANDSHAKE_TYPE uint32 flowmon:tlsHandshakeType # https://tools.ietf.org/html/rfc5246#appendix-A.4
FME_TLS_SETUP_TIME uint64 flowmon:tlsSetupTime # tlsSetupTime
FME_TLS_SERVER_VERSION uint16 flowmon:tlsServerVersion # 8b major and 8b minor, 0x0303 ~ TLS1.2
FME_TLS_SERVER_RANDOM bytes flowmon:tlsServerRandom # tlsServerRandom
FME_TLS_SERVER_SESSIONID bytes flowmon:tlsServerSessionId # tlsServerSessionId
FME_TLS_CIPHER_SUITE uint16 flowmon:tlsCipherSuite # https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
FME_TLS_ALPN string flowmon:tlsAlpn # TLS Application-Layer Protocol Negotiation https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
FME_TLS_SNI string flowmon:tlsSni # Server Name Indication https://en.wikipedia.org/wiki/Server_Name_Indication
FME_TLS_SNI_LENGTH uint16 flowmon:tlsSniLength # Length of TLS_SNI field
FME_TLS_CLIENT_VERSION uint16 flowmon:tlsClientVersion # tlsClientVersion
FME_TLS_CIPHER_SUITES bytes flowmon:tlsCipherSuites # List of 2B ciphers, beware of network byte order. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
FME_TLS_CLIENT_RANDOM bytes flowmon:tlsClientRandom # tlsClientRandom
FME_TLS_CLIENT_SESSIONID bytes flowmon:tlsClientSessionId # tlsClientSessionId
FME_TLS_EXTENSION_TYPES bytes flowmon:tlsExtensionTypes # tlsExtensionTypes
FME_TLS_EXTENSION_LENGTHS bytes flowmon:tlsExtensionLengths # tlsExtensionLengths
FME_TLS_ELLIPTIC_CURVES bytes flowmon:tlsEllipticCurves # tlsEllipticCurves
FME_TLS_EC_POINTFORMATS bytes flowmon:tlsEcPointFormats # tlsEcPointFormats
FME_TLS_CLIENT_KEYLENGTH int32 flowmon:tlsClientKeyLength # Length of client's key
FME_TLS_ISSUER_CN string flowmon:tlsIssuerCn # Common name of certificate issuer
FME_TLS_SUBJECT_CN string flowmon:tlsSubjectCn # Certificate Common Name
FME_TLS_SUBJECT_ON string flowmon:tlsSubjectOn # Certificate Organization Name
FME_TLS_VALIDITY_NOTBEFORE int64 flowmon:tlsValidityNotBefore # UNIX timestamp of certificate creation
FME_TLS_VALIDITY_NOTAFTER int64 flowmon:tlsValidityNotAfter # UNIX timestamp of certificate expiration
FME_TLS_SIGNATURE_ALG uint16 flowmon:tlsSignatureAlg # tlsSignatureAlg
FME_TLS_PUBLIC_KEYALG uint16 flowmon:tlsPublicKeyAlg # tlsPublicKeyAlg
FME_TLS_PUBLIC_KEYLENGTH int32 flowmon:tlsPublicKeyLength # tlsPublicKeyLength
TLS_SNI string cesnet:TLSSNI # Server Name Indication https://en.wikipedia.org/wiki/Server_Name_Indication
TLS_JA3_FINGERPRINT bytes flowmon:tlsJa3Fingerprint # tlsJa3Fingerprint
QUIC_SNI string cesnet:quicSNI # Server Name Indication from QUIC
QUIC_USER_AGENT string cesnet:quicUserAgent # User-Agent value extracted from decrypted QUIC header
QUIC_VERSION uint32 cesnet:quicVersion # Version of QUIC protocol extracted from decrypted QUIC header
# --- Per-Packet Information elements ---
PPI_PKT_LENGTHS uint16* e0id291/cesnet:packetLength # basicList of packet lengths
PPI_PKT_TIMES time* e0id291/cesnet:packetTime # basicList of packet timestamps
PPI_PKT_FLAGS uint8* e0id291/cesnet:packetFlag # basicList of packet TCP flags
PPI_PKT_DIRECTIONS int8* e0id291/cesnet:packetDirection # basicList of packet directions
# --- SSDP Information elements ---
SSDP_LOCATION_PORT uint16 cesnet:SSDPLocationPort,flowmon:SSDPLocationPort
SSDP_SERVER string cesnet:SSDPServer,flowmon:SSDPServer
SSDP_USER_AGENT string cesnet:SSDPUserAgent,flowmon:SSDPUserAgent
SSDP_NT string cesnet:SSDPNT,flowmon:SSDPNT
SSDP_ST string cesnet:SSDPST,flowmon:SSDPST
# --- DNSDD Information elements ---
DNSSD_QUERIES string cesnet:DNSSDQueries,flowmon:DNSSDQuery
DNSSD_RESPONSES string cesnet:DNSSDResponses,flowmon:DNSSDResponse
# --- OVPN Information elements ---
OVPN_CONF_LEVEL uint8 cesnet:OVPNConfLevel
# --- NTP Information elements ---
NTP_LEAP uint8 cesnet:NTPLeap
NTP_VERSION uint8 cesnet:NTPVersion
NTP_MODE uint8 cesnet:NTPMode
NTP_STRATUM uint8 cesnet:NTPStratum
NTP_POLL uint8 cesnet:NTPPoll
NTP_PRECISION uint8 cesnet:NTPPrecision
NTP_DELAY uint32 cesnet:NTPDelay
NTP_DISPERSION uint32 cesnet:NTPDispersion
NTP_REF_ID string cesnet:NTPRefID
NTP_REF string cesnet:NTPRef
NTP_ORIG string cesnet:NTPOrig
NTP_RECV string cesnet:NTPRecv
NTP_SENT string cesnet:NTPSent
# --- ARP Information elements ---
ARP_HA_FORMAT uint16 cesnet:ARPHAFormat
ARP_PA_FORMAT uint16 cesnet:ARPPAFormat
ARP_OPCODE uint16 cesnet:ARPOpcode
ARP_SRC_HA bytes cesnet:ARPSrcHA
ARP_SRC_PA bytes cesnet:ARPSrcPA
ARP_DST_HA bytes cesnet:ARPDstHA
ARP_DST_PA bytes cesnet:ARPDstPa
# --- NetBios Information elements ---
NB_NAME string cesnet:NBName
NB_SUFFIX uint8 cesnet:NBSuffix
# --- IDPContent Information elements ---
IDP_CONTENT bytes cesnet:IDPContent
IDP_CONTENT_REV bytes cesnet:IDPContentRev
# --- Hists ---
S_PHISTS_SIZES uint32* e0id291/cesnet:phistSrcSizes
S_PHISTS_IPT uint32* e0id291/cesnet:phistSrcInterPacketTime
D_PHISTS_SIZES uint32* e0id291/cesnet:phistDstSizes
D_PHISTS_IPT uint32* e0id291/cesnet:phistDstInterPacketTime
# --- Bursts ---
SBI_BRST_BYTES uint32* e0id291/cesnet:burstSrcBytes
SBI_BRST_PACKETS uint32* e0id291/cesnet:burstSrcPackets
SBI_BRST_TIME_START time* e0id291/cesnet:burstSrcTimeStart
SBI_BRST_TIME_STOP time* e0id291/cesnet:burstSrcTimeStop
DBI_BRST_PACKETS uint32* e0id291/cesnet:burstDstPackets
DBI_BRST_BYTES uint32* e0id291/cesnet:burstDstBytes
DBI_BRST_TIME_START time* e0id291/cesnet:burstDstTimeStart
DBI_BRST_TIME_STOP time* e0id291/cesnet:burstDstTimeStop
# --- BasicPlus ---
L4_TCP_MSS uint32 cesnet:tcpMss
L4_TCP_MSS_REV uint32 cesnet:tcpMssRev
L4_TCP_SYN_SIZE uint16 cesnet:tcpSynSize
L4_TCP_WIN uint16 e0id186
L4_TCP_WIN_REV uint16 e29305id186
L4_TCP_OPTIONS uint64 e0id209
L4_TCP_OPTIONS_REV uint64 e29305id209
L3_FLAGS uint8 e0id197
L3_FLAGS_REV uint8 e29305id197
# --- wireguard ---
WG_CONF_LEVEL uint8 cesnet:WGConfLevel
WG_SRC_PEER uint32 cesnet:WGSrcPeer
WG_DST_PEER uint32 cesnet:WGDstPeer
# --- OSQuery ---
OSQUERY_PROGRAM_NAME string cesnet:OSQueryProgramName
OSQUERY_USERNAME string cesnet:OSQueryUsername
OSQUERY_OS_NAME string cesnet:OSQueryOSName
OSQUERY_OS_MAJOR uint16 cesnet:OSQueryOSMajor
OSQUERY_OS_MINOR uint16 cesnet:OSQueryOSMinor
OSQUERY_OS_BUILD string cesnet:OSQueryOSBuild
OSQUERY_OS_PLATFORM string cesnet:OSQueryOSPlatform
OSQUERY_OS_PLATFORM_LIKE string cesnet:OSQueryOSPlatformLike
OSQUERY_OS_ARCH string cesnet:OSQueryOSArch
OSQUERY_KERNEL_VERSION string cesnet:OSQueryKernelVersion
OSQUERY_SYSTEM_HOSTNAME string cesnet:OSQuerySystemHostname
# --- SYN-SYNACK-ACK (SSA) detection of new handshake within existing connection
SSA_CONF_LEVEL uint8 cesnet:ssaConfLevel # Confidence level of detected SSA