#Field ID       Data type       Description
SRC_IP          ip_addr_t       Source address of a flow
DST_IP          ip_addr_t       Destination address of a flow
SRC_PORT        uint16_t        Source transport-layer port
DST_PORT        uint16_t        Destination transport-layer port
PROTOCOL        uint8_t         L4 protocol (TCP, UDP, ICMP, etc.)
TCP_FLAGS       uint8_t         TCP flags of a flow (logical OR over TCP flags field of all packets)
PACKETS         uint32_t        Number of packets in a flow or in an interval
BYTES           uint64_t        Number of bytes in a flow or in an interval
TIME_FIRST      ur_time_t       Timestamp of the first packet of a flow
TIME_LAST       ur_time_t       Timestamp of the last packet of a flow

LINK_BIT_FIELD  uint64_t        Bit field where each bit marks whether a flow was captured on corresponding link
DIR_BIT_FIELD   uint8_t         Bit field used for determining incoming/outgoing flow
DIRECTION_FLAGS uint8_t         Bit field for identification of flow direction (0x8=REQ, 0x4=RSP, 0x2=SF, 0x1=NRC)

#Spoofing filter type
SPOOF_TYPE      uint8_t         Identifier of the spoofing filter that reported the source IP address of the flow (0x1 Bogons, 0x2 Symmetric filter, 0x4 New flow filter)

#Blacklist items
SRC_BLACKLIST   uint8_t         ID of blacklist which contains the source address of the flow
DST_BLACKLIST   uint8_t         ID of blacklist which contains the destination address of the flow
URL_BLACKLIST   uint8_t         ID of blacklist which contains received URL
DNS_BLACKLIST   uint8_t         ID of blacklist which contains suspicious domain name
BLACKLIST_TYPE  uint8_t         Type of the used blacklist (spam, C&C, malware, etc.)

TIMESLOT        uint32_t        Start time of a timeslot in which an event was detected (Unix timestamp)
EVENT_ID        uint32_t        Identification number of reported event

# Alias for a basic flow (you can use "<BASIC_FLOW>" in ifc-spec and it will be replaced by the following fields)
@BASIC_FLOW=SRC_IP,DST_IP,SRC_PORT,DST_PORT,PROTOCOL,PACKETS,BYTES,TIME_FIRST,TIME_LAST,TCP_FLAGS

# Flow records coming from UniRec plugin for ipfixcol
@COLLECTOR_FLOW=<BASIC_FLOW>,LINK_BIT_FIELD,DIR_BIT_FIELD

# Astute detection
ASTUTE_5T       float           ASTUTE field 5-tuple
ASTUTE_IP       float           ASTUTE field src/dst
ASTUTE_SRCIP    float           ASTUTE field src IP
ASTUTE_DSTIP    float           ASTUTE field dst IP
ASTUTE_SRCPORT  float           ASTUTE field src port
ASTUTE_DSTPORT  float           ASTUTE field dst port
@ASTUTE=ASTUTE_5T,ASTUTE_IP,ASTUTE_SRCIP,ASTUTE_DSTIP,ASTUTE_SRCPORT,ASTUTE_DSTPORT

# PCA detection
FLOWS             uint64_t      Number of flows in an interval
ENTROPY_SRCIP     float         Source ip address entropy in an interval
ENTROPY_DSTIP     float         Destination ip address entropy in an interval
ENTROPY_SRCPORT   float         Source port entropy in an interval
ENTROPY_DSTPORT   float         Destination port entropy in an interval
ENTROPY_SRCIPDSTIP   float         Source ip address destination ip entropy
ENTROPY_SRCIPSRCPORT   float         Source ip address source port entropy
ENTROPY_SRCIPDSTPORT   float         Source ip destination port entropy
ENTROPY_DSTIPSRCPORT   float         Destination ip source port entropy
ENTROPY_DSTIPDSTPORT   float         Destination ip destination port entropy
ENTROPY_SRCIPDSTIPDSTPORT   float         Source ip destination ip destination port entropy
ENTROPY_SRCIPDSTIPSRCPORT   float         Source ip destination ip source port entropy
PCA_ANOMALY_FIELD 	uint64_t       Bit field where one bit is set for each dimension (metric) in which an anomaly was detected
# Volume metrics
@VOLUME=FLOWS,PACKETS,BYTES
# Basic entropy values (for source/destination IP address and source/destination port)
@BASIC_ENTROPY=ENTROPY_SRCIP,ENTROPY_DSTIP,ENTROPY_SRCPORT,ENTROPY_DSTPORT
# Output format of PCA basic detection module (this is what an anomaly detection message from the PCA module looks like)
@PCA_DETECTION=TIMESLOT,LINK_BIT_FIELD,PCA_ANOMALY_FIELD

# HostStatsNemea
EVENT_TYPE     uint8_t         Type of detected event
EVENT_SCALE    double           Attack intensity

# SMTP
SMTP_FLAGS    uint8_t           SMTP flags

# SIP
SIP_CONTROL	uint16_t	SIP response/command code
SIP_FROM	char*		SIP from address
SIP_TO		char*		SIP to address
@SIP=SIP_CONTROL,SIP_FROM,SIP_TO

# DNS
DNS_ANSWERS	uint16_t	DNS answers
DNS_RCODE	uint8_t		DNS rcode
DNS_NAME	char*		DNS name
DNS_QTYPE	uint16_t	DNS qtype
DNS_CLASS	uint16_t	DNS class
DNS_RR_TTL	uint32_t	DNS RR TTL
DNS_RLENGTH	uint16_t	DNS rlength
DNS_RDATA	char*		DNS rdata
@DNS=DNS_ANSWERS,DNS_RCODE,DNS_NAME,DNS_QTYPE,DNS_CLASS,DNS_RR_TTL,DNS_RLENGTH,DNS_RDATA

# HTTP
HTTP_REQUEST_METHOD_ID		uint32_t	HTTP request method id
HTTP_REQUEST_HOST		char*		HTTP request host
HTTP_REQUEST_URL		char*		HTTP request url
HTTP_REQUEST_AGENT_ID		uint32_t	HTTP request agent id
HTTP_REQUEST_AGENT		char*		HTTP request agent
HTTP_REQUEST_REFERER		char*		HTTP request referer
HTTP_RESPONSE_STATUS_CODE	uint32_t	HTTP response status code
HTTP_RESPONSE_CONTENT_TYPE	char*		HTTP response content type
@HTTP=HTTP_REQUEST_METHOD_ID,HTTP_REQUEST_HOST,HTTP_REQUEST_URL,HTTP_REQUEST_AGENT_ID,HTTP_REQUEST_AGENT,HTTP_REQUEST_REFERER,HTTP_RESPONSE_STATUS_CODE,HTTP_RESPONSE_CONTENT_TYPE

#Botnet detection
BOTNET_CC_IP    ip_addr_t       IP address of detected Command & Control server
BOTNET_BOT_IP   ip_addr_t       IP address of detected bot
BOTNET_PROBABILITY  float       Probability of reported address being bot <0,1>

@BOTNET=BOTNET_CC_IP,BOTNET_BOT_IP,BOTNET_PROBABILITY

@AMPLIFICATION_ALERT=SRC_IP,DST_IP,SRC_PORT,FLOWS,PACKETS,BYTES,TIME_FIRST,TIME_LAST,EVENT_ID

# Generic email reporting
EMAIL_SUBJECT   char*   Subject of email message
EMAIL_BODY      char*   Body of email message


# Testing and example fields
FOO             uint32_t        Generic field containing 32bit unsigned integer (used for testing and example purposes)
BAR             uint32_t        Generic field containing 32bit unsigned integer (used for testing and example purposes)
BAZ             uint32_t        Generic field containing 32bit unsigned integer (used for testing and example purposes)
