Cisco Firepower Management Center 2000 Developer's Guide

Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Chapter 3
Correlation Event 5.1+ Data Fields (Continued)

| Field | Data Type | Description |
|---|---|---|
| Destination OS Fingerprint UUID | uint8[16] | A fingerprint ID number that acts as a unique identifier for the destination host's operating system. See  on page 182 for information about obtaining the values that map to the fingerprint IDs. |
| Destination Criticality | uint16 | User-defined criticality value for the destination host: 0 — None; 1 — Low; 2 — Medium; 3 — High |
| Destination User ID | uint32 | Identification number for the user logged into the destination host, as identified by the system. |
| Destination Port | uint16 | Destination port in the event. |
| Destination Service ID | uint32 | Identification number for the server running on the source host. |
| Blocked | uint8 | Value indicating what happened to the packet that triggered the intrusion event: 0 — Intrusion event not dropped; 1 — Intrusion event was dropped (drop when deployment is inline, switched, or routed); 2 — The packet that triggered the event would have been dropped, if the intrusion policy had been applied to a device in inline, switched, or routed deployment. |
| Ingress Interface UUID | uint8[16] | An interface ID that acts as the unique identifier for the ingress interface associated with the correlation event. |
| Egress Interface UUID | uint8[16] | An interface ID that acts as the unique identifier for the egress interface associated with the correlation event. |
| Ingress Zone UUID | uint8[16] | A zone ID that acts as the unique identifier for the ingress security zone associated with the correlation event. |
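
Added example, not taken from the Cisco guide: a Python decoder for the nine fields listed in this table, with bounds and enumeration checks suitable for data read off the wire. It assumes the fields are packed contiguously in table order and in network byte order, neither of which this page states; `parse_tail`, `CorrelationTail` and the sample bytes are constructed for illustration, and the offset of these fields within the full record is left to the caller.

```python
import struct
import uuid
from typing import NamedTuple

# Assumed layout (not stated on this page): the nine fields are contiguous,
# in table order, big-endian. "!" disables padding: 16+2+4+2+4+1+16+16+16 = 77.
TAIL = struct.Struct("!16sHIHIB16s16s16s")

CRITICALITY = {0: "None", 1: "Low", 2: "Medium", 3: "High"}
BLOCKED = {0: "not dropped", 1: "dropped", 2: "would have been dropped"}

class CorrelationTail(NamedTuple):  # hypothetical name, not an eStreamer type
    dst_os_fingerprint: uuid.UUID
    dst_criticality: str
    dst_user_id: int
    dst_port: int
    dst_service_id: int
    blocked: str
    ingress_interface: uuid.UUID
    egress_interface: uuid.UUID
    ingress_zone: uuid.UUID

def parse_tail(buf: bytes, offset: int = 0) -> CorrelationTail:
    """Decode the fields starting at a caller-supplied offset in the record."""
    if offset < 0 or len(buf) - offset < TAIL.size:
        raise ValueError(f"need {TAIL.size} bytes at offset {offset}")
    fp, crit, user, port, svc, blk, i_if, e_if, i_zone = TAIL.unpack_from(buf, offset)
    # Enumerated values arrive off the wire: reject anything the table does not define.
    if crit not in CRITICALITY:
        raise ValueError(f"undefined criticality {crit}")
    if blk not in BLOCKED:
        raise ValueError(f"undefined blocked value {blk}")
    return CorrelationTail(
        uuid.UUID(bytes=fp), CRITICALITY[crit], user, port, svc, BLOCKED[blk],
        uuid.UUID(bytes=i_if), uuid.UUID(bytes=e_if), uuid.UUID(bytes=i_zone),
    )

# Constructed sample bytes, not captured from a real eStreamer session.
SAMPLE = (
    bytes(range(16))                              # destination OS fingerprint UUID
    + struct.pack("!HIHIB", 3, 1001, 443, 7, 1)   # criticality, user, port, service, blocked
    + b"\x11" * 16 + b"\x22" * 16 + b"\x33" * 16  # ingress/egress interface, ingress zone
)

if __name__ == "__main__":
    for name, value in parse_tail(SAMPLE)._asdict().items():
        print(f"{name:20} {value}")
```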