Cisco Firepower Management Center 4000 Developer Guide
3-12
FireSIGHT eStreamer Integration Guide
Chapter 3 Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Intrusion Impact Alert Data 5.3+
The Intrusion Impact Alert 5.3+ event contains information about impact events. It is transmitted when an intrusion event is compared to the system network map data and the impact is determined. It uses the standard record header with a record type of 9, followed by an Intrusion Impact Alert data block with a series 1 data block type of 153 in the series 1 group of blocks. (The Impact Alert data block is a type of series 1 data block. For more information about series 1 data blocks, see
.)
You can request that eStreamer only transmit intrusion impact events by setting bit 5 in the Flags field of the request message. See
for more information about request messages. Version 1 of these alerts only handles IPv4. Version 2, introduced in 5.3, handles IPv6 events in addition to IPv4.
Byte | 0 | 1 | 2 | 3
Bit  | 0 ... 31 (each row below is one 32-bit word)
Header Version (1) | Message Type (4)
Message Length
Record Type (9)
eStreamer Server Timestamp (in events, only if bit 23 is set)
Reserved for Future Use (in events, only if bit 23 is set)
Intrusion Impact Alert Block Length
Event ID
Device ID
Event Second
Impact
Source IP Address
Source IP Address, continued
Source IP Address, continued
Source IP Address, continued
Destination IP Address
Destination IP Address, continued
Destination IP Address, continued
Destination IP Address, continued
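Added example, not code from the guide or from Cisco: a Python parser for the record layout above, with a constructed message to exercise it, that validates the header and block length before trusting any field. It assumes, since this page does not state them, that the series 1 block begins with its 4-byte block type (153) ahead of the block length, that the block length counts the whole block including those eight bytes, that Impact is a single byte, and that anything after Destination IP Address is skipped by length; integers are big-endian (network byte order).

```python
import ipaddress
import struct
RECORD_TYPE_IMPACT_ALERT = 9    # record type given on the page
BLOCK_TYPE_IMPACT_ALERT = 153   # series 1 block type given on the page
MIN_BLOCK_LEN = 8 + 12 + 1 + 32  # type+length, 3 x uint32, impact, two 16-byte IPs

def _addr(raw: bytes) -> str:
    v6 = ipaddress.IPv6Address(raw)  # unwrap the IPv4-mapped form if present
    return str(v6.ipv4_mapped or v6)

def parse_impact_alert(record: bytes, with_timestamp: bool = False) -> dict:
    """Parse one Intrusion Impact Alert message (record type 9), big-endian.
    with_timestamp must match bit 23 of the request Flags field: when set,
    the header carries a server timestamp and a reserved word."""
    version, msg_type, msg_len = struct.unpack_from(">HHI", record, 0)
    if (version, msg_type) != (1, 4):
        raise ValueError(f"unexpected header version/type {version}/{msg_type}")
    if msg_len != len(record) - 8:
        raise ValueError("message length does not match the bytes received")
    (rec_type,) = struct.unpack_from(">I", record, 8)
    if rec_type != RECORD_TYPE_IMPACT_ALERT:
        raise ValueError(f"not an impact alert record: type {rec_type}")
    off, server_ts = 12, None
    if with_timestamp:
        server_ts, _reserved = struct.unpack_from(">II", record, off)
        off += 8
    # Assumed series 1 block header: 4-byte type, then a 4-byte length that
    # counts the whole block, these eight bytes included. Check it before use.
    blk_type, blk_len = struct.unpack_from(">II", record, off)
    if blk_type != BLOCK_TYPE_IMPACT_ALERT:
        raise ValueError(f"unexpected block type {blk_type}")
    if blk_len < MIN_BLOCK_LEN or off + blk_len > len(record):
        raise ValueError("block length out of range")
    # Impact is assumed to be one byte; each address field is 16 bytes.
    event_id, device_id, event_sec, impact = struct.unpack_from(">IIIB", record, off + 8)
    return {"server_timestamp": server_ts, "event_id": event_id, "device_id": device_id,
            "event_second": event_sec, "impact": impact,
            "src": _addr(record[off + 21:off + 37]), "dst": _addr(record[off + 37:off + 53])}

def build_sample(with_timestamp: bool = False) -> bytes:  # constructed, not captured
    body = struct.pack(">IIIB", 1001, 7, 1_400_000_000, 2)
    body += ipaddress.IPv6Address("::ffff:10.0.0.5").packed
    body += ipaddress.IPv6Address("2001:db8::1").packed
    body += b"\x00" * 4  # filler standing in for whatever follows; skipped via length
    block = struct.pack(">II", BLOCK_TYPE_IMPACT_ALERT, 8 + len(body)) + body
    payload = struct.pack(">I", RECORD_TYPE_IMPACT_ALERT)
    if with_timestamp:
        payload += struct.pack(">II", 1_400_000_100, 0)
    return struct.pack(">HHI", 1, 4, len(payload) + len(block)) + payload + block
```

Passing the wrong with_timestamp value for the flags you actually requested makes the block type check fail rather than silently shifting every field by eight bytes.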