Cisco Firepower Management Center 4000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Understanding the eStreamer Application Protocol
Event Data Message Format
Chapter 2
followed immediately by a data block in the data record section of the message.
Correlation messages use Series 1 data blocks.
Correlation Record Header
The shaded section of the following graphic shows the fields of the record header
in correlation event messages. Note that correlation messages use series 1 data
blocks; however, they do not have the discovery header that appears in discovery
event messages. Their header fields resemble those of intrusion event
messages. The table that follows the graphic below defines the record header
fields for correlation events.
Figure: layout of a correlation event message (each row is 32 bits, bits 0-31 left to right; byte columns 0-3). The record header is the shaded section in the original graphic.

Message Header
  Header Version (1) | Message Type (3)
  Message Length
Record Header
  Record Type
  Record Length
  eStreamer Server Timestamp (for events only, not used in metadata records)
  Reserved for Future Use (for events only, not used in metadata records)
Data Record Block
  Uses Series 1 block
  ...
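As an added example (not Cisco or Sourcefire code), the following Python builds and parses a message with the layout shown above: an 8-byte message header, a 16-byte correlation record header and a Series 1 data block. It assumes network byte order, that Header Version and Message Type are 16 bits each and the remaining header fields 32 bits, that Message Length counts every byte after the message header, that Record Length counts every byte after the Record Length field (timestamp and reserved included), and that a Series 1 block begins with a 32-bit block type and a 32-bit block length covering the whole block. The record type and block type numbers are placeholders, since their real values are defined elsewhere in the guide. Every declared length is checked against the bytes actually present before the parser relies on it, which is the check a client should make before handing the data block to a Series 1 block decoder.

```python
"""Builder and bounds-checked parser for the eStreamer correlation event message
layout. Added example, not Cisco/Sourcefire code; field widths and length
semantics are assumptions noted in the comments."""
import struct

# Message header: 16-bit header version, 16-bit message type, 32-bit message
# length. "!" selects big-endian (network byte order) for every field.
MESSAGE_HEADER_FMT = "!HHI"
MESSAGE_HEADER_LEN = struct.calcsize(MESSAGE_HEADER_FMT)  # 8 bytes

# Correlation record header: record type, record length, eStreamer server
# timestamp, reserved for future use; each assumed to be 32 bits wide.
RECORD_HEADER_FMT = "!IIII"
RECORD_HEADER_LEN = struct.calcsize(RECORD_HEADER_FMT)  # 16 bytes

# Series 1 block header: 32-bit block type, 32-bit block length (assumed to
# cover the whole block, these 8 header bytes included).
BLOCK_HEADER_FMT = "!II"
BLOCK_HEADER_LEN = struct.calcsize(BLOCK_HEADER_FMT)  # 8 bytes

HEADER_VERSION = 1        # "Header Version (1)" in the figure
MSG_TYPE_EVENT_DATA = 3   # "Message Type (3)" in the figure

# Placeholder type numbers: the real correlation record type and block type
# are defined elsewhere in the guide, so obviously synthetic values are used.
PLACEHOLDER_RECORD_TYPE = 0x7E57
PLACEHOLDER_BLOCK_TYPE = 0x7E58


class EStreamerParseError(ValueError):
    """Raised when a message does not match the expected layout or lengths."""


def build_correlation_event(record_type, timestamp, block_type, block_body):
    """Wrap block_body in a Series 1 block, a correlation record header and an
    event data message header, computing every length field from the content.
    Assumption: message length counts all bytes after the message header;
    record length counts all bytes after the Record Length field."""
    block = struct.pack(BLOCK_HEADER_FMT, block_type,
                        BLOCK_HEADER_LEN + len(block_body)) + block_body
    record_len = 8 + len(block)  # timestamp + reserved + data block
    record = struct.pack(RECORD_HEADER_FMT, record_type, record_len,
                         timestamp, 0) + block
    return struct.pack(MESSAGE_HEADER_FMT, HEADER_VERSION,
                       MSG_TYPE_EVENT_DATA, len(record)) + record


def parse_correlation_event(buf):
    """Parse one complete correlation event message. Each declared length is
    compared with the bytes actually present before it is trusted, so a
    truncated or oversized message is rejected instead of read past its end."""
    if len(buf) < MESSAGE_HEADER_LEN:
        raise EStreamerParseError("truncated message header")
    version, msg_type, msg_len = struct.unpack_from(MESSAGE_HEADER_FMT, buf, 0)
    if version != HEADER_VERSION:
        raise EStreamerParseError("unsupported header version %d" % version)
    if msg_type != MSG_TYPE_EVENT_DATA:
        raise EStreamerParseError("not an event data message (type %d)" % msg_type)
    present = len(buf) - MESSAGE_HEADER_LEN
    if msg_len != present:
        raise EStreamerParseError("message length %d but %d bytes present"
                                  % (msg_len, present))
    if msg_len < RECORD_HEADER_LEN:
        raise EStreamerParseError("message too short for a correlation record header")

    rec_type, rec_len, server_ts, reserved = struct.unpack_from(
        RECORD_HEADER_FMT, buf, MESSAGE_HEADER_LEN)
    after_len_field = MESSAGE_HEADER_LEN + 8  # bytes covered by Record Length
    if rec_len != len(buf) - after_len_field:
        raise EStreamerParseError("record length %d but %d bytes present"
                                  % (rec_len, len(buf) - after_len_field))

    block_start = MESSAGE_HEADER_LEN + RECORD_HEADER_LEN
    if len(buf) - block_start < BLOCK_HEADER_LEN:
        raise EStreamerParseError("truncated Series 1 block header")
    block_type, block_len = struct.unpack_from(BLOCK_HEADER_FMT, buf, block_start)
    if block_len < BLOCK_HEADER_LEN or block_start + block_len > len(buf):
        raise EStreamerParseError("Series 1 block length %d out of bounds" % block_len)

    return {
        "record_type": rec_type,
        "server_timestamp": server_ts,
        "reserved": reserved,
        "block_type": block_type,
        "block_body": buf[block_start + BLOCK_HEADER_LEN:block_start + block_len],
    }


if __name__ == "__main__":
    # Constructed sample: a correlation record carrying a short synthetic payload.
    msg = build_correlation_event(PLACEHOLDER_RECORD_TYPE, 1400000000,
                                  PLACEHOLDER_BLOCK_TYPE, b"sample correlation payload")
    print(parse_correlation_event(msg))
```

The parser stops at the Series 1 block header on purpose: the block's own fields depend on the block type, which is documented in the data block sections of the guide, so the returned block_body is what a type-specific decoder would consume next.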