Cisco Firepower Management Center 2000 Developer's Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Page 116
Chapter 3: Understanding Intrusion and Correlation Data Structures
Understanding Series 2 Data Blocks
Beginning in version 4.10.0, the eStreamer service uses a second series of data
blocks to package certain records, such as intrusion event extra data. A list of all
block types in the series appears on page 117.
Series 2 blocks, like series 1 blocks, support variable-length fields and hierarchies
of nested blocks. The series 2 block types include primitive blocks that provide
the same mechanism for encapsulating nested inner blocks as the series 1
primitive block types. However, series 2 blocks and series 1 blocks have separate
numbering systems: the same block type number refers to a different block in
each series, so a client must know which series a record uses before it decodes
the block header.
The following example shows how primitive blocks are used. The list data
block (series 2 block type 31) defines an array of operating system fingerprints
(each of which is a type 87 block itself, with variable length). The overall type 31
data block length is self-describing via the Data Block Length field, which contains
the length of the data portion of the block only, excluding the 8 bytes occupied by
the block type and block length fields. Each nested type 87 block carries its own
type and length fields in the same way, so a client walks the list by reading one
inner header at a time and advancing by 8 plus the inner length until it has
consumed exactly the number of bytes the outer length announced.
Event Defined Values (Continued)

Description               Mask Value
Destination Criticality   0x00004000
Destination Port          0x00008000
Destination Server        0x00010000
Source User               0x00020000
Destination User          0x00040000
Byte      0               1               2               3
Bit       0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
          +---------------------------------------------------------------+
          | List Data Block Type (2)                                      |
          +---------------------------------------------------------------+
          | Data Block Length                                             |
          +---------------------------------------------------------------+
Server    | Operating System Fingerprint Block Type (87)*                 |
Finger-   +---------------------------------------------------------------+
prints    | Operating System Fingerprint Block Length                     |
          +---------------------------------------------------------------+
          | Operating System Server Fingerprint Data...                   |
          +---------------------------------------------------------------+
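The following decoder walks a list block of the shape shown above. It is an added example and is not code from the eStreamer guide or from Cisco; the block type numbers (31 for the list block, 87 for the nested fingerprint block) are taken from the text of this page, the function names are the author's own, the fingerprint payloads are placeholder strings rather than the real type 87 layout, and the header fields are decoded in network byte order, which is the order eStreamer uses for its binary records. The point a client implementer most needs is that every length field arrives from the peer and must be checked against the bytes actually present before it is used to slice; the example rejects truncated, over-long and mis-typed input instead of over-reading.

```python
import struct

# Every eStreamer data block starts with an 8-byte header in network byte order:
# a 4-byte block type followed by a 4-byte block length that covers only the
# data after the header, never the 8 header bytes themselves.
BLOCK_HEADER = struct.Struct(">II")

LIST_BLOCK_TYPE = 31            # list data block, as numbered in the text above
OS_FINGERPRINT_BLOCK_TYPE = 87  # nested operating system fingerprint block


def build_block(block_type: int, payload: bytes) -> bytes:
    """Encode one block: header plus payload; the length field excludes the header."""
    return BLOCK_HEADER.pack(block_type, len(payload)) + payload


def parse_block(buf: bytes, offset: int = 0):
    """Return (block_type, payload, next_offset) for the block starting at offset.

    The length field is peer-controlled, so it is validated against the bytes
    actually present before any slicing happens.
    """
    if offset + BLOCK_HEADER.size > len(buf):
        raise ValueError("truncated block header at offset %d" % offset)
    block_type, block_len = BLOCK_HEADER.unpack_from(buf, offset)
    start = offset + BLOCK_HEADER.size
    end = start + block_len
    if end > len(buf):
        raise ValueError("block length %d exceeds %d remaining bytes"
                         % (block_len, len(buf) - start))
    return block_type, buf[start:end], end


def parse_list(payload: bytes, inner_type: int):
    """Walk the inner blocks packed back to back inside a list block payload."""
    items = []
    offset = 0
    while offset < len(payload):
        block_type, inner, offset = parse_block(payload, offset)
        if block_type != inner_type:
            raise ValueError("unexpected inner block type %d" % block_type)
        items.append(inner)
    return items


def decode_fingerprint_list(buf: bytes):
    """Decode a type 31 list of type 87 blocks and return the fingerprint payloads."""
    block_type, payload, end = parse_block(buf)
    if block_type != LIST_BLOCK_TYPE:
        raise ValueError("expected list block type %d, got %d" % (LIST_BLOCK_TYPE, block_type))
    if end != len(buf):
        raise ValueError("%d trailing bytes after the list block" % (len(buf) - end))
    return parse_list(payload, OS_FINGERPRINT_BLOCK_TYPE)


def rejects(buf: bytes) -> bool:
    """True when the decoder refuses buf rather than reading past what is there."""
    try:
        decode_fingerprint_list(buf)
    except ValueError:
        return True
    return False


# Constructed sample: two fingerprint blocks of different lengths inside one list
# block. The payloads are placeholders, not the real type 87 field layout.
SAMPLE_FINGERPRINTS = [b"os-fingerprint-A", b"fp-B"]
SAMPLE_MESSAGE = build_block(
    LIST_BLOCK_TYPE,
    b"".join(build_block(OS_FINGERPRINT_BLOCK_TYPE, fp) for fp in SAMPLE_FINGERPRINTS),
)


def sample_is_self_describing() -> bool:
    """Outer length = sum of (8 + inner length) over the nested blocks, header excluded."""
    _, outer_len = BLOCK_HEADER.unpack_from(SAMPLE_MESSAGE)
    expected = sum(BLOCK_HEADER.size + len(fp) for fp in SAMPLE_FINGERPRINTS)
    return outer_len == expected and len(SAMPLE_MESSAGE) == BLOCK_HEADER.size + outer_len


if __name__ == "__main__":
    print(decode_fingerprint_list(SAMPLE_MESSAGE))
    for bad in (SAMPLE_MESSAGE[:-3],                       # cut short on the wire
                SAMPLE_MESSAGE + b"\x00",                  # bytes the length does not account for
                build_block(LIST_BLOCK_TYPE, build_block(5, b"x"))):  # wrong inner type
        print("rejected:", rejects(bad))
```

Because the length never counts the header, a 3-byte truncation of the sample is caught at the outer block (the announced 36 data bytes are not all present), while an extra trailing byte is caught by the end-of-buffer check; both would otherwise surface as a silently wrong fingerprint count or a read past the buffer in a less careful client.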