B-29
FireSIGHT eStreamer Integration Guide

Appendix B    Understanding Legacy Data Structures
Legacy Intrusion Data Structures
Intrusion Impact Alert Data

The Intrusion Impact Alert event contains information about impact events. It is transmitted when an intrusion event is compared to the system network map data and the impact is determined. It uses the standard record header with a record type of 9, followed by an Intrusion Impact Alert data block with a data block type of 20 in the series 1 group of blocks. (The Impact Alert data block is a type of series 1 data block. For more information about series 1 data blocks, see

You can request that eStreamer only transmit intrusion impact events by setting bit 5 in the Flags field of the request message. See

for more information about request messages. Version 1 of these alerts only handles IPv4. Version 2, introduced in 5.3, handles IPv6 events in addition to IPv4.
Table B-5    Intrusion Event Record 5.1.1 Fields (continued)

Field                         Data Type   Description
VLAN ID                       uint16      Indicates the ID of the VLAN where the packet originated.
Pad                           uint16      Reserved for future use.
Policy UUID                   uint8[16]   A policy ID number that acts as a unique identifier for the intrusion policy.
User ID                       uint32      The internal identification number for the user, if applicable.
Web Application ID            uint32      The internal identification number for the web application, if applicable.
Client Application ID         uint32      The internal identification number for the client application, if applicable.
Application Protocol ID       uint32      The internal identification number for the application protocol, if applicable.
Access Control Rule ID        uint32      A rule ID number that acts as a unique identifier for the access control rule.
Access Control Policy UUID    uint8[16]   A policy ID number that acts as a unique identifier for the access control policy.
Ingress Interface UUID        uint8[16]   An interface ID number that acts as a unique identifier for the ingress interface.
Egress Interface UUID         uint8[16]   An interface ID number that acts as a unique identifier for the egress interface.
Ingress Security Zone UUID    uint8[16]   A zone ID number that acts as a unique identifier for the ingress security zone.
Egress Security Zone UUID     uint8[16]   A zone ID number that acts as a unique identifier for the egress security zone.
Connection Timestamp          uint32      UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.
Connection Instance ID        uint16      Numerical ID of the Snort instance on the managed device that generated the connection event.
Connection Counter            uint16      Value used to distinguish between connection events that happen during the same second.
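The following decoder for the Table B-5 fields listed above is an added example, not code from the guide or from Cisco. It assumes network (big-endian) byte order for these fields and uses constructed sample values; it decodes the 16 fields with their stated widths, turns each uint8[16] into a UUID, rejects a truncated buffer, and builds the (timestamp, instance ID, counter) key that ties an intrusion event to its connection event.

```python
import struct
import uuid

# Wire order of the Table B-5 (continued) fields. Big-endian (">") is assumed
# here as eStreamer's network byte order; it is not stated on this page.
_TAIL_FORMAT = ">HH16sIIIII16s16s16s16s16sIHH"
TAIL_SIZE = struct.calcsize(_TAIL_FORMAT)  # 128 bytes for these 16 fields

_FIELDS = (
    "vlan_id", "pad", "policy_uuid", "user_id", "web_application_id",
    "client_application_id", "application_protocol_id", "access_control_rule_id",
    "access_control_policy_uuid", "ingress_interface_uuid", "egress_interface_uuid",
    "ingress_security_zone_uuid", "egress_security_zone_uuid",
    "connection_timestamp", "connection_instance_id", "connection_counter",
)

def parse_intrusion_event_tail(buf: bytes) -> dict:
    """Decode the trailing Table B-5 fields of a 5.1.1 intrusion event record.

    A short buffer raises ValueError: a consumer must never unpack a
    truncated record and carry on with garbage identifiers.
    """
    if len(buf) < TAIL_SIZE:
        raise ValueError(f"need {TAIL_SIZE} bytes, got {len(buf)}")
    rec = dict(zip(_FIELDS, struct.unpack(_TAIL_FORMAT, buf[:TAIL_SIZE])))
    for name in _FIELDS:
        if name.endswith("_uuid"):  # uint8[16] -> uuid.UUID
            rec[name] = uuid.UUID(bytes=rec[name])
    return rec

def connection_key(rec: dict) -> tuple:
    """Key that ties this intrusion event to its connection event: the
    timestamp alone is ambiguous, so instance ID and counter complete it."""
    return (rec["connection_timestamp"],
            rec["connection_instance_id"], rec["connection_counter"])

# Constructed sample record tail (hypothetical values, not captured data).
POLICY_UUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
ACP_UUID = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
ZERO_UUID = bytes(16)
SAMPLE_TAIL = struct.pack(
    _TAIL_FORMAT, 100, 0, POLICY_UUID.bytes, 42, 0, 0, 676, 7, ACP_UUID.bytes,
    ZERO_UUID, ZERO_UUID, ZERO_UUID, ZERO_UUID, 1400000000, 3, 17,
)

if __name__ == "__main__":
    rec = parse_intrusion_event_tail(SAMPLE_TAIL)
    print(rec["vlan_id"], rec["policy_uuid"], connection_key(rec))
```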