Cisco Firepower Management Center 4000 Developer Guide
B-102
FireSIGHT eStreamer Integration Guide
Appendix B Understanding Legacy Data Structures
Legacy Connection Data Structures
Connection Statistics Data Block 5.3
The connection statistics data block is used in connection data messages. Changes to the connection data block between versions 5.2.x and 5.3 include the addition of new fields for NetFlow information. The connection statistics data block for version 5.3 has a block type of 152 in the series 1 group of blocks. It deprecates block type 144.
You request connection event records by setting the extended event flag (bit 30 in the Request Flags field) in the request message and requesting an event version of 10 and an event code of 71. If you also set bit 23, an extended event header is included in each record. For more information on the Connection Statistics Data message, see the description of that message elsewhere in this guide.
The following diagram shows the format of a Connection Statistics data block for 5.3+:
Table B-23 Connection Statistics Data Block 5.1.1.x Fields (continued)

Field | Data Type | Description
Monitor Rule 1 | uint32 | The ID of the first monitor rule associated with the connection event.
Monitor Rule 2 | uint32 | The ID of the second monitor rule associated with the connection event.
Monitor Rule 3 | uint32 | The ID of the third monitor rule associated with the connection event.
Monitor Rule 4 | uint32 | The ID of the fourth monitor rule associated with the connection event.
Monitor Rule 5 | uint32 | The ID of the fifth monitor rule associated with the connection event.
Monitor Rule 6 | uint32 | The ID of the sixth monitor rule associated with the connection event.
Monitor Rule 7 | uint32 | The ID of the seventh monitor rule associated with the connection event.
Monitor Rule 8 | uint32 | The ID of the eighth monitor rule associated with the connection event.
Security Intelligence Source/Destination | uint8 | Whether the source or destination IP address matched the IP blacklist.
Security Intelligence Layer | uint8 | The IP layer that matched the IP blacklist.
File Event Count | uint16 | Value used to distinguish between file events that happen during the same second.
Intrusion Event Count | uint16 | Value used to distinguish between intrusion events that happen during the same second.
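As an added worked example (not code from this guide or from Cisco), the following Python builds the Request Flags word described in the 5.3 section above (bit 30 for extended requests, bit 23 for the extended event header) and parses the trailing fields listed in Table B-23 from a byte string constructed here for illustration. It assumes that eStreamer data blocks are packed contiguously in network byte order and that a monitor rule slot holding 0 means no rule; the page states neither, and all function and field names are this example's own.

```python
import struct
from typing import Dict, List

# Request Flags bit positions named on this page (bit 0 is the least significant bit).
EXTENDED_EVENT_HEADER_BIT = 23   # include an extended event header in each record
EXTENDED_REQUESTS_BIT = 30       # enable extended requests (event version / event code)

# Values named on this page for connection event records.
CONNECTION_EVENT_VERSION = 10
CONNECTION_EVENT_CODE = 71
CONNECTION_STATS_BLOCK_TYPE_53 = 152   # series 1 block type of the 5.3 connection statistics block


def request_flags(*bits: int) -> int:
    """Build the 32-bit Request Flags word from the bit positions to set."""
    flags = 0
    for bit in bits:
        if not 0 <= bit < 32:
            raise ValueError(f"Request Flags bit out of range: {bit}")
        flags |= 1 << bit
    return flags


def flag_is_set(flags: int, bit: int) -> bool:
    """True if the given bit position is set in a Request Flags word."""
    return (flags >> bit) & 1 == 1


# Trailing fields of Table B-23, in table order: eight uint32 monitor rule IDs,
# two uint8 Security Intelligence fields, then two uint16 per-second counters.
# Assumption (not stated on this page): contiguous packing, network byte order ("!").
TAIL_FORMAT = "!8I B B H H"
TAIL_SIZE = struct.calcsize(TAIL_FORMAT)   # 8*4 + 1 + 1 + 2 + 2 = 38 bytes


def parse_tail(data: bytes) -> Dict[str, object]:
    """Decode the Table B-23 trailing fields from the start of `data`."""
    if len(data) < TAIL_SIZE:
        raise ValueError(f"need {TAIL_SIZE} bytes for the trailing fields, got {len(data)}")
    fields = struct.unpack(TAIL_FORMAT, data[:TAIL_SIZE])
    return {
        "monitor_rules": list(fields[0:8]),
        "si_source_destination": fields[8],   # uint8: which side matched the IP blacklist
        "si_layer": fields[9],                # uint8: IP layer that matched the blacklist
        "file_event_count": fields[10],       # uint16: disambiguates file events in one second
        "intrusion_event_count": fields[11],  # uint16: disambiguates intrusion events in one second
    }


def active_monitor_rules(parsed: Dict[str, object]) -> List[int]:
    """Monitor rule IDs actually populated. Assumption: an unused slot holds 0."""
    return [rule_id for rule_id in parsed["monitor_rules"] if rule_id != 0]


def build_tail(monitor_rules: List[int], si_src_dst: int, si_layer: int,
               file_count: int, intrusion_count: int) -> bytes:
    """Inverse of parse_tail; pads the monitor rule list to eight slots with 0."""
    if len(monitor_rules) > 8:
        raise ValueError("at most eight monitor rule slots")
    rules = list(monitor_rules) + [0] * (8 - len(monitor_rules))
    return struct.pack(TAIL_FORMAT, *rules, si_src_dst, si_layer, file_count, intrusion_count)


def build_sample_tail() -> bytes:
    """Constructed sample bytes for this example; not a captured eStreamer record."""
    return build_tail([1001, 1002], si_src_dst=1, si_layer=3, file_count=2, intrusion_count=5)


if __name__ == "__main__":
    flags = request_flags(EXTENDED_REQUESTS_BIT, EXTENDED_EVENT_HEADER_BIT)
    print(f"Request Flags: 0x{flags:08x}")
    parsed = parse_tail(build_sample_tail())
    print(parsed)
    print("active monitor rules:", active_monitor_rules(parsed))
```

The length check in parse_tail matters in practice: a truncated block should be rejected rather than silently decoded, since struct.unpack on a short buffer raises struct.error with a far less useful message, and a consumer that resynchronises on block lengths can otherwise misalign every following record.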