Cisco Firepower Management Center 4000 Developer Guide
3-14
FireSIGHT eStreamer Integration Guide
Chapter 3 Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Field: Impact
Data Type: bits[8]
Description: Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:
• 0x01 (bit 0) - Source or destination host is in a network monitored by the system.
• 0x02 (bit 1) - Source or destination host exists in the network map.
• 0x04 (bit 2) - Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
• 0x08 (bit 3) - There is a vulnerability mapped to the operating system of the source or destination host in the event.
• 0x10 (bit 4) - There is a vulnerability mapped to the server detected in the event.
• 0x20 (bit 5) - The event caused the managed device to drop the session (used only when the device is running in an inline, switched, or routed deployment). Corresponds to blocked status in the FireSIGHT System web interface.
• 0x40 (bit 6) - The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
• 0x80 (bit 7) - There is a vulnerability mapped to the client detected in the event. (version 5.0+ only)
The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1. The patterns are written with bit 7 (0x80) on the left and bit 0 (0x01) on the right, so bit 5 (session dropped) is the X in the third position and never changes the priority:
• gray (0, unknown): 00X00000
• red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX (version 5.0+ only)
• orange (2, potentially vulnerable): 00X0011X
• yellow (3, currently not vulnerable): 00X0001X
• blue (4, unknown target): 00X00001
Field: Source IP Address
Data Type: uint8[16]
Description: IP address of the host associated with the impact event. This can contain either an IPv4 or IPv6 address. See
for more information.
Field: Destination IP Address
Data Type: uint8[16]
Description: IP address of the destination host associated with the impact event (if applicable). This can contain either an IPv4 or IPv6 address. See
for more information. This value is 0 if there is no destination IP address.
Field: String Block Type
Data Type: uint32
Description: Initiates a string data block that contains the impact name. This value is always set to 0. For more information about string blocks, see
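A decoder for the four fields described above, added here as a worked example; it is not code from the guide or from Cisco. It expands the Impact byte into its named bit conditions, maps it to the (level, color) priority using the pattern list, decodes the two uint8[16] address fields (treating all zeros as "no address"), and checks that String Block Type is 0. Assumptions not stated on this page: the four fields are consecutive and in network byte order (big-endian), starting at the Impact byte, and the record fields that precede Impact are not parsed because they are not shown here; an IPv4 address in a 16-byte field is assumed to be stored as an IPv4-mapped IPv6 address (::ffff:a.b.c.d); the sample bytes are constructed, not captured traffic. One caveat the example makes explicit: the pattern list does not cover every bit combination (for instance bit 2 set without bit 1, 00X0010X), so the priority function returns None for those instead of guessing a level.

```python
import ipaddress
import struct
from typing import Optional, Tuple

# Bit masks for the Impact bits[8] field, as documented in the guide.
IMPACT_BITS = (
    (0x01, "host_in_monitored_network"),   # bit 0
    (0x02, "host_in_network_map"),         # bit 1
    (0x04, "server_on_port_or_protocol"),  # bit 2
    (0x08, "os_vulnerability"),            # bit 3
    (0x10, "server_vulnerability"),        # bit 4
    (0x20, "session_dropped"),             # bit 5 (inline/switched/routed only)
    (0x40, "rule_metadata_red"),           # bit 6
    (0x80, "client_vulnerability"),        # bit 7 (version 5.0+)
)

# Priority patterns from the guide, written bit 7 first; X matches 0 or 1.
# The patterns are mutually exclusive, so order does not change the result.
PRIORITY_PATTERNS = (
    (1, "red",    ("XXXX1XXX", "XXX1XXXX", "X1XXXXXX", "1XXXXXXX")),
    (2, "orange", ("00X0011X",)),
    (3, "yellow", ("00X0001X",)),
    (4, "blue",   ("00X00001",)),
    (0, "gray",   ("00X00000",)),
)


def decode_impact_bits(flag: int) -> dict:
    """Expand the impact byte into named booleans."""
    if not 0 <= flag <= 0xFF:
        raise ValueError("impact flag is a single byte")
    return {name: bool(flag & mask) for mask, name in IMPACT_BITS}


def _matches(bits: str, pattern: str) -> bool:
    return all(p == "X" or p == b for p, b in zip(pattern, bits))


def impact_priority(flag: int) -> Optional[Tuple[int, str]]:
    """Return the (level, color) the guide assigns, or None when the
    bit combination is not covered by any listed pattern."""
    bits = format(flag, "08b")  # bit 7 on the left, same as the patterns
    for level, color, patterns in PRIORITY_PATTERNS:
        if any(_matches(bits, p) for p in patterns):
            return level, color
    return None


def decode_ip(raw: bytes):
    """Decode a uint8[16] address field; all zeros means no address."""
    if len(raw) != 16:
        raise ValueError("address field must be 16 bytes")
    if raw == bytes(16):
        return None
    addr = ipaddress.IPv6Address(raw)
    mapped = addr.ipv4_mapped  # assumption: IPv4 is carried as ::ffff:a.b.c.d
    return mapped if mapped is not None else addr


# Impact (1 byte), source IP (16), destination IP (16), string block type (uint32),
# assumed consecutive and big-endian as in the table above.
_TAIL = struct.Struct(">B16s16sI")


def parse_impact_fields(buf: bytes, offset: int = 0) -> dict:
    """Parse the Table 3-5 fields starting at `offset` in `buf`."""
    if len(buf) - offset < _TAIL.size:
        raise ValueError("record truncated")
    flag, src, dst, sbt = _TAIL.unpack_from(buf, offset)
    if sbt != 0:
        # The guide says this field is always 0; anything else means the
        # offset is wrong, so refuse rather than return misaligned data.
        raise ValueError(f"unexpected string block type {sbt}")
    return {
        "impact": flag,
        "flags": decode_impact_bits(flag),
        "priority": impact_priority(flag),
        "source_ip": decode_ip(src),
        "destination_ip": decode_ip(dst),
        "string_block_type": sbt,
    }


# Constructed sample, not captured data: 0x13 = server vulnerability on a host
# that is monitored and in the network map; IPv4 source; no destination.
SAMPLE_TAIL = (
    bytes([0x13])
    + ipaddress.IPv6Address("::ffff:10.1.2.3").packed
    + bytes(16)
    + (0).to_bytes(4, "big")
)

if __name__ == "__main__":
    for key, value in parse_impact_fields(SAMPLE_TAIL).items():
        print(f"{key}: {value}")
```

Because bit 5 is an X in every pattern, a dropped session never changes the color; a consumer that wants to distinguish "red and blocked" from "red and not blocked" has to read the session_dropped flag separately. Refusing a non-zero String Block Type is a cheap alignment check: when the preceding fields are mis-sized for the eStreamer version in use, this is usually the first field that stops looking right.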
Table 3-5
Impact Event Data Fields (continued)
Field
Data Type
Description