Cisco Firepower Management Center 2000 Developer Guide
FireSIGHT eStreamer Integration Guide
Chapter 3 Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
The following table describes the fields in the Access Control Policy Name data block.
Access Control Rule ID Record Metadata
The eStreamer service transmits metadata containing information about the access control rule that
triggered an intrusion event or connection event within an Access Control Rule ID record, the format of
which is shown below. Access control rule metadata is sent when the Version 4 metadata flag—bit 20 in
the Request Flags field of a request message—is set. See
.) Note that the Record Type field, which appears after the Message Length field, has a value of 119, indicating an Access Control Rule ID record. It contains a Rule ID data block, block type 15 in the series 2 set of data blocks.
Access Control Policy Name data block layout (rows are 32 bits wide: bytes 0-3, bits 0-31):
  Access Control Policy Name Data Block (14)
  Access Control Policy Name Data Block Length
  Access Control Policy UUID
  String Block Type (0)
  String Block Length
  Access Control Policy Name...
Table 3-15 Access Control Policy Name Data Block Fields

| Field | Data Type | Description |
|---|---|---|
| Access Control Policy Name Data Block Type | uint32 | Initiates an Access Control Policy Name data block. This value is always 14. The block type is a series 2 block. |
| Access Control Policy Name Data Block Length | uint32 | Length of the data block. Includes the number of bytes of data plus the 8 bytes in the two data block header fields. |
| Access Control Policy UUID | uint8[16] | An ID number that acts as a unique identifier for the access control policy associated with the intrusion event or connection event. |
| String Block Type | uint32 | Initiates a String data block containing the name of the access control policy. This value is always 0. |
| String Block Length | uint32 | The number of bytes included in the access control policy name String data block, including eight bytes for the block type and header fields plus the number of bytes in the access control policy name. |
| Access Control Policy Name | string | The access control policy name. |
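The field layout in Table 3-15 can be parsed with both length fields checked against the received buffer before any slice is taken. The following is an added example, not code from the guide or from Cisco; it assumes network byte order for the uint32 fields and a UTF-8, possibly NUL-terminated name, and the function names and sample values are constructed for illustration.

```python
import struct
import uuid

BLOCK_TYPE = 14    # Access Control Policy Name data block (series 2)
STRING_TYPE = 0    # String data block
HEADER_LEN = 8     # block type + block length, two uint32 fields
UUID_LEN = 16
FIXED_LEN = HEADER_LEN + UUID_LEN + HEADER_LEN  # everything before the name


class BlockError(ValueError):
    """Malformed or truncated data block."""


def parse_policy_name_block(buf: bytes) -> dict:
    """Parse one Access Control Policy Name data block at the start of buf."""
    if len(buf) < FIXED_LEN:
        raise BlockError("buffer shorter than the fixed fields")
    # Assumption: uint32 fields are in network byte order (big-endian).
    block_type, block_len = struct.unpack_from(">II", buf, 0)
    if block_type != BLOCK_TYPE:
        raise BlockError(f"unexpected block type {block_type}")
    # The outer length counts its own 8-byte header; never trust it past the buffer.
    if not FIXED_LEN <= block_len <= len(buf):
        raise BlockError(f"block length {block_len} out of range")
    policy_uuid = uuid.UUID(bytes=buf[HEADER_LEN:HEADER_LEN + UUID_LEN])
    str_off = HEADER_LEN + UUID_LEN
    str_type, str_len = struct.unpack_from(">II", buf, str_off)
    if str_type != STRING_TYPE:
        raise BlockError(f"unexpected string block type {str_type}")
    # The string length also counts its 8-byte header and must fit in the outer block.
    if str_len < HEADER_LEN or str_off + str_len > block_len:
        raise BlockError(f"string block length {str_len} out of range")
    raw = buf[str_off + HEADER_LEN:str_off + str_len]
    # Assumption: the name is UTF-8 and may carry a trailing NUL.
    name = raw.rstrip(b"\x00").decode("utf-8", errors="replace")
    return {"uuid": policy_uuid, "name": name, "consumed": block_len}


def build_sample(name: bytes, policy_uuid: uuid.UUID) -> bytes:
    """Build a constructed sample block for testing (not captured traffic)."""
    string_block = struct.pack(">II", STRING_TYPE, HEADER_LEN + len(name)) + name
    body = policy_uuid.bytes + string_block
    return struct.pack(">II", BLOCK_TYPE, HEADER_LEN + len(body)) + body


SAMPLE_UUID = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")  # constructed
SAMPLE = build_sample(b"Default Access Control", SAMPLE_UUID)
```

The `consumed` value lets a caller advance to the next block in a longer message without re-deriving lengths.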