Cisco Firepower Management Center 4000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Chapter 3
Note that the record structure includes a String block type, which is a block in series 1. For information about series 1 blocks, see
Correlation Event 5.1+ Data Fields

| Field | Data Type | Description |
|---|---|---|
| Correlation Block Type | uint32 | Indicates a correlation event data block follows. This field always has a value of 128. See |
| Correlation Block Length | uint32 | Length of the correlation data block, which includes 8 bytes for the correlation block type and length plus the correlation data that follows. |
| Device ID | uint32 | Internal identification number of the managed device or Defense Center that generated the correlation event. A value of zero indicates the Defense Center. You can obtain managed device names by requesting Version 3 metadata. See for more information. |
| (Correlation) Event Second | uint32 | UNIX timestamp indicating the time that the correlation event was generated (in seconds from 01/01/1970). |
| Event ID | uint32 | Correlation event identification number. |
| Policy ID | uint32 | Identification number of the correlation policy that was violated. See page 182 for information about how to obtain policy identification numbers from the database. |
| Rule ID | uint32 | Identification number of the correlation rule that triggered to violate the policy. See on page 182 for information about how to obtain policy identification numbers from the database. |
| Priority | uint32 | Priority assigned to the event. This is an integer value from 0 to 5. |
| String Block Type | uint32 | Initiates a string data block that contains the correlation violation event description. This value is always set to 0. For more information about string blocks, see |
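The following parser is an added example, not code from the guide or from Cisco; it decodes the fixed-width fields listed in the table above and validates the self-inclusive block length before reading any field, so a malformed length from the stream cannot drive a read past the buffer. It assumes network byte order for the uint32 fields and a series 1 String block laid out as type, length (including its own 8-byte header), then the string bytes; the sample record is constructed here.

```python
import struct
from dataclasses import dataclass

CORRELATION_BLOCK_TYPE = 128  # from the field table: always 128
STRING_BLOCK_TYPE = 0         # series 1 String block type: always 0
HEADER_LEN = 8                # block type + block length, both uint32
FIXED_LEN = 6 * 4             # Device ID .. Priority, six uint32 fields
MIN_BLOCK_LEN = HEADER_LEN + FIXED_LEN + HEADER_LEN  # up to empty String block

@dataclass
class CorrelationEvent:
    device_id: int
    event_second: int
    event_id: int
    policy_id: int
    rule_id: int
    priority: int
    description: str

def parse_correlation_block(buf: bytes) -> CorrelationEvent:
    """Parse one Correlation Event 5.1+ data block (big-endian assumed)."""
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated block header")
    block_type, block_len = struct.unpack_from("!II", buf, 0)
    if block_type != CORRELATION_BLOCK_TYPE:
        raise ValueError(f"expected block type 128, got {block_type}")
    # Length is self-inclusive: bound it against the buffer before any read.
    if block_len < MIN_BLOCK_LEN or block_len > len(buf):
        raise ValueError(f"block length {block_len} inconsistent with {len(buf)} bytes")
    fields = struct.unpack_from("!6I", buf, HEADER_LEN)
    device_id, event_second, event_id, policy_id, rule_id, priority = fields
    if not 0 <= priority <= 5:
        raise ValueError(f"priority {priority} outside 0..5")
    off = HEADER_LEN + FIXED_LEN
    str_type, str_len = struct.unpack_from("!II", buf, off)
    if str_type != STRING_BLOCK_TYPE or str_len < HEADER_LEN or off + str_len > block_len:
        raise ValueError("malformed String block")
    desc = buf[off + HEADER_LEN:off + str_len].decode("utf-8", errors="replace")
    return CorrelationEvent(device_id, event_second, event_id, policy_id, rule_id, priority, desc)

def build_correlation_block(ev: CorrelationEvent) -> bytes:
    """Encode the same layout; used here only to construct sample input."""
    text = ev.description.encode("utf-8")
    body = struct.pack("!6I", ev.device_id, ev.event_second, ev.event_id,
                       ev.policy_id, ev.rule_id, ev.priority)
    body += struct.pack("!II", STRING_BLOCK_TYPE, HEADER_LEN + len(text)) + text
    return struct.pack("!II", CORRELATION_BLOCK_TYPE, HEADER_LEN + len(body)) + body

# Constructed sample: event from the Defense Center (device 0), priority 4.
SAMPLE = build_correlation_block(CorrelationEvent(0, 1400000000, 42, 7, 3, 4, "constructed sample"))
```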