Cisco Firepower Management Center 4000 Developer Guide
Sourcefire 3D System eStreamer Integration Guide, Version 5.3
Chapter 3: Understanding Intrusion and Correlation Data Structures, page 121
Understanding Series 2 Data Blocks

Series 2 Primitive Data Blocks
Both series 2 and series 1 blocks include a set of primitives that are used to encapsulate lists of variable-length blocks as well as variable-length strings and BLOBs within messages. These primitive blocks have the standard eStreamer block header discussed above in on page 46, but they appear only within other data blocks. Any number can be included in a given block type. For details on the structure of these blocks, see the following:
String Data Block

The eStreamer service uses the String data block to send string data in messages. These blocks commonly appear within other data blocks to identify, for example, operating system or server names.

Empty String data blocks (containing no data, only the header fields) have a block length of 8. eStreamer uses an empty String data block when it has no content for a string value, as might happen, for example, in the OS vendor string field in an Operating System data block when the vendor of the operating system is unknown.

The String data block has a block type of 0 in the series 2 group of blocks.

IMPORTANT! Strings returned in this data block are not always null-terminated (that is, the string characters are not always followed by a 0).
The following diagram shows the format of the String data block:

Byte | 0           | 1           | 2           | 3
Bit  | 0 - 7       | 8 - 15      | 16 - 23     | 24 - 31
     | Data Block Type (0)
     | Data Block Length
     | String Data...
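The points above that matter to a consumer of this block are that the string's extent comes from the Data Block Length field rather than from a terminator, that an empty string is a header-only block of length 8, and that a trailing 0 may or may not be present. The following parser is an added example written for this page, not code from the eStreamer guide or from Cisco; it assumes both header fields are 32-bit big-endian (network byte order) integers and that the block length counts the 8-byte header, which is consistent with the empty block having length 8. The sample bytes are constructed with the included builder.

```python
import struct

STRING_BLOCK_TYPE = 0  # series 2 block type of the String data block (from the page)
HEADER_LEN = 8         # 4-byte type + 4-byte length; an empty String block is exactly 8 bytes


class BlockParseError(ValueError):
    """Raised when a block header or its declared length is inconsistent with the buffer."""


def build_string_block(text: str, null_terminate: bool = False) -> bytes:
    """Encode one String data block (used here only to construct sample input).

    Byte order is assumed to be big-endian; the length field counts the header.
    """
    payload = text.encode("utf-8") + (b"\x00" if null_terminate else b"")
    return struct.pack(">II", STRING_BLOCK_TYPE, HEADER_LEN + len(payload)) + payload


def parse_string_block(buf: bytes, offset: int = 0):
    """Parse one String data block starting at buf[offset].

    Returns (string_value, offset_of_next_block). The string's extent is taken from
    the Data Block Length field; a trailing 0 is stripped only if present, because the
    page states that strings in this block are not always null-terminated.
    """
    if len(buf) - offset < HEADER_LEN:
        raise BlockParseError("truncated block header")
    block_type, block_len = struct.unpack_from(">II", buf, offset)
    if block_type != STRING_BLOCK_TYPE:
        raise BlockParseError(f"expected String block (type 0), got type {block_type}")
    if block_len < HEADER_LEN:
        raise BlockParseError(f"declared length {block_len} is smaller than the header")
    end = offset + block_len
    if end > len(buf):
        # Never trust the declared length over the bytes actually received.
        raise BlockParseError(f"declared length {block_len} runs past end of buffer")
    data = buf[offset + HEADER_LEN:end].rstrip(b"\x00")
    return data.decode("utf-8", errors="replace"), end


def parse_string_blocks(buf: bytes):
    """Parse a run of back-to-back String data blocks until the buffer is exhausted."""
    values, offset = [], 0
    while offset < len(buf):
        value, offset = parse_string_block(buf, offset)
        values.append(value)
    return values


# Constructed sample: a plain string, an empty (header-only) block, and a
# null-terminated string, concatenated as they might appear inside a larger block.
SAMPLE = (
    build_string_block("Linux")
    + build_string_block("")
    + build_string_block("Windows", null_terminate=True)
)

if __name__ == "__main__":
    print(parse_string_blocks(SAMPLE))  # ['Linux', '', 'Windows']
```

The length checks are the part worth copying: a block whose declared length exceeds the bytes on hand is rejected rather than read past the buffer, and a block shorter than its own header is rejected before the length is used for arithmetic.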