Cisco Cisco Firepower Management Center 4000 Entwickleranleitung

Cisco

Version 5.3

Sourcefire 3D System eStreamer Integration Guide

137

Understanding Intrusion and Correlation Data Structures

Understanding Series 2 Data Blocks

Chapter 3

Disposition

uint8

The malware status of the file. Possible

values include:
•

1

— CLEAN — The file is clean and does

not contain malware.

•

2

— UNKNOWN — It is unknown

whether the file contains malware.

•

3

— MALWARE — The file contains

malware.

•

4

— UNAVAILABLE — The software was

unable to send a request to the

Sourcefire cloud for a disposition, or the

Sourcefire cloud services did not respond

to the request.

•

5

— CUSTOM SIGNATURE — The file

matches a user-defined hash, and is

treated in a fashion designated by the

user.

SPERO

Disposition

uint8

Indicates whether the SPERO signature

was used in file analysis. If the value is

1

,

2

,

or

3

, SPERO analysis was used. If there is

any other value SPERO analysis was not

used.

File Storage

Status

uint8

The storage status of the file. Possible

values are:

•

1

— File Stored

•

2

— File Stored

•

3

— Unable to Store File

•

4

— Unable to Store File

•

5

— Unable to Store File

•

6

— Unable to Store File

•

7

— Unable to Store File

•

8

— File Size is Too Large

•

9

— File Size is Too Small

•

10

— Unable to Store File

•

11

— File Not Stored, Disposition

Unavailable

File Event Data Block Fields (Continued)

F

IELD

D

ATA

T

YPE

D

ESCRIPTION