Cisco Cisco Firepower Management Center 4000 Entwickleranleitung
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
165
Understanding Discovery & Connection Data Structures
Discovery and Connection Event Data Messages
Chapter 4
•
on page 165 provides a
high-level view of the structure that eStreamer uses for host discovery,
user, and connection messages.
•
on page 166 describes the
record types for discovery and connection events.
•
on page 172 describes the metadata
records that you can request for context information to convert numeric and
coded data to text; for example, convert the user ID in an event to a user
name.
•
on page 198 describes the structure of the
standard event header used in all discovery and connection messages, and
the values that can occur in the event type and event subtype fields. The
event type and subtype fields further define the structure of the data record
carried in the message.
•
on page 205 describes the
structure of the data record that eStreamer uses for the various host
discovery event types.
•
on page 222 describes the structure of
the data record that eStreamer uses for the various user event types.
•
on page 224 describes the
series of data block structures that are used to convey complex records in
discovery and connection event messages. Series 1 data blocks also appear
in correlation events.
•
on page 336 describes other series 1
block structures that are used to convey complex user event records.
TIP!
See
illustrate sample discovery events.
Discovery and Connection Event Data Messages
eStreamer packages the data for discovery and connection events in the same
message structure, which contains:
•
a record header that defines the record type
•
a discovery event header that identifies and characterizes the event, and
specifically identifies the event type and subtype. For information, see
•
a data record consisting of a block header and a data block. Discovery and
connection event data messages use series 1 data blocks. For information,
see
on page 225 or