Cisco Firepower Management Center 4000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Page 503
Appendix B: Understanding Legacy Data Structures
Legacy Malware Event Data Structures
Malware Event Data Block for 5.1.1.x Fields (Continued)

| Field | Data Type | Description |
|-------|-----------|-------------|
| Parent File SHA Hash | string | The SHA-256 hash value of the parent file that was accessing the detected or quarantined file when detection occurred. |
| String Block Type | uint32 | Initiates a String data block containing the event description. This value is always 0. |
| String Block Length | uint32 | The number of bytes in the Event Description String data block: the eight bytes of the block type and block length fields plus the number of bytes in the Event Description field. |
| Event Description | string | The additional event information associated with the event type. |
| Device ID | uint32 | ID of the device that generated the event. |
| Connection Instance | uint16 | Snort instance on the device that generated the event. Used to link the event with a connection or IDS event. |
| Connection Counter | uint16 | Value used to distinguish between connection events that happen during the same second. |
| Connection Event Timestamp | uint32 | Timestamp of the connection event. |
| Direction | uint8 | Indicates whether the file was uploaded or downloaded. Possible values: 1 = Download, 2 = Upload. Currently the value depends on the protocol (for example, if the connection is HTTP it is a download). |
| Source IP Address | uint8[16] | IPv4 or IPv6 address of the source of the connection. |
| Destination IP Address | uint8[16] | IPv4 or IPv6 address of the destination of the connection. |
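The following decoder is an added example, not code from the eStreamer guide or from Cisco. It parses the tail of the 5.1.1.x Malware Event Data Block shown in the table above, starting at the Event Description String data block and ending at the Destination IP Address, and shows the checks a consumer needs before trusting the block: the String Block Type must be 0, the String Block Length includes its own eight header bytes, and the length must not run past the end of the received record. It assumes network byte order (big-endian) for all integers, that the 16-byte address fields carry IPv4 addresses in IPv4-mapped IPv6 form, and that the string payload may be NUL-padded; the sample record, the device ID, timestamp and addresses are constructed for the example.

```python
"""Decode the tail of a 5.1.1.x Malware Event Data Block (added example)."""
import ipaddress
import struct
from dataclasses import dataclass

# Values taken from the field table: the String data block type is always 0
# and the block length counts the 4-byte type and 4-byte length fields.
STRING_BLOCK_TYPE = 0
STRING_BLOCK_HEADER_LEN = 8
DIRECTION = {1: "Download", 2: "Upload"}

# Device ID .. Destination IP, in table order. Big-endian is an assumption
# of this example (eStreamer integers are documented as network byte order).
TAIL_FMT = ">IHHIB16s16s"
TAIL_LEN = struct.calcsize(TAIL_FMT)  # 4 + 2 + 2 + 4 + 1 + 16 + 16 = 45


@dataclass
class MalwareEventTail:
    event_description: str
    device_id: int
    connection_instance: int
    connection_counter: int
    connection_event_timestamp: int
    direction: int
    direction_name: str
    source_ip: str
    destination_ip: str


def read_string_block(buf: bytes, offset: int) -> tuple[str, int]:
    """Parse one String data block at offset; return (text, next offset).

    Every length is checked against the buffer so a truncated or corrupted
    record raises ValueError instead of reading past the end or looping.
    """
    if len(buf) - offset < STRING_BLOCK_HEADER_LEN:
        raise ValueError("record truncated inside string block header")
    block_type, block_len = struct.unpack_from(">II", buf, offset)
    if block_type != STRING_BLOCK_TYPE:
        raise ValueError(f"unexpected string block type {block_type}")
    if block_len < STRING_BLOCK_HEADER_LEN:
        raise ValueError(f"string block length {block_len} smaller than header")
    end = offset + block_len
    if end > len(buf):
        raise ValueError("string block length exceeds record length")
    payload = buf[offset + STRING_BLOCK_HEADER_LEN:end]
    # NUL padding is stripped as an assumption; decode errors are replaced
    # rather than raised so one bad byte does not drop the whole event.
    return payload.rstrip(b"\x00").decode("utf-8", errors="replace"), end


def decode_ip(raw: bytes) -> str:
    """Render a uint8[16] address; IPv4-mapped addresses print as dotted quads."""
    addr = ipaddress.IPv6Address(raw)
    mapped = addr.ipv4_mapped
    return str(mapped) if mapped is not None else str(addr)


def parse_malware_event_tail(buf: bytes, offset: int = 0) -> tuple[MalwareEventTail, int]:
    """Decode Event Description .. Destination IP; return (record, next offset)."""
    description, offset = read_string_block(buf, offset)
    if len(buf) - offset < TAIL_LEN:
        raise ValueError("record truncated after event description")
    (device_id, instance, counter, timestamp,
     direction, src, dst) = struct.unpack_from(TAIL_FMT, buf, offset)
    return MalwareEventTail(
        event_description=description,
        device_id=device_id,
        connection_instance=instance,
        connection_counter=counter,
        connection_event_timestamp=timestamp,
        direction=direction,
        direction_name=DIRECTION.get(direction, f"Unknown({direction})"),
        source_ip=decode_ip(src),
        destination_ip=decode_ip(dst),
    ), offset + TAIL_LEN


def parses_cleanly(buf: bytes) -> bool:
    """True if the buffer decodes without a bounds or type error."""
    try:
        parse_malware_event_tail(buf)
        return True
    except ValueError:
        return False


def build_sample_tail() -> bytes:
    """Constructed sample record (not captured traffic)."""
    desc = b"Threat detected in network file transfer"
    block = struct.pack(">II", STRING_BLOCK_TYPE, STRING_BLOCK_HEADER_LEN + len(desc)) + desc
    return block + struct.pack(
        TAIL_FMT, 1001, 3, 7, 1400000000, 1,
        ipaddress.IPv6Address("::ffff:192.0.2.10").packed,
        ipaddress.IPv6Address("::ffff:198.51.100.5").packed)


def build_oversized_length_sample() -> bytes:
    """Constructed record whose String Block Length overruns the buffer."""
    return struct.pack(">II", STRING_BLOCK_TYPE, 9999) + b"short"


if __name__ == "__main__":
    record, consumed = parse_malware_event_tail(build_sample_tail())
    print(record, "consumed", consumed, "bytes")
    print("oversized length rejected:", not parses_cleanly(build_oversized_length_sample()))
```

The offset returned by parse_malware_event_tail lets the caller continue with whatever follows the block in the surrounding eStreamer message; the oversized-length sample shows why the String Block Length must be bounded by the record length rather than trusted as sent.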