Cisco Firepower Management Center 4000 Developer Guide

Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Understanding Legacy Data Structures
Appendix B
Legacy Correlation Event Data Structures
The following topics describe other legacy correlation (compliance) data structures:
Correlation Event for 4.8.0.2 - 4.9.1.x
Correlation events contain information about policy violations and are transmitted when correlation policies are violated. The Defense Center uses the standard message header with a record type of 97, followed by a correlation data block with a type of 84. The source and destination user ID fields were added in the 4.7.0.2 - 4.8 version.

You can request that eStreamer transmit 4.8.0.2 - 4.9.1.x correlation events by setting bit 22 in the Flags field of a request message. If you enable bit 23, an extended event header is included in the record.

To request user record metadata along with the policy event data, you must request policy event data using bit 22 and request version 4 metadata (bit 20). For more information, see 
File Event SHA Hash 5.1.1-5.2.x Data Block Fields (Continued)

Field                      Data Type   Description
String Block Length        uint32      The number of bytes included in the name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Name field.
File Name or Disposition   string      The descriptive name or disposition of the file. If the file is clean, this value is Clean. If the file's disposition is unknown, the value is Neutral. If the file contains malware, the file name is given.
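The request flags described for the 4.8.0.2 - 4.9.1.x correlation events and the String data block layout in the table above, as an added example that is not code from the guide or from Cisco: it builds the Flags word from the bit numbers the text gives, encodes and parses a String block whose length field counts the eight header bytes, and interprets the File Name or Disposition value. Assumptions: bit 0 is the least-significant bit of the 32-bit Flags word, fields are in network byte order, and the String block type value (STRING_BLOCK_TYPE) is a placeholder, since this page does not give it.

```python
import struct

# Request-message Flags bits named in the text (assumption: bit 0 is the
# least-significant bit of the 32-bit Flags word).
FLAG_METADATA_V4 = 1 << 20          # request version 4 metadata (user records)
FLAG_CORRELATION_4_8_0_2 = 1 << 22  # correlation events, 4.8.0.2 - 4.9.1.x
FLAG_EXTENDED_HEADER = 1 << 23      # include the extended event header

CORRELATION_RECORD_TYPE = 97        # record type in the standard message header
CORRELATION_BLOCK_TYPE = 84         # data block type that follows that header

STRING_BLOCK_TYPE = 0               # placeholder: the guide assigns the real value


def build_request_flags(user_metadata=True, extended_header=False):
    """Flags word for a request that asks for legacy correlation events."""
    flags = FLAG_CORRELATION_4_8_0_2
    if user_metadata:
        flags |= FLAG_METADATA_V4    # user record metadata also needs bit 20
    if extended_header:
        flags |= FLAG_EXTENDED_HEADER
    return flags


def encode_string_block(text, block_type=STRING_BLOCK_TYPE):
    """uint32 block type, uint32 block length (8 header bytes + data), data.
    Network byte order is assumed."""
    data = text.encode("utf-8")
    return struct.pack(">II", block_type, 8 + len(data)) + data


def parse_string_block(buf, offset=0):
    """Return (block_type, text, next_offset). The length field is checked
    against the buffer so a bad value cannot read past the record."""
    if len(buf) - offset < 8:
        raise ValueError("truncated String block header")
    block_type, block_len = struct.unpack_from(">II", buf, offset)
    if block_len < 8 or offset + block_len > len(buf):
        raise ValueError("String block length %d exceeds buffer" % block_len)
    text = buf[offset + 8:offset + block_len].decode("utf-8", errors="replace")
    return block_type, text, offset + block_len


def classify_disposition(name):
    """Map the File Name or Disposition string to the meaning the guide gives."""
    if name == "Clean":
        return "clean"
    if name == "Neutral":
        return "unknown"
    return "malware"   # any other value is the name of a file containing malware
```

A constructed record of two consecutive String blocks can be walked by calling parse_string_block with the next_offset it returns, stopping on the first ValueError.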