Cisco Firepower Management Center 4000 Developer Guide

Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Chapter 3: Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Intrusion Event Record 5.3+ Fields (Continued)

FIELD                        DATA TYPE   DESCRIPTION
Ingress Security Zone UUID   uint8[16]   16-byte UUID that uniquely identifies the ingress security zone.
Egress Security Zone UUID    uint8[16]   16-byte UUID that uniquely identifies the egress security zone.
Connection Timestamp         uint32      UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.
Connection Instance ID       uint16      Numerical ID of the Snort instance on the managed device that generated the connection event.
Connection Counter           uint16      Value used to distinguish between connection events that happen during the same second.
Source Country               uint16      Code for the country of the source host.
Destination Country          uint16      Code for the country of the destination host.
IOC Number                   uint16      ID number of the indication of compromise (IOC) associated with this event.

Intrusion Impact Alert Data

The Intrusion Impact Alert event contains information about impact events. It is transmitted when an intrusion event is compared to the system network map data and the impact is determined. It uses the standard record header with a record type of 9, followed by an Intrusion Impact Alert data block with a series 1 data block type of 20 in the series 1 group of blocks. (The Impact Alert data block is a type of series 1 data block. For more information about series 1 data blocks,
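As an added illustration (not code from the eStreamer guide or from Cisco/Sourcefire), the following Python decodes the eight intrusion-event fields tabulated above from a raw record buffer and derives the (timestamp, instance ID, counter) triple that ties the intrusion event to its connection event. It assumes network (big-endian) byte order for multi-byte integers, and that the caller knows the offset at which this field group begins, since the earlier fields of the Intrusion Event Record 5.3+ are not on this page. The sample bytes, field names and helper functions (`parse_intrusion_event_tail`, `connection_event_key`, `build_sample_tail`) are constructed here for illustration and are not part of the guide.

```python
import struct
import uuid

# Assumption: eStreamer sends multi-byte integers in network (big-endian) order.
_ENDIAN = ">"

# The fields exactly as listed in the 5.3+ table, in wire order.
# Each entry is (field name, struct format); uint8[16] is a raw 16-byte UUID.
TAIL_FIELDS = [
    ("ingress_security_zone_uuid", "16s"),
    ("egress_security_zone_uuid", "16s"),
    ("connection_timestamp", "I"),      # uint32, seconds since 1970-01-01
    ("connection_instance_id", "H"),    # uint16, Snort instance on the device
    ("connection_counter", "H"),        # uint16, disambiguates same-second events
    ("source_country", "H"),            # uint16 country code
    ("destination_country", "H"),       # uint16 country code
    ("ioc_number", "H"),                # uint16 indication-of-compromise ID
]
TAIL_FORMAT = _ENDIAN + "".join(fmt for _, fmt in TAIL_FIELDS)
TAIL_SIZE = struct.calcsize(TAIL_FORMAT)  # 16 + 16 + 4 + 2 * 5 = 46 bytes


def parse_intrusion_event_tail(buf: bytes, offset: int = 0) -> dict:
    """Decode the tabulated fields starting at `offset` in `buf`.

    The fields preceding this group in the Intrusion Event Record are not on
    this page, so the caller supplies the offset where the group begins.
    A short or truncated buffer raises ValueError rather than being read
    past its end, which is the check a consumer of untrusted records wants.
    """
    if offset < 0 or offset + TAIL_SIZE > len(buf):
        raise ValueError(
            f"need {TAIL_SIZE} bytes at offset {offset}, have {max(len(buf) - offset, 0)}"
        )
    values = struct.unpack_from(TAIL_FORMAT, buf, offset)
    rec = dict(zip((name for name, _ in TAIL_FIELDS), values))
    # Render the two uint8[16] zone identifiers as canonical UUID strings.
    for key in ("ingress_security_zone_uuid", "egress_security_zone_uuid"):
        rec[key] = str(uuid.UUID(bytes=rec[key]))
    return rec


def connection_event_key(rec: dict) -> tuple:
    """(timestamp, instance id, counter): the triple that identifies the
    connection event this intrusion event belongs to. The counter is what
    separates connection events logged within the same second."""
    return (
        rec["connection_timestamp"],
        rec["connection_instance_id"],
        rec["connection_counter"],
    )


def build_sample_tail() -> bytes:
    """Constructed sample bytes (not captured traffic) with arbitrary values."""
    ingress = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes
    egress = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee").bytes
    return struct.pack(TAIL_FORMAT, ingress, egress, 1400000000, 3, 7, 840, 276, 5)


if __name__ == "__main__":
    sample = build_sample_tail()
    parsed = parse_intrusion_event_tail(sample)
    for name, value in parsed.items():
        print(f"{name:28} {value}")
    print("connection event key:", connection_event_key(parsed))
```

`TAIL_FIELDS` is the table transcribed into a single `struct` format string, so the field widths are checked once (`TAIL_SIZE`) rather than re-derived by hand at each read; the same pattern extends to the fields of the full record once their types are known.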