Cisco Firepower Management Center 4000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
77
Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Chapter 3
Intrusion Impact Alert Data
The Intrusion Impact Alert event contains information about impact events. It is
transmitted when an intrusion event is compared to the system network map
data and the impact is determined. It uses the standard record header with a
record type of 9, followed by an Intrusion Impact Alert data block with a series 1
data block type of 20 in the series 1 group of blocks. (The Impact Alert data block
is a type of series 1 data block. For more information about series 1 data blocks,
Intrusion Event Record 5.3+ Fields (Continued)

| Field | Data Type | Description |
|---|---|---|
| Ingress Security Zone UUID | uint8[16] | A zone ID number that acts as a unique identifier for the ingress security zone. |
| Egress Security Zone UUID | uint8[16] | A zone ID number that acts as a unique identifier for the egress security zone. |
| Connection Timestamp | uint32 | UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event. |
| Connection Instance ID | uint16 | Numerical ID of the Snort instance on the managed device that generated the connection event. |
| Connection Counter | uint16 | Value used to distinguish between connection events that happen during the same second. |
| Source Country | uint16 | Code for the country of the source host. |
| Destination Country | uint16 | Code for the country of the destination host. |
| IOC Number | uint16 | ID number of the compromise associated with this event. |
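As an added example (not code from this guide or from Cisco/Sourcefire), the following Python decodes the trailing 5.3+ fields listed in the table above, in the order and widths shown, and checks a series 1 block header for the Impact Alert block type 20 named in the Intrusion Impact Alert section. It assumes network (big-endian) byte order, that the fields are packed contiguously, and that a series 1 block header is a uint32 block type followed by a uint32 block length; the sample bytes are constructed, and all function and constant names are the example's own.

```python
import struct
import uuid
from typing import NamedTuple

# Trailing 5.3+ fields from the table, assumed packed back to back in network
# (big-endian) byte order: two 16-byte zone UUIDs, one uint32, five uint16 (46 bytes).
TAIL_FORMAT = ">16s16sIHHHHH"
TAIL_SIZE = struct.calcsize(TAIL_FORMAT)  # 46
IMPACT_ALERT_BLOCK_TYPE = 20  # series 1 data block type given on the page


class IntrusionEventTail(NamedTuple):
    ingress_zone: uuid.UUID
    egress_zone: uuid.UUID
    connection_timestamp: int
    connection_instance_id: int
    connection_counter: int
    source_country: int
    destination_country: int
    ioc_number: int


def parse_intrusion_event_tail(buf: bytes, offset: int = 0) -> IntrusionEventTail:
    """Decode the tail fields at `offset`; reject a truncated record instead of misreading it."""
    if len(buf) - offset < TAIL_SIZE:
        raise ValueError(f"record truncated: need {TAIL_SIZE} bytes, have {len(buf) - offset}")
    fields = struct.unpack_from(TAIL_FORMAT, buf, offset)
    return IntrusionEventTail(uuid.UUID(bytes=fields[0]), uuid.UUID(bytes=fields[1]), *fields[2:])


def is_impact_alert_block(buf: bytes, offset: int = 0) -> bool:
    """True if a series 1 block header at `offset` (assumed: uint32 type, uint32 length)
    announces an Impact Alert block whose declared length fits in the remaining buffer."""
    if len(buf) - offset < 8:
        return False
    block_type, block_length = struct.unpack_from(">II", buf, offset)
    return block_type == IMPACT_ALERT_BLOCK_TYPE and block_length <= len(buf) - offset


# Constructed sample bytes (not captured eStreamer traffic).
SAMPLE_TAIL = struct.pack(
    TAIL_FORMAT,
    uuid.UUID("11111111-2222-3333-4444-555555555555").bytes,  # ingress zone
    uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee").bytes,  # egress zone
    1400000000, 3, 17,  # connection timestamp, instance ID, counter
    840, 276, 5,        # source country, destination country, IOC number
)

if __name__ == "__main__":
    print(parse_intrusion_event_tail(SAMPLE_TAIL))
```

The length check before `unpack_from` is the part worth keeping in any collector: a record cut short by a dropped connection must be rejected rather than decoded as garbage.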