Cisco Firepower Management Center 2000 Developer Guide
Sourcefire 3D System eStreamer Integration Guide, Version 5.3, page 437
Appendix A: Data Structure Examples
Intrusion Event Data Structure Examples
In the preceding example, the following event information appears:
A. The first two bytes of this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (message type four).
B. This line indicates that the message that follows is 129 bytes.
C. This line indicates a record type value of 66, which represents a rule message record.
D. This line indicates that the rule message record that follows is 121 bytes long.
E. This line indicates that the generator identification number is 1, the rules engine.
F. This line indicates that the rule identification number is 28069.
G. This line indicates that the rule revision number is 1.
H. This line indicates that the rule identification number rendered to the Sourcefire 3D System is 28069.
I. The first two bytes of this line indicate that there are 71 bytes included in the rule text name. The second two bytes begin the unique identifier number for the rule.
J. The first two bytes of this line finish the unique identifier number of the rule. The next two bytes begin the unique identifier number for the revision of the rule.
K. The first two bytes of this line finish the unique identifier number for the revision of the rule. The second two bytes begin the text of the rule message itself. The full text of the transmitted rule message is: “APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn”.
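The layout described in items A through K, rebuilt and parsed in Python as an added example (not code from the eStreamer guide). The field values come from the page; the two 16-byte UUIDs are placeholders because the page does not print them, and every length field is checked against the buffer before any slice is taken.

```python
"""Parse an eStreamer rule message record (record type 66) laid out as on this page."""
import struct
import uuid

# Constructed sample values; the UUIDs are placeholders, not the page's real ones.
RULE_UUID = uuid.UUID("00000000-0000-0000-0000-000000000001")  # placeholder
REV_UUID = uuid.UUID("00000000-0000-0000-0000-000000000002")   # placeholder
MESSAGE_TEXT = b"APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn"


def build_sample_message():
    """Constructed eStreamer data message: 8-byte header, then one record."""
    # E-H: generator ID, rule ID, rule revision, rendered signature ID; I: text length
    record = struct.pack("!IIIIH", 1, 28069, 1, 28069, len(MESSAGE_TEXT))
    record += RULE_UUID.bytes + REV_UUID.bytes + MESSAGE_TEXT  # I-K: two UUIDs, then text
    body = struct.pack("!II", 66, len(record)) + record         # C, D: type 66, 121 bytes
    return struct.pack("!HHI", 1, 4, len(body)) + body          # A, B: version 1, type 4, 129


def parse_rule_message(data):
    """Decode one rule message record; each length field is validated before use."""
    if len(data) < 16:
        raise ValueError("shorter than header plus record type/length")
    version, msg_type, msg_len = struct.unpack_from("!HHI", data, 0)  # lines A, B
    if version != 1 or msg_type != 4:
        raise ValueError("not a version 1 data message")
    if msg_len != len(data) - 8:
        raise ValueError("message length does not match buffer")
    rec_type, rec_len = struct.unpack_from("!II", data, 8)            # lines C, D
    if rec_type != 66:
        raise ValueError("record type %d is not a rule message" % rec_type)
    if rec_len != msg_len - 8 or rec_len < 18 + 32:
        raise ValueError("record length inconsistent with message length")
    gen_id, rule_id, revision, sig_id, text_len = struct.unpack_from("!IIIIH", data, 16)
    if 18 + 32 + text_len != rec_len:
        raise ValueError("text length does not fill the record")   # reject, never over-read
    off = 16 + 18
    rule_uuid = uuid.UUID(bytes=data[off:off + 16])
    rev_uuid = uuid.UUID(bytes=data[off + 16:off + 32])
    text = data[off + 32:off + 32 + text_len].decode("ascii", errors="replace")
    return {"message_length": msg_len, "record_length": rec_len,
            "generator_id": gen_id, "rule_id": rule_id, "revision": revision,
            "signature_id": sig_id, "rule_uuid": rule_uuid,
            "revision_uuid": rev_uuid, "message": text}


if __name__ == "__main__":
    print(parse_rule_message(build_sample_message()))
```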
Example of a Version 4.0 Correlation Policy Violation Event
The following diagram shows an example correlation policy violation record in Defense Center 4.0 format:
Byte   0         1         2         3
Bit    0-7       8-15      16-23     24-31
A      00000000  00000001  00000000  00000100
B      00000000  00000000  00000000  10001001
C      00000000  00000000  00000000  00100100
D      00000000  00000000  00000000  10000001
E      00000000  00000000  00000000  00010100