Cisco Firepower Management Center 2000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Page 485
Understanding Legacy Data Structures
Legacy Intrusion Data Structures
Appendix B
Intrusion Event Record 5.1.1.x
The fields in the intrusion event record are shaded in the following graphic. The 
record type is 400 and the block type is 25.
You can request 5.1.1.x intrusion events from eStreamer only by extended 
request, for which you request event type code 12 and version code 4 in the 
Stream Request message (see 
information about submitting extended requests).
For version 5.1.1.x intrusion events, the event ID, the managed device ID, and the 
event second form a unique identifier. The connection second, connection 
instance, and connection counter together form a unique identifier for the 
connection event associated with the intrusion event.
Intrusion Event Record 5.2.x Fields (Continued)

| Field | Data Type | Description |
| --- | --- | --- |
| Ingress Security Zone UUID | uint8[16] | A zone ID number that acts as a unique identifier for the ingress security zone. |
| Egress Security Zone UUID | uint8[16] | A zone ID number that acts as a unique identifier for the egress security zone. |
| Connection Timestamp | uint32 | UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event. |
| Connection Instance ID | uint16 | Numerical ID of the Snort instance on the managed device that generated the connection event. |
| Connection Counter | uint16 | Value used to distinguish between connection events that happen during the same second. |
| Source Country | uint16 | Code for the country of the source host. |
| Destination Country | uint16 | Code for the country of the destination host. |
Byte       0               1               2               3
Bit        0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
           +-------------------------------+-------------------------------+
           | Header Version (1)            | Message Type (4)              |
           +-------------------------------+-------------------------------+
           | Message Length                                                |
           +---------------------------------------------------------------+
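The layout above (the 8-byte message header plus the zone and connection fields at the end of the 5.2.x record table) decoded in Python, as an added example that is not code from the guide or from Cisco's eStreamer SDK. It assumes network byte order for all integers and that Message Length counts the bytes that follow the header; the sample message bytes are constructed.

```python
import struct
import uuid
from typing import NamedTuple

# eStreamer integers are assumed to be in network byte order (big-endian).
MSG_HEADER = struct.Struct("!HHI")        # Header Version (1), Message Type, Message Length
# Trailing fields of the 5.2.x intrusion event record, in table order (44 bytes).
ZONE_TAIL = struct.Struct("!16s16sIHHHH")

class ZoneTail(NamedTuple):
    ingress_zone: uuid.UUID        # uint8[16]
    egress_zone: uuid.UUID         # uint8[16]
    connection_timestamp: int      # uint32, UNIX seconds of the connection event
    connection_instance: int       # uint16, Snort instance that logged the connection
    connection_counter: int        # uint16, separates same-second connection events
    source_country: int            # uint16
    destination_country: int       # uint16

    def connection_key(self) -> tuple:
        """Unique identifier of the connection event tied to this intrusion event."""
        return (self.connection_timestamp, self.connection_instance, self.connection_counter)

def parse_header(buf: bytes) -> tuple:
    """Validate the message header and return (message type, payload bytes)."""
    if len(buf) < MSG_HEADER.size:
        raise ValueError("buffer shorter than the 8-byte message header")
    version, msg_type, length = MSG_HEADER.unpack_from(buf)
    if version != 1:
        raise ValueError(f"unsupported header version {version}")
    payload = buf[MSG_HEADER.size:MSG_HEADER.size + length]
    if len(payload) != length:     # assumption: length counts bytes after the header
        raise ValueError("message truncated: fewer bytes than the header announces")
    return msg_type, payload

def parse_zone_tail(payload: bytes) -> ZoneTail:
    """Decode the last 44 bytes of a 5.2.x intrusion event record payload."""
    if len(payload) < ZONE_TAIL.size:
        raise ValueError("payload shorter than the zone/connection tail")
    ing, egr, ts, inst, ctr, src_cc, dst_cc = ZONE_TAIL.unpack(payload[-ZONE_TAIL.size:])
    return ZoneTail(uuid.UUID(bytes=ing), uuid.UUID(bytes=egr), ts, inst, ctr, src_cc, dst_cc)

# Constructed sample: a message type 4 whose payload is only the tail (invented values).
SAMPLE_TAIL = ZONE_TAIL.pack(bytes(range(16)), bytes(range(16, 32)), 1400000000, 3, 17, 840, 276)
SAMPLE_MESSAGE = MSG_HEADER.pack(1, 4, len(SAMPLE_TAIL)) + SAMPLE_TAIL

if __name__ == "__main__":
    msg_type, payload = parse_header(SAMPLE_MESSAGE)
    tail = parse_zone_tail(payload)
    print(msg_type, tail.connection_key(), tail.ingress_zone, tail.egress_zone)
```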