Cisco Firepower Management Center 2000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
485
Understanding Legacy Data Structures
Legacy Intrusion Data Structures
Appendix B
Intrusion Event Record 5.1.1.x
The fields in the intrusion event record are shaded in the following graphic. The
record type is 400 and the block type is 25.
You can request 5.1.1.x intrusion events from eStreamer only by extended
request, for which you request event type code 12 and version code 4 in the
Stream Request message (see
on page 20 for
information about submitting extended requests).
For version 5.1.1.x intrusion events, the event ID, the managed device ID, and the
event second form a unique identifier. The connection second, connection
instance, and connection counter together form a unique identifier for the
connection event associated with the intrusion event.
Intrusion Event Record 5.2.x Fields (Continued)

| Field                      | Data Type | Description                                                                                            |
| -------------------------- | --------- | ------------------------------------------------------------------------------------------------------ |
| Ingress Security Zone UUID | uint8[16] | A zone ID number that acts as a unique identifier for the ingress security zone.                       |
| Egress Security Zone UUID  | uint8[16] | A zone ID number that acts as a unique identifier for the egress security zone.                        |
| Connection Timestamp       | uint32    | UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event. |
| Connection Instance ID     | uint16    | Numerical ID of the Snort instance on the managed device that generated the connection event.          |
| Connection Counter         | uint16    | Value used to distinguish between connection events that happen during the same second.                |
| Source Country             | uint16    | Code for the country of the source host.                                                               |
| Destination Country        | uint16    | Code for the country of the destination host.                                                          |
[Graphic: Intrusion Event Record 5.1.1.x, drawn as 32-bit words (Byte 0-3, Bit 0-31). The first word holds Header Version (1) and Message Type (4); the second word holds Message Length.]
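As an added example (not code from the guide), the following parser reads the message header shown in the graphic and the trailing 5.2.x fields from the table above, and builds the connection-event key the text describes. It assumes network (big-endian) byte order and that the listed fields are the last 44 bytes of the record.

```python
import struct
import uuid
from typing import Any, Dict

# Added example, not code from the guide. eStreamer integers are assumed to be
# in network (big-endian) byte order, and the fields from the 5.2.x table are
# assumed to be the last 44 bytes of that record.
MESSAGE_HEADER = struct.Struct("!HHI")       # Header Version, Message Type, Message Length
RECORD_TAIL = struct.Struct("!16s16sIHHHH")  # zone UUIDs, connection key, country codes


def parse_message_header(data: bytes) -> Dict[str, int]:
    """Parse the 8-byte eStreamer message header that opens the record graphic."""
    if len(data) < MESSAGE_HEADER.size:
        raise ValueError("short message header")
    version, msg_type, length = MESSAGE_HEADER.unpack_from(data)
    if version != 1:
        raise ValueError(f"unexpected header version {version}")
    return {"header_version": version, "message_type": msg_type, "message_length": length}


def parse_record_tail(data: bytes) -> Dict[str, Any]:
    """Parse the trailing 5.2.x fields shown in the table."""
    if len(data) != RECORD_TAIL.size:
        raise ValueError(f"expected {RECORD_TAIL.size} bytes, got {len(data)}")
    ingress, egress, ts, inst, counter, src_cc, dst_cc = RECORD_TAIL.unpack(data)
    return {
        "ingress_zone": str(uuid.UUID(bytes=ingress)),
        "egress_zone": str(uuid.UUID(bytes=egress)),
        "connection_timestamp": ts,
        "connection_instance_id": inst,
        "connection_counter": counter,
        # timestamp + instance + counter identify the associated connection event
        "connection_key": (ts, inst, counter),
        "source_country": src_cc,
        "destination_country": dst_cc,
    }


# Constructed sample bytes, not a captured eStreamer message.
SAMPLE_HEADER = MESSAGE_HEADER.pack(1, 4, 44)
SAMPLE_TAIL = RECORD_TAIL.pack(
    uuid.UUID(int=0x11112222333344445555666677778888).bytes,
    uuid.UUID(int=0xAAAABBBBCCCCDDDDEEEEFFFF00001111).bytes,
    1400000000, 3, 42, 840, 276)

if __name__ == "__main__":
    print(parse_message_header(SAMPLE_HEADER))
    print(parse_record_tail(SAMPLE_TAIL))
```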