Sourcefire 3D System eStreamer Integration Guide, Version 5.3, page 492
Appendix B: Understanding Legacy Data Structures

Intrusion Event Record 5.1.1 Fields (Continued)

Field                        Data Type   Description
Ingress Security Zone UUID   uint8[16]   UUID that uniquely identifies the ingress security zone.
Egress Security Zone UUID    uint8[16]   UUID that uniquely identifies the egress security zone.
Connection Timestamp         uint32      UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.
Connection Instance ID       uint16      Numerical ID of the Snort instance on the managed device that generated the connection event.
Connection Counter           uint16      Value used to distinguish between connection events that happen during the same second.

Legacy Malware Event Data Structures

Malware Event Data Block 5.1

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and the hosts and users affected by the malware. The malware event data block has a block type of 16 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag (bit 30 in the request flags field) in the request message, with an event version of 1 and an event code of 101.

The following graphic shows the structure of the malware event data block:

Byte    0               1               2               3
Bit     0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
        Malware Event Block Type (16)
        Malware Event Block Length
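The following is an added example, not code from the eStreamer guide or from Sourcefire/Cisco. It shows the three things this page documents in working form: building a request whose flags carry the malware event flag (bit 30), reading a series 2 block header and validating its block type (16) and block length before trusting them, and decoding the five trailing fields of an Intrusion Event Record 5.1.1 into the (timestamp, instance ID, counter) key that ties the intrusion event to its connection event. Everything beyond what the page states is an assumption and is marked as such in the code: big-endian (network byte order) integers, the 8-byte message header layout (header version 1, message type 2 for an event stream request, message length), an initial timestamp preceding the request flags, and a block length that counts the 8 header bytes. The sample bytes are constructed, not captured from a live sensor.

```python
import struct
import uuid

# Values stated on this page of the guide.
MALWARE_EVENT_FLAG = 1 << 30          # request flags bit 30: malware events
MALWARE_EVENT_BLOCK_TYPE = 16         # series 2 block type of the malware event data block
MALWARE_EVENT_CODE = 101              # event code the malware event record is requested with
MALWARE_EVENT_VERSION = 1             # event version that selects this (5.1) data block

# Assumptions not stated on this page: all integers are big-endian (network
# byte order); the eStreamer message header is header version (1), message
# type and message length; an event stream request (type 2) carries an
# initial timestamp followed by the 32-bit request flags.
HEADER_VERSION = 1
EVENT_STREAM_REQUEST = 2
BLOCK_HEADER = struct.Struct("!II")           # block type, block length
INTRUSION_TAIL = struct.Struct("!16s16sIHH")  # the five fields in the table above


def build_event_stream_request(initial_timestamp, extra_flags=0):
    """Serialize an event stream request whose flags ask for malware events."""
    flags = extra_flags | MALWARE_EVENT_FLAG
    body = struct.pack("!II", initial_timestamp, flags)
    return struct.pack("!HHI", HEADER_VERSION, EVENT_STREAM_REQUEST, len(body)) + body


def request_has_malware_flag(message):
    """Return True if bit 30 of the request flags is set in a serialized request."""
    _, msg_type, length = struct.unpack_from("!HHI", message, 0)
    if msg_type != EVENT_STREAM_REQUEST or length != 8:
        raise ValueError("not an event stream request")
    _, flags = struct.unpack_from("!II", message, 8)
    return bool(flags & MALWARE_EVENT_FLAG)


def parse_series2_block_header(buf, offset=0):
    """Read a series 2 block header and return (block_type, payload bytes).

    Assumption (the guide's usual convention for data blocks): the block
    length counts the whole block including these 8 header bytes. The length
    comes off the wire, so it is checked against the buffer before any slice
    is taken; a truncated or oversized length is rejected rather than trusted.
    """
    if len(buf) - offset < BLOCK_HEADER.size:
        raise ValueError("buffer too short for a block header")
    block_type, block_length = BLOCK_HEADER.unpack_from(buf, offset)
    if block_length < BLOCK_HEADER.size or offset + block_length > len(buf):
        raise ValueError(f"bad block length {block_length} for block type {block_type}")
    return block_type, buf[offset + BLOCK_HEADER.size:offset + block_length]


def parse_intrusion_event_tail(record):
    """Decode the last five fields of an Intrusion Event Record 5.1.1.

    Only the fields shown on this page are decoded: the two zone UUIDs and the
    (timestamp, instance ID, counter) triple that identifies the connection
    event the intrusion event belongs to; use that triple to join the two
    event streams.
    """
    if len(record) < INTRUSION_TAIL.size:
        raise ValueError("record shorter than the documented tail fields")
    ingress, egress, ts, instance_id, counter = INTRUSION_TAIL.unpack_from(
        record, len(record) - INTRUSION_TAIL.size)
    return {
        "ingress_zone": str(uuid.UUID(bytes=ingress)),
        "egress_zone": str(uuid.UUID(bytes=egress)),
        "connection_key": (ts, instance_id, counter),
    }


# Constructed sample data (not captured from a real eStreamer session).
SAMPLE_INGRESS = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_EGRESS = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")
SAMPLE_TAIL = INTRUSION_TAIL.pack(SAMPLE_INGRESS.bytes, SAMPLE_EGRESS.bytes,
                                  1_400_000_000, 3, 7)
# A malware block header (type 16) followed by a 4-byte placeholder payload.
SAMPLE_MALWARE_BLOCK = BLOCK_HEADER.pack(MALWARE_EVENT_BLOCK_TYPE, 8 + 4) + b"\x00\x00\x00\x2a"


if __name__ == "__main__":
    req = build_event_stream_request(0)
    print(req.hex(), request_has_malware_flag(req))
    print(parse_intrusion_event_tail(SAMPLE_TAIL))
    print(parse_series2_block_header(SAMPLE_MALWARE_BLOCK))
```

The block-length check is the part worth keeping in any real eStreamer client: the length is attacker- or bug-controlled input from the management center, and slicing on it without comparing against the buffer is how a binary-protocol parser turns a malformed block into a crash or a misaligned read of every block that follows.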