Sourcefire 3D System eStreamer Integration Guide, Version 5.3
Chapter 3: Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Correlation Policy Record Fields (Continued)

Field           Data Type   Description
UUID            uint8[16]   A correlation policy ID number that acts as a unique identifier for the correlation policy.
Revision UUID   uint8[16]   A correlation policy revision ID number that acts as a unique identifier for the correlation policy.

Correlation Rule Record

The eStreamer service transmits metadata containing information on the correlation rule that triggered a correlation event within a Correlation Rule record, the format of which is shown below. (Correlation rule information is sent when the Version 3 or Version 4 metadata flag, bit 15 or bit 20 in the Request Flags field of a request message, is set. See page 30.) Note that the Record Type field, which appears after the Message Length field, has a value of 70, indicating a Correlation Rule record.
Byte   0                   1                   2                   3
Bit    0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
       +---------------------------------------+---------------------------------------------+
       | Header Version (1)                    | Message Type (4)                            |
       +---------------------------------------+---------------------------------------------+
       | Message Length                                                                      |
       +-------------------------------------------------------------------------------------+
       | Record Type (70)                                                                    |
       +-------------------------------------------------------------------------------------+
       | Record Length                                                                       |
       +-------------------------------------------------------------------------------------+
       | Correlation Rule ID                                                                 |
       +-------------------------------------------------------------------------------------+
       | Name Length                                                                         |
       +-------------------------------------------------------------------------------------+
       | Name...                                                                             |
       +-------------------------------------------------------------------------------------+
       | Description Length                                                                  |
       +-------------------------------------------------------------------------------------+
       | Description...                                                                      |
       +-------------------------------------------------------------------------------------+
       | Event Type Length                                                                   |
       +-------------------------------------------------------------------------------------+
       | Event Type...                                                                       |
       +-------------------------------------------------------------------------------------+
       | Correlation Rule UUID                                                               |
       +-------------------------------------------------------------------------------------+
       | Correlation Rule UUID, continued                                                    |
       +-------------------------------------------------------------------------------------+
       | Correlation Rule UUID, continued                                                    |
       +-------------------------------------------------------------------------------------+
       | Correlation Rule UUID, continued                                                    |
       +-------------------------------------------------------------------------------------+
       | Correlation Revision UUID,
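The following Python parser is an added example and is not code from the guide or from Cisco/Sourcefire; it walks the Correlation Rule record layout above as an eStreamer client would, treating every length field as untrusted so that a short or oversized message cannot cause an over-read. It assumes network byte order (big-endian) for all integer fields, that Message Length and Record Length each count the bytes that follow them, that the Correlation Revision UUID (whose row is cut off on this page) is 16 bytes like the policy Revision UUID in the table, and that Request Flags bits are numbered from the least significant bit. All function and constant names, and the sample message built inline, are this example's own.

```python
import struct
import uuid

# Values from the page: eStreamer message header fields and the record type.
HEADER_VERSION = 1               # Header Version field
MESSAGE_TYPE_EVENT_DATA = 4      # Message Type field
RECORD_TYPE_CORRELATION_RULE = 70

# Request Flags bit numbers named on the page (bit 0 assumed to be the LSB).
FLAG_METADATA_V3 = 15
FLAG_METADATA_V4 = 20

def request_flags(*bits):
    """Return a 32-bit Request Flags value with the given bit numbers set."""
    value = 0
    for bit in bits:
        if not 0 <= bit < 32:
            raise ValueError(f"bit {bit} is outside a 32-bit flags field")
        value |= 1 << bit
    return value

class MalformedRecord(ValueError):
    """A length field points past the bytes actually received."""

def _take(buf, off, n, what):
    """Return buf[off:off+n] and the new offset; never read past the end."""
    if off + n > len(buf):
        raise MalformedRecord(f"{what}: need {n} bytes at {off}, {len(buf) - off} left")
    return buf[off:off + n], off + n

def _take_lv(buf, off, what):
    """Read a 4-byte big-endian length, then that many bytes of UTF-8 text."""
    raw, off = _take(buf, off, 4, what + " Length")
    (n,) = struct.unpack("!I", raw)
    data, off = _take(buf, off, n, what)
    return data.decode("utf-8", errors="replace"), off

def parse_correlation_rule_message(buf):
    """Parse one eStreamer message carrying a Correlation Rule record (type 70)."""
    # Message Length / Record Length are assumed to count the bytes after them;
    # they only bound parsing and are checked against what was actually received.
    hdr, off = _take(buf, 0, 8, "message header")
    version, mtype, mlen = struct.unpack("!HHI", hdr)
    if version != HEADER_VERSION or mtype != MESSAGE_TYPE_EVENT_DATA:
        raise MalformedRecord(f"unexpected header version {version}, type {mtype}")
    body, _ = _take(buf, off, mlen, "message body")      # declared vs. actual size

    rec_hdr, off = _take(body, 0, 8, "record header")
    rtype, rlen = struct.unpack("!II", rec_hdr)
    if rtype != RECORD_TYPE_CORRELATION_RULE:
        raise MalformedRecord(f"record type {rtype} is not a Correlation Rule record")
    rec, _ = _take(body, off, rlen, "record data")

    raw, off = _take(rec, 0, 4, "Correlation Rule ID")
    (rule_id,) = struct.unpack("!I", raw)
    name, off = _take_lv(rec, off, "Name")
    description, off = _take_lv(rec, off, "Description")
    event_type, off = _take_lv(rec, off, "Event Type")
    rule_uuid, off = _take(rec, off, 16, "Correlation Rule UUID")
    revision_uuid, off = _take(rec, off, 16, "Correlation Revision UUID")  # assumed 16 bytes
    if off != len(rec):
        raise MalformedRecord(f"{len(rec) - off} unparsed bytes at end of record")
    return {"rule_id": rule_id, "name": name, "description": description,
            "event_type": event_type, "rule_uuid": uuid.UUID(bytes=rule_uuid),
            "revision_uuid": uuid.UUID(bytes=revision_uuid)}

def build_correlation_rule_message(rule_id, name, description, event_type,
                                   rule_uuid, revision_uuid):
    """Serialize the same layout; used here only to construct sample input."""
    def lv(text):
        raw = text.encode("utf-8")
        return struct.pack("!I", len(raw)) + raw
    rec = (struct.pack("!I", rule_id) + lv(name) + lv(description) + lv(event_type)
           + rule_uuid.bytes + revision_uuid.bytes)
    body = struct.pack("!II", RECORD_TYPE_CORRELATION_RULE, len(rec)) + rec
    return struct.pack("!HHI", HEADER_VERSION, MESSAGE_TYPE_EVENT_DATA, len(body)) + body

# Constructed sample message; not captured from a real appliance.
SAMPLE = build_correlation_rule_message(
    42, "Outbound SMB to new host", "Constructed sample rule", "Connection Event",
    uuid.UUID("11111111-2222-3333-4444-555555555555"),
    uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa"))

def oversized_name_length_is_rejected():
    """A Name Length larger than the data on hand must raise, not over-read."""
    bad = bytearray(SAMPLE)
    struct.pack_into("!I", bad, 8 + 8 + 4, 0xFFFFFFFF)  # Name Length sits at offset 20
    try:
        parse_correlation_rule_message(bytes(bad))
    except MalformedRecord:
        return True
    return False
```

Every variable-length field is read through `_take`, so a client fed a truncated stream or a corrupted length field gets a `MalformedRecord` exception instead of silently consuming the next record's bytes as string data; `request_flags(FLAG_METADATA_V3, FLAG_METADATA_V4)` yields the flags value a request message needs for this record type to be sent under the stated bit-numbering assumption.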