Cisco Firepower Management Center 2000 Developer Guide

Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Chapter 3
Intrusion Event Extra Data Record
The eStreamer service transmits the event extra data associated with an intrusion event in the Intrusion Event Extra Data record. The record type is always 110. The event extra data appears in an encapsulated Event Extra Data data block, which always has a data block type value of 4. (The Event Extra Data data block is a series 2 data block. For more information about series 2 data blocks, see

The supported types of extra data include IPv6 source and destination addresses, as well as the originating IP addresses (v4 or v6) of clients connecting to a web server through an HTTP proxy or load balancer. The graphic below shows the format of the Intrusion Event Extra Data record.
If bit 27 is set in the Request Flags field of the request message, you receive the event extra data for each intrusion event. If you set bit 20, you also receive the event extra data metadata described on page 91. If you enable bit 23, eStreamer will include the extended event header. See page 30 for information on setting request flags.
Correlation Rule Record Fields (Continued)

| Field | Data Type | Description |
|---|---|---|
| Revision UUID | uint8[16] | A correlation rule revision ID number that acts as a unique identifier for the correlation rule revision. |
| Whitelist UUID | uint8[16] | A correlation ID number that acts as a unique identifier for the event sent as a result of a whitelist violation. |
Intrusion Event Extra Data record format (rows are 32 bits wide: bytes 0-3, bits 0-31):

| Bits | Field |
|---|---|
| 0-15 | Header Version (1) |
| 16-31 | Message Type (4) |
| 0-31 | Message Length |
| 0-31 | Record Type (110) |
| 0-31 | Record Length |
| 0-31 | eStreamer Server Timestamp (in events, only if bit 23 is set) |
| 0-31 | Reserved for Future Use (in events, only if bit 23 is set) |
| 0-31 | Event Extra Data Data Block Type (4) |
| 0-31 | Event Extra Data Data Block Length |
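
The following Python sketch is an added example, not code from the guide or from Cisco. It parses the leading fields of the record shown above and validates the constants the page states (header version 1, message type 4, record type 110, data block type 4). Assumptions: fields are big-endian, Header Version and Message Type are 16 bits each and every other field is 32 bits; the function names, the `body_offset` key and the sample bytes are constructed for illustration.

```python
import struct

# Constants stated on the page.
HEADER_VERSION = 1
MESSAGE_TYPE = 4
RECORD_TYPE = 110
BLOCK_TYPE = 4


def parse_extra_data_header(buf, extended_header):
    """Parse the leading fields of an Intrusion Event Extra Data record.

    extended_header must be True when request flag bit 23 was set, because
    the server timestamp and reserved words are then present.
    Field widths and big-endian order are assumptions of this example.
    """
    names = ["header_version", "message_type", "message_length",
             "record_type", "record_length"]
    fmt = ">HHIII"
    if extended_header:
        names += ["server_timestamp", "reserved"]
        fmt += "II"
    names += ["block_type", "block_length"]
    fmt += "II"

    size = struct.calcsize(fmt)
    if len(buf) < size:
        raise ValueError(f"truncated record: need {size} bytes, got {len(buf)}")
    rec = dict(zip(names, struct.unpack_from(fmt, buf)))

    # Reject anything that is not the record/block pairing the page describes.
    expected = {"header_version": HEADER_VERSION, "message_type": MESSAGE_TYPE,
                "record_type": RECORD_TYPE, "block_type": BLOCK_TYPE}
    for field, want in expected.items():
        if rec[field] != want:
            raise ValueError(f"{field}={rec[field]}, expected {want}")
    rec["body_offset"] = size  # remaining data block fields start here
    return rec


def build_sample(extended_header, timestamp=1400000000):
    """Constructed sample bytes, not captured traffic; length values are made up."""
    body = b"\x00" * 16
    ext = struct.pack(">II", timestamp, 0) if extended_header else b""
    head = struct.pack(">HHIII", 1, 4, 16 + len(ext) + len(body), 110, 8 + len(body))
    return head + ext + struct.pack(">II", 4, len(body)) + body


if __name__ == "__main__":
    print(parse_extra_data_header(build_sample(True), extended_header=True))
```

Parsing a record with the wrong `extended_header` value shifts every later field by eight bytes, so the data block type check fails instead of silently yielding misaligned data.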