Cisco Firepower Management Center 2000 Developer Guide
Sourcefire 3D System eStreamer Integration Guide, Version 5.3
Chapter 3: Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Intrusion Event Extra Data Data Block Fields (Continued)

Field        Data Type   Description
Length       uint32      Total number of bytes in the BLOB data block.
Extra Data   variable    The content of the extra data. The data type is indicated in the Type field.

Intrusion Event Extra Data Metadata
The eStreamer service transmits the event extra data metadata associated with intrusion event extra data records in the Intrusion Event Extra Data Metadata record. The record type is always 111.
The event extra data metadata appears in an encapsulated Event Extra Data Metadata data block, which always has a data block type value of 5. The Event Extra Data Metadata data block is a series 2 data block.
If bit 20 is set in the Request Flags field of a request message, you receive the event extra data metadata. If you want to receive both intrusion events and event extra data metadata, you must set bit 2 as well. See the description of the Request Flags field. If you enable bit 23, an extended event header (the eStreamer server timestamp and a reserved field) is included in the record.
Intrusion Event Extra Data Metadata record layout. Each row of the original diagram is one 32-bit word (bytes 0 to 3, bits 0 to 31); Header Version and Message Type share the first word, every other field fills a whole word. Offsets in parentheses apply when bit 23 is not set and the two extended-header fields are absent.

Byte offset   Size   Field
0             2      Header Version (1)
2             2      Message Type (4)
4             4      Message Length
8             4      Record Type (111)
12            4      Record Length
16            4      eStreamer Server Timestamp (in events, only if bit 23 is set)
20            4      Reserved for Future Use (in events, only if bit 23 is set)
24 (16)       4      Event Extra Data Metadata Data Block Type (5)
28 (20)       4      Data Block Length
32 (24)       4      Type
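The following Python is an added example, not code from the guide or from Cisco/Sourcefire. It builds the Request Flags value for the bits named above (2, 20 and 23) and parses the framing of a record type 111 message from a constructed byte string, checking every length field against the bytes actually received before trusting it. It assumes: bit n of Request Flags is the value 1 << n; Message Length counts the bytes after the 8-byte message header; Record Length counts the bytes after the Record Length field; Data Block Length counts the whole block including its own type and length fields; the Type field is a uint32; and the caller knows whether bit 23 was requested, because the record carries no marker for the optional timestamp and reserved fields. All function names and the sample message are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Request Flags bits named on this page. Assumption: bit n is the value 1 << n,
# with bit 0 the least-significant bit of the flags field.
FLAG_INTRUSION_EVENTS = 1 << 2        # bit 2: intrusion events
FLAG_EXTRA_DATA_METADATA = 1 << 20    # bit 20: intrusion event extra data metadata
FLAG_EXTENDED_HEADER = 1 << 23        # bit 23: extended event header

HEADER_VERSION = 1                    # Header Version (1)
MESSAGE_TYPE_EVENT = 4                # Message Type (4)
RECORD_TYPE_EXTRA_DATA_METADATA = 111
BLOCK_TYPE_EXTRA_DATA_METADATA = 5


def request_flags(extended_header: bool = True) -> int:
    """Flags for intrusion events plus extra data metadata, optionally with bit 23."""
    flags = FLAG_INTRUSION_EVENTS | FLAG_EXTRA_DATA_METADATA
    if extended_header:
        flags |= FLAG_EXTENDED_HEADER
    return flags


@dataclass
class ExtraDataMetadataRecord:
    server_timestamp: Optional[int]   # None when no extended header was requested
    block_length: int
    type_id: int                      # the Type field at the start of the data block
    remainder: bytes                  # block bytes after Type (fields not shown on this page)


def parse_extra_data_metadata(message: bytes, extended_header: bool) -> ExtraDataMetadataRecord:
    """Validate and unpack one complete eStreamer message carrying a record type 111.

    extended_header must reflect whether bit 23 was set in the request: the record
    itself carries no marker for the optional timestamp/reserved fields.
    """
    if len(message) < 16:
        raise ValueError("message shorter than the 8-byte header plus record type/length")
    header_version, message_type, message_length = struct.unpack_from("!HHI", message, 0)
    if header_version != HEADER_VERSION or message_type != MESSAGE_TYPE_EVENT:
        raise ValueError("not a version 1 event data message")
    # Assumption: Message Length counts the bytes that follow the 8-byte message header.
    if message_length != len(message) - 8:
        raise ValueError("Message Length does not match the bytes received")
    record_type, record_length = struct.unpack_from("!II", message, 8)
    if record_type != RECORD_TYPE_EXTRA_DATA_METADATA:
        raise ValueError(f"unexpected record type {record_type}")
    # Assumption: Record Length counts the bytes that follow the Record Length field.
    if record_length != len(message) - 16:
        raise ValueError("Record Length does not match the bytes received")
    offset = 16
    server_timestamp = None
    if extended_header:
        if record_length < 8:
            raise ValueError("record too short for the extended header")
        server_timestamp, _reserved = struct.unpack_from("!II", message, offset)
        offset += 8
    if len(message) - offset < 12:
        raise ValueError("data block type, length or Type field truncated")
    block_type, block_length, type_id = struct.unpack_from("!III", message, offset)
    if block_type != BLOCK_TYPE_EXTRA_DATA_METADATA:
        raise ValueError(f"unexpected data block type {block_type}")
    # Assumption: Data Block Length counts the whole block, including its own
    # 8-byte type/length header, so it is at least 12 here (8 + uint32 Type).
    if block_length < 12 or offset + block_length > len(message):
        raise ValueError("Data Block Length is inconsistent with the bytes received")
    remainder = message[offset + 12:offset + block_length]
    return ExtraDataMetadataRecord(server_timestamp, block_length, type_id, remainder)


def rejects(message: bytes, extended_header: bool) -> bool:
    """True if the parser refuses the message (exercises the length checks)."""
    try:
        parse_extra_data_metadata(message, extended_header)
    except ValueError:
        return True
    return False


def build_sample_message(extended_header: bool, type_id: int, payload: bytes,
                         timestamp: int = 1400000000) -> bytes:
    """Constructed test vector (not captured traffic), framed as the parser expects."""
    block = struct.pack("!III", BLOCK_TYPE_EXTRA_DATA_METADATA, 12 + len(payload), type_id) + payload
    body = (struct.pack("!II", timestamp, 0) if extended_header else b"") + block
    record = struct.pack("!II", RECORD_TYPE_EXTRA_DATA_METADATA, len(body)) + body
    return struct.pack("!HHI", HEADER_VERSION, MESSAGE_TYPE_EVENT, len(record)) + record


if __name__ == "__main__":
    msg = build_sample_message(True, 7, b"\x00\x00\x00\x02")
    print(hex(request_flags()), parse_extra_data_metadata(msg, extended_header=True))
```

The parser stops after the Type field because that is where the layout on this page ends; whatever follows inside the block is returned untouched in `remainder`. Passing the wrong `extended_header` value is the practical failure mode: with bit 23 unset in the request but `extended_header=True`, the block type and length are misread as the timestamp and reserved fields, which the subsequent length checks catch rather than letting the parser read past the buffer.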