Cisco Firepower Management Center 4000 Developer's Guide
3-71
FireSIGHT eStreamer Integration Guide
Chapter 3 Understanding Intrusion and Correlation Data Structures
Understanding Series 2 Data Blocks
File Event SHA Hash for 5.3+
The eStreamer service uses the File Event SHA Hash data block to contain metadata of the mapping of the SHA hash of a file to its filename. The block type is 40 in the series 2 list of data blocks. It can be requested if file log events have been requested in the extended requests (event code 111), and either bit 20 is set or metadata is requested with an event version of 5 and an event code of 21.
The following diagram shows the structure of a file event hash data block (each row is one 32-bit word):

Byte    0               1               2               3
Bit     0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
        File Event SHA Hash Block Type (40)
        File Event SHA Hash Block Length
        SHA Hash
        SHA Hash, continued (seven further rows; 32 bytes in total)
        File Name: String Block Type (0)
        File Name: String Block Length
        File Name: File Name...
        Disposition | User Defined

The following table describes the fields in the file event SHA hash data block.
Table 3-39  File Event SHA Hash Data Block Fields

Field                             | Data Type | Description
File Event SHA Hash Block Type    | uint32    | Initiates a File Event SHA Hash block. This value is always 26.
File Event SHA Hash Block Length  | uint32    | Total number of bytes in the File Event SHA Hash block, including eight bytes for the File Event SHA Hash block type and length fields, plus the number of bytes of data that follows.
SHA Hash                          | uint8[32] | The SHA-256 hash of the file in binary format.
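The following parser is an added example, not code from the Cisco guide or the eStreamer SDK. It builds a constructed File Event SHA Hash block (type 40, as the text and diagram give it) and parses it back, checking every length field before slicing so that a malformed block is rejected rather than read out of bounds. It assumes the nested string block's length counts its own 8-byte header, mirroring the outer block's convention, and it does not assume widths for Disposition and User Defined, which the table on this page does not give; those bytes are returned unparsed.

```python
import hashlib
import struct

FILE_EVENT_SHA_HASH_BLOCK_TYPE = 40  # series 2 block type, from the text and diagram
STRING_BLOCK_TYPE = 0                # nested string block type, from the diagram
MIN_BLOCK_LEN = 8 + 32 + 8           # header + SHA-256 + empty string block header


def build_block(sha256: bytes, file_name: str, trailer: bytes = b"") -> bytes:
    """Build a constructed block; big-endian uint32 fields as in eStreamer."""
    name = file_name.encode("utf-8")
    # Assumption: string block length includes its own 8-byte type/length header.
    string_block = struct.pack(">II", STRING_BLOCK_TYPE, 8 + len(name)) + name
    body = sha256 + string_block + trailer  # trailer stands in for Disposition/User Defined
    return struct.pack(">II", FILE_EVENT_SHA_HASH_BLOCK_TYPE, 8 + len(body)) + body


def parse_block(buf: bytes) -> dict:
    """Parse one block, validating each length against the buffer before slicing."""
    if len(buf) < 8:
        raise ValueError("truncated block header")
    block_type, block_len = struct.unpack_from(">II", buf, 0)
    if block_type != FILE_EVENT_SHA_HASH_BLOCK_TYPE:
        raise ValueError(f"unexpected block type {block_type}")
    if block_len < MIN_BLOCK_LEN or block_len > len(buf):
        raise ValueError(f"bad block length {block_len} for {len(buf)}-byte buffer")
    sha = buf[8:40]                                  # uint8[32] binary SHA-256
    str_type, str_len = struct.unpack_from(">II", buf, 40)
    if str_type != STRING_BLOCK_TYPE:
        raise ValueError(f"unexpected string block type {str_type}")
    if str_len < 8 or 40 + str_len > block_len:
        raise ValueError(f"string block length {str_len} overruns the block")
    name = buf[48:40 + str_len].decode("utf-8", errors="replace")
    return {"sha256": sha.hex(), "file_name": name, "trailer": buf[40 + str_len:block_len]}


def rejects(buf: bytes) -> bool:
    """True if the parser refuses the buffer as malformed."""
    try:
        parse_block(buf)
        return False
    except ValueError:
        return True


# Constructed sample: hash of a made-up file, a file name, and two trailing bytes.
SAMPLE_SHA = hashlib.sha256(b"constructed sample file contents").digest()
SAMPLE_BLOCK = build_block(SAMPLE_SHA, "payroll.xlsx", b"\x01\x00")
# Same block with the string length field overwritten to claim 65535 bytes.
CORRUPT_BLOCK = SAMPLE_BLOCK[:44] + struct.pack(">I", 0xFFFF) + SAMPLE_BLOCK[48:]

if __name__ == "__main__":
    print(parse_block(SAMPLE_BLOCK))
    print("corrupt block rejected:", rejects(CORRUPT_BLOCK))
```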