Cisco Firepower Management Center 4000 Developer's Guide
3-76
FireSIGHT eStreamer Integration Guide
Chapter 3 Understanding Intrusion and Correlation Data Structures
Understanding Series 2 Data Blocks
Table 3-40 Rule Documentation Data Block Fields (continued)

| Field | Data Type | Description |
|---|---|---|
| String Block Type | uint32 | Initiates a String data block containing the corrective action associated with the rule. This value is always 0. |
| String Block Length | uint32 | The number of bytes included in the name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Corrective Action field. |
| Corrective Action | string | Information regarding patches, upgrades, or other means to remove or mitigate the vulnerability. |
| String Block Type | uint32 | Initiates a String data block containing the contributors for the rule. This value is always 0. |
| String Block Length | uint32 | The number of bytes included in the name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Contributors field. |
| Contributors | string | Contact information for the author of the rule and other relevant documentation. |
| String Block Type | uint32 | Initiates a String data block containing the additional references associated with the rule. This value is always 0. |
| String Block Length | uint32 | The number of bytes included in the name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Additional References field. |
| Additional References | string | Additional information and references. |

Geolocation Data Block for 5.2+
This is a data block that contains the mapping of a country code to a country name. The record type is 520, and the block type is 28 in series 2. It is exposed as metadata for any event that has geolocation information. If metadata is requested and there is a value for the country code(s) in the event, then this block is returned along with other metadata.
The following diagram shows the structure of a geolocation data block:

Byte        0              1              2              3
Bit         0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
            Header Version (1)           | Message Type (4)
            Message Length
            Record Type (520)
            Geolocation Block Type (28)
            Geolocation Block Length
            Country Code
            String Block Type (0)
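A defensive parser for the String data block layout used by the Corrective Action, Contributors and Additional References fields in Table 3-40 above (the same layout begins after the Country Code in the geolocation diagram). This is an added example, not code from the guide or from Cisco; it assumes big-endian (network byte order) integers, and the sample bytes, field names and functions are constructed for illustration.

```python
import struct

STRING_BLOCK_TYPE = 0     # String data block type, per Table 3-40
STRING_BLOCK_HEADER = 8   # 4-byte block type + 4-byte block length

def parse_string_block(buf: bytes, offset: int = 0):
    """Parse one String data block at `offset`; return (text, next_offset).

    Integers are assumed big-endian (network byte order). The length field
    is validated, not trusted: a malformed block raises ValueError instead
    of reading past the buffer.
    """
    if offset + STRING_BLOCK_HEADER > len(buf):
        raise ValueError("truncated String block header")
    block_type, block_len = struct.unpack_from(">II", buf, offset)
    if block_type != STRING_BLOCK_TYPE:
        raise ValueError(f"unexpected block type {block_type}, expected 0")
    # The length counts the 8 header bytes plus the string bytes, so a value
    # below 8, or one running past the end of the buffer, is invalid.
    if block_len < STRING_BLOCK_HEADER or offset + block_len > len(buf):
        raise ValueError(f"invalid String block length {block_len}")
    text = buf[offset + STRING_BLOCK_HEADER:offset + block_len]
    return text.decode("utf-8", errors="replace"), offset + block_len

def parse_rule_doc_strings(buf: bytes, offset: int = 0):
    """Parse the three String blocks that end a Rule Documentation block."""
    fields = {}
    for name in ("corrective_action", "contributors", "additional_references"):
        fields[name], offset = parse_string_block(buf, offset)
    return fields, offset

def is_valid_string_block(buf: bytes) -> bool:
    try:
        parse_string_block(buf)
        return True
    except ValueError:
        return False

def build_string_block(text: str) -> bytes:
    """Encode a String data block; used only to construct sample input."""
    data = text.encode("utf-8")
    length = STRING_BLOCK_HEADER + len(data)
    return struct.pack(">II", STRING_BLOCK_TYPE, length) + data

# Constructed sample: the three trailing String blocks of a Rule Documentation block.
SAMPLE = (build_string_block("Apply vendor patch")
          + build_string_block("rules@example.test")
          + build_string_block(""))  # an empty string is just the 8-byte header
```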