Cisco Firepower Management Center 4000 Developer's Guide
FireSIGHT eStreamer Integration Guide
Appendix B Understanding Legacy Data Structures
Legacy Malware Event Data Structures
Table B-9 Malware Event Data Block for 5.2.x Fields (continued)

Field                  Data Type  Description
Client Application ID  uint32     The internal identification number of the detected client application, if applicable.
Action                 uint8      The action taken on the file based on the file type. Can have the following values:
                                  • 1 - Detect
                                  • 2 - Block
                                  • 3 - Malware Cloud Lookup
                                  • 4 - Malware Block
                                  • 5 - Malware Whitelist
Protocol               uint8      IANA protocol number specified by the user. For example:
                                  • 1 - ICMP
                                  • 4 - IP
                                  • 6 - TCP
                                  • 17 - UDP
                                  This is currently only TCP.

Malware Event Data Block 5.3

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 35 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 4 and an event code of 101.

The following graphic shows the structure of the malware event data block:

Byte  0               1               2               3
Bit   0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
      Malware Event Block Type (35)
      Malware Event Block Length
      Agent UUID
      Agent UUID, continued
      Agent UUID, continued
      Agent UUID, continued
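The following is an added example, not code from Cisco or from the eStreamer guide, showing how a client would set the malware event request flag (bit 30) described above and parse the leading fields of the block as drawn in the graphic: the block type (35), the block length, and the 16-byte Agent UUID. It also decodes the Action and Protocol enumerations from Table B-9. Assumptions not stated on this page: multi-byte integers are big-endian (network byte order), the block length counts the whole block including the eight bytes of type and length, and the sample bytes are constructed for the example rather than captured from an appliance. Fields after the Agent UUID are not parsed positionally, because their offsets are not shown here.

```python
"""Added example: parse the leading fields of an eStreamer malware event data
block (series 2, block type 35) and decode the Action/Protocol values.

Assumptions (not from the page): big-endian integers; block length includes the
8-byte type+length prefix; sample bytes below are constructed, not captured."""
import struct
import uuid

MALWARE_EVENT_BLOCK_TYPE = 35   # series 2 block type for malware events
MALWARE_EVENT_FLAG_BIT = 30     # request flags bit that enables malware events
MALWARE_EVENT_VERSION = 4       # event version used with the request
MALWARE_EVENT_CODE = 101        # event code used with the request
HEADER_LEN = 4 + 4 + 16         # block type + block length + Agent UUID

# Enumerations copied from Table B-9 (Action and Protocol fields).
ACTIONS = {1: "Detect", 2: "Block", 3: "Malware Cloud Lookup",
           4: "Malware Block", 5: "Malware Whitelist"}
PROTOCOLS = {1: "ICMP", 4: "IP", 6: "TCP", 17: "UDP"}


def request_flags_for_malware_events(flags=0):
    """Return the request flags with bit 30 set, keeping any other bits."""
    return flags | (1 << MALWARE_EVENT_FLAG_BIT)


def parse_block_header(data):
    """Return (block_type, block_length, agent_uuid, remaining_bytes).

    Validates the block type and checks the declared length against the buffer
    so a truncated or oversized length field cannot cause an over-read."""
    if len(data) < HEADER_LEN:
        raise ValueError("need %d bytes for type, length and Agent UUID" % HEADER_LEN)
    block_type, block_length = struct.unpack("!II", data[:8])
    if block_type != MALWARE_EVENT_BLOCK_TYPE:
        raise ValueError("unexpected block type %d" % block_type)
    if block_length < HEADER_LEN or block_length > len(data):
        raise ValueError("declared length %d does not fit in %d bytes"
                         % (block_length, len(data)))
    agent_uuid = uuid.UUID(bytes=data[8:HEADER_LEN])
    return block_type, block_length, agent_uuid, data[HEADER_LEN:block_length]


def is_well_formed(data):
    """True if parse_block_header accepts the buffer, False otherwise."""
    try:
        parse_block_header(data)
        return True
    except ValueError:
        return False


def decode_action(value):
    """Map an Action field value to its name from Table B-9."""
    return ACTIONS.get(value, "unknown (%d)" % value)


def decode_protocol(value):
    """Map a Protocol field value to its IANA name from Table B-9."""
    return PROTOCOLS.get(value, "unknown (%d)" % value)


# Constructed sample: Agent UUID with integer value 1, plus six placeholder
# bytes standing in for the fields this page does not lay out.
SAMPLE_AGENT_UUID = uuid.UUID(int=1)


def build_sample_block(trailing=b"\x06\x03\x00\x00\x00\x00"):
    """Build a constructed block: type 35, length 8 + 16 + len(trailing)."""
    body = SAMPLE_AGENT_UUID.bytes + trailing
    return struct.pack("!II", MALWARE_EVENT_BLOCK_TYPE, 8 + len(body)) + body


if __name__ == "__main__":
    print("request flags: 0x%08x" % request_flags_for_malware_events())
    block_type, block_length, agent, rest = parse_block_header(build_sample_block())
    print("type=%d length=%d agent=%s rest=%s" % (block_type, block_length, agent, rest.hex()))
    print("action 3 ->", decode_action(3), "; protocol 6 ->", decode_protocol(6))
```

The length check matters when reading from a live stream: a block whose declared length exceeds the bytes actually received should be rejected or buffered until complete, never sliced optimistically.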