Cisco Firepower Management Center 4000 Developer's Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Chapter 3
set. See on page 30.) Note that the Record Type field, which appears after the Message Length field, has a value of 131, indicating a FireAMP file type record.

FireAMP File Type record (Record Type 131), laid out in 32-bit words:

    Byte:  |       0       |       1       |       2       |       3       |
    Bit:   |0 1 2 3 4 5 6 7|8 9 . . . . 15 |16 . . . . . 23|24 . . . . . 31|
    +-------------------------------+-------------------------------+
    | Header Version (1)            | Message Type (4)              |
    +-------------------------------+-------------------------------+
    | Message Length                                                |
    +---------------------------------------------------------------+
    | Record Type (131)                                             |
    +---------------------------------------------------------------+
    | Record Length                                                 |
    +---------------------------------------------------------------+
    | FireAMP File Type ID                                          |
    +---------------------------------------------------------------+
    | FireAMP File Type Length                                      |
    +---------------------------------------------------------------+
    | FireAMP File Type...                                          |
    +---------------------------------------------------------------+

The following table describes the fields in the FireAMP File Type record.

FireAMP File Type Record Fields

    Field                      Data Type   Description
    FireAMP File Type ID       uint32      The FireAMP file type ID number.
    FireAMP File Type Length   uint32      The number of bytes included in the FireAMP file type.
    FireAMP File Type          string      The type of detected file.

Correlation Event for 5.1+
Correlation events (called compliance events in pre-5.0 versions) contain information about correlation policy violations. This message uses the standard eStreamer message header and specifies a record type of 112, followed by a correlation data block of type 128. Data block type 128 differs from its predecessor (block type 116) in including IPv6 support.
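The FireAMP File Type record above is a fixed header followed by a length-prefixed string, so the thing an eStreamer client most needs to get right is checking every declared length against the bytes it actually received before indexing further. The following Python is an added example written for this page; it is not code from the guide or from Cisco's eStreamer SDK. It assumes big-endian (network) byte order, that Header Version and Message Type are two 16-bit fields sharing the first 32-bit word as the diagram shows, that Message Length counts the bytes after the 8-byte message header, and that Record Length counts the bytes after the Record Type and Record Length fields; the sample message is constructed inline for the demonstration.

```python
import struct

# Field values shown in the guide's diagram for this record.
HEADER_VERSION = 1              # Header Version (1)
MSG_TYPE_EVENT_DATA = 4         # Message Type (4)
RECORD_TYPE_FIREAMP_FILE_TYPE = 131

# Assumption: two 16-bit fields share the first 32-bit word, then a 32-bit
# Message Length; everything is big-endian.
_HDR = struct.Struct(">HHI")        # Header Version, Message Type, Message Length
_REC_HDR = struct.Struct(">II")     # Record Type, Record Length
_FT_FIXED = struct.Struct(">II")    # FireAMP File Type ID, FireAMP File Type Length


class EStreamerParseError(ValueError):
    """Raised for any length or type inconsistency in a received message."""


def build_fireamp_file_type_message(file_type_id, file_type):
    """Construct a sample FireAMP File Type message (example data, not a capture)."""
    name = file_type.encode("utf-8")
    body = _FT_FIXED.pack(file_type_id, len(name)) + name
    # Assumption: Record Length excludes the 8 bytes of Record Type/Record Length,
    # and Message Length excludes the 8-byte message header.
    record = _REC_HDR.pack(RECORD_TYPE_FIREAMP_FILE_TYPE, len(body)) + body
    return _HDR.pack(HEADER_VERSION, MSG_TYPE_EVENT_DATA, len(record)) + record


def parse_fireamp_file_type_message(data):
    """Parse one message, refusing any declared length that exceeds the data on hand."""
    if len(data) < _HDR.size:
        raise EStreamerParseError("truncated message header")
    version, msg_type, msg_len = _HDR.unpack_from(data, 0)
    if version != HEADER_VERSION:
        raise EStreamerParseError("unexpected header version %d" % version)
    if msg_type != MSG_TYPE_EVENT_DATA:
        raise EStreamerParseError("unexpected message type %d" % msg_type)
    # Check the declared length against what was received before slicing:
    # an oversized length is treated as malformed rather than read past the buffer.
    if msg_len > len(data) - _HDR.size:
        raise EStreamerParseError("message length exceeds received data")
    msg = data[_HDR.size:_HDR.size + msg_len]

    if len(msg) < _REC_HDR.size:
        raise EStreamerParseError("truncated record header")
    rec_type, rec_len = _REC_HDR.unpack_from(msg, 0)
    if rec_type != RECORD_TYPE_FIREAMP_FILE_TYPE:
        raise EStreamerParseError("record type %d is not a FireAMP file type record" % rec_type)
    if rec_len > len(msg) - _REC_HDR.size:
        raise EStreamerParseError("record length exceeds message length")
    body = msg[_REC_HDR.size:_REC_HDR.size + rec_len]

    if len(body) < _FT_FIXED.size:
        raise EStreamerParseError("truncated FireAMP file type fields")
    ft_id, ft_len = _FT_FIXED.unpack_from(body, 0)
    # The string length must agree exactly with the record length that encloses it.
    if ft_len != len(body) - _FT_FIXED.size:
        raise EStreamerParseError("file type length disagrees with record length")
    name = body[_FT_FIXED.size:_FT_FIXED.size + ft_len]
    return {
        "file_type_id": ft_id,
        "file_type": name.decode("utf-8", errors="replace"),
    }


if __name__ == "__main__":
    sample = build_fireamp_file_type_message(7, "PDF")   # constructed sample
    print(sample.hex())
    print(parse_fireamp_file_type_message(sample))
```

Each declared length (Message Length, Record Length, FireAMP File Type Length) is validated against the enclosing buffer before any slice is taken, so a short read from the socket or a corrupted length field produces an `EStreamerParseError` instead of a silent mis-parse; the string length is also required to agree exactly with the record length so the two cannot quietly disagree.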