Cisco Cisco Firepower Management Center 4000 Developer's Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
149
Understanding Intrusion and Correlation Data Structures
Understanding Series 2 Data Blocks
Chapter 3
File Event SHA Hash for 5.3+
The eStreamer service uses the File Event SHA Hash data block to contain
metadata of the mapping of the SHA hash of a file to its filename. The block type
is 40 in the series 2 list of data blocks. It can be requested if file log events have
been requested in the extended requests—event code 111—and either bit 20 is
set or metadata is requested with an event version of 5 and an event code of 21.
The following diagram shows the structure of a file event hash data block:
The following diagram shows the structure of a file event hash data block:
Protocol
uint8
IANA protocol number specified by the
user. For example:
•
•
1
— ICMP
•
4
— IP
•
6
— TCP
•
17
— UDP
This is currently only TCP.
Threat Score
uint8
A numeric value from 0 to 100 based
on the potentially malicious behaviors
observed during dynamic analysis.
IOC Number
uint16
ID Number of the compromise
associated with this event.
Malware Event Data Block for 5.3+ Fields (Continued)
F
IELD
D
ATA
T
YPE
D
ESCRIPTION
Byte
0
1
2
3
Bit
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
File Event SHA Hash Block Type (40)
File Event SHA Hash Block Length
SHA Hash
SHA Hash, continued