Sourcefire 3D System eStreamer Integration Guide, Version 5.3 (page 451)
Appendix A: Data Structure Examples, Intrusion Event Data Structure Examples
C. This line indicates a record type value of 95, which represents a user information update message block.
D. This line indicates that the data that follows is 137 bytes long.
E. This line contains the archive timestamp. It is included since bit 23 was set. The timestamp is a Unix timestamp, stored as seconds since 1/1/1970. This timestamp is 1,391,789,354, which is Mon Feb 3 19:43:49 2014.
F. This line contains zeros and is reserved for future use.
G. This line indicates that the length of the correlation event block, including the correlation event block header, is 145 bytes.
H. This line indicates that the detection engine ID is 0, indicating that the correlation event was generated on the Defense Center.
I. This line contains the correlation event timestamp, 1,098,911,301, which is Wed, 27 Oct 2004 21:08:21 GMT.
J. This line indicates that the correlation event ID number is 10.
K. This line indicates a policy ID of 4, which, in this case, maps to a custom correlation policy on the Defense Center.
L. This line indicates a rule ID of 29, which, in this case, maps to a custom correlation policy rule on the Defense Center.
M. This line indicates a policy priority of 1.
N. This line contains a value of 0, which indicates the beginning of a string block for the event description.
O. This line indicates the length of the description. In this example, the length is 19 bytes, including the string block header and the 11 bytes in the event description. In an actual event, the length is typically much longer.
P. These three lines contain the 11-byte event description, followed by the event type. The event description has been truncated for the sake of this example. In this example, the description is “[1:2008:4] ”. In the actual policy violation event that this example is based on, however, the description is much longer: “[1:2008:4] MISC CVS invalid user authentication response [Impact: Potentially Vulnerable] From sensor "is.sourcefire.com" at Thu Oct 28 17:07:19 2004 UTC [Classification: Misc Attack] [Priority: 2] {tcp} 10.1.1.24:2401 -> 10.1.1.25:34174”. The fourth byte in the third line has a value of one, which indicates that the type of event that caused the policy violation is an intrusion event.
Q. This line indicates the identification number of the detection engine that generated the intrusion event; in this case, it is detection engine 1.
R. This line indicates that the signature ID for the rule triggered in the event is 2008.
S. This line indicates that the generator ID for the rule that triggered in the event is 1, the intrusion detection engine.