Cisco Firepower Management Center 4000 Developer Guide
FireSIGHT eStreamer Integration Guide, page 3-69
Chapter 3 Understanding Intrusion and Correlation Data Structures
Understanding Series 2 Data Blocks
Table 3-38 Malware Event Data Block for 5.3.1+ Fields (continued)

Field                         Data Type   Description
----------------------------  ----------  ------------------------------------------------------------------
Event Description             string      The additional event information associated with the event type.
Device ID                     uint32      ID for the device that generated the event.
Connection Instance           uint16      Snort instance on the device that generated the event. Used to link
                                          the event with a connection or IDS event.
Connection Counter            uint16      Value used to distinguish between connection events that happen
                                          during the same second.
Connection Event Timestamp    uint32      Timestamp of the connection event.
Direction                     uint8       Indicates whether the file was uploaded or downloaded. Can have the
                                          following values:
                                          • 1 - Download
                                          • 2 - Upload
                                          Currently the value depends on the protocol (for example, if the
                                          connection is HTTP it is a download).
Source IP Address             uint8[16]   IPv4 or IPv6 address for the source of the connection.
Destination IP Address        uint8[16]   IPv4 or IPv6 address for the destination of the connection.
Application ID                uint32      ID number that maps to the application using the file transfer.
User ID                       uint32      Identification number for the user logged into the destination host,
                                          as identified by the system.
Access Control Policy UUID    uint8[16]   Identification number that acts as a unique identifier for the
                                          access control policy that triggered the event.
Disposition                   uint8       The malware status of the file. Possible values include:
                                          • 1 - CLEAN: The file is clean and does not contain malware.
                                          • 2 - UNKNOWN: It is unknown whether the file contains malware.
                                          • 3 - MALWARE: The file contains malware.
                                          • 4 - UNAVAILABLE: The software was unable to send a request to the
                                            Cisco cloud for a disposition, or the Cisco cloud services did
                                            not respond to the request.
                                          • 5 - CUSTOM SIGNATURE: The file matches a user-defined hash, and
                                            is treated in a fashion designated by the user.
Retrospective Disposition     uint8       Disposition of the file if the disposition is updated. If the
                                          disposition is not updated, this field contains the same value as
                                          the Disposition field. The possible values are the same as for the
                                          Disposition field.
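The following is an added example, not Cisco's code or part of the guide, showing how an eStreamer client would decode the fixed-width fields of Table 3-38 from Device ID through Retrospective Disposition (71 bytes), name the Direction and Disposition codes, render the uint8[16] address fields, and flag a retrospective verdict change. It assumes network (big-endian) byte order and that an IPv4 address occupies the last four of the 16 address bytes (either zero-padded or ::ffff-mapped); the encoding of the preceding Event Description string is not on this page, so the parser starts at Device ID, and the sample record is constructed, not captured from a sensor.

```python
"""Decode the fixed-width tail of the Malware Event Data Block (5.3.1+),
Table 3-38, from Device ID through Retrospective Disposition.
Added example, not Cisco's code. Assumes network byte order and that IPv4
addresses sit in the last 4 of the 16 address bytes (assumption)."""
import ipaddress
import struct
import uuid
from dataclasses import dataclass

DIRECTION = {1: "Download", 2: "Upload"}
DISPOSITION = {1: "CLEAN", 2: "UNKNOWN", 3: "MALWARE",
               4: "UNAVAILABLE", 5: "CUSTOM SIGNATURE"}

# Field order and widths exactly as in Table 3-38: uint32, uint16, uint16,
# uint32, uint8, uint8[16], uint8[16], uint32, uint32, uint8[16], uint8, uint8.
_TAIL = struct.Struct(">IHHIB16s16sII16sBB")
TAIL_SIZE = _TAIL.size  # 71 bytes


@dataclass
class MalwareEventTail:
    device_id: int
    connection_instance: int
    connection_counter: int
    connection_event_timestamp: int
    direction: str
    source_ip: str
    destination_ip: str
    application_id: int
    user_id: int
    access_control_policy_uuid: str
    disposition: str
    retrospective_disposition: str

    def disposition_changed(self) -> bool:
        """True when the retrospective verdict differs from the original,
        e.g. a file first reported CLEAN or UNKNOWN and later MALWARE."""
        return self.disposition != self.retrospective_disposition


def decode_address(raw: bytes) -> str:
    """Render a uint8[16] field as IPv4 when the first 12 bytes are zero or
    the ::ffff: mapping is used (assumption), otherwise as IPv6."""
    if len(raw) != 16:
        raise ValueError("address field must be 16 bytes")
    addr = ipaddress.IPv6Address(raw)
    if addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    if raw[:12] == bytes(12):
        return str(ipaddress.IPv4Address(raw[12:]))
    return str(addr)


def _name(table: dict, value: int, label: str) -> str:
    # Reject codes the table does not define rather than guessing a meaning.
    if value not in table:
        raise ValueError(f"undocumented {label} value {value}")
    return table[value]


def parse_tail(buf: bytes, offset: int = 0) -> tuple[MalwareEventTail, int]:
    """Parse 71 bytes at `offset`; return the record and the next offset so a
    caller can continue with whatever fields follow in the full block."""
    if len(buf) - offset < TAIL_SIZE:
        raise ValueError(f"need {TAIL_SIZE} bytes, have {len(buf) - offset}")
    (dev, inst, ctr, ts, dirn, src, dst, app, user, acp,
     disp, rdisp) = _TAIL.unpack_from(buf, offset)
    event = MalwareEventTail(
        device_id=dev, connection_instance=inst, connection_counter=ctr,
        connection_event_timestamp=ts,
        direction=_name(DIRECTION, dirn, "Direction"),
        source_ip=decode_address(src), destination_ip=decode_address(dst),
        application_id=app, user_id=user,
        access_control_policy_uuid=str(uuid.UUID(bytes=acp)),
        disposition=_name(DISPOSITION, disp, "Disposition"),
        retrospective_disposition=_name(DISPOSITION, rdisp,
                                        "Retrospective Disposition"),
    )
    return event, offset + TAIL_SIZE


def build_sample() -> bytes:
    """Constructed sample (not a real capture): an HTTP download from
    10.1.2.3 to 2001:db8::10, first CLEAN, retrospectively MALWARE."""
    src = bytes(12) + ipaddress.IPv4Address("10.1.2.3").packed
    dst = ipaddress.IPv6Address("2001:db8::10").packed
    acp = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes
    return _TAIL.pack(7, 3, 42, 1700000000, 1, src, dst, 676, 1001, acp, 1, 3)


if __name__ == "__main__":
    ev, _ = parse_tail(build_sample())
    print(ev)
    print("retrospective change:", ev.disposition_changed())
```

A consumer that stores only the original Disposition misses the case this example flags: the Retrospective Disposition field is where a file first passed as CLEAN or UNKNOWN shows up as MALWARE, so detection logic should compare the two fields rather than read just one.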