Cisco Firepower Management Center 4000 Developer Guide
FireSIGHT eStreamer Integration Guide
Chapter 2 Understanding the eStreamer Application Protocol
Event Stream Request Message Format
Note that you request metadata by version, not by the individual metadata record. For information about
each supported version of metadata, see
.
The following diagram shades the bits in the flags field that are currently used:
For information on each request flag bit, see the following table.
Byte       0                       1                       2                       3
Bit        0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
           0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  1  0  0  0  0  0  0  0  0  0  0  0  0  0  0  1  0
           0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  1  0  0  0
           0  0  1  1  1  1  1  0  1  1  1  1  1  1  1  1  1  0  1  0  1  1  1  0  1  1  0  1  0  0  0  1
           0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  1  0  0  0  1  1

Flag Bit  30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
Table 2-6 Request Flags

Bit Field   Description

Bit 0       Requests the transmission of packet data associated with intrusion events. If set to 1, packet data is transmitted with intrusion events. If set to 0, packet data is not transmitted.

Bit 1       Requests the transmission of version 1 metadata associated with intrusion, discovery, correlation, and connection events. If set to 1, version 1 metadata is transmitted with events. If set to 0, version 1 metadata is not transmitted.

            You can use metadata to resolve coded and numeric fields in events. See for general information on the way eStreamer transmits metadata to clients and how a client can use metadata.

Bit 2       Requests the transmission of intrusion events. If bit 2, bit 6, or both bit 2 and 6 are set to 1, but the extended request flag, bit 30, is set to 0, the system interprets this as a request from a Version 4.x client and record type 104/105 is sent. If no event type is specified when bit 2, bit 6, or both bit 2 and 6 are set to 1, and bit 30 is set to 1, the system interprets this as a request from a Version 5.0-5.1 client and record type 207/208 is sent. If bit 30 is set to 1, and a specific event type is requested, intrusion events are sent regardless of bits 2 and 6.

            For details on requesting record types, see

            If bit 2, bit 6, and bit 30 are all set to 0, intrusion events are not sent.

            Bit 6 is used in a manner identical to bit 2. Either bit can be set to request intrusion events. Setting one of these bits to 0 will not override the other bit; setting bit 2 to 0 and bit 6 to 1, or setting bit 2 to 1 and bit 6 to 0, will be interpreted as a request for intrusion events.

Bit 3       Requests the transmission of discovery data version 1 (Defense Center 3.2). If set to 0, discovery data version 1 is not transmitted.

            For more information about discovery events, see

Bit 4       Requests the transmission of correlation data version 1 (Defense Center 3.2). If set to 0, correlation data version 1 is not transmitted.
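
The flag rules in Table 2-6, worked through in Python as an added example (not code from the Cisco guide). It assumes the flags field is a 4-byte big-endian word with flag bit 0 as the least significant bit; the function names and the event_type_requested parameter are hypothetical, and the sample values are constructed.

```python
import struct

# Bits this page's Table 2-6 describes on their own (bit number -> meaning).
SIMPLE_BITS = {
    0: "packet data with intrusion events",
    1: "version 1 metadata",
    3: "discovery data version 1",
    4: "correlation data version 1",
}
INTRUSION_MASK = (1 << 2) | (1 << 6)   # bits 2 and 6 are interchangeable
EXTENDED_MASK = 1 << 30                # extended request flag


def intrusion_outcome(flags, event_type_requested=False):
    """Apply the bit 2 / bit 6 / bit 30 rules from the Bit 2 row.

    event_type_requested is a hypothetical parameter standing in for the
    table's "a specific event type is requested" condition.
    """
    wants = bool(flags & INTRUSION_MASK)
    extended = bool(flags & EXTENDED_MASK)
    if extended and event_type_requested:
        return "sent regardless of bits 2 and 6"
    if wants and not extended:
        return "Version 4.x client: record type 104/105"
    if wants and extended:
        return "Version 5.0-5.1 client: record type 207/208"
    if not wants and not extended:
        return "not sent"
    return "not stated in the table"   # bit 30 alone, no event type


def decode_request_flags(raw):
    """Decode a 4-byte flags field (assumed big-endian, flag bit 0 = LSB)."""
    if len(raw) != 4:
        raise ValueError("flags field must be exactly 4 bytes")
    (flags,) = struct.unpack(">I", raw)
    known = set(SIMPLE_BITS) | {2, 6, 30}
    return {
        "requested": [SIMPLE_BITS[b] for b in SIMPLE_BITS if flags >> b & 1],
        "intrusion": intrusion_outcome(flags),
        # Bits set that this page does not describe; worth logging on review.
        "undescribed_bits": [b for b in range(32)
                             if flags >> b & 1 and b not in known],
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the guide.
    for value in (0x00000007, 0x40000044, 0x00000800):
        print(hex(value), decode_request_flags(struct.pack(">I", value)))
```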