FireSIGHT eStreamer Integration Guide
Chapter 3 Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Table 3-4 Intrusion Event Record 5.3.1+ Fields (continued)

Field: Impact Flags
Data Type: bits[8]
Description: Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:
• 0x01 (bit 0) - Source or destination host is in a network monitored by the system.
• 0x02 (bit 1) - Source or destination host exists in the network map.
• 0x04 (bit 2) - Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
• 0x08 (bit 3) - There is a vulnerability mapped to the operating system of the source or destination host in the event.
• 0x10 (bit 4) - There is a vulnerability mapped to the server detected in the event.
• 0x20 (bit 5) - The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the FireSIGHT System web interface.
• 0x40 (bit 6) - The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
• 0x80 (bit 7) - There is a vulnerability mapped to the client detected in the event. (version 5.0+ only)
The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:
• gray (0, unknown): 00X00000
• red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX (version 5.0+ only)
• orange (2, potentially vulnerable): 00X0011X
• yellow (3, currently not vulnerable): 00X0001X
• blue (4, unknown target): 00X00001

Field: Impact
Data Type: uint8
Description: Impact flag value of the event. Values are:
• 1 - Red (vulnerable)
• 2 - Orange (potentially vulnerable)
• 3 - Yellow (currently not vulnerable)
• 4 - Blue (unknown target)
• 5 - Gray (unknown impact)

Field: Blocked
Data Type: uint8
Description: Value indicating whether the event was blocked:
• 0 - not blocked
• 1 - blocked
• 2 - would be blocked (but not permitted by configuration)
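A decoder for the Impact Flags byte and the priority bit patterns listed above, written as an added example for this page; it is not code from the guide or from Cisco, the constant and function names are my own, and a flag combination the guide does not document (for example bit 2 set without bit 1) raises instead of guessing a colour.

```python
# Added example: decode the 8-bit Impact Flags field of an eStreamer
# intrusion event record and derive the Defense Center priority colour
# from the documented bit patterns. Names are this example's own.

IMPACT_FLAG_BITS = {
    0x01: "host in monitored network",                        # bit 0
    0x02: "host in network map",                              # bit 1
    0x04: "host runs server on event port / uses IP protocol",  # bit 2
    0x08: "vulnerability mapped to host OS",                  # bit 3
    0x10: "vulnerability mapped to server",                   # bit 4
    0x20: "session dropped (blocked)",                        # bit 5
    0x40: "rule metadata sets impact red",                    # bit 6
    0x80: "vulnerability mapped to client (5.0+)",            # bit 7
}

# Priority patterns exactly as the guide lists them, MSB (bit 7) first;
# 'X' means the bit may be 0 or 1. Bit 5 (blocked) never affects colour.
PRIORITY_PATTERNS = [
    (1, "red", ["XXXX1XXX", "XXX1XXXX", "X1XXXXXX", "1XXXXXXX"]),
    (2, "orange", ["00X0011X"]),
    (3, "yellow", ["00X0001X"]),
    (4, "blue", ["00X00001"]),
    (0, "gray", ["00X00000"]),
]


def decode_impact_flags(flags: int) -> list:
    """Return the meaning of every set bit, lowest bit first."""
    if not 0 <= flags <= 0xFF:
        raise ValueError("Impact Flags is an 8-bit field")
    return [name for bit, name in IMPACT_FLAG_BITS.items() if flags & bit]


def _matches(flags: int, pattern: str) -> bool:
    """Compare the 8-bit value against a '0'/'1'/'X' pattern, MSB first."""
    bits = format(flags, "08b")
    return all(p == "X" or p == b for p, b in zip(pattern, bits))


def impact_priority(flags: int) -> tuple:
    """Map Impact Flags to (priority number, colour) per the guide's table."""
    if not 0 <= flags <= 0xFF:
        raise ValueError("Impact Flags is an 8-bit field")
    for level, colour, patterns in PRIORITY_PATTERNS:
        if any(_matches(flags, p) for p in patterns):
            return level, colour
    # e.g. 0x04: server on the port but host not in the network map.
    raise ValueError(f"Impact Flags 0x{flags:02x} match no documented priority")
```

The patterns are mutually exclusive, so lookup order does not matter; any bit among 3, 4, 6 or 7 forces red regardless of the rest.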