Cisco Firepower Management Center 2000 Developer Guide
FireSIGHT eStreamer Integration Guide
Chapter 3 Understanding Intrusion and Correlation Data Structures
Understanding Series 2 Data Blocks
Table 3-37 File Event Data Block for 5.3.1+ Fields (continued)

| Field | Data Type | Description |
|---|---|---|
| SHA Hash | uint8[32] | SHA-256 hash of the file, in binary format. |
| File Type ID | uint32 | ID number that maps to the file type. The meaning of this field is transmitted in the metadata with this event. See information. |
| File Name | string | Name of the file. |
| File Size | uint64 | Size of the file in bytes. |
| Direction | uint8 | Value that indicates whether the file was uploaded or downloaded. Can have the following values: 1 - Download; 2 - Upload. Currently the value depends on the protocol (for example, if the connection is HTTP it is a download). |
| Application ID | uint32 | ID number that maps to the application using the file transfer. |
| User ID | uint32 | ID number for the user logged into the destination host, as identified by the system. |
| URI | string | Uniform Resource Identifier (URI) of the connection. |
| Signature | string | SHA-256 hash of the file, in string format. |
| Source Port | uint16 | Port number for the source of the connection. |
| Destination Port | uint16 | Port number for the destination of the connection. |
| Protocol | uint8 | IANA protocol number specified by the user. For example: 1 - ICMP; 4 - IP; 6 - TCP; 17 - UDP. This is currently only TCP. |
| Access Control Policy UUID | uint8[16] | Unique identifier for the access control policy that triggered the event. |
| Source Country | uint16 | Code for the country of the source host. |
| Destination Country | uint16 | Code for the country of the destination host. |
| Web Application ID | uint32 | The internal identification number for the web application, if applicable. |
| Client Application ID | uint32 | The internal identification number for the client application, if applicable. |
| Security Context | uint8(16) | ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
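
As an added example (not code from the Cisco guide), the following Python decodes the fields of this table from a buffer that begins at SHA Hash and checks that the Signature string agrees with the binary SHA Hash, that Direction is 1 or 2, and that Protocol is TCP. It assumes network byte order, that each `string` is framed as a uint32 type of 0 followed by a uint32 length that counts its own 8-byte header, and that `uint8(16)` means 16 bytes; all function names and sample values are constructed for illustration.

```python
import struct
import uuid

DIRECTION = {1: "Download", 2: "Upload"}  # values listed in the table
# Table order. "str" = framed string (see _string); anything else is a struct code.
FIELDS = [("sha256", "32s"), ("file_type_id", "I"), ("file_name", "str"), ("file_size", "Q"),
          ("direction", "B"), ("application_id", "I"), ("user_id", "I"), ("uri", "str"),
          ("signature", "str"), ("src_port", "H"), ("dst_port", "H"), ("protocol", "B"),
          ("policy_uuid", "16s"), ("src_country", "H"), ("dst_country", "H"),
          ("web_app_id", "I"), ("client_app_id", "I"), ("security_context", "16s")]

def _take(buf, pos, n):
    if pos + n > len(buf):
        raise ValueError(f"truncated at offset {pos}")
    return buf[pos:pos + n], pos + n

def _string(buf, pos):
    # ASSUMPTION: uint32 type 0, uint32 length counting this 8-byte header, then data
    hdr, pos = _take(buf, pos, 8)
    btype, blen = struct.unpack(">II", hdr)
    if btype != 0 or blen < 8:
        raise ValueError(f"bad string header at offset {pos - 8}")
    data, pos = _take(buf, pos, blen - 8)
    return data.rstrip(b"\0").decode("utf-8", "replace"), pos

def parse_file_event_tail(buf):
    """Decode this table's fields from a buffer that starts at SHA Hash."""
    ev, pos = {}, 0
    for name, kind in FIELDS:
        if kind == "str":
            ev[name], pos = _string(buf, pos)
            continue
        raw, pos = _take(buf, pos, struct.calcsize(">" + kind))
        val = struct.unpack(">" + kind, raw)[0]  # ASSUMPTION: network byte order
        ev[name] = val.hex() if isinstance(val, bytes) else val
    ev["policy_uuid"] = str(uuid.UUID(hex=ev["policy_uuid"]))
    checks = [(ev["signature"].lower() == ev["sha256"], "Signature != SHA Hash"),
              (ev["direction"] in DIRECTION, "Direction is not 1 or 2"),
              (ev["protocol"] == 6, "Protocol is not TCP (6)")]
    return ev, [msg for ok, msg in checks if not ok]

def _s(data):  # frames a constructed sample string as assumed in _string
    return struct.pack(">II", 0, 8 + len(data)) + data

digest = bytes(range(32))  # constructed sample values, not real event data
SAMPLE = (digest + struct.pack(">I", 17) + _s(b"report.pdf")
          + struct.pack(">QBII", 2048, 1, 676, 0) + _s(b"/files/report.pdf")
          + _s(digest.hex().encode()) + struct.pack(">HHB", 49152, 80, 6) + bytes(16)
          + struct.pack(">HHII", 840, 826, 0, 0) + bytes(16))
```

`parse_file_event_tail(SAMPLE)` returns the decoded dictionary and an empty problem list; a record whose binary hash and Signature string disagree comes back with `"Signature != SHA Hash"` in that list.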