Cisco Firepower Management Center 2000 Developer Guide
FireSIGHT eStreamer Integration Guide
Chapter 4 Understanding Discovery & Connection Data Structures
Metadata for Discovery Events
[Layout diagram, continued from the preceding page: the remaining rows of the IOC State data block, each row 4 bytes wide (bytes 0-3, bits 0-31): Last Event ID (cont.), Last Device ID, Last Device ID (cont.), Last Instance ID, Last Connection Time, Last Connection Time (cont.), Last Counter, Last Counter (cont.). Fields are packed without alignment padding, so a field that does not start on a row boundary continues into the next row.]

The following table describes the components of the IOC State data block.
Table 4-21 IOC State Data Block Fields

Field | Data Type | Description
IOC State Data Block Type | uint32 | Initiates an IOC State data block. This value is always 150.
IOC State Data Block Length | uint32 | Total number of bytes in the IOC State data block, including eight bytes for the IOC State data block type and length fields, plus the number of bytes of data that follows.
IOC ID Number | uint32 | Unique ID number for the compromise.
Disabled | uint8 | Indicates whether the compromise has been disabled on the host: 0 - the compromise is not disabled; 1 - the compromise is disabled.
First Seen | uint32 | Unix timestamp of when this compromise was first seen.
First Event ID | uint32 | ID number of the event on which this compromise was first seen.
First Device ID | uint32 | ID of the sensor which first detected the IOC.
First Instance ID | uint16 | Numerical ID of the Snort instance on the managed device that first detected the compromise.
First Connection Time | uint32 | Unix timestamp of the connection on which this compromise was first seen.
First Counter | uint16 | Counter for the connection on which this compromise was first seen. Used to differentiate between multiple connections occurring at the same time.
Last Seen | uint32 | Unix timestamp of when this compromise was last seen.
Last Event ID | uint32 | ID number of the event on which this compromise was last seen.
Last Device ID | uint32 | ID of the sensor which most recently detected the IOC.
Last Instance ID | uint16 | Numerical ID of the Snort instance on the managed device that last detected the compromise.
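The following parser is an added example for the block laid out in Table 4-21; it is not code from the Cisco guide or the eStreamer SDK. It reads the fields in the order and widths the table gives, and it treats the peer-supplied Block Length as untrusted: the length is checked against the bytes actually present before any field is decoded, and the cursor advances by the declared length rather than by the struct size, so trailing bytes from a newer block version are skipped instead of being misread as the next block. Two things are assumptions not stated on this page: integers are big-endian (network byte order), and the two trailing fields visible in the layout diagram, Last Connection Time and Last Counter, mirror their First counterparts as uint32 and uint16. The sample block is constructed inline.

```python
"""Parse an eStreamer IOC State data block (Table 4-21). Added example, not Cisco code."""
import struct
from dataclasses import dataclass

IOC_STATE_BLOCK_TYPE = 150  # Table 4-21: the block type is always 150

# Field order and widths from Table 4-21, packed with no alignment padding
# (which is why uint32 fields straddle the 4-byte rows of the layout diagram).
_LAYOUT = struct.Struct(
    "!"    # big-endian / network byte order (assumption, not stated on this page)
    "I"    # Block Type
    "I"    # Block Length: whole block, including these 8 header bytes
    "I"    # IOC ID Number
    "B"    # Disabled: 0 = not disabled, 1 = disabled
    "I"    # First Seen (Unix timestamp)
    "I"    # First Event ID
    "I"    # First Device ID
    "H"    # First Instance ID (Snort instance)
    "I"    # First Connection Time (Unix timestamp)
    "H"    # First Counter
    "I"    # Last Seen (Unix timestamp)
    "I"    # Last Event ID
    "I"    # Last Device ID
    "H"    # Last Instance ID
    "I"    # Last Connection Time (assumed uint32, mirroring First Connection Time)
    "H"    # Last Counter (assumed uint16, mirroring First Counter)
)
FIELD_NAMES = (
    "ioc_id", "disabled", "first_seen", "first_event_id", "first_device_id",
    "first_instance_id", "first_connection_time", "first_counter",
    "last_seen", "last_event_id", "last_device_id", "last_instance_id",
    "last_connection_time", "last_counter",
)


class IocStateBlockError(ValueError):
    """Raised for a malformed or truncated IOC State data block."""


@dataclass(frozen=True)
class IocState:
    ioc_id: int
    disabled: bool
    first_seen: int
    first_event_id: int
    first_device_id: int
    first_instance_id: int
    first_connection_time: int
    first_counter: int
    last_seen: int
    last_event_id: int
    last_device_id: int
    last_instance_id: int
    last_connection_time: int
    last_counter: int


def parse_ioc_state_block(buf: bytes, offset: int = 0):
    """Parse one block at buf[offset:]; return (IocState, offset of the next block)."""
    if len(buf) - offset < 8:
        raise IocStateBlockError("truncated: fewer than 8 bytes for type and length")
    block_type, block_length = struct.unpack_from("!II", buf, offset)
    if block_type != IOC_STATE_BLOCK_TYPE:
        raise IocStateBlockError(f"block type {block_type} is not {IOC_STATE_BLOCK_TYPE}")
    # Block Length comes off the wire: bound it before deriving any offset from it.
    if block_length < _LAYOUT.size:
        raise IocStateBlockError(f"block length {block_length} < {_LAYOUT.size}-byte layout")
    if offset + block_length > len(buf):
        raise IocStateBlockError("block length runs past the end of the buffer")
    values = _LAYOUT.unpack_from(buf, offset)[2:]  # drop type and length
    fields = dict(zip(FIELD_NAMES, values))
    if fields["disabled"] not in (0, 1):
        raise IocStateBlockError(f"Disabled must be 0 or 1, got {fields['disabled']}")
    fields["disabled"] = bool(fields["disabled"])
    # Advance by the declared length, not the struct size, to stay in sync with
    # a newer block version that appends fields after the ones documented here.
    return IocState(**fields), offset + block_length


def build_ioc_state_block(state: IocState, extra: bytes = b"") -> bytes:
    """Inverse of the parser; `extra` simulates fields appended by a newer version."""
    values = [int(getattr(state, name)) for name in FIELD_NAMES]
    return _LAYOUT.pack(IOC_STATE_BLOCK_TYPE, _LAYOUT.size + len(extra), *values) + extra


# Constructed sample: one compromise first seen by device 3, last seen by device 7.
SAMPLE_STATE = IocState(
    ioc_id=42, disabled=False,
    first_seen=1_400_000_000, first_event_id=1001, first_device_id=3,
    first_instance_id=1, first_connection_time=1_399_999_990, first_counter=5,
    last_seen=1_400_003_600, last_event_id=1077, last_device_id=7,
    last_instance_id=2, last_connection_time=1_400_003_590, last_counter=9,
)
SAMPLE_BLOCK = build_ioc_state_block(SAMPLE_STATE)

if __name__ == "__main__":
    state, nxt = parse_ioc_state_block(SAMPLE_BLOCK)
    print(state, "next block at byte", nxt)
```

The documented layout is 53 bytes, so a block whose declared length is smaller is rejected outright, and one whose length exceeds the buffer is rejected before any field is read; a client that instead trusts Block Length when slicing the receive buffer reads past the end of the message on a truncated or malformed stream.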