Cisco Firepower Management Center 2000 Developer Guide

4-26
FireSIGHT eStreamer Integration Guide
Chapter 4 Understanding Discovery & Connection Data Structures
Metadata for Discovery Events
The following table describes the components of the IOC State data block.
[Layout diagram of the IOC State data block, continued from the previous page. Remaining rows: Last Event ID (cont.), Last Device ID, Last Device ID (cont.), Last Instance ID, Last Connection Time, Last Connection Time (cont.), Last Counter, Last Counter (cont.). Column headers: Byte 0 to 3, Bit 0 to 31.]
Table 4-21 IOC State Data Block Fields

Field | Data Type | Description
IOC State Data Block Type | uint32 | Initiates an IOC State data block. This value is always 150.
IOC State Data Block Length | uint32 | Total number of bytes in the IOC State data block, including eight bytes for the IOC State data block type and length fields, plus the number of bytes of data that follows.
IOC ID Number | uint32 | Unique ID number for the compromise.
Disabled | uint8 | Indicates whether the compromise has been disabled on the host: 0 - The compromise is not disabled. 1 - The compromise is disabled.
First Seen | uint32 | Unix timestamp of when this compromise was first seen.
First Event ID | uint32 | ID number of the event on which this compromise was first seen.
First Device ID | uint32 | ID of the sensor which first detected the IOC.
First Instance ID | uint16 | Numerical ID of the Snort instance on the managed device that first detected the compromise.
First Connection Time | uint32 | Unix timestamp of the connection where this compromise was first seen.
First Counter | uint16 | Counter for the connection on which this compromise was last seen. Used to differentiate between multiple connections occurring at the same time.
Last Seen | uint32 | Unix timestamp of when this compromise was last seen.
Last Event ID | uint32 | ID number of the event on which this compromise was last seen.
Last Device ID | uint32 | ID of the sensor which most recently detected the IOC.
Last Instance ID | uint16 | Numerical ID of the Snort instance on the managed device that last detected the compromise.
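The following decoder, an added example rather than code from the guide or from Cisco, walks an IOC State data block in the field order of Table 4-21, checking the block type (150) and the declared Block Length before unpacking. It assumes eStreamer encodes integers in network byte order (big-endian) and that the trailing Last Connection Time and Last Counter fields shown in the layout diagram mirror the uint32 and uint16 types of their First counterparts; the sample bytes are constructed, not captured.

```python
import struct

IOC_STATE_BLOCK_TYPE = 150  # Block Type value stated in Table 4-21

# Field order follows Table 4-21. Big-endian (">") is an assumption about
# eStreamer encoding. The last two fields (Last Connection Time as uint32,
# Last Counter as uint16) come from the layout diagram; their types are
# assumed to mirror First Connection Time and First Counter.
_BODY_FMT = ">IBIIIHIHIIIHIH"
_BODY_LEN = struct.calcsize(_BODY_FMT)  # 45 bytes of data after the header

_FIELDS = (
    "ioc_id", "disabled", "first_seen", "first_event_id", "first_device_id",
    "first_instance_id", "first_connection_time", "first_counter",
    "last_seen", "last_event_id", "last_device_id", "last_instance_id",
    "last_connection_time", "last_counter",
)


def parse_ioc_state(data: bytes) -> dict:
    """Decode one IOC State data block, validating type and length first."""
    if len(data) < 8:
        raise ValueError("truncated block header")
    block_type, block_len = struct.unpack_from(">II", data, 0)
    if block_type != IOC_STATE_BLOCK_TYPE:
        raise ValueError(f"unexpected block type {block_type}")
    # Block Length counts the 8 header bytes plus the data that follows,
    # so reject a declared length that cannot hold the fixed field set or
    # that overruns the bytes actually received.
    if block_len < 8 + _BODY_LEN or len(data) < block_len:
        raise ValueError(f"bad block length {block_len} (have {len(data)} bytes)")
    record = dict(zip(_FIELDS, struct.unpack_from(_BODY_FMT, data, 8)))
    record["disabled"] = bool(record["disabled"])  # uint8: 0 active, 1 disabled
    return record


def build_ioc_state(**fields) -> bytes:
    """Encoder (inverse of parse_ioc_state) used to construct test input."""
    body = struct.pack(_BODY_FMT, *(fields[name] for name in _FIELDS))
    return struct.pack(">II", IOC_STATE_BLOCK_TYPE, 8 + len(body)) + body


# Constructed sample block (values are illustrative, not from a real sensor).
SAMPLE_BLOCK = build_ioc_state(
    ioc_id=42, disabled=0, first_seen=1700000000, first_event_id=7,
    first_device_id=3, first_instance_id=1, first_connection_time=1700000001,
    first_counter=5, last_seen=1700003600, last_event_id=99, last_device_id=3,
    last_instance_id=2, last_connection_time=1700003601, last_counter=9,
)

if __name__ == "__main__":
    print(parse_ioc_state(SAMPLE_BLOCK))
```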