Cisco Firepower Management Center 2000 Developer's Guide
A-15
FireSIGHT eStreamer Integration Guide
 
Appendix A  Data Structure Examples
Intrusion Event Data Structure Examples
In the preceding example, the following information appears (numbered by line of the dump, with a description of each):

1. The first two bytes of this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (that is, message type four).
2. This line indicates that the message that follows is 153 bytes long.
3. This line indicates a record type value of 95, which represents a user information update message block.
4. This line indicates that the data that follows is 137 bytes long.
5. This line contains the archive timestamp. It is included since bit 23 was set. The timestamp is a Unix timestamp, stored as seconds since 1/1/1970. This timestamp is 1,391,789,354, which is Mon Feb  3 19:43:49 2014.
6. This line contains zeros and is reserved for future use.
7. This line indicates that the detection engine ID is 3.
8. This line is for the legacy (IPv4) IP address. It contains all zeros as it is not populated and the IPv4 address is stored in the IPv6 field.
9. This line contains the MAC address associated with the event. As there is no MAC address, it contains zeros.
10. The first half of this line is the remainder of the MAC address, which is zeros. The next byte indicates the presence of an IPv6 address. The last byte in this line is reserved for future use and contains zeros.
11. This line contains the UNIX timestamp (seconds since 01/01/1970) at which the system generated the event.
12. This line contains the microsecond (one millionth of a second) increment at which the system generated the event.
13. This line contains the event type. This has a value of 1004, which indicates a user modification message.
14. This line contains the event subtype. This has a value of 2, which indicates a user login event.
15. This line contains the serial file number. This field is for internal use and can be disregarded.
16. This line contains the event's position in the serial file. This field is for internal use and can be disregarded.
17. This line contains the IPv6 address. This field is present and used if the Has IPv6 flag is set. In this case, however, it contains the IPv4 address 10.4.15.120.
18. This line initiates a User Login Information data block, indicated by block type 127.
19. This line indicates that the block that follows is 81 bytes long.
20. This line indicates that the user login timestamp is 1,391,456,627, which means it was generated at Mon, 03 Oct 2014 19:43:47 GMT.
21. This line is for the legacy (IPv4) IP address. It contains all zeros as it is not populated and the IPv4 address is stored in the IPv6 field.
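The layout walked through above, as an added Python parser that is not part of the guide or of any Cisco eStreamer client. It assumes every field is big-endian, that the 81-byte block length counts the block's own type and length fields (which is what makes 137 = 56 + 81 add up), and that the IPv4 address is carried in the IPv6 field in IPv4-mapped form; the sample message is constructed from the values in the walk-through, and every length field is checked against the bytes actually received before it is trusted.

```python
import struct
import ipaddress
from datetime import datetime, timezone

# Field layout taken from the line-by-line walk-through above (big-endian).
# The remainder of the User Login Information block is not described in this
# excerpt, so it is returned as raw bytes rather than guessed at.
HEADER = struct.Struct("!HHI")               # version, message type, message length
RECORD = struct.Struct("!IIII")              # record type, data length, archive ts, reserved
EVENT = struct.Struct("!I4s6sBBIIIIII16s")   # engine id, legacy IPv4, MAC, has_ipv6, ...
BLOCK = struct.Struct("!III4s")              # block type, block length, login ts, legacy IPv4
MSG_TYPE_DATA, REC_USER_INFO_UPDATE, BLK_USER_LOGIN_INFO = 4, 95, 127


def parse_user_info_update(msg: bytes) -> dict:
    """Parse one user information update message; every length field is
    validated against the real message size before any offset depends on it."""
    version, msg_type, msg_len = HEADER.unpack_from(msg, 0)
    if (version, msg_type) != (1, MSG_TYPE_DATA):
        raise ValueError(f"unexpected header version={version} type={msg_type}")
    if msg_len != len(msg) - HEADER.size:
        raise ValueError(f"message length {msg_len} != {len(msg) - HEADER.size} on the wire")
    rec_type, data_len, archive_ts, _ = RECORD.unpack_from(msg, HEADER.size)
    if rec_type != REC_USER_INFO_UPDATE or data_len != msg_len - RECORD.size:
        raise ValueError(f"bad record type {rec_type} or data length {data_len}")
    off = HEADER.size + RECORD.size
    (engine, _ip4, mac, has_ipv6, _, sec, usec, ev_type, ev_sub,
     _file_no, _file_pos, ip6) = EVENT.unpack_from(msg, off)
    off += EVENT.size
    blk_type, blk_len, login_ts, _ = BLOCK.unpack_from(msg, off)
    if blk_type != BLK_USER_LOGIN_INFO or off + blk_len != len(msg):
        raise ValueError(f"bad block type {blk_type} or block length {blk_len}")
    address = None
    if has_ipv6:                     # IPv4 may be carried here (assumed IPv4-mapped form)
        a = ipaddress.IPv6Address(ip6)
        address = a.ipv4_mapped or a
    return {
        "archive_time": datetime.fromtimestamp(archive_ts, timezone.utc),
        "engine_id": engine, "mac": mac.hex(":"), "address": address,
        "event_time": datetime.fromtimestamp(sec, timezone.utc).replace(microsecond=usec),
        "event_type": ev_type, "event_subtype": ev_sub,
        "login_time": datetime.fromtimestamp(login_ts, timezone.utc),
        "login_block_rest": msg[off + BLOCK.size:],
    }


# Constructed sample built from the walk-through's values (event second/usec are
# not given on the page, so the values used here are made up).
SAMPLE = (
    HEADER.pack(1, MSG_TYPE_DATA, 153)
    + RECORD.pack(95, 137, 1391789354, 0)
    + EVENT.pack(3, b"\0" * 4, b"\0" * 6, 1, 0, 1391456629, 0, 1004, 2, 0, 0,
                 ipaddress.IPv6Address("::ffff:10.4.15.120").packed)
    + BLOCK.pack(127, 81, 1391456627, b"\0" * 4) + b"\0" * (81 - BLOCK.size)
)
```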