Cisco Firepower Management Center 2000 Developer Guide
B-11
FireSIGHT eStreamer Integration Guide
Appendix B Understanding Legacy Data Structures
Legacy Intrusion Data Structures
Intrusion Event Record 5.2.x
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and
the block type is 34 in the series 2 set of data blocks.
You can request 5.2.x intrusion events from eStreamer only by extended request, for which you request
event type code 12 and version code 5 in the Stream Request message (see
for information about submitting extended requests).
For version 5.2.x intrusion events, the event ID, the managed device ID, and the event second form a
unique identifier. The connection second, connection instance, and connection counter together form a
unique identifier for the connection event associated with the intrusion event.
Table B-2 Intrusion Event (IPv6) Record Fields (continued)

Field                        Data Type   Description
Blocked                      uint8       Value indicating whether the event was blocked: 0 = not blocked; 1 = blocked; 2 = would be blocked (but not permitted by configuration).
MPLS Label                   uint32      MPLS label. (Applies to 4.9+ events only.)
VLAN ID                      uint16      ID of the VLAN where the packet originated. (Applies to 4.9+ events only.)
Pad                          uint16      Reserved for future use.
Policy UUID                  uint8[16]   UUID that uniquely identifies the intrusion policy.
User ID                      uint32      Internal identification number for the user, if applicable.
Web Application ID           uint32      Internal identification number for the web application, if applicable.
Client Application ID        uint32      Internal identification number for the client application, if applicable.
Application Protocol ID      uint32      Internal identification number for the application protocol, if applicable.
Access Control Rule ID       uint32      Rule ID number that uniquely identifies the access control rule.
Access Control Policy UUID   uint8[16]   UUID that uniquely identifies the access control policy.
Ingress Interface UUID       uint8[16]   UUID that uniquely identifies the ingress interface.
Egress Interface UUID        uint8[16]   UUID that uniquely identifies the egress interface.
Ingress Security Zone UUID   uint8[16]   UUID that uniquely identifies the ingress security zone.
Egress Security Zone UUID    uint8[16]   UUID that uniquely identifies the egress security zone.
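The following decoder is an added example, not code from the Cisco guide or from the eStreamer SDK. It unpacks the fields of the 5.2.x intrusion event record listed above, starting at the Blocked field, using the widths given in the table, and builds the composite keys the text names as unique identifiers. It assumes network (big-endian) byte order, as eStreamer uses; the fields of the record that precede Blocked are not handled; the sample bytes are constructed for the example, not captured traffic; and whether a zero ID means "not applicable" is left to the caller, since the table only says those IDs are present "if applicable".

```python
"""Decoder for the trailing fields of a 5.2.x eStreamer intrusion event record
(record type 400, series 2 block type 34), from the Blocked field onward.

Added example, not Cisco's code. Field order and widths follow the table above.
Assumed: network (big-endian) byte order; earlier record fields are not parsed."""
import struct
import uuid
from dataclasses import dataclass

# Blocked(uint8) MPLS(uint32) VLAN(uint16) Pad(uint16) PolicyUUID(16 bytes)
# UserID WebAppID ClientAppID AppProtoID ACRuleID (uint32 each)
# ACPolicyUUID IngressIfUUID EgressIfUUID IngressZoneUUID EgressZoneUUID (16 each)
TAIL_FORMAT = ">BIHH16sIIIII16s16s16s16s16s"
TAIL_SIZE = struct.calcsize(TAIL_FORMAT)  # 125 bytes; '>' disables alignment padding

BLOCKED_LABELS = {0: "not blocked", 1: "blocked", 2: "would be blocked"}


@dataclass(frozen=True)
class IntrusionEventTail:
    blocked: int
    mpls_label: int
    vlan_id: int
    intrusion_policy_uuid: uuid.UUID
    user_id: int
    web_application_id: int
    client_application_id: int
    application_protocol_id: int
    access_control_rule_id: int
    access_control_policy_uuid: uuid.UUID
    ingress_interface_uuid: uuid.UUID
    egress_interface_uuid: uuid.UUID
    ingress_zone_uuid: uuid.UUID
    egress_zone_uuid: uuid.UUID

    def blocked_label(self) -> str:
        # Fail closed on values the table does not define rather than mislabel them.
        if self.blocked not in BLOCKED_LABELS:
            raise ValueError(f"undocumented Blocked value {self.blocked}")
        return BLOCKED_LABELS[self.blocked]


def parse_tail(buf: bytes, offset: int = 0) -> IntrusionEventTail:
    """Unpack the fields starting at `offset`; refuses short buffers."""
    if len(buf) - offset < TAIL_SIZE:
        raise ValueError(f"need {TAIL_SIZE} bytes, have {len(buf) - offset}")
    f = struct.unpack_from(TAIL_FORMAT, buf, offset)
    # f[3] is the reserved Pad field; it is consumed and ignored.
    return IntrusionEventTail(
        blocked=f[0], mpls_label=f[1], vlan_id=f[2],
        intrusion_policy_uuid=uuid.UUID(bytes=f[4]),
        user_id=f[5], web_application_id=f[6], client_application_id=f[7],
        application_protocol_id=f[8], access_control_rule_id=f[9],
        access_control_policy_uuid=uuid.UUID(bytes=f[10]),
        ingress_interface_uuid=uuid.UUID(bytes=f[11]),
        egress_interface_uuid=uuid.UUID(bytes=f[12]),
        ingress_zone_uuid=uuid.UUID(bytes=f[13]),
        egress_zone_uuid=uuid.UUID(bytes=f[14]),
    )


def pack_tail(t: IntrusionEventTail) -> bytes:
    """Inverse of parse_tail; the Pad field is written as zero."""
    return struct.pack(
        TAIL_FORMAT, t.blocked, t.mpls_label, t.vlan_id, 0,
        t.intrusion_policy_uuid.bytes, t.user_id, t.web_application_id,
        t.client_application_id, t.application_protocol_id,
        t.access_control_rule_id, t.access_control_policy_uuid.bytes,
        t.ingress_interface_uuid.bytes, t.egress_interface_uuid.bytes,
        t.ingress_zone_uuid.bytes, t.egress_zone_uuid.bytes,
    )


def event_key(event_id: int, device_id: int, event_second: int) -> tuple:
    """Composite key the text names as unique for a 5.2.x intrusion event;
    a client can de-duplicate events replayed after a reconnect with it."""
    return (device_id, event_id, event_second)


def connection_key(connection_second: int, connection_instance: int,
                   connection_counter: int) -> tuple:
    """Composite key for the connection event tied to an intrusion event."""
    return (connection_second, connection_instance, connection_counter)


# Constructed sample record tail (not captured traffic): blocked, VLAN 100,
# arbitrary IDs and UUIDs chosen for the example.
_POLICY = uuid.UUID("00000000-0000-0000-0000-000000000a01")
_ACP = uuid.UUID("00000000-0000-0000-0000-000000000b01")
_IF_IN = uuid.UUID("00000000-0000-0000-0000-000000000c01")
_IF_OUT = uuid.UUID("00000000-0000-0000-0000-000000000c02")
_ZONE_IN = uuid.UUID("00000000-0000-0000-0000-000000000d01")
_ZONE_OUT = uuid.UUID("00000000-0000-0000-0000-000000000d02")
SAMPLE_TAIL = pack_tail(IntrusionEventTail(
    blocked=1, mpls_label=0, vlan_id=100, intrusion_policy_uuid=_POLICY,
    user_id=0, web_application_id=0, client_application_id=1296,
    application_protocol_id=676, access_control_rule_id=5,
    access_control_policy_uuid=_ACP, ingress_interface_uuid=_IF_IN,
    egress_interface_uuid=_IF_OUT, ingress_zone_uuid=_ZONE_IN,
    egress_zone_uuid=_ZONE_OUT))

if __name__ == "__main__":
    tail = parse_tail(SAMPLE_TAIL)
    print(tail.blocked_label(), tail.vlan_id, tail.intrusion_policy_uuid)
```

To decode a full record you would first consume the leading fields of the record and pass their total length as `offset`; the parser rejects a buffer shorter than the 125 bytes it needs and refuses to label a Blocked value other than the three the table defines, so a truncated or malformed record surfaces as an error instead of a silently wrong event.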