Cisco Firepower Management Center 2000 Developer Guide
B-123
FireSIGHT eStreamer Integration Guide
Appendix B Understanding Legacy Data Structures
Legacy File Event Data Structures
File Event SHA Hash for 5.1.1-5.2.x
The eStreamer service uses the File Event SHA Hash data block to contain metadata of the mapping of
the SHA hash of a file to its filename. The block type is 26 in the series 2 list of data blocks. It can be
requested if file log events have been requested in the extended requests—event code 111—and either
bit 20 is set or metadata is requested with an event version of 4 and an event code of 21.
The following diagram shows the structure of a file event hash data block:

| Section | Bytes 0-3 (bits 0-31) |
|---|---|
| | File Event SHA Hash Block Type (26) |
| | File Event SHA Hash Block Length |
| | SHA Hash |
| | SHA Hash, continued |
| | SHA Hash, continued |
| | SHA Hash, continued |
| | SHA Hash, continued |
| | SHA Hash, continued |
| | SHA Hash, continued |
| | SHA Hash, continued |
| File Name | String Block Type (0) |
| File Name | String Block Length |
| File Name | File Name or Disposition... |

The following table describes the fields in the file event SHA hash data block.
Table B-28 File Event SHA Hash 5.1.1-5.2.x Data Block Fields

| Field | Data Type | Description |
|---|---|---|
| File Event SHA Hash Block Type | uint32 | Initiates a File Event SHA Hash block. This value is always 26. |
| File Event SHA Hash Block Length | uint32 | Total number of bytes in the File Event SHA Hash block, including eight bytes for the File Event SHA Hash block type and length fields, plus the number of bytes of data that follows. |
| SHA Hash | uint8[32] | The SHA-256 hash of the file in binary format. |
| String Block Type | uint32 | Initiates a String data block containing the descriptive name associated with the file. This value is always 0. |
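A bounds-checked parser for the block layout above, given as an added example that is not code from the guide. It assumes big-endian (network byte order) integers and that the String Block Length counts its own eight header bytes the same way the outer block length does; the function names and the sample block are constructed for illustration.

```python
import hashlib
import struct

FILE_SHA_BLOCK_TYPE = 26      # "This value is always 26" (field table)
STRING_BLOCK_TYPE = 0         # "This value is always 0" (field table)
HEADER = struct.Struct(">II")  # assumption: big-endian type + length
MIN_BLOCK = HEADER.size + 32 + HEADER.size  # header + hash + empty string block


def parse_file_event_sha_hash(buf):
    """Return (sha256_hex, file_name, bytes_consumed) for one block."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated block header")
    block_type, block_len = HEADER.unpack_from(buf, 0)
    if block_type != FILE_SHA_BLOCK_TYPE:
        raise ValueError(f"unexpected block type {block_type}")
    # The block length counts its own 8-byte header, so it can be checked
    # against the buffer before any field is read.
    if block_len < MIN_BLOCK or block_len > len(buf):
        raise ValueError(f"block length {block_len} does not fit buffer")
    sha = buf[8:40]
    str_type, str_len = HEADER.unpack_from(buf, 40)
    if str_type != STRING_BLOCK_TYPE:
        raise ValueError(f"unexpected string block type {str_type}")
    # Assumption: the string length also counts its 8-byte header.
    if str_len < HEADER.size or 40 + str_len > block_len:
        raise ValueError(f"string length {str_len} overruns block")
    raw_name = buf[48:40 + str_len]
    # The name comes from observed traffic: decode defensively.
    name = raw_name.rstrip(b"\x00").decode("utf-8", errors="replace")
    return sha.hex(), name, block_len


def build_sample_block(name):
    """Build a constructed block (not captured data) for testing the parser."""
    sha = hashlib.sha256(b"constructed sample file").digest()
    body = sha + HEADER.pack(STRING_BLOCK_TYPE, HEADER.size + len(name)) + name
    return HEADER.pack(FILE_SHA_BLOCK_TYPE, HEADER.size + len(body)) + body


if __name__ == "__main__":
    print(parse_file_event_sha_hash(build_sample_block(b"invoice.pdf")))
```

The returned byte count lets a caller step to the next block in a buffer that holds several.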