Cisco Firepower Management Center 2000 Developer Guide
FireSIGHT eStreamer Integration Guide
Chapter 3 Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Intrusion Event Record 5.3.1+
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and
the block type is 42 in the series 2 set of data blocks.
You can request 5.3.1+ intrusion events from eStreamer only by extended request, for which you request
event type code 12 and version code 7 in the Stream Request message (see
for information about submitting extended requests).
For version 5.3.1+ intrusion events, the event ID, the managed device ID, and the event second form a
unique identifier. The connection second, connection instance, and connection counter together form a
unique identifier for the connection event associated with the intrusion event.
Byte 0 | Byte 1 | Byte 2 | Byte 3
Bit 0 ... 7 | 8 ... 15 | 16 ... 23 | 24 ... 31
(each row of the layout below is one 32-bit word, fields are big-endian)
Header Version (1) | Message Type (4)
Message Length
Record Type (400)
Record Length
eStreamer Server Timestamp (in events, only if bit 23 is set)
Reserved for Future Use (in events, only if bit 23 is set)
Block Type (42)
Block Length
Device ID
Event ID
Event Second
Event Microsecond
Rule ID (Signature ID)
Generator ID
Rule Revision
Classification ID
Priority ID
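The following is an added example, not code from the eStreamer guide or from Cisco, that parses the part of the layout shown above: the message header, the record header, the optional server timestamp and reserved words that appear only when bit 23 of the request flags is set, the block type 42 header, and the nine 32-bit fields through Priority ID. It also returns the (device ID, event ID, event second) tuple that the text identifies as the unique key for a 5.3.1+ intrusion event. Assumptions not stated on this page and marked in the code: Header Version and Message Type are the two 16-bit halves of the first word; Message Length counts the bytes after the 8-byte message header; Record Length counts the bytes after the Record Length field; Block Length counts the whole block including its own 8-byte type/length header; the request flag constant for the server timestamp is bit 23 (the page says only that the timestamp is present when bit 23 is set). The sample message is constructed for the example, not captured from a device, and the connection second, instance and counter fields mentioned in the text lie later in the block and are not decoded here.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constants taken from the record description on this page.
HEADER_VERSION = 1
MESSAGE_TYPE_EVENT_DATA = 4
RECORD_TYPE_INTRUSION_EVENT = 400   # 5.3.1+ intrusion event record
BLOCK_TYPE_INTRUSION_EVENT = 42     # series 2 data block

# Assumption: the Stream Request flag that asks for eStreamer server timestamps is bit 23;
# when it is set, a timestamp word and a reserved word precede the Block Type in every event.
FLAG_SERVER_TIMESTAMP = 1 << 23


@dataclass(frozen=True)
class IntrusionEventHead:
    """The leading fixed fields of block type 42, through Priority ID."""
    device_id: int
    event_id: int
    event_second: int
    event_microsecond: int
    rule_id: int            # Snort signature ID (SID)
    generator_id: int       # Snort generator ID (GID)
    rule_revision: int
    classification_id: int
    priority_id: int
    server_timestamp: Optional[int] = None

    @property
    def unique_key(self):
        # Per the guide: event ID + managed device ID + event second identify the event uniquely.
        return (self.device_id, self.event_id, self.event_second)


def parse_intrusion_event(message: bytes, request_flags: int) -> IntrusionEventHead:
    """Parse one event-data message carrying a record type 400 / block type 42 record.

    All fields are big-endian. Assumption: Header Version and Message Type are 16-bit halves
    of the first 32-bit word; every later field is a full 32-bit word. Only the fields shown on
    this page are decoded; the rest of the block is left unparsed but bounds-checked.
    """
    off = 0
    header_version, message_type, message_length = struct.unpack_from(">HHI", message, off)
    off += 8
    if header_version != HEADER_VERSION:
        raise ValueError(f"unexpected header version {header_version}")
    if message_type != MESSAGE_TYPE_EVENT_DATA:
        raise ValueError(f"not an event-data message (type {message_type})")
    # Assumption: Message Length counts the bytes after the 8-byte message header.
    if len(message) - off != message_length:
        raise ValueError("message length does not match payload size")

    record_type, record_length = struct.unpack_from(">II", message, off)
    off += 8
    if record_type != RECORD_TYPE_INTRUSION_EVENT:
        raise ValueError(f"record type {record_type} is not a 5.3.1+ intrusion event")
    # Assumption: Record Length counts the bytes after the Record Length field.
    record_end = off + record_length
    if record_end > len(message):
        raise ValueError("record length overruns message")   # check before touching the block

    server_timestamp = None
    if request_flags & FLAG_SERVER_TIMESTAMP:
        server_timestamp, _reserved = struct.unpack_from(">II", message, off)
        off += 8

    block_type, block_length = struct.unpack_from(">II", message, off)
    if block_type != BLOCK_TYPE_INTRUSION_EVENT:
        raise ValueError(f"block type {block_type} is not 42; were the request flags right?")
    # Assumption: Block Length includes its own 8-byte type/length header.
    if block_length < 8 + 9 * 4 or off + block_length > record_end:
        raise ValueError("block too short for the fixed fields or overruns the record")
    off += 8
    fields = struct.unpack_from(">9I", message, off)
    return IntrusionEventHead(*fields, server_timestamp=server_timestamp)


def build_sample_message(request_flags: int, fields: tuple, trailing: bytes = b"") -> bytes:
    """Build a constructed (not captured) message with the layout above, to exercise the parser."""
    block_body = struct.pack(">9I", *fields) + trailing          # trailing = undecoded rest of block
    block = struct.pack(">II", BLOCK_TYPE_INTRUSION_EVENT, 8 + len(block_body)) + block_body
    record_data = block
    if request_flags & FLAG_SERVER_TIMESTAMP:
        record_data = struct.pack(">II", 1700000000, 0) + record_data   # timestamp + reserved
    record = struct.pack(">II", RECORD_TYPE_INTRUSION_EVENT, len(record_data)) + record_data
    return struct.pack(">HHI", HEADER_VERSION, MESSAGE_TYPE_EVENT_DATA, len(record)) + record


if __name__ == "__main__":
    # Constructed sample: device 3, event 1001, SID 1000001 (local rule range), GID 1, rev 2.
    sample = (3, 1001, 1700000000, 123456, 1000001, 1, 2, 9, 1)
    msg = build_sample_message(FLAG_SERVER_TIMESTAMP, sample, b"\x00" * 16)
    print(parse_intrusion_event(msg, FLAG_SERVER_TIMESTAMP))
```

The parser deliberately takes the request flags as an argument: the record itself does not say whether the timestamp words are present, so a consumer that forgets which flags it sent will misread the timestamp as the block type and fail the block type check, which is the intended failure rather than silently shifted fields.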