Cisco Firepower Management Center 2000 Developer Guide
3-36
FireSIGHT eStreamer Integration Guide
Chapter 3 Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
The following table describes the fields in the FireAMP File Type record.

FireAMP File Type record layout (each row is one 32-bit word, bytes 0-3, bits 0-31):
    FireAMP File Type ID
    FireAMP File Type Length
    FireAMP File Type...

Table 3-23    FireAMP File Type Record Fields

Field                       Data Type    Description
FireAMP File Type ID        uint32       The FireAMP file type ID number.
FireAMP File Type Length    uint32       The number of bytes included in the FireAMP file type.
FireAMP File Type           string       The type of detected file.

Correlation Event for 5.1+

Correlation events (called compliance events in pre-5.0 versions) contain information about correlation policy violations. This message uses the standard eStreamer message header and specifies a record type of 112, followed by a correlation data block of type 128 in the series 1 set of data blocks. Data block type 128 differs from its predecessor (block type 116) in including IPv6 support.

You can request 5.1+ correlation events from eStreamer only by extended request, for which you request event type code 31 and version code 8 in the Stream Request message (see for information about submitting extended requests). You can optionally enable bit 23 in the flags field of the initial event stream request message to include the extended event header. You can also enable bit 20 in the flags field to include user metadata.
Correlation Event message layout (each row is one 32-bit word, bytes 0-3, bits 0-31):
    Header Version (1)
    Message Type (4)
    Message Length
    Record Type (112)
    Record Length
    eStreamer Server Timestamp (in events, only if bit 23 is set)
    Reserved for Future Use (in events, only if bit 23 is set)
    Correlation Block Type (128)
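As an added example that is not part of the guide, the following Python parses the FireAMP File Type record of Table 3-23 and the message and record headers shown in the correlation event layout, including the extended event header that is present only when bit 23 was set in the request. Big-endian (network) byte order and the uint16 width of Header Version and Message Type are assumptions; all sample bytes are constructed, not captured traffic.

```python
import struct

# Values stated in the guide for 5.1+ correlation events.
RECORD_TYPE_CORRELATION = 112      # record type in the eStreamer message
BLOCK_TYPE_CORRELATION = 128       # series 1 data block type (116 lacked IPv6)
EXTENDED_REQUEST = (31, 8)         # event type code and version code
FLAG_EXTENDED_HEADER = 1 << 23     # flags-field bit: include extended event header
FLAG_USER_METADATA = 1 << 20       # flags-field bit: include user metadata

def parse_fireamp_file_type(buf, offset=0):
    """Parse a FireAMP File Type record (Table 3-23): uint32 ID, uint32 length,
    then that many bytes of string. Assumes big-endian (network byte order)."""
    type_id, length = struct.unpack_from("!II", buf, offset)
    start = offset + 8
    if start + length > len(buf):
        raise ValueError("FireAMP file type string truncated")
    text = buf[start:start + length].decode("utf-8")
    return {"id": type_id, "length": length, "type": text}, start + length

def parse_correlation_prefix(buf, flags):
    """Parse the message header and record header that precede the correlation
    data block. Assumed widths: Header Version and Message Type are uint16 and
    share one 32-bit word; every other field is uint32."""
    header_version, message_type, message_length = struct.unpack_from("!HHI", buf, 0)
    if header_version != 1 or message_type != 4:
        raise ValueError("not an eStreamer event data message")
    record_type, record_length = struct.unpack_from("!II", buf, 8)
    if record_type != RECORD_TYPE_CORRELATION:
        raise ValueError("unexpected record type %d" % record_type)
    offset, info = 16, {"record_type": record_type, "record_length": record_length}
    if flags & FLAG_EXTENDED_HEADER:
        # Timestamp and reserved word exist only when bit 23 was set in the request.
        info["server_timestamp"], _reserved = struct.unpack_from("!II", buf, offset)
        offset += 8
    block_type, = struct.unpack_from("!I", buf, offset)
    if block_type != BLOCK_TYPE_CORRELATION:
        raise ValueError("unexpected correlation block type %d" % block_type)
    info["block_type"] = block_type
    return info, offset + 4

# Constructed samples (not captured traffic); length values are illustrative only.
SAMPLE_FILE_TYPE = struct.pack("!II", 7, 3) + b"PDF"
TRUNCATED_FILE_TYPE = struct.pack("!II", 7, 10) + b"PDF"
SAMPLE_EVENT_EXT = (struct.pack("!HHI", 1, 4, 20) + struct.pack("!II", 112, 12)
                    + struct.pack("!II", 1700000000, 0) + struct.pack("!I", 128))
SAMPLE_EVENT_PLAIN = (struct.pack("!HHI", 1, 4, 12) + struct.pack("!II", 112, 4)
                      + struct.pack("!I", 128))

if __name__ == "__main__":
    print(parse_fireamp_file_type(SAMPLE_FILE_TYPE))
    print(parse_correlation_prefix(SAMPLE_EVENT_EXT, FLAG_EXTENDED_HEADER))
```

The returned offset is where the next field begins, so a caller can continue into the correlation data block without recomputing the optional header width.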