Cisco Cisco Firepower Management Center 4000 Guía Del Desarrollador

Version 5.3

Sourcefire 3D System eStreamer Integration Guide

Understanding the eStreamer Application Protocol

Event Data Message Format

Chapter 2

The

Correlation Event Message Record Header Fields

table describes each field

in the record header of correlation event messages.

Event Extra Data Message Format

The graphic below shows the structure of event extra data messages. The

Intrusion Event Extra Data message is an example of this message group.

Correlation Event Message Record Header Fields

IELD

ATA

YPE

ESCRIPTION

Record

Type

uint32

Identifies the data record content type. See the

Intrusion Event and General Metadata Record

Types table

on page 65 for the list of intrusion,

correlation, and metadata record types.

Record

Length

uint32

Length of the content of the message after the

record header. Does not include the 8 or 16 bytes

of the record header. (Record Length plus the

length of the record header equals Message

Length.)

eStreamer

Server

Timestamp

uint32

Indicates the timestamp applied when the event

was archived by the eStreamer server. Also called

the archival timestamp.
Field present only if bit 23 is set in the request

message flags.
Field is zero for data generated by the Defense

Center such as host profiles and metadata.

Reserved

for future

use

uint32

Reserved for future use.
Field present only if bit 23 is set in the request

message flags.

Byte

Bit

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Message Header

See

eStreamer Message Header

on page 24

Record Header

See

Event Extra Data Message Record Header

on page 45

Data Blocks...

See

Understanding Series 2 Data Blocks

on page 116