Cisco Firepower Management Center 4000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
635
Understanding Legacy Data Structures
Legacy Correlation Event Data Structures
Appendix B
Correlation Event Data 4.8.0.2 - 4.9.1.x Fields (Continued)

Field: Event Impact Flags
Data Type: bits[32]
Description: Impact level of the event. The low-order six bits are used and the impact is determined by how the bits are set. Values are:
• 0x00000001 — Source or destination host is in a monitored network (bit 0).
• 0x00000002 — Source or destination host exists in the network map (bit 1).
• 0x00000004 — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol (bit 2).
• 0x00000008 — There is a vulnerability mapped to the operating system of the source or destination host in the event (bit 3).
• 0x00000010 — There is a vulnerability mapped to the server detected in the event (bit 4).
• 0x00000020 — The event caused the sensor to drop the session (used only when the sensor is running in inline mode) (bit 5). Corresponds to blocked status in the Inline Result column in the Sourcefire 3D System web interface.
On the Defense Center, the following values map to specific priorities. An X indicates that the value can be 0 or 1:
• Gray (0, unknown): X00000
• Red (1, vulnerable): XX1XXX, X1XXXX
• Orange (2, potentially vulnerable): X00111
• Yellow (3, currently not vulnerable): X00011
• Blue (4, unknown target): X00001
• Black (dropped packet): 1XXXXX

Field: IP Protocol
Data Type: uint8
Description: IP protocol associated with the event, if applicable.

Field: Network Protocol
Data Type: uint16
Description: Network protocol associated with the event, if applicable.

Field: Source IP
Data Type: uint8[4]
Description: IP address of the source host in the event, in IP address octets.

Field: Source Host Type
Data Type: uint8
Description: Source host's type:
• 0 — Host
• 1 — Router
• 2 — Bridge
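The following decoder is an added example, not code from the guide or from eStreamer itself. It turns the Event Impact Flags bit patterns above into named flags and the Defense Center priority, and unpacks the five consecutive fields shown on this page; it assumes network (big-endian) byte order and contiguous fields, which the page does not state, and the flag and key names are constructed.

```python
import struct

# Meaning of the low-order six bits of Event Impact Flags, as listed in the table.
IMPACT_FLAG_NAMES = {0: "host_in_monitored_network", 1: "host_in_network_map",
                     2: "host_runs_server_or_ip_protocol", 3: "vulnerability_mapped_to_os",
                     4: "vulnerability_mapped_to_server", 5: "session_dropped_inline"}
HOST_TYPES = {0: "Host", 1: "Router", 2: "Bridge"}

def impact_flag_names(flags: int) -> list:
    # Names of the set bits; bits above 5 are unused, so report them as unexpected.
    names = [n for b, n in IMPACT_FLAG_NAMES.items() if flags & (1 << b)]
    if flags >> 6:
        names.append("unexpected_high_bits=0x%08x" % (flags & ~0x3F))
    return names

def impact_priority(flags: int) -> tuple:
    # Defense Center priority from bits 0-4. Bit 5 is X in every priority row,
    # so it is masked off here and reported separately by session_dropped().
    low = flags & 0x1F
    if low & 0b11000:        # XX1XXX or X1XXXX: a vulnerability is mapped
        return 1, "Red"
    if low == 0b00111:       # X00111
        return 2, "Orange"
    if low == 0b00011:       # X00011
        return 3, "Yellow"
    if low == 0b00001:       # X00001
        return 4, "Blue"
    if low == 0:             # X00000
        return 0, "Gray"
    return None, "unlisted"  # e.g. X00110: the table gives no mapping

def session_dropped(flags: int) -> bool:
    # Bit 5: the sensor dropped the session (inline mode); Black in the UI.
    return bool(flags & 0x20)

# The five consecutive fields on this page: bits[32], uint8, uint16, uint8[4], uint8.
# Network (big-endian) byte order is an assumption; the page does not state it.
FRAGMENT = struct.Struct(">IBH4sB")

def parse_fragment(buf: bytes) -> dict:
    flags, ip_proto, net_proto, src_ip, host_type = FRAGMENT.unpack_from(buf)
    level, colour = impact_priority(flags)
    return {"flags": impact_flag_names(flags), "impact_level": level,
            "priority": colour, "dropped": session_dropped(flags),
            "ip_protocol": ip_proto, "network_protocol": net_proto,
            "source_ip": ".".join(str(b) for b in src_ip),
            "source_host_type": HOST_TYPES.get(host_type, "unknown(%d)" % host_type)}

# Constructed sample: flags 0x2B (bits 0,1,3,5 set), IP proto 6, network proto 0x0800,
# source 10.0.1.5, host type 0.
SAMPLE = bytes.fromhex("0000002b0608000a00010500")
```

Bit patterns the table does not list (for example bit 1 set without bit 0) come back as "unlisted" rather than being silently folded into Gray, so a consumer can log them instead of under-reporting impact.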