Cisco Firepower Management Center 4000 Developer Guide
Sourcefire 3D System eStreamer Integration Guide, Version 5.3 (page 70)
Chapter 3: Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
The Priority Record Fields table describes each priority-specific field.
Intrusion Event Record 5.3+
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 41.

You can request 5.3+ intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 6 in the Stream Request message (see information about submitting extended requests).

For version 5.3+ intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.
Priority Record Fields

Field           Data Type   Description
Priority ID     uint32      Indicates the priority identification number.
Name Length     uint16      Number of bytes included in the priority name.
Priority Name   variable    Priority name that corresponds with the priority ID (1 — high, 2 — medium, 3 — low).
Intrusion event record layout (graphic; each row is bytes 0 to 3, bits 0 to 31), fields in order:
Header Version (1) and Message Type (4)
Message Length
Record Type (400)
Record Length
eStreamer Server Timestamp (in events, only if bit 23 is set)
Reserved for Future Use (in events, only if bit 23 is set)
Block Type (41)
Block Length
Device ID
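As an added example (not code from the guide or from Cisco), the following Python parses the two structures on this page: a Priority Record (Priority ID, Name Length, Priority Name) and the fixed prefix of a record type 400 / block type 41 intrusion event message up to Device ID, including the Server Timestamp and Reserved words that exist only when bit 23 was set in the request. It assumes network byte order for all multi-byte fields and that Message Length counts the bytes after the 8-byte message header; the sample bytes are constructed, not a capture.

```python
import struct

MSG_HEADER = struct.Struct("!HHI")    # Header Version, Message Type, Message Length ('!' = network byte order, assumed)
RECORD_HEADER = struct.Struct("!II")  # Record Type, Record Length
STAMP = struct.Struct("!II")          # Server Timestamp, Reserved (only if bit 23 set)
BLOCK_PREFIX = struct.Struct("!III")  # Block Type, Block Length, Device ID
PRIORITY_HDR = struct.Struct("!IH")   # Priority ID, Name Length


def parse_priority_record(buf, offset=0):
    """Parse one Priority Record; returns (fields, offset after the record)."""
    priority_id, name_len = PRIORITY_HDR.unpack_from(buf, offset)
    offset += PRIORITY_HDR.size
    if offset + name_len > len(buf):
        raise ValueError("priority name runs past the end of the buffer")
    name = buf[offset:offset + name_len].decode("ascii")
    return {"priority_id": priority_id, "priority_name": name}, offset + name_len


def parse_intrusion_event_400(buf, timestamp_present):
    """Parse the fixed prefix of a record type 400 / block type 41 message.
    timestamp_present mirrors bit 23 of the request flags this client sent;
    only then do the Server Timestamp and Reserved words appear."""
    version, msg_type, msg_len = MSG_HEADER.unpack_from(buf, 0)
    if (version, msg_type) != (1, 4):
        raise ValueError(f"unexpected header version/type {version}/{msg_type}")
    if msg_len != len(buf) - MSG_HEADER.size:
        raise ValueError("Message Length does not match the bytes received")
    record_type, record_len = RECORD_HEADER.unpack_from(buf, MSG_HEADER.size)
    off = MSG_HEADER.size + RECORD_HEADER.size
    if record_type != 400:
        raise ValueError(f"not a 5.3+ intrusion event record: {record_type}")
    out = {"record_type": record_type, "record_length": record_len}
    if timestamp_present:
        out["server_timestamp"], _reserved = STAMP.unpack_from(buf, off)
        off += STAMP.size
    block_type, block_len, device_id = BLOCK_PREFIX.unpack_from(buf, off)
    if block_type != 41:  # also trips when the caller's bit-23 assumption is wrong
        raise ValueError(f"unexpected block type {block_type}")
    out.update(block_type=block_type, block_length=block_len, device_id=device_id)
    out["unparsed"] = buf[off + BLOCK_PREFIX.size:]  # fields beyond Device ID
    return out


def build_sample(timestamp_present, device_id=7, tail=b"\xaa" * 8):
    """Construct a sample type-400 message (constructed data, not a capture)."""
    block = BLOCK_PREFIX.pack(41, BLOCK_PREFIX.size + len(tail), device_id) + tail
    body = (STAMP.pack(1400000000, 0) if timestamp_present else b"") + block
    record = RECORD_HEADER.pack(400, len(body)) + body
    return MSG_HEADER.pack(1, 4, len(record)) + record
```

Parsing a message that carries the timestamp words while telling the parser they are absent (or vice versa) misaligns the read, which the Block Type check catches.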