Cisco Firepower Management Center 4000 Developer Guide

Sourcefire 3D System eStreamer Integration Guide, Version 5.3
Chapter 3: Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types (page 85)
The 
 table describes the fields in the Classification 
record.
Correlation Policy Record
The eStreamer service transmits metadata containing the correlation policy for a 
correlation event within a Correlation Policy record, the format of which is shown 
below. (Correlation policy information is sent when the Version 3 or Version 4 
metadata flag—bit 15 or bit 20 in the Request Flags field of a request message—
is set. See 
 on page 30.) Note that the Record Type field, which 
appears after the Message Length field, has a value of 69, indicating a Correlation 
Policy record.
Classification Record Fields

| Field | Data Type | Description |
|---|---|---|
| Classification ID | uint32 | The classification ID number. |
| Name Length | uint16 | The number of bytes included in the name. |
| Name | string | The classification name. |
| Description Length | uint16 | The number of bytes included in the description. |
| Description | string | The classification description. |
| UUID | uint8[16] | A classification ID number that acts as a unique identifier for the classification. |
| Revision UUID | uint8[16] | A classification revision ID number that acts as a unique identifier for the classification revision. |
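The following parser for the Classification record body is an added example, not code from the guide. It assumes the fields arrive in the order the table lists them, that integers are in network byte order, and that strings decode as UTF-8; the function names and the sample bytes are constructed for illustration. Each length prefix is checked against the remaining buffer before any read, so a record that overstates its Name Length or Description Length is rejected instead of being read past its end.

```python
import struct
import uuid

class RecordError(ValueError):
    """Raised when a record body is truncated or has trailing bytes."""

def _take(buf, off, n, what):
    # Refuse to read past the end of the buffer instead of silently truncating.
    if off + n > len(buf):
        raise RecordError(f"{what}: need {n} bytes at offset {off}, have {len(buf) - off}")
    return buf[off:off + n], off + n

def _lstring(buf, off, what):
    # uint16 length prefix followed by that many bytes of string data.
    raw, off = _take(buf, off, 2, what + " Length")
    (n,) = struct.unpack("!H", raw)  # assumption: network byte order
    raw, off = _take(buf, off, n, what)
    return raw.decode("utf-8", errors="replace"), off  # assumption: UTF-8

def parse_classification(body):
    """Parse the fields of a Classification record (bytes after the record header)."""
    raw, off = _take(body, 0, 4, "Classification ID")
    (cid,) = struct.unpack("!I", raw)
    name, off = _lstring(body, off, "Name")
    desc, off = _lstring(body, off, "Description")
    raw, off = _take(body, off, 16, "UUID")
    cls_uuid = uuid.UUID(bytes=bytes(raw))
    raw, off = _take(body, off, 16, "Revision UUID")
    rev_uuid = uuid.UUID(bytes=bytes(raw))
    if off != len(body):
        # Assumption: the body ends with Revision UUID, so leftovers are an error.
        raise RecordError(f"{len(body) - off} unexpected trailing bytes")
    return {"id": cid, "name": name, "description": desc,
            "uuid": cls_uuid, "revision_uuid": rev_uuid}

def build_sample():
    # Constructed sample bytes, not captured eStreamer traffic.
    name = b"trojan-activity"
    desc = b"A Network Trojan was Detected"
    return (struct.pack("!I", 21)
            + struct.pack("!H", len(name)) + name
            + struct.pack("!H", len(desc)) + desc
            + bytes(range(16)) + bytes(range(16, 32)))

if __name__ == "__main__":
    print(parse_classification(build_sample()))
```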
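+---------------+---------------+---------------+---------------+
|    Byte 0     |    Byte 1     |    Byte 2     |    Byte 3     |
|   Bits 0-7    |   Bits 8-15   |  Bits 16-23   |  Bits 24-31   |
+---------------+---------------+---------------+---------------+
|      Header Version (1)       |       Message Type (4)        |
+-------------------------------+-------------------------------+
|                        Message Length                         |
+---------------------------------------------------------------+
|                       Record Type (69)                        |
+---------------------------------------------------------------+
|                         Record Length                         |
+---------------------------------------------------------------+
|                     Correlation Policy ID                     |
+---------------------------------------------------------------+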