Cisco Cisco Firepower Management Center 4000 Guía Del Desarrollador

Version 5.3

Sourcefire 3D System eStreamer Integration Guide

Understanding Intrusion and Correlation Data Structures

Intrusion Event and Metadata Record Types

Chapter 3

Security Zone Name Record

The eStreamer service transmits metadata containing information on the name of

the security zone associated with an intrusion event or connection event within a

Security Zone Name record, the format of which is shown below. (Security zone

information is sent when the Version 4 metadata flag—bit 20 in the Request Flags

field of a request message—is set. See

Request Flags

on page 30.) Note that the

Record Type field, which appears after the Message Length field, has a value of

115, indicating a Security Zone Name record.

String Block

Type

uint32

Initiates a string data block for the client

application URL. This value is always 0. This

block type is a series 2 block.

String Block

Length

uint32

Number of bytes in the client application URL

String data block, including eight bytes for the

string block type and length fields, plus the

number of bytes in the URL string.

Encoding

string

Encoding used for the event extra data, for

example, IPv4, IPv6, or string.

Event Extra Data Metadata Data Block Fields (Continued)

IELD

ATA

YPE

ESCRIPTION

Byte

Bit

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Header Version (1)

Message Type (4)

Message Length

Record Type (115)

Record Length

Security Zone Name Data Block (14)

Security Zone Name Data Block Length

Security Zone UUID

String Block Type (0)

String Block Length

Security Zone Name...