Cisco Firepower Management Center 4000 Developer Guide, Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Chapter 3: Understanding Intrusion and Correlation Data Structures

IOC State Data Block Fields (Continued)

Field                  Data Type   Description
Last Device ID         uint32      ID of the sensor which most recently detected the IOC.
Last Instance ID       uint16      Numerical ID of the Snort instance on the managed device
                                   that last detected the compromise.
Last Connection Time   uint32      Unix timestamp of the connection on which this compromise
                                   was last seen.
Last Counter           uint16      Counter for the connection on which this compromise was
                                   last seen. Used to differentiate between multiple
                                   connections occurring at the same time.

IOC Name Data Block for 5.3+

This is a data block that provides the category and event type for an Indication of
Compromise (IOC). The record type is 161, with a block type of 39 in series 2. It is
exposed as metadata for any event that has IOC information. These include
malware events, file events, and intrusion events.

The following diagram shows the structure of an IOC Name data block:

Byte   0               1               2               3
Bit    0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
       Header Version (1)              | Message Type (4)
       Message Length
       Record Type (161)
       IOC Name Block Type (39)
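The following parser is an added example, not code from the eStreamer guide or from Cisco. It consumes the prefix shown in the IOC Name diagram (header version, message type, message length, record type, block type) and, separately, the four IOC State fields from the continued table above. It assumes network byte order, a 16-bit header version and message type sharing the first 32-bit word, and that the message length counts the bytes that follow the 8-byte header; the IOC Name body itself (category and event type) is not on this page, so the parser validates the prefix and stops at the block type. The sample byte strings are constructed, not captured from an appliance.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constants taken from the IOC Name data block diagram on this page.
HEADER_VERSION = 1          # Header Version (1)
MSG_TYPE_EVENT_DATA = 4     # Message Type (4)
RECORD_TYPE_IOC_NAME = 161  # Record Type (161)
BLOCK_TYPE_IOC_NAME = 39    # IOC Name Block Type (39), series 2
HEADER_SIZE = 8             # assumption: uint16 version + uint16 type + uint32 length

# Assumed layout: network byte order; version and message type share the first
# 32-bit word as two uint16 fields, followed by three uint32 words.
_PREFIX = struct.Struct(">HHIII")
# IOC State fields from the continued table: uint32, uint16, uint32, uint16.
_IOC_STATE_TAIL = struct.Struct(">IHIH")


@dataclass(frozen=True)
class IocNamePrefix:
    header_version: int
    message_type: int
    message_length: int
    record_type: int
    block_type: int


@dataclass(frozen=True)
class IocStateTail:
    last_device_id: int        # sensor that most recently detected the IOC
    last_instance_id: int      # Snort instance on that device
    last_connection_time: int  # Unix timestamp of the connection
    last_counter: int          # disambiguates simultaneous connections


def parse_ioc_name_prefix(data: bytes) -> IocNamePrefix:
    """Parse and validate the header/record/block prefix of an IOC Name message.

    Raises ValueError on a truncated buffer or an unexpected field value, so a
    consumer never reads an IOC Name body out of a message that is not one.
    """
    if len(data) < _PREFIX.size:
        raise ValueError(f"need {_PREFIX.size} bytes, got {len(data)}")
    p = IocNamePrefix(*_PREFIX.unpack_from(data))
    if p.header_version != HEADER_VERSION:
        raise ValueError(f"unsupported header version {p.header_version}")
    if p.message_type != MSG_TYPE_EVENT_DATA:
        raise ValueError(f"not an event data message: type {p.message_type}")
    # Assumption: message length counts the bytes that follow the 8-byte header.
    if len(data) - HEADER_SIZE < p.message_length:
        raise ValueError("message length exceeds the bytes received")
    if p.record_type != RECORD_TYPE_IOC_NAME:
        raise ValueError(f"record type {p.record_type} is not IOC Name (161)")
    if p.block_type != BLOCK_TYPE_IOC_NAME:
        raise ValueError(f"block type {p.block_type} is not IOC Name (39)")
    return p


def prefix_error(data: bytes) -> Optional[str]:
    """Return the validation failure for `data`, or None when it parses."""
    try:
        parse_ioc_name_prefix(data)
    except ValueError as exc:
        return str(exc)
    return None


def parse_ioc_state_tail(data: bytes, offset: int = 0) -> IocStateTail:
    """Parse the four trailing IOC State fields starting at `offset`."""
    if len(data) - offset < _IOC_STATE_TAIL.size:
        raise ValueError("truncated IOC State fields")
    return IocStateTail(*_IOC_STATE_TAIL.unpack_from(data, offset))


# Constructed sample input: a well-formed prefix announcing an 8-byte payload,
# then a malformed one carrying record type 160 instead of 161.
SAMPLE_PREFIX = struct.pack(">HHIII", 1, 4, 8, 161, 39)
BAD_RECORD_PREFIX = struct.pack(">HHIII", 1, 4, 8, 160, 39)
# Constructed IOC State tail: device 12, Snort instance 2,
# 2015-01-01T00:00:00Z (1420070400), counter 7.
SAMPLE_STATE_TAIL = struct.pack(">IHIH", 12, 2, 1420070400, 7)

if __name__ == "__main__":
    print(parse_ioc_name_prefix(SAMPLE_PREFIX))
    print(prefix_error(BAD_RECORD_PREFIX))
    print(parse_ioc_state_tail(SAMPLE_STATE_TAIL))
```

The length check before the record and block type checks matters in practice: a client that trusts the advertised message length and slices the body from a short buffer reads past the data it actually received, so the length is reconciled with the buffer before any field beyond the header is interpreted.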