Cisco Firepower Management Center 4000 Developer Guide
Sourcefire 3D System eStreamer Integration Guide, Version 5.3, page 82
Chapter 3: Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
The following table describes the fields in the User record.

User Record Fields

Field         Data Type   Description
User ID       uint32      The user ID number.
Name Length   uint32      The number of bytes included in the user name.
Name          string      The name of the user.

Rule Message Record for 4.6.1+

Rule message information for an event is transmitted within a Rule Message record, the format of which is shown below. The eStreamer service transmits the Rule Message record for 4.6.1+ when you request Version 2 or Version 3 metadata. The Rule Message record for 4.6.1+ contains the same fields as the Rule Message record for 4.6 and lower, plus the new Rule UUID and Revision UUID fields. (Version 2, Version 3, or Version 4 metadata is sent when the appropriate metadata flag in the Request Flags field of a request message is set: bit 14 for Version 2, bit 15 for Version 3, or bit 20 for Version 4. See page 30.) Note that the Record Type field, which appears after the Message Length field, has a value of 66, indicating a Rule Message Version 2 record.
Byte  |       0        |       1        |       2        |       3        |
Bit   | 0 1 2 3 4 5 6 7|  8 ... 15      |  16 ... 23     |  24 ... 31     |
      +---------------------------------+---------------------------------+
      |       Header Version (1)        |        Message Type (4)         |
      +---------------------------------+---------------------------------+
      |                          Message Length                           |
      +-------------------------------------------------------------------+
      |                         Record Type (66)                          |
      +-------------------------------------------------------------------+
      |                           Record Length                           |
      +-------------------------------------------------------------------+
      |                           Generator ID                            | \
      +-------------------------------------------------------------------+  |
      |                              Rule ID                              |  | Signature Key
      +-------------------------------------------------------------------+  |
      |                          Revision Number                          | /
      +-------------------------------------------------------------------+
      |                       Rendered Signature ID                       |
      +-------------------------------------------------------------------+
      |                          Message Length                           |
      +-------------------------------------------------------------------+
      |                             Rule UUID                             |
      +-------------------------------------------------------------------+
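As an added example (not code from the guide, nor from Cisco or Sourcefire), the following Python decodes the layouts on this page: the message header and record header, the User record from the User Record Fields table, and the fixed fields of the Rule Message record for 4.6.1+ (Record Type 66). Every length field is checked against the bytes actually received before any field is trusted, which is the check a collector needs so that a truncated or malformed stream fails cleanly instead of reading past the buffer. It assumes network byte order, that Message Length and Record Length count the bytes after their respective 8-byte headers, and, because the layout on this page stops at Rule UUID, that a 16-byte Revision UUID and then Message Length bytes of rule message text follow; the sample bytes are constructed, not captured from a device.

```python
"""Decoder for the eStreamer record layouts on this page (added example).

Not from the Cisco/Sourcefire guide. Assumptions that the page does not
state are marked in comments.
"""
import struct
import uuid

# Constants taken from the page's layout diagram.
HEADER_VERSION = 1
MESSAGE_TYPE_EVENT_DATA = 4
RECORD_TYPE_RULE_MESSAGE = 66
UUID_LEN = 16

# Assumption: integers are big-endian (network byte order); the page does not
# state the byte order, so the "!" prefix is an assumption.
MESSAGE_HEADER = struct.Struct("!HHI")           # Header Version, Message Type, Message Length
RECORD_HEADER = struct.Struct("!II")             # Record Type, Record Length
RULE_MESSAGE_FIXED = struct.Struct("!IIIII16s")  # Generator ID .. Message Length, Rule UUID
USER_RECORD_FIXED = struct.Struct("!II")         # User ID, Name Length


class ParseError(ValueError):
    """Raised when a length field disagrees with the bytes received."""


def parse_message(data: bytes) -> dict:
    """Return the message header fields and the payload the header describes."""
    if len(data) < MESSAGE_HEADER.size:
        raise ParseError("short message header")
    version, msg_type, msg_len = MESSAGE_HEADER.unpack_from(data, 0)
    if version != HEADER_VERSION:
        raise ParseError(f"unexpected header version {version}")
    payload = data[MESSAGE_HEADER.size:]
    # Assumption: Message Length counts the bytes after the 8-byte header.
    # A length larger than what arrived means truncation or a bad sender.
    if msg_len > len(payload):
        raise ParseError(f"message length {msg_len} exceeds {len(payload)} bytes received")
    return {"version": version, "message_type": msg_type, "payload": payload[:msg_len]}


def parse_record(payload: bytes) -> tuple:
    """Return (record type, record body) for the record at the start of payload."""
    if len(payload) < RECORD_HEADER.size:
        raise ParseError("short record header")
    rec_type, rec_len = RECORD_HEADER.unpack_from(payload, 0)
    body = payload[RECORD_HEADER.size:]
    # Assumption: Record Length counts the bytes after the 8-byte record header.
    if rec_len > len(body):
        raise ParseError(f"record length {rec_len} exceeds {len(body)} bytes received")
    return rec_type, body[:rec_len]


def parse_user_record(body: bytes) -> dict:
    """User record: User ID, Name Length, Name (User Record Fields table)."""
    if len(body) < USER_RECORD_FIXED.size:
        raise ParseError("short user record")
    user_id, name_len = USER_RECORD_FIXED.unpack_from(body, 0)
    name = body[USER_RECORD_FIXED.size:USER_RECORD_FIXED.size + name_len]
    if len(name) != name_len:
        raise ParseError("name length exceeds record body")
    # Assumption: the name is UTF-8; undecodable bytes are replaced, not dropped.
    return {"user_id": user_id, "name": name.decode("utf-8", errors="replace")}


def parse_rule_message(body: bytes) -> dict:
    """Rule Message record for 4.6.1+: the fields shown in the page's layout."""
    if len(body) < RULE_MESSAGE_FIXED.size:
        raise ParseError("short rule message record")
    gen_id, rule_id, revision, rendered_sid, msg_len, rule_uuid = RULE_MESSAGE_FIXED.unpack_from(body, 0)
    rest = body[RULE_MESSAGE_FIXED.size:]
    # The layout on this page ends at Rule UUID. Assumption, from the prose
    # ("new UUID and Revision UUID fields"): a 16-byte Revision UUID follows,
    # then Message Length bytes of rule message text.
    if len(rest) < UUID_LEN + msg_len:
        raise ParseError("revision UUID or message text truncated")
    return {
        "generator_id": gen_id,
        "rule_id": rule_id,
        "revision": revision,
        "rendered_signature_id": rendered_sid,
        "rule_uuid": uuid.UUID(bytes=rule_uuid),
        "revision_uuid": uuid.UUID(bytes=rest[:UUID_LEN]),
        "message": rest[UUID_LEN:UUID_LEN + msg_len].decode("utf-8", errors="replace"),
    }


def build_rule_message(gen_id, rule_id, revision, rendered_sid, rule_uuid, revision_uuid, message):
    """Encode one complete message carrying a Rule Message record (fixture builder)."""
    text = message.encode("utf-8")
    body = (RULE_MESSAGE_FIXED.pack(gen_id, rule_id, revision, rendered_sid, len(text), rule_uuid.bytes)
            + revision_uuid.bytes + text)
    record = RECORD_HEADER.pack(RECORD_TYPE_RULE_MESSAGE, len(body)) + body
    return MESSAGE_HEADER.pack(HEADER_VERSION, MESSAGE_TYPE_EVENT_DATA, len(record)) + record


def safe_decode(data: bytes):
    """Decode one message; return None instead of raising on malformed input."""
    try:
        msg = parse_message(data)
        rec_type, body = parse_record(msg["payload"])
        if rec_type == RECORD_TYPE_RULE_MESSAGE:
            return parse_rule_message(body)
        return {"record_type": rec_type, "body": body}
    except ParseError:
        return None


# Constructed sample values, not real rule data.
SAMPLE_RULE_UUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_REVISION_UUID = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")
SAMPLE_MESSAGE = build_rule_message(1, 2000001, 3, 2000001, SAMPLE_RULE_UUID,
                                    SAMPLE_REVISION_UUID, "Constructed sample rule message")

if __name__ == "__main__":
    print(safe_decode(SAMPLE_MESSAGE))
    print(safe_decode(SAMPLE_MESSAGE[:-1]))  # truncated by one byte: None
```

The two fields named Message Length are deliberately kept apart: the one in the message header bounds the whole payload, the one inside the record bounds only the rule text, and each is checked against the bytes that are actually present rather than used as an offset on trust.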