Cisco Cisco Firepower Management Center 2000 Guía Del Desarrollador

Version 5.3

Sourcefire 3D System eStreamer Integration Guide

147

Understanding Intrusion and Correlation Data Structures

Understanding Series 2 Data Blocks

Chapter 3

Connection Event

Timestamp

uint32

Timestamp of the connection event.

Direction

uint8

Indicates whether the file was

uploaded or downloaded. Can have the

following values:
•

— Download

•

— Upload

Currently the value depends on the

protocol (for example, if the connection

is HTTP it is a download).

Source IP Address

uint8[16]

IPv4 or IPv6 address for the source of

the connection.

Destination IP

Address

uint8[16]

IPv4 or IPv6 address for the destination

of the connection.

Application ID

uint32

ID number that maps to the application

using the file transfer.

User ID

uint32

Identification number for the user

logged into the destination host, as

identified by the system.

Access Control

Policy UUID

uint8[16]

Identification number that acts as a

unique identifier for the access control

policy that triggered the event.

Disposition

uint8

The malware status of the file. Possible

values include:
•

— CLEAN — The file is clean and

does not contain malware.

•

— UNKNOWN — It is unknown

whether the file contains malware.

•

— MALWARE — The file contains

malware.

•

— UNAVAILABLE — The software

was unable to send a request to the

Sourcefire cloud for a disposition, or

the Sourcefire cloud services did not

respond to the request.

•

— CUSTOM SIGNATURE — The

file matches a user-defined hash, and

is treated in a fashion designated by

the user.

Malware Event Data Block for 5.3+ Fields (Continued)

IELD

ATA

YPE

ESCRIPTION