Cisco Cisco Firepower Management Center 2000 Guía Del Desarrollador
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
147
Understanding Intrusion and Correlation Data Structures
Understanding Series 2 Data Blocks
Chapter 3
Connection Event
Timestamp
uint32
Timestamp of the connection event.
Direction
uint8
Indicates whether the file was
uploaded or downloaded. Can have the
following values:
•
•
1
— Download
•
2
— Upload
Currently the value depends on the
protocol (for example, if the connection
is HTTP it is a download).
Source IP Address
uint8[16]
IPv4 or IPv6 address for the source of
the connection.
Destination IP
Address
uint8[16]
IPv4 or IPv6 address for the destination
of the connection.
Application ID
uint32
ID number that maps to the application
using the file transfer.
User ID
uint32
Identification number for the user
logged into the destination host, as
identified by the system.
Access Control
Policy UUID
uint8[16]
Identification number that acts as a
unique identifier for the access control
policy that triggered the event.
Disposition
uint8
The malware status of the file. Possible
values include:
•
•
1
— CLEAN — The file is clean and
does not contain malware.
•
2
— UNKNOWN — It is unknown
whether the file contains malware.
•
3
— MALWARE — The file contains
malware.
•
4
— UNAVAILABLE — The software
was unable to send a request to the
Sourcefire cloud for a disposition, or
the Sourcefire cloud services did not
respond to the request.
•
5
— CUSTOM SIGNATURE — The
file matches a user-defined hash, and
is treated in a fashion designated by
the user.
Malware Event Data Block for 5.3+ Fields (Continued)
F
IELD
D
ATA
T
YPE
D
ESCRIPTION