Cisco Cisco Firepower Management Center 2000 Guía Del Desarrollador

Version 5.3

Sourcefire 3D System eStreamer Integration Guide

148

Understanding Intrusion and Correlation Data Structures

Understanding Series 2 Data Blocks

Chapter 3

Retrospective

Disposition

uint8

Disposition of the file if the disposition

is updated. If the disposition is not

updated, this field contains the same

value as the Disposition field. The

possible values are the same as the

Disposition field.

String Block Type

uint32

Initiates a String data block containing

the URI. This value is always 0.

String Block Length

uint32

The number of bytes included in the

URI data block, including eight bytes for

the block type and header fields plus

the number of bytes in the URI field.

URI

string

URI of the connection.

Source Port

uint16

Port number for the source of the

connection.

Destination Port

uint16

Port number for the destination of the

connection.

Source Country

uint16

Code for the country of the source

host.

Destination

Country

uint 16

Code for the country of the destination

host.

Web Application ID

uint32

The internal identification number of

the detected web application, if

applicable.

Client Application

uint32

The internal identification number of

the detected client application, if

applicable.

Action

uint8

The action taken on the file based on

the file type. Can have the following

values:
•

— Detect

•

— Block

•

— Malware Cloud Lookup

•

— Malware Block

•

— Malware Whitelist

Malware Event Data Block for 5.3+ Fields (Continued)

IELD

ATA

YPE

ESCRIPTION