Cisco Firepower Management Center 2000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Understanding the eStreamer Application Protocol
Event Data Message Format
Chapter 2
Understanding the Organization of Event Data Messages
The event data and metadata messages that eStreamer sends contain the following sections:
• eStreamer message header — the standard message header defined at
• Event-specific sub-headers — sets of fields that vary by event type, with codes that describe additional event details and determine the structure of the payload data that follows.
• Data record — fixed-length fields and a data block.
IMPORTANT!
The client should unpack all messages on the basis of field length.
For the event message formats by event type, see the following:
• on page 39 — for intrusion event data records and all metadata records. These messages have fixed-length fields.
• on page 40 — for messages with discovery event or user event data. In addition to the standard eStreamer message header and a record header similar to the intrusion event message, discovery messages have a distinctive discovery event header with an event type and subtype field. The data record in discovery event messages is packaged in a series 1 block that can have variable-length fields and multiple layers of encapsulated blocks.
• on page 42 — for messages with connection statistics. Their general structure is identical to discovery event messages. Their data block types, however, are specific to connection statistics.
• on page 42 — for messages with correlation (compliance) event data. The headers in these messages are the same as in intrusion event messages, but the data blocks are series 1 blocks.
• on page 44 — for a series of messages that deliver intrusion-related record types with variable-length fields and multiple layers of nested data blocks, such as intrusion event extra data. See on page 44 for general information about the structures of this series of blocks, which are similar to series 1 blocks but numbered separately.
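As an added example (not code from the guide or from Cisco), the following Python client-side parser applies the rule stated above: it splits a byte stream into messages using only the declared field lengths, holds back a message whose payload has not fully arrived, and refuses a fixed-length record whose size does not match its layout. The 8-byte header layout (2-byte version, 2-byte type, 4-byte length, big-endian), the message type values and the length cap are assumptions for this example, and the input bytes are constructed.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Assumed header layout for this example (not taken from the page): 2-byte
# header version, 2-byte message type, 4-byte message length, big-endian.
# The length is taken to count only the bytes that follow the 8-byte header.
HEADER = struct.Struct("!HHI")
MAX_MESSAGE_LEN = 1 << 20  # sanity cap on a declared length (assumption)

@dataclass
class Message:
    version: int
    msg_type: int
    payload: bytes

def unpack_messages(buf: bytes) -> Tuple[List[Message], bytes]:
    """Split buf into complete messages using only the declared field lengths.
    Returns the parsed messages plus any trailing bytes that do not yet form a
    complete message, to be prepended to the next read from the socket."""
    msgs: List[Message] = []
    offset = 0
    while len(buf) - offset >= HEADER.size:
        version, msg_type, length = HEADER.unpack_from(buf, offset)
        if length > MAX_MESSAGE_LEN:
            raise ValueError(f"declared length {length} exceeds cap at offset {offset}")
        end = offset + HEADER.size + length
        if end > len(buf):
            break  # header seen, but the payload has not fully arrived yet
        msgs.append(Message(version, msg_type, buf[offset + HEADER.size:end]))
        offset = end
    return msgs, buf[offset:]

def parse_fixed_record(payload: bytes, layout: str) -> tuple:
    """Unpack a fixed-length data record; reject a payload whose size does not
    match the layout instead of silently reading past (or short of) the record."""
    rec = struct.Struct("!" + layout)
    if len(payload) != rec.size:
        raise ValueError(f"record is {len(payload)} bytes, layout needs {rec.size}")
    return rec.unpack(payload)

# Constructed sample stream: two complete messages (types 4 and 3 are made-up
# values) followed by a third whose 12-byte payload has only partly arrived.
SAMPLE = (HEADER.pack(1, 4, 8) + struct.pack("!II", 0x01020304, 7)
          + HEADER.pack(1, 3, 3) + b"abc"
          + HEADER.pack(1, 4, 12) + b"\x00\x01")

if __name__ == "__main__":
    done, rest = unpack_messages(SAMPLE)
    print(len(done), "complete messages,", len(rest), "bytes pending")
```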