Cisco Firepower Management Center 2000 Developer Guide

Version 5.3
Sourcefire 3D System eStreamer Integration Guide
440
Data Structure Examples
Intrusion Event Data Structure Examples
Appendix A
M. The last three bytes of this line and the first byte of the next line indicate the length of the description. In this example, the length is 21 bytes, including the string block header and the 13 bytes of the event description. In an actual event, the length is typically much longer.
N. The first byte of this line is a continuation of the string block length, followed by 13 bytes that contain the event description. The event description has been truncated for the sake of this example. In this example, the description is “[1:2008:4] MI”. In the actual policy violation event that this example is based on, however, the description is much longer: “[1:2008:4] MISC CVS invalid user authentication response [Impact: Potentially Vulnerable] From sensor "is.sourcefire.com" at Thu Oct 28 17:07:19 2004 UTC [Classification: Misc Attack] [Priority: 2] {tcp} 10.1.1.24:2401-> 10.1.1.25:34174”.
O. The third byte in this line has a value of one, which indicates that the type of event that caused the correlation policy violation is an intrusion event. The fourth byte in this line indicates the identification number of the device that generated the intrusion event; in this case, it is sensor 1.
P. This line indicates that the signature ID for the rule triggered in the event is 2008.
Q. This line indicates that the generator ID for the rule triggered in the event is 1, the intrusion detection engine.
R. This line indicates that the intrusion event timestamp is 1,098,911,243, which means it was generated at Wed, 27 Oct 2004 21:07:23 GMT.
S. This line indicates the microsecond at which the intrusion event was generated, 179,035.
T. This line indicates that the ID assigned to the intrusion event is 17,828.
U. This line indicates which of the fields that follow it are valid. Based on how the bits are set, the impact flags, IP protocol, source IP, source port, destination IP, and destination port fields will have values.
V. This line indicates the impact value assigned to the event. Based on how the bits are set, the impact is Orange—Potentially Vulnerable.
W. The first byte in this line indicates that the IP protocol is 6 (TCP). The next two bytes show the network protocol, which is null. The last byte of this line and the first three bytes of the next line begin the source IP address, which is 10.1.1.24.
X. The first three bytes in this line finish the source IP address started in line W, and the last byte shows the host type, which is null.
Y. The first two bytes in this line indicate the VLAN ID, which is null. The next two bytes begin a four-byte fingerprint ID, which is also null.
Z. The first two bytes in this line complete the fingerprint ID, and the next two bytes contain the source host criticality, which is null.