Cisco Firepower Management Center 2000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Data Structure Examples
Intrusion Event Data Structure Examples
Appendix A
M. The last three bytes of this line and first byte of the next line indicate the
length of the description. In this example, the length is 21 bytes, including the
string block header and the 13 bytes in the event description. In an actual
event, the length is typically much longer.
N. The first byte of this line is a continuation of the string block length, followed
by 13 bytes that contain the event description. The event description has
been truncated for the sake of this example. In this example, the description
is “[1:2008:4] MI”. In the actual policy violation event that this example is
based on, however, the description is much longer: “[1:2008:4] MISC CVS
invalid user authentication response [Impact: Potentially
Vulnerable] From sensor "is.sourcefire.com" at Thu Oct 28
17:07:19 2004 UTC [Classification: Misc Attack] [Priority: 2]
{tcp} 10.1.1.24:2401-> 10.1.1.25:34174”.
O. The third byte in this line has a value of one, which indicates that the type of
event that caused the correlation policy violation is an intrusion event. The
fourth byte in this line indicates the identification number of the device that
generated the intrusion event, in this case sensor 1.
P. This line indicates that the signature ID for the rule triggered in the event is
2008.
Q. This line indicates that the generator ID for the rule that triggered in the event
is 1, the intrusion detection engine.
R. This line indicates that the intrusion event timestamp is 1,098,911,243, which
means it was generated at Wed, 27 Oct 2004 21:07:23 GMT.
S. This line indicates the microsecond the intrusion event was generated,
179,035.
T. This line indicates that the ID assigned to the intrusion event is 17,828.
U. This line indicates which of the fields that follow it are valid. Based on how
the bits are set, impact flags, IP protocol, source IP, source port, destination
IP, and destination port fields will have values.
V. This line indicates the impact value assigned to the event. Based on how the
bits are set, the impact is Orange—Potentially Vulnerable.
W. The first byte in this line indicates that the IP protocol is 6 (TCP). The second
two bytes show the network protocol, which is null. The last byte of this line
and the first three bytes of the next line begin the source IP address, which is
10.1.1.24.
X. The first three bytes in this line finish the source IP started in line W and the
last byte shows the host type, which is null.
Y. The first two bytes in this line indicate the VLAN ID, which is null. The second
two bytes begin a four-byte fingerprint ID, which is also null.
Z. The first two bytes in this line complete the fingerprint ID, the second two
bytes contain the source host criticality, which is null.