Cisco Firepower Management Center 2000 Developer's Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Appendix A: Data Structure Examples, Intrusion Event Data Structure Examples (page 447)
In the preceding example, the following information appears:
A. The first two bytes of this line indicate the standard header value of 1. The
second two bytes indicate that the message is a data message (message
type four).
B. This line indicates that the message that follows is 153 bytes long.
C. This line indicates a record type value of 112, which represents a correlation
event record for Sourcefire 3D System 4.10.
D. This line indicates that the data that follows is 145 bytes long.
Note that bit 23 was not set in the request, so Timestamp data is not
included in the example.
E. This line contains a value of 107, indicating that a correlation event data block
follows.
F. This line indicates that the length of the correlation event block, including the
correlation event block header, is 145 bytes.
G. This line indicates that the detection engine ID is 0, indicating that the
correlation event was generated on the Defense Center.
H. This line contains the correlation event timestamp, 1,098,911,301, which is
Wed, 27 Oct 2004 21:08:21 GMT.
I. This line indicates that the correlation event ID number is 10.
J. This line indicates a policy ID of 4, which, in this case, maps to a custom
correlation policy on the Defense Center.
K. This line indicates a rule ID of 29, which, in this case, maps to a custom
correlation policy rule on the Defense Center.
L. This line indicates a policy priority of 1.
M. This line contains a value of 0, which indicates the beginning of a string block
for the event description.
N. This line indicates the length of the description. In this example, the length is
19 bytes, including the string block header and the 11 bytes in the event
description. In an actual event, the length is typically much longer.
O. These three lines contain the 11-byte event description, followed by the event
type. The event description has been truncated for the sake of this example.
In this example, the description is “[1:2008:4].” In the actual policy violation
event that this example is based on, however, the description is much longer:
[Figure: byte/bit layout diagram of the message (columns labelled Byte 0 to 3, Bit 0 to 31). Only the last two labelled rows survive extraction:]
AH: 1 0 0 0 0 1 0 1 0 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
AI: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
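The walk through lines A to O above is, in effect, a parsing specification: an 8-byte eStreamer header, an 8-byte record header, an 8-byte block header whose length counts itself, six 4-byte fields, then a string block whose length also counts its own 8-byte header. As an added example (not code from the guide or from Cisco/Sourcefire), the Python below builds a constructed message that reproduces the page's numbers (153, 112, 145, 107, 0, 1098911301, 10, 4, 29, 1) and parses it back, rejecting every length field that does not agree with the bytes actually held. Assumptions: integers are big-endian; the fields after the priority that the page does not break down are represented by zero filler; the constructed description is the 10 characters the page shows, so its string block length is 18 rather than the 19 the page's own 11-byte example has.

```python
import struct
from dataclasses import dataclass

# Framing constants as named on this page (header version 1, data message 4,
# record type 112, correlation event block 107, string block 0).
HEADER_VERSION = 1
MSG_TYPE_DATA = 4
RECORD_TYPE_CORRELATION_EVENT = 112
BLOCK_TYPE_CORRELATION_EVENT = 107
BLOCK_TYPE_STRING = 0

EXAMPLE_TIMESTAMP = 1098911301  # Wed, 27 Oct 2004 21:08:21 GMT, from the page
EXAMPLE_DATA_LEN = 145          # block length, including its own 8-byte header


@dataclass
class CorrelationEvent:
    device_id: int
    timestamp: int
    event_id: int
    policy_id: int
    rule_id: int
    priority: int
    description: bytes
    trailing: bytes  # block fields after the description that this page does not detail


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from(">H", buf, off)[0]  # assumption: big-endian


def _u32(buf: bytes, off: int) -> int:
    return struct.unpack_from(">I", buf, off)[0]


def parse_string_block(data: bytes, off: int):
    """Parse a string block at `off`; its length field counts the 8-byte header."""
    if len(data) - off < 8:
        raise ValueError("truncated string block header")
    stype, slen = _u32(data, off), _u32(data, off + 4)
    if stype != BLOCK_TYPE_STRING:
        raise ValueError(f"expected string block 0, got {stype}")
    # A declared length shorter than its header, or reaching past the bytes we
    # hold, is a corrupted or hostile value: refuse it instead of slicing blindly.
    if slen < 8 or slen > len(data) - off:
        raise ValueError(f"string block length {slen} out of bounds")
    return data[off + 8:off + slen], off + slen


def parse_data_message(msg: bytes) -> CorrelationEvent:
    """Walk header -> record -> correlation event block, checking each length."""
    if len(msg) < 8:
        raise ValueError("truncated eStreamer header")
    version, msg_type, msg_len = _u16(msg, 0), _u16(msg, 2), _u32(msg, 4)
    if version != HEADER_VERSION or msg_type != MSG_TYPE_DATA:
        raise ValueError(f"unexpected header {version}/{msg_type}")
    if msg_len != len(msg) - 8:
        raise ValueError(f"message length {msg_len} != {len(msg) - 8} bytes present")
    body = msg[8:]
    if len(body) < 8:
        raise ValueError("truncated record header")
    rec_type, rec_len = _u32(body, 0), _u32(body, 4)
    if rec_type != RECORD_TYPE_CORRELATION_EVENT:
        raise ValueError(f"not a correlation event record: {rec_type}")
    data = body[8:]
    if rec_len != len(data) or len(data) < 8:
        raise ValueError(f"record length {rec_len} != {len(data)} bytes present")
    blk_type, blk_len = _u32(data, 0), _u32(data, 4)
    if blk_type != BLOCK_TYPE_CORRELATION_EVENT:
        raise ValueError(f"not a correlation event block: {blk_type}")
    if blk_len != len(data):  # the block length includes the block header itself
        raise ValueError(f"block length {blk_len} != {len(data)}")
    off = 8
    if len(data) - off < 24:
        raise ValueError("truncated fixed fields")
    device_id, ts, event_id, policy_id, rule_id, priority = struct.unpack_from(">6I", data, off)
    off += 24
    description, off = parse_string_block(data, off)
    return CorrelationEvent(device_id, ts, event_id, policy_id, rule_id, priority,
                            description, data[off:])


def build_example_message(description: bytes = b"[1:2008:4]") -> bytes:
    """Constructed message reproducing the page's lengths; zero filler stands in
    for the block fields after the description that the page does not detail."""
    string_block = struct.pack(">II", BLOCK_TYPE_STRING, 8 + len(description)) + description
    fixed = struct.pack(">6I", 0, EXAMPLE_TIMESTAMP, 10, 4, 29, 1)
    filler_len = EXAMPLE_DATA_LEN - 8 - len(fixed) - len(string_block)
    if filler_len < 0:
        raise ValueError("description too long for the 145-byte block")
    block = (struct.pack(">II", BLOCK_TYPE_CORRELATION_EVENT, EXAMPLE_DATA_LEN)
             + fixed + string_block + bytes(filler_len))
    record = struct.pack(">II", RECORD_TYPE_CORRELATION_EVENT, len(block)) + block
    return struct.pack(">HHI", HEADER_VERSION, MSG_TYPE_DATA, len(record)) + record


def rejects(msg: bytes) -> bool:
    """True if the parser refuses `msg`; used to exercise malformed inputs."""
    try:
        parse_data_message(msg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    m = build_example_message()
    print(parse_data_message(m))
    print("truncated message rejected:", rejects(m[:-1]))
```

The three length fields are checked against each other rather than trusted: the message length must equal the bytes received after the header, the record length must equal the block length, and each string block length must be at least 8 and fit in what remains. A reader feeding eStreamer output into a SIEM can reuse that pattern for every nested block type in the guide.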