Cisco Firepower Management Center 2000 Developer Guide

Sourcefire 3D System eStreamer Integration Guide, Version 5.3 (page 511)
Appendix B: Understanding Legacy Data Structures
Legacy Malware Event Data Structures
Malware Event Data Block for 5.2.x Fields (Continued)

| Field | Data Type | Description |
|---|---|---|
| String Block Length | uint32 | The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field. |
| Event Description | string | The additional event information associated with the event type. |
| Device ID | uint32 | ID for the device that generated the event. |
| Connection Instance | uint16 | Snort instance on the device that generated the event. Used to link the event with a connection or IDS event. |
| Connection Counter | uint16 | Value used to distinguish between connection events that happen during the same second. |
| Connection Event Timestamp | uint32 | Timestamp of the connection event. |
| Direction | uint8 | Indicates whether the file was uploaded or downloaded. Can have the following values: 1 (Download), 2 (Upload). Currently the value depends on the protocol (for example, if the connection is HTTP it is a download). |
| Source IP Address | uint8[16] | IPv4 or IPv6 address for the source of the connection. |
| Destination IP Address | uint8[16] | IPv4 or IPv6 address for the destination of the connection. |
| Application ID | uint32 | ID number that maps to the application using the file transfer. |
| User ID | uint32 | Identification number for the user logged into the destination host, as identified by the system. |
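As an added example (not code from the guide or from Cisco), the following Python parser decodes the run of fields listed in this table, from String Block Length through User ID, and checks every length against the buffer before slicing, so a truncated or corrupt record raises instead of reading past the end. Only the field names and widths come from the page; network byte order for integers, a string block type value of 0 in the constructed sample, and carrying an IPv4 address in the last four bytes of the 16-byte address field are assumptions. The function names and the sample record are constructed for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Assumption: eStreamer integers are big-endian (network byte order).
# The fixed-width fields after the Event Description string block:
# Device ID, Connection Instance, Connection Counter, Connection Event
# Timestamp, Direction, Source IP, Destination IP, Application ID, User ID.
TAIL_FMT = "!IHHIB16s16sII"
TAIL_SIZE = struct.calcsize(TAIL_FMT)  # 53 bytes; "!" means no padding

# Direction values as given in the table.
DIRECTION = {1: "Download", 2: "Upload"}


@dataclass
class MalwareEventTail:
    event_description: str
    device_id: int
    connection_instance: int
    connection_counter: int
    connection_event_timestamp: int
    direction: str
    source_ip: str
    destination_ip: str
    application_id: int
    user_id: int


def ip_from_16(raw: bytes) -> str:
    """Render a 16-byte address field. Assumption: an IPv4 address occupies
    the last four bytes with the first twelve zero; anything else is IPv6."""
    if len(raw) != 16:
        raise ValueError("address field must be 16 bytes")
    if raw[:12] == bytes(12):
        return str(ipaddress.IPv4Address(raw[12:]))
    return str(ipaddress.IPv6Address(raw))


def ip_to_16(text: str) -> bytes:
    """Inverse of ip_from_16, used only to build the constructed sample."""
    packed = ipaddress.ip_address(text).packed
    return bytes(16 - len(packed)) + packed


def parse_malware_event_tail(buf: bytes, offset: int = 0) -> tuple[MalwareEventTail, int]:
    """Parse String Block Length .. User ID starting at `offset`.
    Returns the decoded fields and the offset just past User ID."""
    if len(buf) - offset < 8:
        raise ValueError("truncated string block header")
    _block_type, block_len = struct.unpack_from("!II", buf, offset)
    # Per the table, the length counts the 8 header bytes plus the string.
    if block_len < 8 or block_len > len(buf) - offset:
        raise ValueError(f"string block length {block_len} out of range")
    desc = buf[offset + 8:offset + block_len].decode("utf-8", errors="replace")
    offset += block_len

    if len(buf) - offset < TAIL_SIZE:
        raise ValueError("truncated fixed-width fields")
    (device_id, conn_inst, conn_ctr, conn_ts, direction,
     src_raw, dst_raw, app_id, user_id) = struct.unpack_from(TAIL_FMT, buf, offset)
    offset += TAIL_SIZE

    tail = MalwareEventTail(
        event_description=desc,
        device_id=device_id,
        connection_instance=conn_inst,
        connection_counter=conn_ctr,
        connection_event_timestamp=conn_ts,
        direction=DIRECTION.get(direction, f"unknown({direction})"),
        source_ip=ip_from_16(src_raw),
        destination_ip=ip_from_16(dst_raw),
        application_id=app_id,
        user_id=user_id,
    )
    return tail, offset


def build_sample() -> bytes:
    """Constructed sample record, not captured eStreamer traffic.
    String block type 0 is an assumption for illustration."""
    desc = b"constructed sample description"
    string_block = struct.pack("!II", 0, 8 + len(desc)) + desc
    fixed = struct.pack(TAIL_FMT, 7, 3, 12, 1400000000, 1,
                        ip_to_16("10.0.0.5"), ip_to_16("2001:db8::10"), 676, 0)
    return string_block + fixed


if __name__ == "__main__":
    parsed, end = parse_malware_event_tail(build_sample())
    print(parsed, "next offset:", end)
```

The block-length check matters in an event consumer: String Block Length is attacker-influenceable only indirectly (the sensor fills it in), but a malformed or truncated stream should fail closed rather than silently misalign every field that follows. The IPv4 heuristic is the weak point of the assumption above: a genuine IPv6 address whose first twelve bytes are zero would render as IPv4, so a production consumer should use whatever address-family indication the full record provides.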