Cisco Cisco Firepower Management Center 2000 Guía Del Desarrollador

Cisco

Version 5.3

Sourcefire 3D System eStreamer Integration Guide

512

Understanding Legacy Data Structures

Legacy Malware Event Data Structures

Appendix B

Access Control

Policy UUID

uint8[16]

Identification number that acts as a

unique identifier for the access control

policy that triggered the event.

Disposition

uint8

The malware status of the file. Possible

values include:
•

1

— CLEAN — The file is clean and

does not contain malware.

•

2

— NEUTRAL — It is unknown

whether the file contains malware.

•

3

— MALWARE — The file contains

malware.

•

4

— CACHE_MISS — The software

was unable to send a request to the

Sourcefire cloud for a disposition, or

the Sourcefire cloud services did not

respond to the request.

Retrospective

Disposition

uint8

Disposition of the file if the disposition

is updated. If the disposition is not

updated, this field contains the same

value as the Disposition field. The

possible values are the same as the

Disposition field.

String Block Type

uint32

Initiates a String data block containing

the URI. This value is always 0.

String Block Length

uint32

The number of bytes included in the

URI data block, including eight bytes for

the block type and header fields plus

the number of bytes in the URI field.

URI

string

URI of the connection.

Source Port

uint16

Port number for the source of the

connection.

Destination Port

uint16

Port number for the destination of the

connection.

Source Country

uint16

Code for the country of the source

host.

Destination

Country

uint 16

Code for the country of the destination

host.

Malware Event Data Block for 5.2.x Fields (Continued)

F

IELD

D

ATA

T

YPE

D

ESCRIPTION