Cisco Firepower Management Center 2000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
80
Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Chapter 3
Impact, data type bits[8]: Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:
• 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
• 0x02 (bit 1) — Source or destination host exists in the network map.
• 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
• 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
• 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
• 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in an inline, switched, or routed deployment). Corresponds to blocked status in the Sourcefire 3D System web interface.
• 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
• 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event. (version 5.0+ only)
The following impact level values map to specific priorities on the Defense Center. Each pattern is written with bit 7 on the left and bit 0 on the right; an X indicates the value can be 0 or 1:
• gray (0, unknown): 00X00000
• red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX (the last pattern applies to version 5.0+ only)
• orange (2, potentially vulnerable): 00X0011X
• yellow (3, currently not vulnerable): 00X0001X
• blue (4, unknown target): 00X00001
Source IP Address, data type uint8[4]: IP address of the source host associated with the impact event, in IP address octets.
Destination IP Address, data type uint8[4]: IP address of the destination host associated with the impact event (if applicable), in IP address octets. This value is 0 if there is no destination IP address.
Impact Event Data Fields (Continued)
Field    Data Type    Description