Cisco Firepower Management Center 2000 Developer Guide
Sourcefire 3D System eStreamer Integration Guide, Version 5.3
Chapter 3: Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Correlation Policy Record Fields (Continued)

Field           Data Type   Description
UUID            uint8[16]   A correlation policy ID number that acts as a unique identifier for the correlation policy.
Revision UUID   uint8[16]   A correlation policy revision ID number that acts as a unique identifier for that revision of the correlation policy.

Correlation Rule Record

The eStreamer service transmits metadata describing the correlation rule that triggered a correlation event in a Correlation Rule record, the format of which is shown below. Correlation rule information is sent when the Version 3 or Version 4 metadata flag (bit 15 or bit 20, respectively, in the Request Flags field of a request message) is set; see page 30. Note that the Record Type field, which follows the Message Length field, has the value 70, indicating a Correlation Rule record.
Correlation Rule Record Format (record type 70)

Each row of the diagram is one 32-bit word (bytes 0 to 3, bits 0 to 31). Header Version and Message Type share the first word as two 16-bit fields; every other single-row field is 32 bits wide. Name, Description and Event Type are variable-length and occupy as many words as their preceding length field requires; each UUID is 16 bytes and occupies four words. The diagram as reproduced on this page ends at the start of the Correlation Revision UUID.

Byte | 0                 | 1                 | 2                 | 3
Bit  | 0 .. 7            | 8 .. 15           | 16 .. 23          | 24 .. 31
-----+-------------------------------------------------------------------------
     | Header Version (1)                    | Message Type (4)
     | Message Length
     | Record Type (70)
     | Record Length
     | Correlation Rule ID
     | Name Length
     | Name...
     | Description Length
     | Description...
     | Event Type Length
     | Event Type...
     | Correlation Rule UUID
     | Correlation Rule UUID, continued
     | Correlation Rule UUID, continued
     | Correlation Rule UUID, continued
     | Correlation Revision UUID,
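As an added example, not code from the Sourcefire guide or from Cisco: a Python parser for the record layout in the diagram above. It takes its field widths from the diagram (Header Version and Message Type are 16-bit, the other single-row fields 32-bit, UUIDs 16 bytes) and assumes the usual eStreamer conventions that all fields are in network (big-endian) byte order, that Message Length counts the bytes after the 8-byte message header, and that Record Length counts the bytes after the 8-byte Record Type and Record Length pair. Because the diagram on this page stops at the Correlation Revision UUID, anything after it is returned as unparsed bytes rather than interpreted. The class and function names, the sample rule and the UUIDs are all my own constructions. The practitioner's point is in `_Cursor.take()`: the Name, Description and Event Type length fields arrive from the peer, so each is checked against the record boundary before it is used to slice, which is what keeps a hostile or corrupted length from reading past the record.

```python
"""Parse an eStreamer Correlation Rule metadata record (record type 70).

Added example based on the byte/bit diagram on this page; not Sourcefire code.
Assumptions: big-endian fields; Message Length excludes the 8-byte message
header; Record Length excludes the 8-byte record header.
"""
import struct
import uuid
from dataclasses import dataclass

HEADER_VERSION = 1                 # Header Version value from the diagram
MSG_TYPE_EVENT_DATA = 4            # Message Type value from the diagram
RECORD_TYPE_CORRELATION_RULE = 70  # Record Type value from the diagram

# Request Flags bits named in the text: bit 15 = Version 3 metadata, bit 20 = Version 4 metadata.
FLAG_METADATA_V3 = 1 << 15
FLAG_METADATA_V4 = 1 << 20


class RecordError(ValueError):
    """A type or length field does not match the bytes actually present."""


@dataclass
class CorrelationRuleRecord:
    rule_id: int
    name: str
    description: str
    event_type: str
    rule_uuid: uuid.UUID
    revision_uuid: uuid.UUID
    trailing: bytes  # bytes after the Correlation Revision UUID; the page's diagram stops there


class _Cursor:
    """Bounds-checked reader confined to one record body, [pos, end)."""

    def __init__(self, buf: bytes, pos: int, end: int):
        self.buf, self.pos, self.end = buf, pos, end

    def take(self, n: int) -> bytes:
        # Every wire-supplied length passes through here, so an oversized
        # Name Length raises instead of slicing past the record or the buffer.
        if n < 0 or self.pos + n > self.end:
            raise RecordError(f"{n}-byte field at offset {self.pos} runs past record end {self.end}")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def lstring(self) -> str:
        """32-bit length followed by that many bytes (Name, Description, Event Type)."""
        return self.take(self.u32()).decode("utf-8", errors="replace")

    def uuid16(self) -> uuid.UUID:
        return uuid.UUID(bytes=self.take(16))

    def rest(self) -> bytes:
        return self.take(self.end - self.pos)


def parse_correlation_rule(msg: bytes) -> CorrelationRuleRecord:
    """Parse one eStreamer message carrying a single Correlation Rule record."""
    if len(msg) < 16:
        raise RecordError("message shorter than message header plus record header")
    hdr_version, msg_type, msg_len = struct.unpack(">HHI", msg[:8])
    if hdr_version != HEADER_VERSION or msg_type != MSG_TYPE_EVENT_DATA:
        raise RecordError(f"unexpected header version/type {hdr_version}/{msg_type}")
    if msg_len != len(msg) - 8:  # assumption: length excludes the 8-byte message header
        raise RecordError(f"message length {msg_len} but {len(msg) - 8} bytes follow the header")
    rec_type, rec_len = struct.unpack(">II", msg[8:16])
    if rec_type != RECORD_TYPE_CORRELATION_RULE:
        raise RecordError(f"record type {rec_type}, expected {RECORD_TYPE_CORRELATION_RULE}")
    if rec_len != msg_len - 8:  # assumption: length excludes the 8-byte record header
        raise RecordError(f"record length {rec_len} does not match message length {msg_len}")
    c = _Cursor(msg, 16, 16 + rec_len)
    return CorrelationRuleRecord(
        rule_id=c.u32(), name=c.lstring(), description=c.lstring(), event_type=c.lstring(),
        rule_uuid=c.uuid16(), revision_uuid=c.uuid16(), trailing=c.rest())


def build_correlation_rule(rule_id: int, name: str, description: str, event_type: str,
                           rule_uuid: uuid.UUID, revision_uuid: uuid.UUID, trailing: bytes = b"") -> bytes:
    """Encode the same layout, used here only to construct a sample message offline."""
    def ls(s: str) -> bytes:
        b = s.encode("utf-8")
        return struct.pack(">I", len(b)) + b
    body = (struct.pack(">I", rule_id) + ls(name) + ls(description) + ls(event_type)
            + rule_uuid.bytes + revision_uuid.bytes + trailing)
    record = struct.pack(">II", RECORD_TYPE_CORRELATION_RULE, len(body)) + body
    return struct.pack(">HHI", HEADER_VERSION, MSG_TYPE_EVENT_DATA, len(record)) + record


# Constructed sample (not a capture): rule name, description and UUIDs are made up.
SAMPLE_RULE_UUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_REV_UUID = uuid.UUID("87654321-4321-8765-4321-876543218765")
SAMPLE_MESSAGE = build_correlation_rule(
    7, "Outbound SSH from server VLAN", "Fires on connection events to tcp/22",
    "connection", SAMPLE_RULE_UUID, SAMPLE_REV_UUID)


def sample_record() -> CorrelationRuleRecord:
    return parse_correlation_rule(SAMPLE_MESSAGE)


def tampered_message() -> bytes:
    """SAMPLE_MESSAGE with Name Length overwritten to 0x7FFFFFFF, as a hostile peer might send."""
    off = 16 + 4  # Name Length sits after the record header and the 4-byte Correlation Rule ID
    return SAMPLE_MESSAGE[:off] + struct.pack(">I", 0x7FFFFFFF) + SAMPLE_MESSAGE[off + 4:]


def is_rejected(msg: bytes) -> bool:
    """True if the parser refuses msg with RecordError instead of reading out of bounds."""
    try:
        parse_correlation_rule(msg)
    except RecordError:
        return True
    return False


if __name__ == "__main__":
    r = sample_record()
    print(r.rule_id, r.name, r.rule_uuid)
    print("oversized Name Length rejected:", is_rejected(tampered_message()))
```

`is_rejected(tampered_message())` is the check worth keeping in a client's test suite: the message header and both length fields are internally consistent, so only the per-field bound in `_Cursor.take()` catches the bad Name Length. A truncated message (`SAMPLE_MESSAGE[:-3]`) is caught earlier, by the Message Length check.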