Cisco Firepower Management Center 2000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
89
Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Chapter 3
Intrusion Event Extra Data Record
The eStreamer service transmits the event extra data associated with an intrusion
event in the Intrusion Event Extra Data record. The record type is always 110.
The event extra data appears in an encapsulated Event Extra Data data block,
which always has a data block type value of 4. (The Event Extra Data data block is
a series 2 data block. For more information about series 2 data blocks, see
The supported types of extra data include IPv6 source and destination addresses,
as well as the originating IP addresses (v4 or v6) of clients connecting to a web
server through an HTTP proxy or load balancer. The graphic below shows the
format of the Intrusion Event Extra Data record.
If bit 27 is set in the Request Flags field of the request message, you receive the
event extra data for each intrusion event. If you set bit 20, you also receive the
event extra data metadata described in
page 91. If you enable bit 23, eStreamer will include the extended event header.
See
on page 30 for information on setting request flags.
Correlation Rule Record Fields (Continued)

Field            Data Type   Description
Revision UUID    uint8[16]   A correlation rule revision ID number that acts as a unique identifier for the correlation rule revision.
Whitelist UUID   uint8[16]   A correlation ID number that acts as a unique identifier for the event sent as a result of a whitelist violation.
Byte  |        0        |        1        |        2        |        3        |
Bit   | 0 1 2 3 4 5 6 7 | 8 9 10 ..... 15 | 16 17 ...... 23 | 24 25 ...... 31 |
+-----------------------------------+-----------------------------------+
| Header Version (1)                | Message Type (4)                  |
+-----------------------------------+-----------------------------------+
| Message Length                                                        |
+-----------------------------------------------------------------------+
| Record Type (110)                                                     |
+-----------------------------------------------------------------------+
| Record Length                                                         |
+-----------------------------------------------------------------------+
| eStreamer Server Timestamp (in events, only if bit 23 is set)         |
+-----------------------------------------------------------------------+
| Reserved for Future Use (in events, only if bit 23 is set)            |
+-----------------------------------------------------------------------+
| Event Extra Data Data Block Type (4)                                  |
+-----------------------------------------------------------------------+
| Event Extra Data Data Block Length                                    |
+-----------------------------------------------------------------------+
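The following is an added example, not code from the guide or from Cisco: a defensive Python parser for the header layout shown in the figure, which checks record type 110 and data block type 4, consumes the extended event header only when bit 23 was requested, and validates every length before slicing. It assumes that the Message Length excludes the 8-byte message header and that the data block length includes its own type and length fields; the field names and the sample timestamp are constructed for the example, and the Event Extra Data payload itself is left opaque because its layout is not shown on this page.

```python
import struct

# Request Flags bits named on this page; bit numbering from the least significant
# bit is an assumption of this example, not something the page states.
FLAG_EXTRA_DATA_METADATA = 1 << 20   # also send the event extra data metadata
FLAG_EXTENDED_HEADER = 1 << 23       # include timestamp + reserved in each event
FLAG_INTRUSION_EXTRA_DATA = 1 << 27  # send extra data for each intrusion event
RECORD_TYPE_EXTRA_DATA = 110         # record type, fixed by the page
BLOCK_TYPE_EVENT_EXTRA_DATA = 4      # series 2 data block type, fixed by the page


def build_sample_record(payload: bytes, extended_header: bool) -> bytes:
    """Constructed sample: wrap an opaque Event Extra Data payload in the layout from
    the figure (assumes block length counts its own 8-byte header, message length
    excludes the 8-byte message header; the timestamp value is made up)."""
    block = struct.pack("!II", BLOCK_TYPE_EVENT_EXTRA_DATA, 8 + len(payload)) + payload
    body = (struct.pack("!II", 0x5F000001, 0) if extended_header else b"") + block
    record = struct.pack("!II", RECORD_TYPE_EXTRA_DATA, len(body)) + body
    return struct.pack("!HHI", 1, 4, len(record)) + record


def parse_extra_data_record(msg: bytes, extended_header: bool) -> dict:
    """Parse the headers preceding the Event Extra Data block and return the opaque
    payload; every length is checked first so bad input raises ValueError."""
    if len(msg) < 16:
        raise ValueError("shorter than message header + record header")
    hdr_version, msg_type, msg_len = struct.unpack_from("!HHI", msg, 0)
    if hdr_version != 1 or msg_type != 4:
        raise ValueError(f"unexpected header version/message type {hdr_version}/{msg_type}")
    if msg_len != len(msg) - 8:  # assumption: message length excludes its own header
        raise ValueError("message length does not match bytes received")
    rec_type, rec_len = struct.unpack_from("!II", msg, 8)
    if rec_type != RECORD_TYPE_EXTRA_DATA:
        raise ValueError(f"record type {rec_type} is not Intrusion Event Extra Data")
    off, timestamp, reserved = 16, None, None
    if extended_header:  # present only when bit 23 was set in the request
        if len(msg) < off + 8:
            raise ValueError("truncated extended event header")
        timestamp, reserved = struct.unpack_from("!II", msg, off)
        off += 8
    if len(msg) < off + 8:
        raise ValueError("truncated data block header")
    blk_type, blk_len = struct.unpack_from("!II", msg, off)
    if blk_type != BLOCK_TYPE_EVENT_EXTRA_DATA:
        raise ValueError(f"data block type {blk_type} is not Event Extra Data (4)")
    if blk_len < 8 or off + blk_len > len(msg):  # assumption: length includes type+length
        raise ValueError("data block length out of range")
    return {"record_length": rec_len, "timestamp": timestamp, "reserved": reserved,
            "payload": msg[off + 8:off + blk_len]}
```

A client that did not set bit 23 must call the parser with extended_header=False, otherwise the first eight bytes of the data block would be misread as the timestamp and reserved fields.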