Cisco Firepower Management Center 2000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Chapter 3
Intrusion Event Extra Data Metadata
The eStreamer service transmits the event extra data metadata associated with
intrusion event extra data records in the Intrusion Event Extra Data Metadata
record. The record type is always 111.
The event extra data metadata appears in an encapsulated Event Extra Data
Metadata data block, which always has a data block type value of 5. The Event
Extra Data data block is a series 2 data block.
If bit 20 is set in the Request Flags field of a request message, you receive the
event extra data metadata. If you want to receive both intrusion events and event
extra data metadata, you must set bit 2 as well. See
you enable bit 23, an extended event header is included in the record.
Intrusion Event Extra Data Data Block Fields (Continued)
Field | Data Type | Description
Length | uint32 | Total number of bytes in the BLOB data block.
Extra Data | variable | The content of the extra data. The data type is indicated in the Type field.
Record layout (diagram ruled in bytes 0-3 and bits 0-31), fields in order:
Header Version (1)
Message Type (4)
Message Length
Record Type (111)
Record Length
eStreamer Server Timestamp (in events, only if bit 23 is set)
Reserved for Future Use (in events, only if bit 23 is set)
Event Extra Data Metadata Data Block Type (5)
Data Block Length
Type
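The following Python parser is an added example, not code from the Sourcefire guide. It reads the fields in the layout above up to Type and rejects messages whose fixed values (1, 4, 111, 5) or lengths do not match, including the case where the client's bit 23 setting disagrees with the message. Assumptions: "bit n" of Request Flags has the value 1 << n; Header Version and Message Type are uint16 and every other field is uint32, big-endian; Message Length counts the bytes after the 8-byte message header. The function and constant names are hypothetical and the sample message is constructed.

```python
import struct

# Request Flags bits named above (assumption: "bit n" has the value 1 << n).
FLAG_INTRUSION_EVENTS = 1 << 2
FLAG_EXTRA_DATA_METADATA = 1 << 20
FLAG_EXTENDED_HEADER = 1 << 23

class RecordError(ValueError):
    """Buffer is not a well-formed record type 111 message."""

def parse_extra_data_metadata(buf, request_flags):
    """Parse the fields shown in the layout, up to and including Type.

    Assumed widths: Header Version and Message Type are uint16, every other
    field is uint32, all big-endian. Fields after Type are left unparsed.
    """
    extended = bool(request_flags & FLAG_EXTENDED_HEADER)
    fmt = ">HHIII" + ("II" if extended else "") + "III"
    need = struct.calcsize(fmt)
    if len(buf) < need:
        raise RecordError(f"truncated: need {need} bytes, got {len(buf)}")
    f = struct.unpack_from(fmt, buf)
    version, msg_type, msg_len, rec_type, rec_len = f[:5]
    block_type, block_len, type_id = f[-3:]
    if (version, msg_type) != (1, 4):
        raise RecordError(f"unexpected version/message type {version}/{msg_type}")
    if rec_type != 111:
        raise RecordError(f"record type {rec_type}, expected 111")
    if block_type != 5:
        raise RecordError(f"data block type {block_type}, expected 5")
    # Assumption: Message Length counts the bytes after the 8-byte message header.
    if msg_len != len(buf) - 8:
        raise RecordError("Message Length disagrees with bytes received")
    block_start = need - 12  # offset of the Data Block Type field
    if block_len > len(buf) - block_start:
        raise RecordError("Data Block Length runs past the end of the message")
    return {"record_length": rec_len, "timestamp": f[5] if extended else None,
            "block_length": block_len, "type": type_id, "rest": buf[need:]}

def build_sample(request_flags, block_type=5):
    """Constructed test message; the 4 trailing bytes stand in for later fields."""
    ext = b""
    if request_flags & FLAG_EXTENDED_HEADER:
        ext = struct.pack(">II", 1700000000, 0)  # timestamp, reserved
    block = struct.pack(">III", block_type, 16, 7) + b"\x00" * 4
    record = struct.pack(">II", 111, len(block)) + ext + block
    return struct.pack(">HHI", 1, 4, len(record)) + record
```

Parsing with the same Request Flags value that was sent in the request matters: a message carrying the extended header, parsed as if bit 23 were clear, fails the data block type check instead of yielding shifted fields.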