Cisco Firepower Management Center 4000 Developer Guide
3-57
FireSIGHT eStreamer Integration Guide
Chapter 3 Understanding Intrusion and Correlation Data Structures
Understanding Series 2 Data Blocks
[Figure: structure of the IP Reputation Category data block, drawn as 32-bit rows (Byte 0 to 3, Bit 0 to 31). Surviving row labels: String Block Type (0), String Block Length, Category Name...]

The following table describes the fields in the IP Reputation Category Data Block.

Table 3-36 IP Reputation Category Data Block Fields

| Field | Data Type | Description |
|---|---|---|
| IP Reputation Category Data Block Type | uint32 | Initiates an IP Reputation Category data block. This value is always 22. |
| IP Reputation Category Data Block Length | uint32 | Total number of bytes in the IP Reputation Category data block, including eight bytes for the IP Reputation Category data block type and length fields, plus the number of bytes of data that follows. |
| Rule ID | uint32 | Internal identifier for the rule that triggered the event. |
| Policy UUID | uint8[16] | UUID of the policy that triggered the event. |
| String Block Type | uint32 | Initiates a String data block containing the description of the IP Reputation Category. This value is always 0. |
| String Block Length | uint32 | The number of bytes included in the Category Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Category Name field. |
| Category Name | string | Name of the category for the rule. |

File Event for 5.3.1+

The file event contains information on files that are sent over the network. This includes the connection information, whether the file is malware, and specific information to identify the file. The file event has a block type of 43 in the series 2 group of blocks. It supersedes block type 38. A security context field has been added.

You request file event records by setting the file event flag—bit 30 in the Request Flags field—in the request message with an event version of 4 and an event code of 111. See . If you enable bit 23, an extended event header is included in the record.

The following graphic shows the structure of the File Event data block.
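The following parser is an added example for the IP Reputation Category data block described in Table 3-36; it is not code from the Cisco guide or from any Cisco SDK. It assumes network byte order (big-endian) for the uint32 fields and UTF-8 for the Category Name, neither of which this page states. The point of the example is defensive: every length field (the outer block length and the inner String block length) is checked against the data actually available before any byte is read, so a truncated or inconsistent block raises an error instead of over-reading the buffer. The sample block and the UUID are constructed values, not taken from a real eStreamer capture.

```python
"""Parser for the eStreamer IP Reputation Category data block (series 2, type 22).

Field layout follows Table 3-36. Assumptions (not stated on this page):
multi-byte integers are in network byte order, and Category Name is UTF-8.
"""
import struct
import uuid

IP_REP_CATEGORY_BLOCK_TYPE = 22  # Table 3-36: block type is always 22
STRING_BLOCK_TYPE = 0            # Table 3-36: String data block type is always 0
BLOCK_HEADER_LEN = 8             # uint32 block type + uint32 block length
FIXED_FIELDS_LEN = 4 + 16        # Rule ID (uint32) + Policy UUID (uint8[16])
MIN_BLOCK_LEN = BLOCK_HEADER_LEN + FIXED_FIELDS_LEN + BLOCK_HEADER_LEN


class BlockFormatError(ValueError):
    """Raised when a block is truncated, mis-typed or has inconsistent lengths."""


def _read_block_header(buf, offset, limit):
    """Read a (type, length) header and check the declared length fits in buf[offset:limit]."""
    if offset + BLOCK_HEADER_LEN > limit:
        raise BlockFormatError("truncated block header at offset %d" % offset)
    block_type, block_len = struct.unpack_from("!II", buf, offset)
    if block_len < BLOCK_HEADER_LEN:
        raise BlockFormatError("block length %d is smaller than its own header" % block_len)
    if offset + block_len > limit:
        raise BlockFormatError("block length %d overruns the enclosing data" % block_len)
    return block_type, block_len


def parse_string_block(buf, offset, limit):
    """Parse a String data block (type 0). Returns (text, offset just after the block)."""
    block_type, block_len = _read_block_header(buf, offset, limit)
    if block_type != STRING_BLOCK_TYPE:
        raise BlockFormatError("expected String block type 0, got %d" % block_type)
    text = bytes(buf[offset + BLOCK_HEADER_LEN:offset + block_len]).decode("utf-8")
    return text, offset + block_len


def parse_ip_reputation_category_block(buf, offset=0):
    """Parse one IP Reputation Category data block starting at buf[offset].

    Returns a dict with rule_id, policy_uuid, category_name and next_offset
    (the offset of the first byte after the block).
    """
    block_type, block_len = _read_block_header(buf, offset, len(buf))
    if block_type != IP_REP_CATEGORY_BLOCK_TYPE:
        raise BlockFormatError("expected block type 22, got %d" % block_type)
    if block_len < MIN_BLOCK_LEN:
        raise BlockFormatError("block length %d too small for the fixed fields" % block_len)
    end = offset + block_len
    pos = offset + BLOCK_HEADER_LEN
    (rule_id,) = struct.unpack_from("!I", buf, pos)
    pos += 4
    policy_uuid = uuid.UUID(bytes=bytes(buf[pos:pos + 16]))
    pos += 16
    # The inner String block must lie entirely inside the outer block's declared length.
    category_name, pos = parse_string_block(buf, pos, end)
    if pos != end:
        raise BlockFormatError("%d unexpected trailing bytes in block" % (end - pos))
    return {"rule_id": rule_id, "policy_uuid": policy_uuid,
            "category_name": category_name, "next_offset": end}


def build_ip_reputation_category_block(rule_id, policy_uuid, category_name):
    """Encode a block with the Table 3-36 layout; used here only to construct sample input."""
    name_bytes = category_name.encode("utf-8")
    string_block = struct.pack("!II", STRING_BLOCK_TYPE,
                               BLOCK_HEADER_LEN + len(name_bytes)) + name_bytes
    body = struct.pack("!I", rule_id) + policy_uuid.bytes + string_block
    return struct.pack("!II", IP_REP_CATEGORY_BLOCK_TYPE, BLOCK_HEADER_LEN + len(body)) + body


def corrupt_string_length(block):
    """Return a copy of block whose inner String block length is inflated by 100 bytes."""
    off = BLOCK_HEADER_LEN + FIXED_FIELDS_LEN + 4   # offset of the String block length field
    (length,) = struct.unpack_from("!I", block, off)
    return block[:off] + struct.pack("!I", length + 100) + block[off + 4:]


# Constructed sample values (hypothetical rule ID and policy UUID, not from a real system).
SAMPLE_RULE_ID = 1001
SAMPLE_POLICY_UUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_BLOCK = build_ip_reputation_category_block(SAMPLE_RULE_ID, SAMPLE_POLICY_UUID, "Malware")

if __name__ == "__main__":
    print(parse_ip_reputation_category_block(SAMPLE_BLOCK))
```

Passing `end` (the outer block's declared end) as the limit when parsing the inner String block is what makes an inflated String Block Length fail closed: the inner length can never be trusted to reach beyond the bytes the outer length already vouched for, and the trailing-bytes check catches the opposite inconsistency, an inner length shorter than the outer block implies.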