Cisco Firepower Management Center 4000 Developer Guide
FireSIGHT eStreamer Integration Guide
Chapter 2 Understanding the eStreamer Application Protocol
Understanding eStreamer Communication Stages
There are four major stages of communication that occur between a client and the eStreamer service:
1. The client establishes a connection with the eStreamer server and the connection is authenticated by
both parties.
See
for more information.
2. The client requests data from the eStreamer service and specifies the types of data to be streamed.
A single event request message can specify any combination of available event data, including event
metadata. A single host profile request can specify a single host or multiple hosts.
Two request modes are available for requesting event data:
– Event Stream Request - the client submits a message containing request flags that specify the
requested event types and version of each type, and the eStreamer server responds by streaming
the requested data.
– Extended Request - the client submits a request with the same message format as for Event
Stream requests but sets a flag for an extended request. This initiates a message interaction
between client and eStreamer server through which the client requests additional information
and version combinations not available via Event Stream requests.
For information on requesting data, see
3. eStreamer establishes the requested data stream to the client.
See
for more information.
4. The connection terminates.
See
for more information.
Establishing an Authenticated Connection
Before a client can request data from eStreamer, the client must initiate an SSL-enabled TCP connection
with the eStreamer service. When the client initiates the connection, the eStreamer server responds,
initiating an SSL handshake with the client. As part of the SSL handshake, the eStreamer server requests
the client’s authentication certificate, and verifies that the certificate is valid (signed by the Internal
Certifying Authority [Internal CA] on the eStreamer server).
Note
Cisco recommends that you also require your client to verify that the certificate presented by the
eStreamer server has been signed by a trusted Certifying Authority. This is the Internal CA certificate
included in the PKCS#12 file that Cisco provides when you register a new eStreamer client with the
Defense Center or managed device. See
for more information.
After the SSL session is established, the eStreamer server performs an additional post-connection
verification of the certificate. This includes verifying that the client connection originates from the host
specified in the certificate and that the subject name of the certificate contains the appropriate value. If
either post-connection check fails, the eStreamer server closes the connection. If necessary, you can
configure the eStreamer service so that it does not perform a client host name check (see
for more information).
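The client side of the connection described above, as an added example that is not from the Cisco guide or its reference client: a Python TLS context that presents the client certificate and trusts only the Internal CA when validating the eStreamer server, plus a heuristic that maps a failure to the check that most plausibly rejected the connection. It assumes the client certificate, private key and Internal CA certificate have already been exported from the PKCS#12 file to PEM files; all function names and return codes are hypothetical.

```python
import socket
import ssl


def build_client_context(ca_file=None, cert_file=None, key_file=None,
                         check_hostname=True):
    """TLS policy for an eStreamer client: present the client certificate
    and accept only a server certificate signed by the Internal CA."""
    # PROTOCOL_TLS_CLIENT starts with an empty trust store (no system CAs).
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: server offers TLS 1.2+
    ctx.verify_mode = ssl.CERT_REQUIRED           # never accept an unverified server
    # Assumption: the server certificate names the host you dial. The page only
    # asks for the CA-signature check, so pass False if the names differ.
    ctx.check_hostname = check_hostname
    if ca_file:    # Internal CA PEM; without it every handshake fails closed
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:  # client certificate the server checks against its Internal CA
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def open_session(host, port, ctx, timeout=10.0):
    """Open the SSL-enabled TCP connection; raises if the handshake fails."""
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise


def classify_failure(exc):
    """Heuristic: which check described on this page most plausibly failed."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "server_cert_untrusted"   # not signed by the Internal CA, or name mismatch
    if isinstance(exc, ssl.SSLError):
        return "handshake_rejected"      # e.g. server refused the client certificate
    if isinstance(exc, (ConnectionResetError, BrokenPipeError, EOFError)):
        return "closed_after_handshake"  # e.g. a post-connection certificate check failed
    return "network_error"               # TCP-level problem before TLS started
```

A `closed_after_handshake` result right after a successful handshake is the pattern to expect when the server's post-connection host or subject-name check fails, since the page states the server closes the connection in that case.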