B-17
FireSIGHT eStreamer Integration Guide
Appendix B Understanding Legacy Data Structures
Legacy Intrusion Data Structures
Intrusion Event Record 5.3
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 41 in the series 2 set of data blocks.
You can request 5.3 intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 6 in the Stream Request message (see the section on submitting extended requests for information about how to submit them).
Table B-3 Intrusion Event Record 5.2.x Fields (continued)

Field                        Data Type   Description
MPLS Label                   uint32      MPLS label.
VLAN ID                      uint16      Indicates the ID of the VLAN where the packet originated.
Pad                          uint16      Reserved for future use.
Policy UUID                  uint8[16]   A policy ID number that acts as a unique identifier for the intrusion policy.
User ID                      uint32      The internal identification number for the user, if applicable.
Web Application ID           uint32      The internal identification number for the web application, if applicable.
Client Application ID        uint32      The internal identification number for the client application, if applicable.
Application Protocol ID      uint32      The internal identification number for the application protocol, if applicable.
Access Control Rule ID       uint32      A rule ID number that acts as a unique identifier for the access control rule.
Access Control Policy UUID   uint8[16]   A policy ID number that acts as a unique identifier for the access control policy.
Ingress Interface UUID       uint8[16]   An interface ID number that acts as a unique identifier for the ingress interface.
Egress Interface UUID        uint8[16]   An interface ID number that acts as a unique identifier for the egress interface.
Ingress Security Zone UUID   uint8[16]   A zone ID number that acts as a unique identifier for the ingress security zone.
Egress Security Zone UUID    uint8[16]   A zone ID number that acts as a unique identifier for the egress security zone.
Connection Timestamp         uint32      UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.
Connection Instance ID       uint16      Numerical ID of the Snort instance on the managed device that generated the connection event.
Connection Counter           uint16      Value used to distinguish between connection events that happen during the same second.
Source Country               uint16      Code for the country of the source host.
Destination Country          uint16      Code for the country of the destination host.
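The fields in the table above form a fixed-size run of 136 bytes, so an eStreamer client can decode them with one struct layout and then use the three connection fields to find the connection event the intrusion event belongs to. The Python below is an added example, not code from the eStreamer guide or from any Cisco SDK. It assumes network (big-endian) byte order for every field and that each uint8[16] is a raw 16-byte UUID; the function and field names are mine, and the sample record (its UUIDs, IDs, timestamp and country codes) is constructed for the example, not data taken from the page.

```python
import struct
import uuid
from datetime import datetime, timezone

# Fields listed on this page, in wire order, from MPLS Label through
# Destination Country. Big-endian byte order is an assumption of this example.
TAIL_FIELDS = (
    ("mpls_label", "I"),
    ("vlan_id", "H"),
    ("pad", "H"),                          # reserved, expected to be 0
    ("policy_uuid", "16s"),
    ("user_id", "I"),
    ("web_application_id", "I"),
    ("client_application_id", "I"),
    ("application_protocol_id", "I"),
    ("access_control_rule_id", "I"),
    ("access_control_policy_uuid", "16s"),
    ("ingress_interface_uuid", "16s"),
    ("egress_interface_uuid", "16s"),
    ("ingress_security_zone_uuid", "16s"),
    ("egress_security_zone_uuid", "16s"),
    ("connection_timestamp", "I"),         # UNIX seconds
    ("connection_instance_id", "H"),       # Snort instance on the device
    ("connection_counter", "H"),           # tie-breaker within one second
    ("source_country", "H"),
    ("destination_country", "H"),
)
TAIL_STRUCT = struct.Struct(">" + "".join(fmt for _, fmt in TAIL_FIELDS))
TAIL_SIZE = TAIL_STRUCT.size  # 136 bytes


def parse_tail(data: bytes, offset: int = 0) -> dict:
    """Decode the fields above from data[offset:].

    A short buffer raises ValueError instead of unpacking garbage, so a
    truncated or mis-aligned block is rejected rather than mis-attributed.
    """
    if len(data) - offset < TAIL_SIZE:
        raise ValueError(f"need {TAIL_SIZE} bytes, have {len(data) - offset}")
    values = TAIL_STRUCT.unpack_from(data, offset)
    rec = {}
    for (name, fmt), value in zip(TAIL_FIELDS, values):
        # Render raw 16-byte UUIDs in canonical text form; leave integers as-is.
        rec[name] = str(uuid.UUID(bytes=value)) if fmt == "16s" else value
    return rec


def pack_tail(rec: dict) -> bytes:
    """Inverse of parse_tail, used here to build test input offline."""
    values = [uuid.UUID(rec[n]).bytes if f == "16s" else rec[n]
              for n, f in TAIL_FIELDS]
    return TAIL_STRUCT.pack(*values)


def connection_key(rec: dict) -> tuple:
    """Key that selects the associated connection event on the same managed
    device: timestamp plus instance ID, with the counter separating
    connections logged in the same second (see the field descriptions)."""
    return (rec["connection_timestamp"],
            rec["connection_instance_id"],
            rec["connection_counter"])


def connection_time(rec: dict) -> datetime:
    """Connection Timestamp as an aware UTC datetime."""
    return datetime.fromtimestamp(rec["connection_timestamp"], tz=timezone.utc)


# Constructed sample record (values invented for this example).
SAMPLE_RECORD = {
    "mpls_label": 0,
    "vlan_id": 100,
    "pad": 0,
    "policy_uuid": "3b6e0a3c-1f2d-4e5a-9b8c-7d6e5f4a3b2c",
    "user_id": 42,
    "web_application_id": 0,
    "client_application_id": 638,
    "application_protocol_id": 676,
    "access_control_rule_id": 17,
    "access_control_policy_uuid": "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d",
    "ingress_interface_uuid": "11111111-2222-4333-8444-555555555555",
    "egress_interface_uuid": "66666666-7777-4888-9999-aaaaaaaaaaaa",
    "ingress_security_zone_uuid": "bbbbbbbb-cccc-4ddd-8eee-ffffffffffff",
    "egress_security_zone_uuid": "01234567-89ab-4cde-8f01-23456789abcd",
    "connection_timestamp": 1400000000,
    "connection_instance_id": 2,
    "connection_counter": 7,
    "source_country": 840,
    "destination_country": 276,
}

if __name__ == "__main__":
    wire = pack_tail(SAMPLE_RECORD)
    decoded = parse_tail(wire)
    print(len(wire), "bytes; connection key", connection_key(decoded),
          "at", connection_time(decoded).isoformat())
```

In a real consumer the offset passed to parse_tail is wherever the preceding fields of the block end, which this portion of the table does not show; the length check is what keeps a short or misaligned block from being decoded into plausible-looking but wrong IDs and UUIDs.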