Cisco Firepower Management Center 4000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Chapter 3
on page 30.) Note that the record type field, which appears after the message length field, has a value of 129, indicating a malware event subtype record.

The table describes the fields in the malware event subtype record.

Byte        0               1               2               3
Bit         0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
            Header Version (1)              | Message Type (4)
            Message Length
            Record Type (129)
            Record Length
            Malware Event Subtype ID
            Malware Event Subtype Length
            Malware Event Subtype...

Malware Event Subtype Record Fields

Field                          Data Type   Description
Malware Event Subtype ID       uint32      The malware event subtype ID number.
Malware Event Subtype Length   uint32      The number of bytes included in the malware event subtype.
Malware Event Subtype          string      The malware event subtype.

FireAMP Detector Type Metadata

The eStreamer service transmits metadata containing FireAMP detector type information for an event within a FireAMP Detector Type record, the format of which is shown below. (FireAMP detector type information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request
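As an added example (not code from this guide or from the Sourcefire eStreamer SDK), a Python parser for the Malware Event Subtype record (record type 129) whose layout and field table appear above; it checks every length field against the bytes actually received before slicing, so a truncated or malformed message is rejected instead of silently mis-parsed. It assumes the standard eStreamer conventions the page does not restate: network byte order, an 8-byte header of uint16 header version, uint16 message type and uint32 message length, with the message length counting the bytes after the header and the record length counting the bytes after the record length field; the sample message at the end is constructed, not captured.

```python
import struct

# Assumed eStreamer conventions: network byte order; the 8-byte header is
# uint16 header version, uint16 message type, uint32 message length.
ESTREAMER_HEADER = struct.Struct("!HHI")
RECORD_HEADER = struct.Struct("!II")        # record type, record length
SUBTYPE_PREFIX = struct.Struct("!II")       # subtype ID, subtype length
MALWARE_EVENT_SUBTYPE_RECORD = 129          # record type value from the layout above

class EStreamerFormatError(ValueError):
    """A length or type field disagrees with the bytes actually received."""

def parse_malware_event_subtype(message: bytes) -> tuple[int, str]:
    """Parse one complete eStreamer message carrying a record type 129 and return (subtype ID, subtype)."""
    if len(message) < ESTREAMER_HEADER.size:
        raise EStreamerFormatError("message shorter than the eStreamer header")
    version, msg_type, msg_len = ESTREAMER_HEADER.unpack_from(message, 0)
    if version != 1 or msg_type != 4:
        raise EStreamerFormatError(f"unexpected header version {version}, message type {msg_type}")
    body = message[ESTREAMER_HEADER.size:]
    # Assumption: message length counts the bytes that follow the 8-byte header.
    if msg_len != len(body) or len(body) < RECORD_HEADER.size:
        raise EStreamerFormatError(f"message length {msg_len} vs {len(body)} bytes received")
    rec_type, rec_len = RECORD_HEADER.unpack_from(body, 0)
    if rec_type != MALWARE_EVENT_SUBTYPE_RECORD:
        raise EStreamerFormatError(f"record type {rec_type} is not a malware event subtype record")
    record = body[RECORD_HEADER.size:]
    # Assumption: record length counts the bytes after the record length field.
    if rec_len != len(record) or len(record) < SUBTYPE_PREFIX.size:
        raise EStreamerFormatError(f"record length {rec_len} vs {len(record)} bytes received")
    subtype_id, subtype_len = SUBTYPE_PREFIX.unpack_from(record, 0)
    name = record[SUBTYPE_PREFIX.size:SUBTYPE_PREFIX.size + subtype_len]
    # A subtype length larger than the record would silently truncate the slice: reject it.
    if len(name) != subtype_len:
        raise EStreamerFormatError(f"subtype length {subtype_len} exceeds the {len(name)} bytes left")
    return subtype_id, name.decode("utf-8")

def build_malware_event_subtype(subtype_id: int, subtype: str) -> bytes:
    """Encode a record type 129 message with the same layout, for offline testing."""
    name = subtype.encode("utf-8")
    record = SUBTYPE_PREFIX.pack(subtype_id, len(name)) + name
    body = RECORD_HEADER.pack(MALWARE_EVENT_SUBTYPE_RECORD, len(record)) + record
    return ESTREAMER_HEADER.pack(1, 4, len(body)) + body

# Constructed sample message, not a capture from a real eStreamer session.
SAMPLE_MESSAGE = build_malware_event_subtype(3, "Threat Detected")
```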