Cisco Firepower Management Center 2000 Developer Guide
A-5
FireSIGHT eStreamer Integration Guide
Appendix A Data Structure Examples
Intrusion Event Data Structure Examples
Number  Description

19  This line indicates that the destination IP address is 61.55.184.10. Note that this field can contain either IPv4 or IPv6 addresses.

20  The first two bytes in this line indicate that the source port number is 65268, and the second two bytes indicate that the destination port number is 53.

21  The first byte in this line indicates that UDP (17) is the protocol used in the event. The second byte is the impact flag, which indicates that the event is red (vulnerable) since the second bit is 1; that the event caused the managed device to drop the session; that the source or destination host is potentially compromised; and that there is a vulnerability mapped to the client. The third byte in this line indicates that either the source or destination host is monitored by the system and is in the network map, indicating a priority 1 event (red). The last byte indicates that the event was blocked.

22  This line contains the MPLS label, if present.

23  The first two bytes in this line indicate that the VLAN ID is 2. The last two bytes are reserved and set to 0.

24  This line contains the unique ID number for the intrusion policy.

25  This line contains the internal identification number for the user. Since there is no applicable user, it is all zeros.

26  This line contains the internal identification number for the web application. Since there is no web application, it is all zeros.

27  This line contains the internal identification number for the client application, which is 2000000617.

28  This line contains the internal identification number for the application protocol, which is 617.

29  This line contains the unique identifier for the access control rule, which is 1.

30  This line contains the unique identifier for the access control policy.

31  This line contains the unique identifier for the ingress interface.

32  This line contains the unique identifier for the egress interface. Since this event was blocked, there is no egress interface and the field is populated with zeros.

33  This line contains the unique identifier for the ingress security zone.

34  This line contains the unique identifier for the egress security zone. Since this event was blocked, there is no egress interface and the field is populated with zeros.

35  This line contains the Unix timestamp of the connection event associated with the intrusion event.

36  The first two bytes in this line indicate the numerical ID of the Snort instance on the managed device that generated the connection event. The remaining two bytes indicate the value used to distinguish between connection events that happen during the same second.

37  The first two bytes in this line indicate the code for the country of the source host. The remaining two bytes indicate the code for the country of the destination host.

38  This line indicates the ID number of the compromise associated with this event, if any.
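To show how the packed four-byte lines above (20, 21, 23, 36 and 37) decode into their sub-fields, here is an added Python example that is not part of the guide or of eStreamer itself. It assumes network (big-endian) byte order and reads the impact flag's "second bit" as bit value 0x02; the sample words it builds reuse the guide's quoted values where the guide gives them and made-up placeholders elsewhere.

```python
import struct

# The guide says line 21's impact flag marks the event "red (vulnerable)" because its
# second bit is 1; taking "second bit" as value 0x02 (from the LSB) is an assumption.
IMPACT_VULNERABLE = 0x02

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers


def parse_ports(word: bytes) -> dict:
    """Line 20: source port (2 bytes) then destination port (2 bytes), big-endian."""
    src, dst = struct.unpack("!HH", word)
    return {"src_port": src, "dst_port": dst}


def parse_protocol_and_impact(word: bytes) -> dict:
    """Line 21: protocol, impact flag, priority and blocked, one byte each."""
    proto, impact_flag, priority, blocked = struct.unpack("!BBBB", word)
    return {
        "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
        "impact_flag": impact_flag,
        "vulnerable": bool(impact_flag & IMPACT_VULNERABLE),
        "priority": priority,  # 1 = red in the guide's example
        "blocked": blocked == 1,
    }


def parse_vlan(word: bytes) -> dict:
    """Line 23: VLAN ID (2 bytes) followed by 2 reserved bytes that must be zero."""
    vlan_id, reserved = struct.unpack("!HH", word)
    if reserved != 0:
        raise ValueError(f"reserved bytes of the VLAN line are {reserved:#06x}, expected 0")
    return {"vlan_id": vlan_id}


def parse_instance_and_counter(word: bytes) -> dict:
    """Line 36: Snort instance ID (2 bytes) and same-second event counter (2 bytes)."""
    instance_id, counter = struct.unpack("!HH", word)
    return {"snort_instance": instance_id, "same_second_counter": counter}


def parse_country_codes(word: bytes) -> dict:
    """Line 37: country code of the source host (2 bytes), then of the destination host."""
    src_cc, dst_cc = struct.unpack("!HH", word)
    return {"src_country": src_cc, "dst_country": dst_cc}


# Constructed sample words: ports 65268/53, protocol 17, priority 1, blocked 1 and VLAN 2
# are the guide's values; impact flag, instance ID, counter and country codes are made up.
SAMPLE_LINE_20 = struct.pack("!HH", 65268, 53)
SAMPLE_LINE_21 = bytes([17, 0x02, 1, 1])
SAMPLE_LINE_23 = struct.pack("!HH", 2, 0)
SAMPLE_LINE_36 = struct.pack("!HH", 3, 7)
SAMPLE_LINE_37 = struct.pack("!HH", 840, 156)
```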