Cisco Firepower Management Center 2000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
163
Understanding Intrusion and Correlation Data Structures
IOC Name Data Block for 5.3+
Chapter 3
IOC Name Data Block Fields (Continued)

Field: String Block Length
Data Type: uint32
Description: The number of bytes included in the name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Type field.

Field: Event Type
Data Type: string
Description: The event type for the compromise. Possible values include:
• Adobe Reader launched shell
• Dropper Infection Detected by FireAMP
• Excel Compromise Detected by FireAMP
• Excel launched shell
• Impact 1 Intrusion Event—attempted-admin
• Impact 1 Intrusion Event—attempted-user
• Impact 1 Intrusion Event—successful-admin
• Impact 1 Intrusion Event—successful-user
• Impact 1 Intrusion Event—web-application-attack
• Impact 2 Intrusion Event—attempted-admin
• Impact 2 Intrusion Event—attempted-user
• Impact 2 Intrusion Event—successful-admin
• Impact 2 Intrusion Event—successful-user
• Impact 2 Intrusion Event—web-application-attack
• Intrusion Event—exploit-kit
• Intrusion Event—malware-backdoor
• Intrusion Event—malware-CnC
• Java Compromise Detected by FireAMP
• Java launched shell
• PDF Compromise Detected by FireAMP
• PowerPoint Compromise Detected by FireAMP
• PowerPoint launched shell
• QuickTime Compromise Detected by FireAMP
• QuickTime launched shell
• Security Intelligence Event—CnC
• Suspected Botnet Detected by FireAMP
• Threat Detected by FireAMP—Subtype is 'executed'
• Threat Detected by FireAMP—Subtype is not 'executed'
• Threat Detected in File Transfer—Action is not 'block'
• Word Compromise Detected by FireAMP
• Word launched shell
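The String Block Length rule above (eight header bytes plus the string bytes) is what a client must validate before trusting the Event Type field. The following is an added example, not code from the guide or from Cisco, that parses one such string block and rejects lengths that disagree with the buffer; it assumes network byte order for the uint32 fields and a string block type value of 0, neither of which this page states.

```python
import struct

STRING_BLOCK_HEADER_LEN = 8  # block type (uint32) + block length (uint32)

# Assumed: the block type value for a String Block. This page does not give
# it, so this is a placeholder used only to build and check the sample below.
STRING_BLOCK_TYPE = 0


def parse_string_block(buf: bytes, offset: int = 0) -> tuple[str, int]:
    """Parse one String Block at `offset` of `buf`.

    Layout (big-endian assumed): uint32 block type, uint32 block length,
    then the string bytes. The block length counts the 8 header bytes plus
    the string bytes, so the string occupies exactly block length - 8 bytes.
    Returns (decoded string, offset just past the block).
    """
    if len(buf) - offset < STRING_BLOCK_HEADER_LEN:
        raise ValueError("truncated string block header")
    block_type, block_len = struct.unpack_from(">II", buf, offset)
    if block_type != STRING_BLOCK_TYPE:
        raise ValueError(f"unexpected block type {block_type}")
    # A length below the header size or beyond the buffer is malformed input;
    # checking it here prevents negative slices and over-reads downstream.
    if block_len < STRING_BLOCK_HEADER_LEN:
        raise ValueError(f"block length {block_len} smaller than header")
    end = offset + block_len
    if end > len(buf):
        raise ValueError("block length exceeds available data")
    data = buf[offset + STRING_BLOCK_HEADER_LEN:end]
    return data.decode("utf-8"), end


def build_string_block(text: str) -> bytes:
    """Encode text as a String Block; used only to construct sample input."""
    data = text.encode("utf-8")
    header = struct.pack(">II", STRING_BLOCK_TYPE, STRING_BLOCK_HEADER_LEN + len(data))
    return header + data


def event_type_from_block(buf: bytes) -> str:
    """Return the Event Type carried by a stand-alone String Block."""
    text, end = parse_string_block(buf)
    if end != len(buf):
        raise ValueError("trailing bytes after string block")
    return text


# Constructed sample: one Event Type value from the list above. Note that the
# length counts UTF-8 bytes (the dash is 3 bytes), not characters.
SAMPLE_EVENT_TYPE = "Impact 1 Intrusion Event—attempted-admin"
SAMPLE_BLOCK = build_string_block(SAMPLE_EVENT_TYPE)
```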