Cisco Firepower Management Center 4000 Developer Guide

Sourcefire 3D System eStreamer Integration Guide, Version 5.3
Chapter 3: Understanding Intrusion and Correlation Data Structures
Understanding Series 2 Data Blocks
Page 159
The IOC State Data Block Fields table describes the components of the IOC State data block.
IOC State Data Block Fields

Field                          Data Type   Description
-----------------------------  ----------  ------------------------------------------------------------
IOC State Data Block Type      uint32      Initiates an IOC State data block. This value is always 150.
IOC State Data Block Length    uint32      Total number of bytes in the IOC State data block, including eight bytes for the IOC State data block type and length fields, plus the number of bytes of data that follows.
IOC ID Number                  uint32      Unique ID number for the compromise.
Disabled                       uint8       Indicates whether the compromise has been disabled on the host: 0 — The compromise is not disabled. 1 — The compromise is disabled.
First Seen                     uint32      Unix timestamp of when this compromise was first seen.
First Event ID                 uint32      ID number of the event on which this compromise was first seen.
First Device ID                uint32      ID of the sensor which first detected the IOC.
First Instance ID              uint16      Numerical ID of the Snort instance on the managed device that first detected the compromise.
First Connection Time          uint32      Unix timestamp of the connection where this compromise was first seen.
First Counter                  uint16      Counter for the connection on which this compromise was last seen. Used to differentiate between multiple connections occurring at the same time.
Last Seen                      uint32      Unix timestamp of when this compromise was last seen.
Last Event ID                  uint32      ID number of the event on which this compromise was last seen.
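The following parser is an added example and is not code from Cisco or from the eStreamer guide. It decodes the fields of the IOC State data block exactly as the table above lists them, and it assumes the integers are in network (big-endian) byte order, as eStreamer numeric fields are; that assumption and the sample values packed by build_sample_block are constructed for illustration. The table shown on this page stops at Last Event ID, so any bytes between that field and the end of the block (as declared by the Block Length field) are kept as raw trailing data rather than guessed at. The security-relevant habit it demonstrates is validating the declared block type and length against the buffer before any unpack, so a malformed or truncated block from the feed raises an error instead of reading out of bounds or desynchronising the stream.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

# Values from the IOC State Data Block Fields table on this page.
IOC_STATE_BLOCK_TYPE = 150
HEADER_FORMAT = ">II"                          # block type, block length (big-endian, assumed)
HEADER_SIZE = struct.calcsize(HEADER_FORMAT)   # 8 bytes, as the Block Length description states

# Fields that follow the header, in table order:
# IOC ID (uint32), Disabled (uint8), First Seen (uint32), First Event ID (uint32),
# First Device ID (uint32), First Instance ID (uint16), First Connection Time (uint32),
# First Counter (uint16), Last Seen (uint32), Last Event ID (uint32)
KNOWN_FIELDS_FORMAT = ">IBIIIHIHII"
KNOWN_FIELDS_SIZE = struct.calcsize(KNOWN_FIELDS_FORMAT)  # 33 bytes
MIN_BLOCK_LENGTH = HEADER_SIZE + KNOWN_FIELDS_SIZE        # 41 bytes


@dataclass
class IocState:
    ioc_id: int
    disabled: bool
    first_seen: int
    first_event_id: int
    first_device_id: int
    first_instance_id: int
    first_connection_time: int
    first_counter: int
    last_seen: int
    last_event_id: int
    trailing: bytes  # block bytes beyond the fields documented on this page, left undecoded


def parse_ioc_state_block(buf: bytes, offset: int = 0) -> Tuple[IocState, int]:
    """Parse one IOC State data block at `offset`; return (record, offset of next block).

    Every bounds check runs before the corresponding unpack, so bad input
    raises ValueError rather than reading past the buffer.
    """
    if len(buf) - offset < HEADER_SIZE:
        raise ValueError("truncated IOC State block header")
    block_type, block_length = struct.unpack_from(HEADER_FORMAT, buf, offset)
    if block_type != IOC_STATE_BLOCK_TYPE:
        raise ValueError(f"expected block type {IOC_STATE_BLOCK_TYPE}, got {block_type}")
    if block_length < MIN_BLOCK_LENGTH:
        raise ValueError(f"block length {block_length} is shorter than the documented fields")
    if offset + block_length > len(buf):
        raise ValueError("declared block length exceeds the available data")

    fields = struct.unpack_from(KNOWN_FIELDS_FORMAT, buf, offset + HEADER_SIZE)
    if fields[1] not in (0, 1):  # Disabled is documented as exactly 0 or 1
        raise ValueError(f"Disabled must be 0 or 1, got {fields[1]}")

    end = offset + block_length
    record = IocState(
        ioc_id=fields[0],
        disabled=bool(fields[1]),
        first_seen=fields[2],
        first_event_id=fields[3],
        first_device_id=fields[4],
        first_instance_id=fields[5],
        first_connection_time=fields[6],
        first_counter=fields[7],
        last_seen=fields[8],
        last_event_id=fields[9],
        trailing=bytes(buf[offset + HEADER_SIZE + KNOWN_FIELDS_SIZE:end]),
    )
    return record, end


def build_sample_block(trailing: bytes = b"") -> bytes:
    """Constructed sample block (not captured eStreamer traffic) for exercising the parser."""
    body = struct.pack(KNOWN_FIELDS_FORMAT,
                       7,            # IOC ID Number
                       1,            # Disabled
                       1700000000,   # First Seen
                       42,           # First Event ID
                       3,            # First Device ID
                       2,            # First Instance ID
                       1699999990,   # First Connection Time
                       5,            # First Counter
                       1700003600,   # Last Seen
                       99)           # Last Event ID
    body += trailing
    return struct.pack(HEADER_FORMAT, IOC_STATE_BLOCK_TYPE, HEADER_SIZE + len(body)) + body


if __name__ == "__main__":
    # Two back-to-back blocks; the first carries 12 undocumented trailing bytes
    # that the declared length lets the parser step over.
    stream = build_sample_block(trailing=b"\x00" * 12) + build_sample_block()
    pos = 0
    while pos < len(stream):
        rec, pos = parse_ioc_state_block(stream, pos)
        print(rec)
```

Because the parser advances by the declared Block Length rather than by the size of the fields it understands, it stays aligned with the stream even when a block carries fields added after this version of the table; those bytes surface in `trailing`, where a consumer can log them instead of silently misreading the next block.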