3-12
FireSIGHT eStreamer Integration Guide
Chapter 3    Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Intrusion Impact Alert Data 5.3+
The Intrusion Impact Alert 5.3+ event contains information about impact events. It is transmitted when an intrusion event is compared to the system network map data and the impact is determined. It uses the standard record header with a record type of 9, followed by an Intrusion Impact Alert data block with a series 1 data block type of 153 in the series 1 group of blocks. (The Impact Alert data block is a type of series 1 data block. For more information about series 1 data blocks, see .)

You can request that eStreamer transmit only intrusion impact events by setting bit 5 in the Flags field of the request message. See  for more information about request messages. Version 1 of these alerts handles only IPv4. Version 2, introduced in 5.3, handles IPv6 events in addition to IPv4.
Byte    0               1               2               3
Bit     0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
        Header Version (1)                  | Message Type (4)
        Message Length
        Record Type (9)
        eStreamer Server Timestamp (in events, only if bit 23 is set)
        Reserved for Future Use (in events, only if bit 23 is set)
        Intrusion Impact Alert Block Length
        Event ID
        Device ID
        Event Second
        Impact
        Source IP Address
        Source IP Address, continued
        Source IP Address, continued
        Source IP Address, continued
        Destination IP Address
        Destination IP Address, continued
        Destination IP Address, continued
        Destination IP Address, continued
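As an added example, not code from the guide or from Cisco, the following Python parser reads the part of the record type 9 message laid out above, checking every length field against the buffer before slicing so that a truncated or inconsistent message is rejected rather than misparsed. It assumes big-endian fields, that the series 1 block begins with a 4-byte Block Type (153) ahead of the Block Length row shown above (that row is not in the table as extracted), and that Block Length counts the whole block; the sample message is constructed, not captured from a sensor.

```python
import ipaddress
import struct

HEADER_VERSION, MESSAGE_TYPE_EVENT, RECORD_TYPE_IMPACT_ALERT = 1, 4, 9
BLOCK_TYPE_IMPACT_ALERT = 153  # series 1 block type named in the text above
HEADER_LEN = 8                 # Header Version(2) + Message Type(2) + Message Length(4)

def _take(data: bytes, off: int, fmt: str):  # unpack big-endian fields, never past the end
    n = struct.calcsize(fmt)
    if off + n > len(data):
        raise ValueError(f"truncated record at offset {off}")
    return struct.unpack_from(fmt, data, off), off + n

def _ip(raw16: bytes) -> str:  # address fields are 16 bytes; IPv4 arrives IPv4-mapped
    addr = ipaddress.IPv6Address(raw16)
    return str(addr.ipv4_mapped or addr)

def parse_impact_alert(data: bytes, timestamp_requested: bool) -> dict:
    """Parse one record type 9 message; timestamp_requested mirrors request Flags bit 23."""
    (version, msg_type, msg_len), off = _take(data, 0, "!HHI")
    if (version, msg_type) != (HEADER_VERSION, MESSAGE_TYPE_EVENT):
        raise ValueError(f"unexpected header version/type {version}/{msg_type}")
    if msg_len != len(data) - HEADER_LEN:  # Message Length counts bytes after the header
        raise ValueError("Message Length disagrees with buffer size")
    (record_type,), off = _take(data, off, "!I")
    if record_type != RECORD_TYPE_IMPACT_ALERT:
        raise ValueError(f"record type {record_type} is not an impact alert")
    timestamp = None
    if timestamp_requested:  # timestamp and reserved words exist only if bit 23 was set
        (timestamp, _reserved), off = _take(data, off, "!II")
    # Assumed: the series 1 block opens with its 4-byte Block Type (153) ahead of the
    # Block Length shown on this page, and Block Length counts the whole block.
    (block_type, block_len), off = _take(data, off, "!II")
    if block_type != BLOCK_TYPE_IMPACT_ALERT or off - 8 + block_len > len(data):
        raise ValueError("bad impact alert Block Type or Block Length")
    (event_id, device_id, event_second, impact), off = _take(data, off, "!IIII")
    (src, dst), off = _take(data, off, "!16s16s")
    return {"timestamp": timestamp, "event_id": event_id, "device_id": device_id,
            "event_second": event_second, "impact": impact, "source_ip": _ip(src),
            "destination_ip": _ip(dst), "trailing": data[off:]}  # rest not on this page

def build_sample(with_timestamp: bool) -> bytes:  # constructed message, not a capture
    fields = struct.pack("!IIII", 42, 7, 1400000123, 1)        # event, device, second, impact
    fields += ipaddress.IPv6Address("::ffff:10.0.0.5").packed  # IPv4 source, mapped
    fields += ipaddress.IPv6Address("2001:db8::1").packed      # IPv6 destination
    body = struct.pack("!I", RECORD_TYPE_IMPACT_ALERT)
    body += struct.pack("!II", 1400000000, 0) if with_timestamp else b""
    body += struct.pack("!II", BLOCK_TYPE_IMPACT_ALERT, 8 + len(fields)) + fields
    return struct.pack("!HHI", HEADER_VERSION, MESSAGE_TYPE_EVENT, len(body)) + body
```

Parsing a message with the wrong value of timestamp_requested fails on the Block Type check, which is why a consumer must remember the Flags it sent in the request.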