Cisco Cisco Firepower Management Center 2000 Guia Do Programador

Version 5.3

Sourcefire 3D System eStreamer Integration Guide

140

Understanding Intrusion and Correlation Data Structures

Understanding Series 2 Data Blocks

Chapter 3

Malware Event Data Block 5.3+

The eStreamer service uses the malware event data block to store information on 

malware events. These events contain information on malware detected or 

quarantined within a cloud, the detection method, and hosts and users affected 

by the malware. The malware event data block has a block type of 35 in the series 

2 group of blocks. You request the event as part of the malware event record by 

setting the malware event flag—bit 30 in the request flags field—in the request 

message with an event version of 4 and an event code of 101. 

Destination 

Port

uint16

Port number for the destination of the 

connection.

Protocol

uint8

IANA protocol number specified by the user. 

For example:
•

1

 — ICMP

4

 — IP

6

 — TCP

17

 — UDP

This is currently only TCP.

Access 

Control Policy 

UUID

uint8[16]

Unique identifier for the access control 

policy that triggered the event.

Source 

Country

uint16

Code for the country of the source host.

Destination 

Country

uint16

Code for the country of the destination 

host.

Web 

Application ID

uint32

The internal identification number for the 

web application, if applicable.

Client 

Application ID

uint32

The internal identification number for the 

client application, if applicable.

File Event Data Block Fields (Continued)