Cisco Firepower Management Center 2000 Programmer's Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Chapter 3: Understanding Intrusion and Correlation Data Structures
Understanding Series 2 Data Blocks
File Event Data Block Fields (Continued)

Field (Data Type)
    Description

Destination Port (uint16)
    Port number for the destination of the connection.

Protocol (uint8)
    IANA protocol number specified by the user. For example:
    • 1 - ICMP
    • 4 - IP
    • 6 - TCP
    • 17 - UDP
    At present this value is always 6 (TCP).

Access Control Policy UUID (uint8[16])
    Unique identifier for the access control policy that triggered the event.

Source Country (uint16)
    Code for the country of the source host.

Destination Country (uint16)
    Code for the country of the destination host.

Web Application ID (uint32)
    The internal identification number for the web application, if applicable.

Client Application ID (uint32)
    The internal identification number for the client application, if applicable.

Malware Event Data Block 5.3+

The eStreamer service uses the malware event data block to store information on malware events. These events carry information on malware detected or quarantined within a cloud, the detection method, and the hosts and users affected by the malware. The malware event data block has a block type of 35 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag (bit 30 in the request flags field) in the request message, with an event version of 4 and an event code of 101.
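The request flag and block type given in the Malware Event Data Block section above, as an added example in Python that is not part of the guide or of any Sourcefire client: it packs an Event Stream Request with bit 30 set, decodes the flags back out of the wire bytes, and recognizes a series 2 block header carrying type 35. The message header layout (header version 1, message type 2 for Event Stream Request, a data length that excludes the 8-byte header, then initial timestamp and request flags, all big-endian) and the series 2 block header (block type and block length, with the length counting its own 8 bytes) are assumed from the eStreamer protocol description elsewhere in the guide, not from this page, and should be checked against the request message and data block sections before use. The sample block payload is constructed and left opaque because the malware event fields themselves are not listed on this page.

```python
import struct

# Assumed eStreamer message header values (not on this page; check the guide's
# request message section): header version 1, message type 2 = Event Stream Request.
HEADER_VERSION = 1
MSG_EVENT_STREAM_REQUEST = 2

# Values stated on this page.
MALWARE_EVENT_FLAG_BIT = 30          # bit 30 of the request flags field
MALWARE_EVENT_FLAG = 1 << MALWARE_EVENT_FLAG_BIT
MALWARE_EVENT_CODE = 101             # event code for malware events
MALWARE_EVENT_VERSION = 4            # event version for malware events
MALWARE_EVENT_BLOCK_TYPE = 35        # series 2 block type of the malware event data block


def build_request_flags(*flag_bits):
    """OR together the request flag bits a client wants set (bit numbers 0..31)."""
    flags = 0
    for bit in flag_bits:
        if not 0 <= bit <= 31:
            raise ValueError(f"request flag bit out of range: {bit}")
        flags |= 1 << bit
    return flags


def build_event_stream_request(initial_timestamp, request_flags):
    """Pack an Event Stream Request: 8-byte header + (timestamp, flags), big-endian.
    The header's length field counts only the 8 bytes of body that follow it."""
    body = struct.pack(">II", initial_timestamp, request_flags)
    header = struct.pack(">HHI", HEADER_VERSION, MSG_EVENT_STREAM_REQUEST, len(body))
    return header + body


def parse_event_stream_request(raw):
    """Decode the request built above and report whether malware events were asked for."""
    if len(raw) < 8:
        raise ValueError("message shorter than the 8-byte eStreamer header")
    version, msg_type, length = struct.unpack(">HHI", raw[:8])
    if version != HEADER_VERSION or msg_type != MSG_EVENT_STREAM_REQUEST:
        raise ValueError(f"not an Event Stream Request: version={version} type={msg_type}")
    if length != 8 or len(raw) != 8 + length:
        raise ValueError(f"length field {length} disagrees with {len(raw)} bytes received")
    timestamp, flags = struct.unpack(">II", raw[8:16])
    return {
        "timestamp": timestamp,
        "flags": flags,
        "malware_events": bool(flags & MALWARE_EVENT_FLAG),
    }


def build_series2_block(block_type, payload):
    """Frame a payload as a series 2 data block: type, length (including this header), data."""
    return struct.pack(">II", block_type, 8 + len(payload)) + payload


def parse_series2_block_header(raw):
    """Return (block_type, block_length, payload) after checking the length is sane.
    A length shorter than the header or longer than the buffer is rejected rather than
    trusted, so a truncated or hostile block cannot drive an out-of-bounds read."""
    if len(raw) < 8:
        raise ValueError("block shorter than the 8-byte block header")
    block_type, block_length = struct.unpack(">II", raw[:8])
    if block_length < 8 or block_length > len(raw):
        raise ValueError(f"block length {block_length} inconsistent with {len(raw)} bytes")
    return block_type, block_length, raw[8:block_length]


def is_malware_event_block(raw):
    """True when the series 2 block on the wire is the malware event data block (type 35)."""
    block_type, _, _ = parse_series2_block_header(raw)
    return block_type == MALWARE_EVENT_BLOCK_TYPE


# Constructed sample: a type-35 block with an opaque 4-byte payload (the real field
# layout is not reproduced on this page).
SAMPLE_MALWARE_BLOCK = build_series2_block(MALWARE_EVENT_BLOCK_TYPE, b"\x00\x01\x02\x03")

if __name__ == "__main__":
    req = build_event_stream_request(0, build_request_flags(MALWARE_EVENT_FLAG_BIT))
    print(req.hex())
    print(parse_event_stream_request(req))
    print(is_malware_event_block(SAMPLE_MALWARE_BLOCK))
```

Use the request with the event version and event code from the section (4 and 101) in whatever form the guide's request message section specifies for them; the constants are exposed here only so a client keeps them next to the flag bit they belong with.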