Cisco Cisco Firepower Management Center 2000 Guia Do Programador

Version 5.3

Sourcefire 3D System eStreamer Integration Guide

Understanding the eStreamer Application Protocol

Event Data Message Format

Chapter 2

Event extra data messages have the same format as correlation event messages,

with a data block directly after the record header. Unlike correlation messages,

they use series 2 data blocks, not series 1 data blocks, which have a separate

numbering sequence. For information about series 2 block types, see

Understanding Series 2 Data Blocks

on page 116.

Event Extra Data Message Record Header

The shaded section of the following graphic shows the fields of the record header

in event extra data messages. The table that follows defines the record header

fields for event extra data messages.

The

Event Extra Data Message Record Header Fields

table describes each field in

the record header of event extra data messages.

Byte

Bit

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Header Version (1)

Message Type (3)

Message Length

Record Type

See

Intrusion Event and General Metadata Record Types

on page 65

Record Length

eStreamer Server Timestamp

(for events only, not used in metadata records)

Reserved for Future Use

(for events only, not used in metadata records)

Data Record Block

Uses series 2 block, see

Understanding Series 2 Data Blocks

on page 116

...

Event Extra Data Message Record Header Fields

IELD

ATA

YPE

ESCRIPTION

Record

Type

uint32

Identifies the data record content type. See the

Intrusion Event and General Metadata Record

Types table

on page 65 for the list of event extra

data record types.

Record

Length

uint32

Length of the content of the message after the

record header. Does not include the 8 or 16 bytes

of the record header. (Record Length plus the

length of the record header equals Message

Length.)