Cisco Firepower Management Center 2000 Programmer's Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Chapter 3
User Record
When you request metadata, you can retrieve information about the users
referenced in events generated by components in your Sourcefire 3D System.
The eStreamer service transmits metadata containing user information for an
event within a User record, the format of which is shown below. The user
metadata record can be used to determine a user name associated with an event
by correlating the metadata with the user ID value from a User Vulnerability
Change Data Block, User Host Deletion Data Block, User Service Deletion Data
Block, User Criticality Change Blocks, Attribute Definition Data Block, User
Attribute Value Data Block, or Scan Result Data Block. (User information is sent
when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of
a request message—is set. See
on page 30.) Note that the Record
Type field, which appears after the Message Length field, has a value of 62,
indicating a User record.
Impact Event Data Fields (Continued)

| Field | Data Type | Description |
|---|---|---|
| String Block Type | uint32 | Initiates a string data block that contains the impact name. This value is always set to 0. For more information about string blocks, see |
| String Block Length | uint32 | Number of bytes in the event description string block. This includes the four bytes for the string block type, the four bytes for the string block length, and the number of bytes in the description. |
| Description | string | Description of the impact event. |
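Byte |       0       |       1       |       2       |       3       |
Bit  |      0-7      |     8-15      |     16-23     |     24-31     |
     +---------------+---------------+---------------+---------------+
     |      Header Version (1)       |       Message Type (4)        |
     +-------------------------------+-------------------------------+
     |                        Message Length                         |
     +---------------------------------------------------------------+
     |                       Record Type (62)                        |
     +---------------------------------------------------------------+
     |                         Record Length                         |
     +---------------------------------------------------------------+
     |                            User ID                            |
     +---------------------------------------------------------------+
     |                          Name Length                          |
     +---------------------------------------------------------------+
     |                            Name...                            |
     +---------------------------------------------------------------+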
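A client-side parser for the User record layout above, written as an added example (not code from the guide or from Cisco), that validates every length field before building the user ID to name lookup used for correlation. Assumptions not stated on this page: network byte order, Message Length counting the bytes after the 8-byte message header, Record Length counting the bytes after the Record Type and Record Length fields, UTF-8 names, and the hypothetical `MAX_NAME_LEN` cap.

```python
import struct

# Fixed part of the User record, per the diagram: version, message type,
# message length, record type, record length, user ID, name length.
# Assumption: network byte order, 16-bit version/type, 32-bit everything else.
FIXED = struct.Struct("!HHIIIII")
USER_RECORD_TYPE = 62
MAX_NAME_LEN = 1024  # hypothetical sanity cap, not a value from the guide


class RecordError(ValueError):
    """Raised when a message is not a well-formed User record."""


def parse_user_record(buf: bytes) -> tuple[int, str]:
    """Return (user_id, name) from one complete message, or raise RecordError."""
    if len(buf) < FIXED.size:
        raise RecordError("truncated header")
    ver, mtype, mlen, rtype, rlen, user_id, name_len = FIXED.unpack_from(buf)
    if (ver, mtype, rtype) != (1, 4, USER_RECORD_TYPE):
        raise RecordError(f"not a User record: {ver}/{mtype}/{rtype}")
    if name_len > MAX_NAME_LEN:
        raise RecordError("name length exceeds cap")
    # Assumed length semantics: each length counts the bytes that follow its
    # own header, so all three must agree with the bytes actually received.
    if mlen != len(buf) - 8 or rlen != mlen - 8 or name_len != rlen - 8:
        raise RecordError("length fields inconsistent with buffer")
    name = buf[FIXED.size:FIXED.size + name_len].decode("utf-8", "replace")
    return user_id, name.rstrip("\x00")


def build_user_record(user_id: int, name: str) -> bytes:
    """Construct a sample message (constructed test data, not a capture)."""
    raw = name.encode("utf-8")
    return FIXED.pack(1, 4, 16 + len(raw), USER_RECORD_TYPE,
                      8 + len(raw), user_id, len(raw)) + raw


def user_map(messages) -> dict[int, str]:
    """Build the user ID -> name lookup, skipping malformed records."""
    users = {}
    for msg in messages:
        try:
            uid, name = parse_user_record(msg)
        except RecordError:
            continue
        users[uid] = name
    return users
```
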