Developer Guide for Cisco Firepower Management Center 4000
A-16
FireSIGHT eStreamer Integration Guide
Appendix A Data Structure Examples
Discovery Data Structure Examples
This section contains examples of data structures that can be transmitted by eStreamer for discovery
events. The following examples are provided:
Example of a New Network Protocol Message
The following diagram illustrates a sample new network protocol message for 3.0+:
Number  Description
22      This line indicates that a string block follows, containing a string block length and a text string which, in this case, contains the user name. For more information about string blocks, see
23      This line indicates that the length of the data in the string block is 16 bytes.
24      This line indicates that the name of the user is “301@10.4.11.175.”
25      This line indicates the ID number of the user.
26      This line indicates the application ID for the application protocol used in the connection that the login information was derived from.
27      This line indicates that a string block follows, containing a string block length and a text string which, in this case, contains the email address. For more information about string blocks, see
28      This line indicates that the length of the data in the string block is 0 bytes. This is because there is no email address associated with this user.
29      This line contains the IP address of the host where the user was detected logging in.
30      The first byte contains the login type. The remainder of this line indicates that a string block follows, containing a string block length and a text string which, in this case, contains the name of the Active Directory server reporting a login. For more information about string blocks, see
31      The first byte of this line completes the initiation of the string data block. The remainder of this line indicates that the length of the data in the string block is 0 bytes. This is because there is no Active Directory server associated with this login.
Byte  0                 1                 2                 3
Bit   0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Header Version (1)                Event Msg (4)
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1   0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0   Start Standard Message Header with Event Msg (4)

Message Length (49B)
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 1
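The header diagram above and the string-block rows in the table (lines 22 through 28) describe length-prefixed fields that an eStreamer client must decode from untrusted input. The following Python is an added example, not code from the guide or from Cisco: it decodes the header bits exactly as drawn (version 1, type 4, length 49), then parses a constructed message containing a user-name string block, a user ID and an empty email string block, refusing any length field that points past the end of the enclosing message. The string-block layout (a 4-byte block type of 0, a 4-byte data length, then the text, with a trailing NUL counted in the length of non-empty strings so that the 15-character name occupies the 16 bytes the table reports) and the user ID value 7 are assumptions made for this example; they are not taken from the page.

```python
import struct

# Bits copied from the header diagram on this page: header version (1),
# message type (4, Event Msg) and message length (49 bytes).
HEADER_BITS = (
    "0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 "
    "0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 1"
)
STRING_BLOCK_TYPE = 0  # assumed block-type value for a string block (not from the page)


def bits_to_bytes(bit_string):
    """Turn a space-separated bit string, as drawn in the diagram, into bytes."""
    bits = bit_string.split()
    if len(bits) % 8:
        raise ValueError("bit string is not byte aligned")
    return bytes(int("".join(bits[i:i + 8]), 2) for i in range(0, len(bits), 8))


def parse_header(data):
    """Standard eStreamer header: 16-bit version, 16-bit type, 32-bit length, big-endian."""
    if len(data) < 8:
        raise ValueError("message shorter than the 8-byte header")
    version, msg_type, length = struct.unpack("!HHI", data[:8])
    return {"version": version, "type": msg_type, "length": length}


def read_string_block(buf, offset, end):
    """Read one string block at `offset` without ever reading past `end`.
    Assumed layout: 4-byte block type, 4-byte data length, then the text bytes."""
    if offset + 8 > end:
        raise ValueError("string block header runs past the end of the message")
    block_type, data_len = struct.unpack_from("!II", buf, offset)
    if block_type != STRING_BLOCK_TYPE:
        raise ValueError(f"unexpected block type {block_type}")
    start = offset + 8
    # The length field is attacker-controllable input: bound it by the message.
    if data_len > end - start:
        raise ValueError(f"string length {data_len} exceeds the {end - start} bytes left")
    text = buf[start:start + data_len].rstrip(b"\x00").decode("utf-8", errors="replace")
    return text, start + data_len


def encode_string_block(text):
    """Inverse of read_string_block; used only to build the constructed sample."""
    payload = text.encode("utf-8")
    if payload:
        payload += b"\x00"  # assumed NUL terminator: 15 chars + NUL = 16 bytes, as in the table
    return struct.pack("!II", STRING_BLOCK_TYPE, len(payload)) + payload


def build_sample_message():
    """Constructed sample: version-1 event message (type 4) carrying the user name
    from the table, a constructed user ID, and an empty email string block."""
    body = encode_string_block("301@10.4.11.175")
    body += struct.pack("!I", 7)        # constructed user ID
    body += encode_string_block("")     # no email address: data length 0
    return struct.pack("!HHI", 1, 4, 8 + len(body)) + body


def tampered_sample():
    """Constructed sample whose user-name length field claims 4 GiB of text."""
    msg = bytearray(build_sample_message())
    struct.pack_into("!I", msg, 12, 0xFFFFFFFF)  # offset 12 = data length of first block
    return bytes(msg)


def parse_user_login(message):
    """Validate the header, then walk the fields in the order the table lists them."""
    hdr = parse_header(message)
    if hdr["version"] != 1 or hdr["type"] != 4:
        raise ValueError("not a version-1 event message")
    end = hdr["length"]
    if end > len(message):
        raise ValueError("declared message length exceeds bytes received")
    user_name, off = read_string_block(message, 8, end)
    if off + 4 > end:
        raise ValueError("truncated user ID")
    (user_id,) = struct.unpack_from("!I", message, off)
    off += 4
    email, off = read_string_block(message, off, end)
    return {"user_name": user_name, "user_id": user_id, "email": email, "consumed": off}


def is_rejected(message):
    """True when the parser refuses the message instead of reading out of bounds."""
    try:
        parse_user_login(message)
    except ValueError:
        return True
    return False


def header_from_diagram():
    """Decode the header bits drawn on this page."""
    return parse_header(bits_to_bytes(HEADER_BITS))


if __name__ == "__main__":
    print(header_from_diagram())                    # {'version': 1, 'type': 4, 'length': 49}
    print(parse_user_login(build_sample_message()))
    print("tampered rejected:", is_rejected(tampered_sample()))
```

Every length read from the stream (the message length in the header and each string block length) is checked against the bytes actually available before it is used as a slice bound, so a malformed or truncated message raises a clean error rather than silently producing a short or mis-aligned record.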