Developer Guide for Cisco Firepower Management Center 4000
3-45
FireSIGHT eStreamer Integration Guide
Chapter 3 Understanding Intrusion and Correlation Data Structures
Understanding Series 2 Data Blocks
In the following table, the Data Block Status field indicates whether the block is current (the latest
version) or legacy (used in an older version and can still be requested through eStreamer).
Table 3-26 Series 2 Block Types

| Type | Content | Data Block Status | Description |
|------|---------|-------------------|-------------|
| 0 | String | Current | Encapsulates variable string data. See for more information. |
| 1 | BLOB | Current | Encapsulates binary data and is used specifically for banners. See for more information. |
| 2 | List | Current | Encapsulates a list of other data blocks. See for more information. |
| 3 | Generic List | Current | Encapsulates a list of other data blocks. For deserialization, it is the equivalent of the List data block. See for more information. |
| 4 | Event Extra Data | Current | Contains intrusion event extra data. See for more information. |
| 5 | Extra Data Type | Current | Contains extra data metadata. See for more information. |
| 14 | UUID String Mapping | Current | Block used by various metadata messages to map UUID values to descriptive strings. See |
| 15 | Access Control Policy Rule ID Metadata | Current | Contains metadata for access control rules. See |
| 16 | Malware Event | Legacy | Contains information on malware events, such as the malware detected or quarantined within a Collective Security Intelligence Cloud, the detection method, and hosts and users affected by the malware. See . Deprecated by block 24, . |
| 19 | ICMP Type Data Block | Current | Contains metadata describing ICMP types. See |
| 20 | ICMP Code Data Block | Current | Contains metadata describing ICMP codes. See |
| 21 | Access Control Policy Rule Reason Data Block | Current | Contains information explaining access control policy rule reasons. See |
| 22 | IP Reputation Category Data Block | Current | Contains information on IP reputation categories explaining why an IP address was blocked. See |
| 23 | File Event | Legacy | Contains information on file events, such as the source, SHA hash, and the disposition of the file. See . It is superseded by block 32, |