Developer Guide for Cisco Firepower Management Center 2000
B-124
FireSIGHT eStreamer Integration Guide
Appendix B Understanding Legacy Data Structures
Legacy Correlation Event Data Structures
The following topic describes other legacy correlation (compliance) data structures:
• Correlation Event for 5.0 - 5.0.2
Correlation events (called compliance events in pre-5.0 versions) contain information about correlation
policy violations. This message uses the standard eStreamer message header and specifies a record type
of 112, followed by a correlation data block of type 116. Data block type 116 differs from its predecessor
(block type 107) in including additional information about the associated security zone and interface.
You can request 5.0 correlation events from eStreamer only by extended request, for which you request
event type code 31 and version code 7 in the Stream Request message (see
for information about submitting extended requests). You can optionally enable bit
23 in the flags field of the initial event stream request message, to include the extended event header.
You can also enable bit 20 in the flags field to include user metadata.
Note that the record structure includes a String block type, which is a block in series 1. For information
about series 1 blocks, see
.
Table B-28 File Event SHA Hash 5.1.1-5.2.x Data Block Fields (continued)

Field                     Data Type  Description
String Block Length       uint32     The number of bytes included in the name String data block,
                                     including eight bytes for the block type and header fields plus the
                                     number of bytes in the Name field.
File Name or Disposition  string     The descriptive name or disposition of the file. If the file is clean,
                                     this value is Clean. If the file's disposition is unknown, the value is
                                     Neutral. If the file contains malware, the file name is given.
Byte   0               1               2               3
Bit    0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
       Header Version (1)                      | Message Type (4)
       Message Length
       Record Type (112)
       Record Length
       eStreamer Server Timestamp (in events, only if bit 23 is set)
       Reserved for Future Use (in events, only if bit 23 is set)
       Correlation Block Type (116)
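The following Python is an added example, not code from the guide or from Cisco: it builds the Stream Request flags word from the bits named in the text (23 for the extended header, 20 for user metadata), parses the leading fields of a record type 112 message as laid out in the byte diagram above, and parses a series 1 String block as described in Table B-28. It assumes big-endian fields, that Message Length counts the bytes after the 8-byte message header and Record Length the bytes after the record type and length fields, that string payloads are UTF-8, and uses 0 as a placeholder for the String block's type number, which this page does not give. Every length field is validated against the buffer before use, so a truncated or tampered message is rejected rather than read past its end; the sample messages are constructed in the block.

```python
import struct

# Values taken from the page: record type 112 carries a 5.0 correlation event,
# its data block is type 116, the extended request uses event type 31 and
# version 7, flag bit 23 adds the extended event header, bit 20 user metadata.
HEADER_VERSION = 1
MESSAGE_TYPE_EVENT = 4
RECORD_TYPE_CORRELATION = 112
BLOCK_TYPE_CORRELATION_50 = 116
EVENT_TYPE_CORRELATION = 31
EVENT_VERSION_CORRELATION_50 = 7
FLAG_EXTENDED_HEADER = 1 << 23
FLAG_USER_METADATA = 1 << 20
# Assumption: the String block's series 1 type number is not on this page;
# 0 is used here only as a placeholder when constructing sample data.
STRING_BLOCK_TYPE = 0


def request_flags(extended_header=True, user_metadata=True):
    """Flags word for the initial Stream Request (bits 23 and 20 from the text)."""
    flags = 0
    if extended_header:
        flags |= FLAG_EXTENDED_HEADER
    if user_metadata:
        flags |= FLAG_USER_METADATA
    return flags


def build_event_message(record_type, block_type, body, extended_header, timestamp=0):
    """Construct a message laid out like the byte diagram (sample data only).
    Assumption: lengths are big-endian and count only the bytes after them."""
    ext = struct.pack(">II", timestamp, 0) if extended_header else b""
    record_body = ext + struct.pack(">I", block_type) + body
    record = struct.pack(">II", record_type, len(record_body)) + record_body
    return struct.pack(">HHI", HEADER_VERSION, MESSAGE_TYPE_EVENT, len(record)) + record


def parse_event_message(data, extended_header):
    """Parse the header and leading record fields. Each length is checked
    against the buffer first, so a short or tampered message raises ValueError
    instead of causing an over-read further down the parser."""
    if len(data) < 8:
        raise ValueError("message shorter than the 8-byte header")
    hdr_version, msg_type, msg_len = struct.unpack_from(">HHI", data, 0)
    if hdr_version != HEADER_VERSION or msg_type != MESSAGE_TYPE_EVENT:
        raise ValueError("unexpected header version or message type")
    if msg_len != len(data) - 8:
        raise ValueError("message length does not match the bytes received")
    if msg_len < 8:
        raise ValueError("message too short for record type and length")
    record_type, record_len = struct.unpack_from(">II", data, 8)
    if record_len != msg_len - 8:
        raise ValueError("record length disagrees with message length")
    if record_len < (12 if extended_header else 4):
        raise ValueError("record too short for its leading fields")
    result = {"record_type": record_type, "record_length": record_len}
    offset = 16
    if extended_header:  # timestamp + reserved, present only if bit 23 was set
        result["timestamp"], _reserved = struct.unpack_from(">II", data, offset)
        offset += 8
    result["block_type"] = struct.unpack_from(">I", data, offset)[0]
    result["block_offset"] = offset  # where the correlation block begins
    return result


def is_well_formed(data, extended_header):
    try:
        parse_event_message(data, extended_header)
        return True
    except ValueError:
        return False


def build_string_block(block_type, text):
    payload = text.encode("utf-8")
    return struct.pack(">II", block_type, 8 + len(payload)) + payload


def parse_string_block(data, offset=0):
    """Series 1 String block: type, length (8 header bytes + string), string."""
    if len(data) - offset < 8:
        raise ValueError("buffer too short for a String block header")
    block_type, length = struct.unpack_from(">II", data, offset)
    if length < 8 or offset + length > len(data):
        raise ValueError("String block length is inconsistent with the buffer")
    text = data[offset + 8:offset + length].decode("utf-8")  # assumption: UTF-8
    return {"block_type": block_type, "text": text, "next_offset": offset + length}


def classify_disposition(value):
    """Apply Table B-28's rule: Clean, Neutral (unknown), otherwise a file name."""
    if value == "Clean":
        return "clean"
    if value == "Neutral":
        return "unknown"
    return "malware:" + value


# Constructed sample data, not captured from an appliance.
SAMPLE_MESSAGE = build_event_message(RECORD_TYPE_CORRELATION, BLOCK_TYPE_CORRELATION_50,
                                     b"", extended_header=True, timestamp=1700000000)
SAMPLE_STRING_BLOCK = build_string_block(STRING_BLOCK_TYPE, "Clean")

if __name__ == "__main__":
    print(parse_event_message(SAMPLE_MESSAGE, extended_header=True))
    print(parse_string_block(SAMPLE_STRING_BLOCK))
```

Because the extended header is present only when bit 23 was set in the request, the parser takes that flag as a parameter: the client must remember what it asked for, since nothing in the record itself marks whether the timestamp and reserved words are there.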