Developer Guide for Cisco Firepower Management Center 2000
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
46
Understanding the eStreamer Application Protocol
Event Data Message Format
Chapter 2
Data Block Header
Series 1 blocks and series 2 blocks have similar structures but distinct numbering. These blocks can appear anywhere in the data portion of a discovery, correlation, connection, or event extra data message, and blocks of either series can encapsulate other blocks at multiple levels of nesting.

The data blocks in both the first and second series begin with the header structure shown in the graphic below. The following table provides information about the header fields. The header is followed immediately by the data structure associated with the data block type.
Event Extra Data Message Record Header Fields (Continued)

Field: eStreamer Server Timestamp
Data Type: uint32
Description: Indicates the timestamp applied when the event was archived by the eStreamer server. Also called the archival timestamp. Field present only if bit 23 is set in the request message flags. Field is not present for events generated by the Defense Center.

Field: Reserved for future use
Data Type: uint32
Description: Reserved for future use. Field present only if bit 23 is set in the request message flags. Field is not present for events generated by the Defense Center.
[Graphic: Data Block Header layout, 32 bits wide (byte 0 through byte 3, bit 0 through bit 31). First row: Data Block Type. Second row: Data Block Length.]
Field: Data Block Type
Data Type: uint32
Description:
For series 1 block types, see
For series 2 block types, see the

Field: Data Block Length
Data Type: uint32
Description: Length of the data block. Includes the number of bytes of data plus the 8 bytes in the two data block header fields.
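As an added example that is not part of the guide, the following Python parser reads a data block header as laid out above, rejects a Data Block Length that is smaller than the 8-byte header or that runs past the end of the buffer, and peels encapsulated blocks one level at a time. It assumes big-endian field encoding; the block type numbers and payload in the sample are constructed placeholders, not real eStreamer block types.

```python
import struct

HEADER_LEN = 8  # Data Block Type (uint32) + Data Block Length (uint32)


class DataBlockError(ValueError):
    """Raised when a data block header is inconsistent with its buffer."""


def parse_data_block(buf: bytes, offset: int = 0):
    """Parse one data block header at buf[offset].

    Returns (block_type, payload, next_offset). Field order and sizes follow
    the header table above; big-endian byte order is an assumption.
    """
    if offset < 0 or offset + HEADER_LEN > len(buf):
        raise DataBlockError("buffer too short for an 8-byte data block header")
    block_type, block_len = struct.unpack_from(">II", buf, offset)
    # Data Block Length counts the 8 header bytes, so it can never be below 8.
    if block_len < HEADER_LEN:
        raise DataBlockError(f"data block length {block_len} smaller than header")
    end = offset + block_len
    # A length past the buffer end must be rejected rather than read past the message.
    if end > len(buf):
        raise DataBlockError(f"data block length {block_len} exceeds buffer")
    return block_type, buf[offset + HEADER_LEN:end], end


def encode_data_block(block_type: int, payload: bytes) -> bytes:
    """Build a data block; used here only to construct the sample input."""
    return struct.pack(">II", block_type, HEADER_LEN + len(payload)) + payload


def unwrap_nested(buf: bytes, depth: int):
    """Peel `depth` levels of encapsulated blocks.

    Returns the list of block types seen, outermost first, and the innermost payload.
    """
    types = []
    payload = buf
    for _ in range(depth):
        block_type, payload, _end = parse_data_block(payload)
        types.append(block_type)
    return types, payload


# Constructed sample: a block of type 2 nested inside a block of type 1
# (placeholder type numbers, not eStreamer block types).
SAMPLE = encode_data_block(1, encode_data_block(2, b"hello"))

if __name__ == "__main__":
    print(unwrap_nested(SAMPLE, 2))  # ([1, 2], b'hello')
    try:
        parse_data_block(SAMPLE[:-1])  # truncated: outer length now exceeds the buffer
    except DataBlockError as exc:
        print("rejected:", exc)
```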