Cisco Firepower Management Center 4000 Developer Guide

3-22
FireSIGHT eStreamer Integration Guide
 
Chapter 3 Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
The supported types of extra data include IPv6 source and destination addresses, as well as the originating IP addresses (v4 or v6) of clients connecting to a web server through an HTTP proxy or load balancer. The graphic below shows the format of the Intrusion Event Extra Data record.

If bit 27 is set in the Request Flags field of the request message, you receive the event extra data for each intrusion event. If you set bit 20, you also receive the event extra data metadata described in . If you enable bit 23, eStreamer will include the extended event header. See  for information on setting request flags.

Note that the Event Extra Data block structure includes a BLOB block type, which is one of several variable-length data structures introduced in Version 4.10 of the FireSIGHT System.
Intrusion Event Extra Data record layout (each row is 4 bytes, bytes 0-3, bits 0-31; fixed values in parentheses):

Message header
  Header Version (1)
  Message Type (4)
  Message Length
Record header
  Record Type (110)
  Record Length
  eStreamer Server Timestamp (in events, only if bit 23 is set)
  Reserved for Future Use (in events, only if bit 23 is set)
Event Extra Data block
  Event Extra Data Data Block Type (4)
  Event Extra Data Data Block Length
  Device ID
  Event ID
  Event Second
  Type
  BLOB block
    BLOB Block Type (1)
    BLOB Length
    Event Extra Data
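As an added example, not code from the guide or from Cisco's eStreamer SDK, the following Python parser reads one Intrusion Event Extra Data record as laid out above. It assumes 32-bit fields (header version and message type 2 bytes each, sharing the first row), block lengths that include their own 8-byte type/length prefix, and a constructed sample record rather than a sensor capture; the one check a consumer must not skip is bounding the BLOB length by the bytes actually received.

```python
import struct
import ipaddress

# Assumed widths: 32-bit rows as in the layout above, header version and message
# type 2 bytes each; block lengths assumed to include their own 8-byte prefix.
MSG_TYPE_EVENT, REC_TYPE_EXTRA_DATA, EXTRA_DATA_BLOCK, BLOB_BLOCK = 4, 110, 4, 1


def parse_extra_data_record(buf, extended_header=False):
    """Parse one Intrusion Event Extra Data record (record type 110).
    extended_header=True means request bit 23 was set (timestamp + reserved present)."""
    _ver, msg_type, _msg_len, rec_type, _rec_len = struct.unpack_from(">HHIII", buf, 0)
    if msg_type != MSG_TYPE_EVENT or rec_type != REC_TYPE_EXTRA_DATA:
        raise ValueError("not an Intrusion Event Extra Data record")
    off, timestamp = 16, None
    if extended_header:
        timestamp, _reserved = struct.unpack_from(">II", buf, off)
        off += 8
    block_type, _block_len, device_id, event_id, event_sec, data_type = \
        struct.unpack_from(">IIIIII", buf, off)
    if block_type != EXTRA_DATA_BLOCK:
        raise ValueError("unexpected extra data block type %d" % block_type)
    off += 24
    blob_type, blob_len = struct.unpack_from(">II", buf, off)
    off += 8
    if blob_type != BLOB_BLOCK or blob_len < 8:
        raise ValueError("malformed BLOB block")
    # Never trust a length from the wire: bound it by the bytes actually received.
    payload_len = blob_len - 8
    if payload_len > len(buf) - off:
        raise ValueError("BLOB claims %d bytes, only %d available" % (payload_len, len(buf) - off))
    blob = bytes(buf[off:off + payload_len])
    # Decoding by length is an illustration only; the Type field should be resolved
    # against the extra data metadata delivered when request bit 20 is set.
    value = str(ipaddress.ip_address(blob)) if len(blob) in (4, 16) else blob.hex()
    return {"device_id": device_id, "event_id": event_id, "event_second": event_sec,
            "type": data_type, "timestamp": timestamp, "value": value}


def build_sample_record(blob, data_type=2, extended_header=True):
    """Constructed sample record for testing, not a capture from a real sensor."""
    blob_block = struct.pack(">II", BLOB_BLOCK, 8 + len(blob)) + blob
    body = struct.pack(">IIII", 7, 1001, 1700000000, data_type) + blob_block
    block = struct.pack(">II", EXTRA_DATA_BLOCK, 8 + len(body)) + body
    ext = struct.pack(">II", 1700000005, 0) if extended_header else b""
    record = struct.pack(">II", REC_TYPE_EXTRA_DATA, len(ext) + len(block)) + ext + block
    return struct.pack(">HHI", 1, MSG_TYPE_EVENT, len(record)) + record
```

A record truncated in transit fails the BLOB bound check with a ValueError instead of reading past the buffer or silently returning a short address.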