Cisco Firepower Management Center 2000 Developer Guide
3-20
FireSIGHT eStreamer Integration Guide
Chapter 3 Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Table 3-9 Correlation Policy Record Fields (continued)

Field          Data Type   Description
UUID           uint8[16]   A correlation policy ID number that acts as a unique identifier for the correlation policy.
Revision UUID  uint8[16]   A correlation policy revision ID number that acts as a unique identifier for the correlation policy.

Correlation Rule Record

The eStreamer service transmits metadata containing information on the correlation rule that triggered a correlation event within a Correlation Rule record, the format of which is shown below. (Correlation rule information is sent when the Version 3 or Version 4 metadata flag—bit 15 or bit 20 in the Request Flags field of a request message—is set. See .) Note that the Record Type field, which appears after the Message Length field, has a value of 70, indicating a Correlation Rule record.
Correlation Rule record layout. The figure draws the fields across 32-bit rows (bytes 0 to 3, bits 0 to 31); they appear in this order, top to bottom:

Header Version (1)
Message Type (4)
Message Length
Record Type (70)
Record Length
Correlation Rule ID
Name Length
Name...
Description Length
Description...
Event Type Length
Event Type...
Correlation Rule UUID (16 bytes, continued over four rows)
Correlation Revision UUID,
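As an added example, not code from the Cisco guide, the following Python parser reads one eStreamer message carrying a Correlation Rule record and checks every length field against the Record Length before slicing, so a malformed or truncated record is rejected instead of being read past its bounds. Beyond what this page shows, it assumes that Header Version and Message Type are 16-bit fields sharing the first row, that Message Length and Record Length count the bytes that follow their own 8-byte headers, that the ID and length fields are 32-bit big-endian, and that each UUID is 16 bytes; the sample message is constructed, not captured from an appliance.

```python
import struct
import uuid
HEADER_VERSION, MESSAGE_TYPE, RECORD_TYPE_CORRELATION_RULE = 1, 4, 70   # values shown in the layout

class MalformedRecord(ValueError):
    """A length field points outside the record or message that contains it."""
def _take_string(buf, off, end):
    """Read a uint32 length followed by that many bytes; refuse lengths that run past `end`."""
    if end - off < 4:
        raise MalformedRecord("length field truncated at offset %d" % off)
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if n > end - off:
        raise MalformedRecord("%d-byte string overruns the record at offset %d" % (n, off))
    return buf[off:off + n].decode("utf-8", errors="replace"), off + n

def parse_correlation_rule_message(msg):
    """Parse one eStreamer message that carries a Correlation Rule record (record type 70)."""
    if len(msg) < 16:
        raise MalformedRecord("shorter than the 8-byte message header plus 8-byte record header")
    hdr_ver, msg_type, msg_len = struct.unpack_from(">HHI", msg, 0)   # Header Version, Message Type, Message Length
    if hdr_ver != HEADER_VERSION or msg_type != MESSAGE_TYPE or msg_len > len(msg) - 8:
        raise MalformedRecord("bad message header: version %d, type %d, length %d" % (hdr_ver, msg_type, msg_len))
    rec_type, rec_len = struct.unpack_from(">II", msg, 8)             # Record Type, Record Length
    if rec_type != RECORD_TYPE_CORRELATION_RULE or rec_len < 4 or rec_len > msg_len - 8:
        raise MalformedRecord("bad record header: type %d, length %d" % (rec_type, rec_len))
    end = 16 + rec_len                                                # record body is msg[16:end]
    (rule_id,) = struct.unpack_from(">I", msg, 16)                    # Correlation Rule ID
    name, off = _take_string(msg, 20, end)                            # Name Length + Name
    description, off = _take_string(msg, off, end)                    # Description Length + Description
    event_type, off = _take_string(msg, off, end)                     # Event Type Length + Event Type
    if end - off < 32:                                                # two 16-byte UUIDs must remain
        raise MalformedRecord("UUID fields truncated")
    return {"rule_id": rule_id, "name": name, "description": description, "event_type": event_type,
            "rule_uuid": uuid.UUID(bytes=msg[off:off + 16]), "revision_uuid": uuid.UUID(bytes=msg[off + 16:off + 32])}

def build_correlation_rule_message(rule_id, name, description, event_type, rule_uuid, revision_uuid):
    """Encode the same record; used here only to construct sample input."""
    body = struct.pack(">I", rule_id)
    for s in (name, description, event_type):
        raw = s.encode("utf-8")
        body += struct.pack(">I", len(raw)) + raw
    body += rule_uuid.bytes + revision_uuid.bytes
    record = struct.pack(">II", RECORD_TYPE_CORRELATION_RULE, len(body)) + body
    return struct.pack(">HHI", HEADER_VERSION, MESSAGE_TYPE, len(record)) + record
# Constructed sample message (not captured from a real appliance).
SAMPLE_RULE_UUID = uuid.UUID("11111111-2222-4333-8444-555555555555")
SAMPLE_REVISION_UUID = uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee")
SAMPLE_MESSAGE = build_correlation_rule_message(42, "Constructed rule", "Example description", "correlation event", SAMPLE_RULE_UUID, SAMPLE_REVISION_UUID)
```

Overwriting the Name Length field of the sample with 0xFFFFFFFF, or dropping its last byte, makes the parser raise MalformedRecord rather than slice past the record.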