Cisco Firepower Management Center 2000 Developer Guide

FireSIGHT eStreamer Integration Guide, page 3-36
Chapter 3: Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
FireAMP File Type record layout (each row is 32 bits wide; bit 0 is the first bit of byte 0):

Byte    0         1         2         3
Bit     0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
        FireAMP File Type ID
        FireAMP File Type Length
        FireAMP File Type...

The following table describes the fields in the FireAMP File Type record.

Table 3-23      FireAMP File Type Record Fields

Field                      Data Type   Description
FireAMP File Type ID       uint32      The FireAMP file type ID number.
FireAMP File Type Length   uint32      The number of bytes included in the FireAMP file type.
FireAMP File Type          string      The type of detected file.

Correlation Event for 5.1+

Correlation events (called compliance events in pre-5.0 versions) contain information about correlation
policy violations. This message uses the standard eStreamer message header and specifies a record type
of 112, followed by a correlation data block of type 128 in the series 1 set of data blocks. Data block
type 128 differs from its predecessor (block type 116) in including IPv6 support.

You can request 5.1+ correlation events from eStreamer only by extended request, for which you request
event type code 31 and version code 8 in the Stream Request message (see the guide's section on
submitting extended requests for information about how to do so). You can optionally enable bit 23 in
the flags field of the initial event stream request message to include the extended event header. You
can also enable bit 20 in the flags field to include user metadata.
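The following Python parser is an added example, not code from the guide or from Cisco. It walks the two structures described on this page: the FireAMP File Type record (uint32 ID, uint32 byte length, string), and the envelope of a 5.1+ correlation event (eStreamer message header, record type 112, the optional extended header whose presence depends on bit 23 of the request flags, then correlation block type 128). Assumptions not stated on this page: all fields are network byte order; the message header is uint16 header version, uint16 message type, uint32 message length; Message Length and Record Length count the bytes that follow their respective 8-byte headers; the block length and block body that follow the block type are left unparsed because they are not shown here. The sample message is constructed inline, not captured from a real eStreamer server.

```python
import struct

# Values stated in the guide: record type 112 is a correlation event; block
# type 128 is the 5.1+ correlation block, 116 its pre-IPv6 predecessor.
CORRELATION_RECORD_TYPE = 112
CORRELATION_BLOCK_TYPES = {128: "5.1+ (IPv6-capable)", 116: "pre-5.1 (no IPv6)"}
HEADER_VERSION = 1
EVENT_MESSAGE_TYPE = 4
# Request-flag bits named on the page (bit 23: extended header, bit 20: user metadata).
FLAG_EXTENDED_HEADER = 1 << 23
FLAG_USER_METADATA = 1 << 20

# Assumption: network byte order; header is uint16 version, uint16 type,
# uint32 length, with the length counting the bytes after the 8-byte header.
MSG_HEADER = struct.Struct(">HHI")
U32 = struct.Struct(">I")
U32x2 = struct.Struct(">II")


def parse_fireamp_file_type(data: bytes, offset: int = 0):
    """Parse one FireAMP File Type record (Table 3-23) starting at `offset`.

    Layout: uint32 file type ID, uint32 byte length, then `length` bytes of
    file-type string. Returns (record_dict, offset_after_record). Length is
    validated against the buffer so a bad length cannot over-read.
    """
    if len(data) - offset < U32x2.size:
        raise ValueError("FireAMP File Type record truncated before its length field")
    type_id, length = U32x2.unpack_from(data, offset)
    start = offset + U32x2.size
    end = start + length
    if end > len(data):
        raise ValueError(f"file type string claims {length} bytes, only {len(data) - start} present")
    name = data[start:end].decode("utf-8", errors="replace")
    return {"id": type_id, "length": length, "file_type": name}, end


def parse_correlation_envelope(message: bytes, request_flags: int):
    """Validate the message and record headers of a correlation event.

    `request_flags` is the flags word sent in the Stream Request; bit 23 tells
    the parser whether the extended event header (timestamp + reserved) is
    present. Every length is checked before it is trusted.
    """
    if len(message) < MSG_HEADER.size:
        raise ValueError("message shorter than the 8-byte eStreamer header")
    version, msg_type, msg_len = MSG_HEADER.unpack_from(message, 0)
    if version != HEADER_VERSION:
        raise ValueError(f"unexpected header version {version}")
    if msg_type != EVENT_MESSAGE_TYPE:
        raise ValueError(f"not an event data message (type {msg_type})")
    body = message[MSG_HEADER.size:MSG_HEADER.size + msg_len]
    if len(body) != msg_len:
        raise ValueError("message length field exceeds the bytes received")
    if len(body) < U32x2.size:
        raise ValueError("message body shorter than the record header")

    record_type, record_len = U32x2.unpack_from(body, 0)
    if record_type != CORRELATION_RECORD_TYPE:
        raise ValueError(f"record type {record_type} is not a correlation event")
    record = body[U32x2.size:U32x2.size + record_len]
    if len(record) != record_len:
        raise ValueError("record length field exceeds the message body")

    pos = 0
    timestamp = reserved = None
    if request_flags & FLAG_EXTENDED_HEADER:
        if len(record) < U32x2.size:
            raise ValueError("extended header requested but record too short")
        timestamp, reserved = U32x2.unpack_from(record, pos)
        pos += U32x2.size
    if len(record) - pos < U32.size:
        raise ValueError("record ends before the correlation block type")
    (block_type,) = U32.unpack_from(record, pos)
    if block_type not in CORRELATION_BLOCK_TYPES:
        raise ValueError(f"unexpected correlation block type {block_type}")
    return {
        "record_type": record_type,
        "timestamp": timestamp,
        "reserved": reserved,
        "block_type": block_type,
        "block_version": CORRELATION_BLOCK_TYPES[block_type],
        "user_metadata_requested": bool(request_flags & FLAG_USER_METADATA),
        "block_payload": record[pos + U32.size:],  # block length + body, not parsed here
    }


def build_sample_correlation_message(block_payload: bytes, extended: bool, timestamp: int = 0):
    """Constructed sample (not a captured message): wrap `block_payload` in the
    record and message headers so the parser above can be exercised offline."""
    record = U32x2.pack(timestamp, 0) if extended else b""
    record += U32.pack(128) + block_payload
    body = U32x2.pack(CORRELATION_RECORD_TYPE, len(record)) + record
    return MSG_HEADER.pack(HEADER_VERSION, EVENT_MESSAGE_TYPE, len(body)) + body


if __name__ == "__main__":
    sample = build_sample_correlation_message(b"\x01\x02\x03\x04", extended=True, timestamp=1700000000)
    print(parse_correlation_envelope(sample, FLAG_EXTENDED_HEADER | FLAG_USER_METADATA))
    print(parse_fireamp_file_type(U32x2.pack(7, 3) + b"PDF"))
```

The parser takes the request flags as input rather than guessing from the bytes: if bit 23 was set in the request but the parser assumes no extended header (or vice versa), the timestamp is read as the block type and the message is rejected, which is the right failure for a framing mismatch.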
Correlation event message layout (each row is 32 bits wide; bit 0 is the first bit of byte 0):

Byte    0         1         2         3
Bit     0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
        Header Version (1)                | Message Type (4)
        Message Length
        Record Type (112)
        Record Length
        eStreamer Server Timestamp (in events, only if bit 23 is set)
        Reserved for Future Use (in events, only if bit 23 is set)
        Correlation Block Type (128)