Cisco Firepower Management Center 4000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Page 133
Chapter 3: Understanding Intrusion and Correlation Data Structures
Understanding Series 2 Data Blocks
The IP Reputation Category Data Block Fields table describes the fields in the IP Reputation Category Data Block.

IP Reputation Category Data Block Fields

Field (Data Type): Description

IP Reputation Category Data Block Type (uint32): Initiates an IP Reputation Category data block. This value is always 22.
IP Reputation Category Data Block Length (uint32): Total number of bytes in the IP Reputation Category data block, including eight bytes for the IP Reputation Category data block type and length fields, plus the number of bytes of data that follows.
Rule ID (uint32): Internal identifier for the rule that triggered the event.
Policy UUID (uint8[16]): UUID of the policy that triggered the event.
String Block Type (uint32): Initiates a String data block containing the description of the IP Reputation Category. This value is always 0.
String Block Length (uint32): The number of bytes included in the Category Name String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Category Name field.
Category Name (string): Name of the category for the rule.

File Event for 5.3+

The file event contains information on files that are sent over the network. This includes the connection information, whether the file is malware, and specific information to identify the file. The file event has a block type of 38 in the series 2 group of blocks. It supersedes block type 32. New fields have been added to track dynamic file analysis and file storage.

You request file event records by setting the file event flag (bit 30 in the Request Flags field) in the request message with an event version of 3 and an event code of 111. See the section on page 30. If you enable bit 23, an extended event header is included in the record.
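The following is an added example, not code from the guide or from Cisco/Sourcefire, covering both the IP Reputation Category data block layout in the table above and the Request Flags bits named in the File Event section. It decodes a block of type 22 from raw bytes, validating every length field against the enclosing buffer before trusting it (the check a consumer of an eStreamer feed needs, since the block and String block lengths arrive from the network), and builds the Request Flags word with bit 30 and bit 23 set. Assumptions not stated on this page: integers are big-endian (network byte order), bit 0 of the Request Flags word is its least significant bit, the Category Name is UTF-8, and the sample block and the malformed variant are constructed here rather than captured from a sensor.

```python
"""Parser/builder for the eStreamer IP Reputation Category data block (block type 22)."""
import struct
import uuid

# Constants taken from the field table above.
IP_REP_CATEGORY_BLOCK_TYPE = 22
STRING_BLOCK_TYPE = 0
HEADER_LEN = 8  # uint32 block type + uint32 block length

# Request Flags bits quoted in the File Event section.
# Assumption: bit 0 is the least significant bit of the 32-bit word.
FILE_EVENT_FLAG_BIT = 30
EXTENDED_HEADER_FLAG_BIT = 23

# Assumption: all integer fields are big-endian (network byte order).
_U32 = ">I"


class BlockError(ValueError):
    """Raised when a block's type or length fields do not describe the buffer."""


def parse_string_block(buf: bytes, offset: int, end: int) -> tuple[str, int]:
    """Parse a String data block at offset; it must end at or before 'end'."""
    if end - offset < HEADER_LEN:
        raise BlockError("truncated String block header")
    btype, blen = struct.unpack_from(">II", buf, offset)
    if btype != STRING_BLOCK_TYPE:
        raise BlockError(f"expected String block type {STRING_BLOCK_TYPE}, got {btype}")
    # The length covers its own 8-byte header, so it can never be below 8, and it
    # must not run past the enclosing block: never index on the length alone.
    if blen < HEADER_LEN or offset + blen > end:
        raise BlockError(f"String block length {blen} does not fit the enclosing block")
    text = buf[offset + HEADER_LEN:offset + blen].decode("utf-8", errors="replace")
    return text, offset + blen


def parse_ip_reputation_category_block(buf: bytes, offset: int = 0) -> dict:
    """Decode one IP Reputation Category data block and return its fields."""
    if len(buf) - offset < HEADER_LEN:
        raise BlockError("truncated block header")
    btype, blen = struct.unpack_from(">II", buf, offset)
    if btype != IP_REP_CATEGORY_BLOCK_TYPE:
        raise BlockError(f"expected block type {IP_REP_CATEGORY_BLOCK_TYPE}, got {btype}")
    # Minimum size: header (8) + Rule ID (4) + Policy UUID (16) + empty String block (8).
    if blen < HEADER_LEN + 4 + 16 + HEADER_LEN or offset + blen > len(buf):
        raise BlockError(f"block length {blen} inconsistent with {len(buf)}-byte buffer")
    end = offset + blen
    pos = offset + HEADER_LEN
    (rule_id,) = struct.unpack_from(_U32, buf, pos)
    pos += 4
    policy_uuid = uuid.UUID(bytes=buf[pos:pos + 16])
    pos += 16
    category_name, pos = parse_string_block(buf, pos, end)
    if pos != end:
        raise BlockError(f"{end - pos} unexpected trailing bytes inside block")
    return {"rule_id": rule_id, "policy_uuid": policy_uuid, "category_name": category_name}


def build_ip_reputation_category_block(rule_id: int, policy_uuid: uuid.UUID,
                                       category_name: str) -> bytes:
    """Encode a block with the layout from the table; used here to construct sample input."""
    name = category_name.encode("utf-8")
    string_block = struct.pack(">II", STRING_BLOCK_TYPE, HEADER_LEN + len(name)) + name
    body = struct.pack(_U32, rule_id) + policy_uuid.bytes + string_block
    return struct.pack(">II", IP_REP_CATEGORY_BLOCK_TYPE, HEADER_LEN + len(body)) + body


def block_is_valid(buf: bytes) -> bool:
    """True when the buffer starts with a well-formed IP Reputation Category block."""
    try:
        parse_ip_reputation_category_block(buf)
        return True
    except BlockError:
        return False


def file_event_request_flags(extended_header: bool = False) -> int:
    """Request Flags word asking for file events (bit 30), plus bit 23 for the extended header."""
    flags = 1 << FILE_EVENT_FLAG_BIT
    if extended_header:
        flags |= 1 << EXTENDED_HEADER_FLAG_BIT
    return flags


# Constructed sample (not captured from a sensor): rule 7, a fixed policy UUID, "Malware".
SAMPLE_POLICY_UUID = uuid.UUID("0f6f3e61-0f7a-4b1d-9c2a-5d6e7f801234")
SAMPLE_BLOCK = build_ip_reputation_category_block(7, SAMPLE_POLICY_UUID, "Malware")
# Same block with the inner String block length (bytes 32..35) overwritten with 0xFFFFFFFF,
# the kind of inconsistent length a parser must reject instead of slicing past the buffer.
SAMPLE_BLOCK_BAD_INNER_LEN = SAMPLE_BLOCK[:32] + b"\xff\xff\xff\xff" + SAMPLE_BLOCK[36:]

if __name__ == "__main__":
    print(parse_ip_reputation_category_block(SAMPLE_BLOCK))
    print(hex(file_event_request_flags(extended_header=True)))
```

The parser checks the outer block length against the buffer and the inner String block length against the outer block, so a record whose length fields disagree with the bytes actually received raises BlockError rather than reading out of bounds or silently returning a truncated category name.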