Sourcefire 3D System eStreamer Integration Guide, Version 5.3
Chapter 3: Understanding Intrusion and Correlation Data Structures
Understanding Series 2 Data Blocks
Page 158
IOC State Data Block for 5.3+
The IOC State data block provides information about an Indication of Compromise (IOC). It has a block type of 150 in series 1. The host tracker uses it to store information about a compromise on a host. The following diagram shows the structure of an IOC State data block (each row is 32 bits; a field marked "continued" occupies a second 32-bit row, so it is 64 bits wide):
Byte  0                 1                 2                 3
Bit   0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
      +------------------------------------------------------------------------------------+
      | IOC State Block Type (150)                                                         |
      +------------------------------------------------------------------------------------+
      | IOC State Block Length                                                             |
      +------------------------------------------------------------------------------------+
      | IOC ID Number                                                                      |
      +------------------------------------------------------------------------------------+
      | Disabled                                                                           |
      +------------------------------------------------------------------------------------+
      | First Seen                                                                         |
      | First Seen, continued                                                              |
      +------------------------------------------------------------------------------------+
      | First Event ID                                                                     |
      | First Event ID, continued                                                          |
      +------------------------------------------------------------------------------------+
      | First Device ID                                                                    |
      | First Device ID, continued                                                         |
      +------------------------------------------------------------------------------------+
      | First Instance ID                                                                  |
      +------------------------------------------------------------------------------------+
      | First Connection Time                                                              |
      | First Connection Time, continued                                                   |
      +------------------------------------------------------------------------------------+
      | First Counter                                                                      |
      | First Counter, continued                                                           |
      +------------------------------------------------------------------------------------+
      | Last Seen                                                                          |
      | Last Seen, continued                                                               |
      +------------------------------------------------------------------------------------+
      | Last Event ID                                                                      |
      | Last Event ID, continued                                                           |
      +------------------------------------------------------------------------------------+
      | Last Device ID                                                                     |
      | Last Device ID, continued                                                          |
      +------------------------------------------------------------------------------------+
      | Last Instance ID                                                                   |
      +------------------------------------------------------------------------------------+
      | Last Connection Time                                                               |
      | Last Connection Time, continued                                                    |
      +------------------------------------------------------------------------------------+
      | Last Counter                                                                       |
      | Last Counter, continued                                                            |
      +------------------------------------------------------------------------------------+
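The diagram above turned into a decoder, as an added example that is not code from the guide: the field widths are read off the row structure (one row is 32 bits, a "continued" row makes the field 64 bits), and the parser rejects a block whose type or length does not match before trusting any of its fields. Network (big-endian) byte order and a Block Length that counts the 8 header bytes are assumptions of this example; the sample block is constructed.

```python
import struct

# Field layout taken from the IOC State block diagram: each row is 32 bits ("I"),
# a field with a "continued" row is 64 bits ("Q"). Big-endian order is assumed.
IOC_STATE_BLOCK_TYPE = 150
IOC_STATE_FIELDS = (
    ("ioc_id_number", "I"), ("disabled", "I"),
    ("first_seen", "Q"), ("first_event_id", "Q"), ("first_device_id", "Q"),
    ("first_instance_id", "I"), ("first_connection_time", "Q"), ("first_counter", "Q"),
    ("last_seen", "Q"), ("last_event_id", "Q"), ("last_device_id", "Q"),
    ("last_instance_id", "I"), ("last_connection_time", "Q"), ("last_counter", "Q"),
)
HEADER_FORMAT = ">II"                                   # block type, block length
BODY_FORMAT = ">" + "".join(fmt for _, fmt in IOC_STATE_FIELDS)
BODY_SIZE = struct.calcsize(BODY_FORMAT)                # 96 bytes of fields
BLOCK_SIZE = struct.calcsize(HEADER_FORMAT) + BODY_SIZE # 104; assumed: length counts the header


def parse_ioc_state_block(data: bytes) -> dict:
    """Decode one IOC State block, validating type and length before reading fields."""
    if len(data) < struct.calcsize(HEADER_FORMAT):
        raise ValueError("truncated block header")
    block_type, block_length = struct.unpack_from(HEADER_FORMAT, data, 0)
    if block_type != IOC_STATE_BLOCK_TYPE:
        raise ValueError(f"expected block type {IOC_STATE_BLOCK_TYPE}, got {block_type}")
    if block_length != BLOCK_SIZE:
        raise ValueError(f"IOC State block must be {BLOCK_SIZE} bytes, header says {block_length}")
    if len(data) < block_length:
        raise ValueError(f"block claims {block_length} bytes but only {len(data)} present")
    values = struct.unpack_from(BODY_FORMAT, data, struct.calcsize(HEADER_FORMAT))
    fields = dict(zip((name for name, _ in IOC_STATE_FIELDS), values))
    fields["block_type"], fields["block_length"] = block_type, block_length
    return fields


def build_ioc_state_block(**fields) -> bytes:
    """Encode a block from keyword fields (unset fields are zero); used to construct samples."""
    body = struct.pack(BODY_FORMAT, *(fields.get(name, 0) for name, _ in IOC_STATE_FIELDS))
    return struct.pack(HEADER_FORMAT, IOC_STATE_BLOCK_TYPE, len(body) + 8) + body


# Constructed sample: an IOC first seen by device 2, still active (disabled == 0).
SAMPLE_BLOCK = build_ioc_state_block(
    ioc_id_number=7, disabled=0,
    first_seen=1400000000, first_event_id=12345, first_device_id=2, first_instance_id=1,
    first_connection_time=1400000000, first_counter=3,
    last_seen=1400003600, last_event_id=12399, last_device_id=2, last_instance_id=1,
    last_connection_time=1400003600, last_counter=9,
)
```

Run against a real eStreamer capture the same function applies once the surrounding message framing has been stripped; a block that fails the type or length check should be logged and skipped rather than partially decoded.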