Cisco Cisco Firepower Management Center 2000 开发者指南

Version 5.3

Sourcefire 3D System eStreamer Integration Guide

Understanding the eStreamer Application Protocol

Event Data Message Format

Chapter 2

The

Discovery Event Message Header Fields

table describes the fields in the

record header and the event header of the discovery event message.

Connection Event Message Format

Messages with connection statistics have a structure identical to discovery event

messages. See

Discovery Event Message Format

on page 40 for general

message format information. Connection event messages are distinct in terms of

the data block types they incorporate.

Correlation Event Message Format

The graphic below shows the general structure of correlation (compliance) event

messages. The standard eStreamer message header and record header are

Discovery Event Message Header Fields

IELD

ATA

YPE

ESCRIPTION

Record

Type

uint32

Identifies the data record content type. See the

Discovery and Connection Event Record Types

table

on page 166 for the list of record types.

Record

Length

uint32

Length of the content of the message after the

record header. Does not include the 8 or 16 bytes

of the record header. (Record Length plus the

length of the record header equals Message

Length.)

eStreamer

Server

Timestamp

uint32

Indicates the timestamp applied when the event

was archived by the eStreamer server. Also called

the archival timestamp. Field present only if bit 23

is set in the request flags field of the event

stream request.

Reserved

for future

use

uint32

Reserved for future use. Field present only if bit

23 is set in the request message flags.

Discovery

Event

Header

Varied

Contains a number of fields, including the event

type and subtype, which together form a unique

key to the data structure that follows. See

Discovery Event Header 5.2+

on page 198 for

definitions of fields in the discovery event header.