- Firepower System Event Streamer Integration Guide, Version 7.1.0
Understanding Legacy Data Structures
This appendix contains information about data structures supported by eStreamer at previous versions of Firepower System products.
If your client uses event stream requests with bits set to request data in older version formats, you can use the information in this appendix to identify the data structures of the data messages you receive.
Note that prior to version 5.0, IDs were assigned to separate detection engines; from version 5.0 onward, IDs are assigned to devices. The data structures reflect whichever scheme applies to their version.
Note: This appendix describes only data structures from version 4.9 or later of the Firepower System. If you require documentation for structures from earlier data structure versions, contact Cisco Customer Support.
Legacy Intrusion Data Structures
- Intrusion Event (IPv4) Record 5.0.x - 5.1
- Intrusion Event (IPv6) Record 5.0.x - 5.1
- Intrusion Event Record 5.2.x
- Intrusion Event Record 5.3
- Intrusion Event Record 5.1.1.x
- Intrusion Event Record 5.3.1
- Intrusion Event Record 5.4.x
- Intrusion Event Record 6.x
- Intrusion Event Record 7.0
- Intrusion Impact Alert Data
- Intrusion Event Extra Data Record
- Intrusion Event Extra Data Metadata
Intrusion Event (IPv4) Record 5.0.x - 5.1
The fields in the intrusion event (IPv4) record are shaded in the following graphic. The record type is 207.
You request intrusion event records by setting the intrusion event flag or the extended requests flag in the request message. See Request Flags and Submitting Extended Requests.
For version 5.0.x - 5.1 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier.
[Record layout graphic not reproduced; surviving label: eStreamer Server Timestamp (in events, only if bit 23 is set)]
The following table describes each intrusion event record data field.
| Description |
|---|
| Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information. |
| UNIX timestamp (seconds since 01/01/1970) of the event’s detection. |
| Microsecond (one millionth of a second) increment of the timestamp of the event’s detection. |
| Identification number of the Firepower System preprocessor that generated the event. |
| Identification number of the priority associated with the event. |
| Destination IPv4 address used in the event, in address octets. |
| The source port number if the event protocol type is TCP or UDP. |
| The destination port number if the event protocol type is TCP or UDP. |
| Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Defense Center. An |
| A policy ID number that acts as a unique identifier for the intrusion policy. |
| The internal identification number for the user, if applicable. |
| The internal identification number for the web application, if applicable. |
| The internal identification number for the client application, if applicable. |
| The internal identification number for the application protocol, if applicable. |
| A rule ID number that acts as a unique identifier for the access control rule. |
| A policy ID number that acts as a unique identifier for the access control policy. |
| An interface ID number that acts as a unique identifier for the ingress interface. |
| An interface ID number that acts as a unique identifier for the egress interface. |
| A zone ID number that acts as a unique identifier for the ingress security zone. |
| A zone ID number that acts as a unique identifier for the egress security zone. |
Intrusion Event (IPv6) Record 5.0.x - 5.1
The fields in the intrusion event (IPv6) record are shaded in the following graphic. The record type is 208.
You request intrusion event records by setting the intrusion event flag or the extended requests flag in the request message. See Request Flags and Submitting Extended Requests.
For version 5.0.x - 5.1 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier.
[Record layout graphic not reproduced; surviving label: eStreamer Server Timestamp (in events, only if bit 23 is set)]
The following table describes each intrusion event record data field.
| Description |
|---|
| Contains the identification number of the detecting device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information. |
| UNIX timestamp (seconds since 01/01/1970) of the event’s detection. |
| Microsecond (one millionth of a second) increment of the timestamp of the event’s detection. |
| Identification number of the Firepower System preprocessor that generated the event. |
| Identification number of the priority associated with the event. |
| Destination IPv6 address used in the event, in address octets. |
| The source port number if the event protocol type is TCP or UDP. If the protocol type is ICMP, this indicates the ICMP type. |
| The destination port number if the event protocol type is TCP or UDP. If the protocol type is ICMP, this indicates the ICMP code. |
| Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Defense Center. An |
| Indicates the ID of the VLAN where the packet originated. (Applies to 4.9+ events only.) |
| A policy ID number that acts as a unique identifier for the intrusion policy. |
| The internal identification number for the user, if applicable. |
| The internal identification number for the web application, if applicable. |
| The internal identification number for the client application, if applicable. |
| The internal identification number for the application protocol, if applicable. |
| A rule ID number that acts as a unique identifier for the access control rule. |
| A policy ID number that acts as a unique identifier for the access control policy. |
| An interface ID number that acts as a unique identifier for the ingress interface. |
| An interface ID number that acts as a unique identifier for the egress interface. |
| A zone ID number that acts as a unique identifier for the ingress security zone. |
| A zone ID number that acts as a unique identifier for the egress security zone. |
Intrusion Event Record 5.2.x
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 34 in the series 2 set of data blocks.
You can request 5.2.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 5 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
For version 5.2.x intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.
[Record layout graphic not reproduced; surviving labels: eStreamer Server Timestamp (in events, only if bit 23 is set); Destination IP Address, continued]
The following table describes each intrusion event record data field.
| Description |
|---|
| Initiates an Intrusion Event data block. This value is always |
| Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows. |
| Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information. |
| UNIX timestamp (seconds since 01/01/1970) of the event’s detection. |
| Microsecond (one millionth of a second) increment of the timestamp of the event’s detection. |
| Identification number of the Firepower System preprocessor that generated the event. |
| Identification number of the priority associated with the event. |
| The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic. |
| The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic. |
| Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Defense Center. An |
| A policy ID number that acts as a unique identifier for the intrusion policy. |
| The internal identification number for the user, if applicable. |
| The internal identification number for the web application, if applicable. |
| The internal identification number for the client application, if applicable. |
| The internal identification number for the application protocol, if applicable. |
| A rule ID number that acts as a unique identifier for the access control rule. |
| A policy ID number that acts as a unique identifier for the access control policy. |
| An interface ID number that acts as a unique identifier for the ingress interface. |
| An interface ID number that acts as a unique identifier for the egress interface. |
| A zone ID number that acts as a unique identifier for the ingress security zone. |
| A zone ID number that acts as a unique identifier for the egress security zone. |
| UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event. |
| Numerical ID of the Snort instance on the managed device that generated the connection event. |
| Value used to distinguish between connection events that happen during the same second. |
Intrusion Event Record 5.3
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 41 in the series 2 set of data blocks.
You can request 5.3 intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 6 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
For version 5.3 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.
[Record layout graphic not reproduced; surviving labels: eStreamer Server Timestamp (in events, only if bit 23 is set); Destination IP Address, continued]
The following table describes each intrusion event record data field.
| Description |
|---|
| Initiates an Intrusion Event data block. This value is always |
| Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows. |
| Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information. |
| UNIX timestamp (seconds since 01/01/1970) of the event’s detection. |
| Microsecond (one millionth of a second) increment of the timestamp of the event’s detection. |
| Identification number of the Firepower System preprocessor that generated the event. |
| Identification number of the priority associated with the event. |
| The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic. |
| The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic. |
| Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Defense Center. An |
| A policy ID number that acts as a unique identifier for the intrusion policy. |
| The internal identification number for the user, if applicable. |
| The internal identification number for the web application, if applicable. |
| The internal identification number for the client application, if applicable. |
| The internal identification number for the application protocol, if applicable. |
| A rule ID number that acts as a unique identifier for the access control rule. |
| A policy ID number that acts as a unique identifier for the access control policy. |
| An interface ID number that acts as a unique identifier for the ingress interface. |
| An interface ID number that acts as a unique identifier for the egress interface. |
| A zone ID number that acts as a unique identifier for the ingress security zone. |
| A zone ID number that acts as a unique identifier for the egress security zone. |
| UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event. |
| Numerical ID of the Snort instance on the managed device that generated the connection event. |
| Value used to distinguish between connection events that happen during the same second. |
Intrusion Event Record 5.1.1.x
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 25.
You can request 5.1.1.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 4 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
For version 5.1.1.x intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.
[Record layout graphic not reproduced; surviving labels: eStreamer Server Timestamp (in events, only if bit 23 is set); Destination IP Address, continued]
The following table describes each intrusion event record data field.
| Description |
|---|
| Initiates an Intrusion Event data block. This value is always |
| Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows. |
| Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information. |
| UNIX timestamp (seconds since 01/01/1970) of the event’s detection. |
| Microsecond (one millionth of a second) increment of the timestamp of the event’s detection. |
| Identification number of the Firepower System preprocessor that generated the event. |
| Identification number of the priority associated with the event. |
| The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic. |
| The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic. |
| Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Defense Center. An |
| A policy ID number that acts as a unique identifier for the intrusion policy. |
| The internal identification number for the user, if applicable. |
| The internal identification number for the web application, if applicable. |
| The internal identification number for the client application, if applicable. |
| The internal identification number for the application protocol, if applicable. |
| A rule ID number that acts as a unique identifier for the access control rule. |
| A policy ID number that acts as a unique identifier for the access control policy. |
| An interface ID number that acts as a unique identifier for the ingress interface. |
| An interface ID number that acts as a unique identifier for the egress interface. |
| A zone ID number that acts as a unique identifier for the ingress security zone. |
| A zone ID number that acts as a unique identifier for the egress security zone. |
| UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event. |
| Numerical ID of the Snort instance on the managed device that generated the connection event. |
| Value used to distinguish between connection events that happen during the same second. |
Intrusion Event Record 5.3.1
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 42 in the series 2 set of data blocks.
You can request 5.3.1 intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 7 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
For version 5.3.1 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.
[Record layout graphic not reproduced; surviving labels: eStreamer Server Timestamp (in events, only if bit 23 is set); Destination IP Address, continued]
The following table describes each intrusion event record data field.
| Description |
|---|
| Initiates an Intrusion Event data block. This value is always 42. |
| Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows. |
| Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information. |
| UNIX timestamp (seconds since 01/01/1970) of the event’s detection. |
| Microsecond (one millionth of a second) increment of the timestamp of the event’s detection. |
| Identification number of the Firepower System preprocessor that generated the event. |
| Identification number of the priority associated with the event. |
| The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic. |
| The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic. |
| Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Defense Center. An |
| A policy ID number that acts as a unique identifier for the intrusion policy. |
| The internal identification number for the user, if applicable. |
| The internal identification number for the web application, if applicable. |
| The internal identification number for the client application, if applicable. |
| The internal identification number for the application protocol, if applicable. |
| A rule ID number that acts as a unique identifier for the access control rule. |
| A policy ID number that acts as a unique identifier for the access control policy. |
| An interface ID number that acts as a unique identifier for the ingress interface. |
| An interface ID number that acts as a unique identifier for the egress interface. |
| A zone ID number that acts as a unique identifier for the ingress security zone. |
| A zone ID number that acts as a unique identifier for the egress security zone. |
| UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event. |
| Numerical ID of the Snort instance on the managed device that generated the connection event. |
| Value used to distinguish between connection events that happen during the same second. |
| ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
Intrusion Event Record 5.4.x
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 45 in the series 2 set of data blocks. It supersedes block type 42, and is superseded by block type 60. Fields for SSL support and Network Analysis Policy have been added.
You can request 5.4.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 8 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
[Record layout graphic not reproduced; surviving labels: eStreamer Server Timestamp (in events, only if bit 23 is set); Destination IP Address, continued]
The following table describes each intrusion event record data field.
| Description |
|---|
| Initiates an Intrusion Event data block. This value is always 45. |
| Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows. |
| Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information. |
| UNIX timestamp (seconds since 01/01/1970) of the event’s detection. |
| Microsecond (one millionth of a second) increment of the timestamp of the event’s detection. |
| Identification number of the Firepower System preprocessor that generated the event. |
| Identification number of the priority associated with the event. |
| The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic. |
| The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic. |
| Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Defense Center. An |
| A policy ID number that acts as a unique identifier for the intrusion policy. |
| The internal identification number for the user, if applicable. |
| The internal identification number for the web application, if applicable. |
| The internal identification number for the client application, if applicable. |
| The internal identification number for the application protocol, if applicable. |
| A rule ID number that acts as a unique identifier for the access control rule. |
| A policy ID number that acts as a unique identifier for the access control policy. |
| An interface ID number that acts as a unique identifier for the ingress interface. |
| An interface ID number that acts as a unique identifier for the egress interface. |
| A zone ID number that acts as a unique identifier for the ingress security zone. |
| A zone ID number that acts as a unique identifier for the egress security zone. |
| UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event. |
| Numerical ID of the Snort instance on the managed device that generated the connection event. |
| Value used to distinguish between connection events that happen during the same second. |
| ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
| The action performed on the connection based on the SSL Rule. This may differ from the expected action, as the action specified in the rule may be impossible. Possible values include: |
| Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include: |
| The UUID of the Network Analysis Policy that created the intrusion event. |
Intrusion Event Record 6.x
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 60 in the series 2 set of data blocks. It supersedes block type 45, and is superseded by block type 81 in 7.0. An HTTP Response field has been added.
You can request 6.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 9 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
[Record layout graphic not reproduced; surviving labels: eStreamer Server Timestamp (in events, only if bit 23 is set); Destination IP Address, continued]
The following table describes each intrusion event record data field.
| Description |
|---|
| Initiates an Intrusion Event data block. This value is always 60. |
| Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows. |
| Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information. |
| UNIX timestamp (seconds since 01/01/1970) of the event’s detection. |
| Microsecond (one millionth of a second) increment of the timestamp of the event’s detection. |
| Identification number of the Firepower System preprocessor that generated the event. |
| Identification number of the priority associated with the event. |
| The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic. |
| The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic. |
| Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Management Center. An |
| A policy ID number that acts as a unique identifier for the intrusion policy. |
| The internal identification number for the user, if applicable. |
| The internal identification number for the web application, if applicable. |
| The internal identification number for the client application, if applicable. |
| The internal identification number for the application protocol, if applicable. |
| A rule ID number that acts as a unique identifier for the access control rule. |
| A policy ID number that acts as a unique identifier for the access control policy. |
| An interface ID number that acts as a unique identifier for the ingress interface. |
| An interface ID number that acts as a unique identifier for the egress interface. |
| A zone ID number that acts as a unique identifier for the ingress security zone. |
| A zone ID number that acts as a unique identifier for the egress security zone. |
| UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event. |
| Numerical ID of the Snort instance on the managed device that generated the connection event. |
| Value used to distinguish between connection events that happen during the same second. |
| ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
| The action performed on the connection based on the SSL Rule. This may differ from the expected action, as the action specified in the rule may be impossible. Possible values include: |
| Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include: |
| The UUID of the Network Analysis Policy that created the intrusion event. |
Intrusion Event Record 7.0
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 81 in the series 2 set of data blocks. It supersedes block type 60, and is superseded by block type 85. Inline Result Reason, Ingress and Egress Virtual Route Forwarding, and Snort Version fields have been added. The Blocked field has been renamed Inline Result.
You can request 7.0 intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 10 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
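As an added illustration (not code from the Cisco guide), the following Python shows how a client can validate the eight-byte series 2 block header before reading any fields, map the block type to the record version and extended-request version code this appendix lists, and deduplicate events using the identifier triple the appendix defines. It assumes network (big-endian) byte order and does not decode the per-version field layout; the sample bytes are constructed.

```python
import struct
from dataclasses import dataclass

INTRUSION_RECORD_TYPE = 400   # record type carrying every block version below
BLOCK_HEADER_LEN = 8          # 4-byte block type + 4-byte block length

# Series 2 block type -> Firepower version whose intrusion event it carries,
# as listed in this appendix.
INTRUSION_BLOCK_VERSIONS = {
    25: "5.1.1.x", 34: "5.2.x", 41: "5.3", 42: "5.3.1",
    45: "5.4.x", 60: "6.x", 81: "7.0",
}

# Extended request (event type code 12) version code -> block type returned,
# also as listed in this appendix.
VERSION_CODE_TO_BLOCK = {4: 25, 5: 34, 6: 41, 7: 42, 8: 45, 9: 60, 10: 81}


class BlockError(ValueError):
    """Raised for a block header that cannot be trusted."""


@dataclass
class IntrusionBlock:
    block_type: int
    version: str
    payload: bytes   # bytes after the header; per-version layout not decoded here


def expected_block_type(version_code: int) -> int:
    """Block type a client should expect after requesting this version code."""
    try:
        return VERSION_CODE_TO_BLOCK[version_code]
    except KeyError:
        raise BlockError(f"no intrusion event block for version code {version_code}")


def parse_intrusion_block(buf: bytes) -> IntrusionBlock:
    """Validate the 8-byte header and carve exactly block_length bytes.

    The length counts the type and length fields themselves, so anything
    below 8 is malformed; a length beyond the bytes received would make a
    naive reader read past the buffer or desynchronise from the stream.
    Assumes network (big-endian) byte order.
    """
    if len(buf) < BLOCK_HEADER_LEN:
        raise BlockError("truncated block header")
    block_type, block_len = struct.unpack("!II", buf[:BLOCK_HEADER_LEN])
    if block_type not in INTRUSION_BLOCK_VERSIONS:
        raise BlockError(f"unexpected block type {block_type}")
    if block_len < BLOCK_HEADER_LEN:
        raise BlockError(f"block length {block_len} is smaller than its header")
    if block_len > len(buf):
        raise BlockError(f"block length {block_len} exceeds {len(buf)} bytes received")
    return IntrusionBlock(block_type, INTRUSION_BLOCK_VERSIONS[block_type],
                          buf[BLOCK_HEADER_LEN:block_len])


def build_block(block_type: int, payload: bytes) -> bytes:
    """Encode a block header around a payload (used to build sample input)."""
    return struct.pack("!II", block_type, BLOCK_HEADER_LEN + len(payload)) + payload


def dedupe_events(events):
    """Keep the first copy of each intrusion event.

    The appendix states that event ID, managed device ID and event second
    together form the unique identifier; delivery order is not part of the key.
    """
    seen = set()
    unique = []
    for ev in events:
        key = (ev["device_id"], ev["event_id"], ev["event_second"])
        if key not in seen:
            seen.add(key)
            unique.append(ev)
    return unique


# Constructed sample input (not captured from a device): a 7.0 block whose
# payload is four placeholder bytes, plus a header claiming more than was sent.
SAMPLE_BLOCK = build_block(81, bytes.fromhex("deadbeef"))
OVERLONG_BLOCK = struct.pack("!II", 81, 64) + b"\x00" * 4

if __name__ == "__main__":
    blk = parse_intrusion_block(SAMPLE_BLOCK)
    print(f"block type {blk.block_type} -> version {blk.version}, "
          f"{len(blk.payload)} payload bytes")
    try:
        parse_intrusion_block(OVERLONG_BLOCK)
    except BlockError as err:
        print("rejected:", err)
```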
[Record layout graphic not reproduced; surviving labels: eStreamer Server Timestamp (in events, only if bit 23 is set); Destination IP Address, continued]
The following describes each intrusion event record data field.
- Initiates an Intrusion Event data block. This value is always 81.
- Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.
- Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.
- UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
- Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.
- Identification number of the Firepower System preprocessor that generated the event.
- Identification number of the priority associated with the event.
- The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.
- The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.
- Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Management Center. An
- A policy ID number that acts as a unique identifier for the intrusion policy.
- The internal identification number for the user, if applicable.
- The internal identification number for the web application, if applicable.
- The internal identification number for the client application, if applicable.
- The internal identification number for the application protocol, if applicable.
- A rule ID number that acts as a unique identifier for the access control rule.
- A policy ID number that acts as a unique identifier for the access control policy.
- An interface ID number that acts as a unique identifier for the ingress interface.
- An interface ID number that acts as a unique identifier for the egress interface.
- A zone ID number that acts as a unique identifier for the ingress security zone.
- A zone ID number that acts as a unique identifier for the egress security zone.
- UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.
- Numerical ID of the Snort instance on the managed device that generated the connection event.
- Value used to distinguish between connection events that happen during the same second.
- ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.
- The action performed on the connection based on the SSL Rule. This may differ from the expected action, because the action specified in the rule may be impossible. Possible values include:
- Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include:
- The UUID of the Network Analysis Policy that created the intrusion event.
- Initiates a String data block containing the name of the ingress VRF. This value is always
- The number of bytes included in the name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Ingress VRF name field.
- The virtual router through which traffic entered the network.
- Initiates a String data block containing the name of the egress VRF. This value is always
- The number of bytes included in the name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Egress VRF name field.
- The name of the virtual router through which traffic exited the network.
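To make the block framing concrete, here is an added example (not code from the Cisco eStreamer guide or any Cisco client) that parses the String data blocks carrying the Ingress and Egress VRF names described above and extracts the impact level from the Impact Flags field; the same String block parsing applies to the name, path and hash String blocks in the malware event blocks later in this appendix. It assumes network byte order and takes the series 2 String block type value 0 from the 5.3.1 malware event table.

```python
"""Parse eStreamer series 2 data blocks from a captured event buffer.

Added example; not code from the Cisco eStreamer guide or the Cisco
eStreamer client. Assumptions (labelled here and in comments):
  * integers are big-endian (network byte order);
  * every block starts with a 4-byte block type and a 4-byte block length,
    and the length counts those 8 header bytes plus the payload, as the
    field tables in this appendix state;
  * the series 2 String data block type is 0, as the 5.3.1 malware
    event table states ("This value is always 0").
"""
import struct

STRING_BLOCK_TYPE = 0   # series 2 String data block (per the 5.3.1 table)
HEADER_LEN = 8          # 4-byte block type + 4-byte block length


class BlockError(ValueError):
    """Raised for a header that cannot be trusted (truncated or inconsistent)."""


def read_block_header(buf, offset=0):
    """Return (block_type, block_length) after checking it fits the buffer.

    A collector must check the declared length against the bytes it actually
    holds before slicing; otherwise a short or corrupt record can make it
    read past the end of the event or loop forever on a zero-length block.
    """
    if offset + HEADER_LEN > len(buf):
        raise BlockError("truncated block header")
    # Assumed big-endian, as eStreamer integers are sent in network byte order.
    block_type, block_length = struct.unpack_from(">II", buf, offset)
    if block_length < HEADER_LEN:
        raise BlockError(f"block length {block_length} is smaller than its header")
    if offset + block_length > len(buf):
        raise BlockError(f"block length {block_length} runs past the end of the buffer")
    return block_type, block_length


def is_well_formed(buf, offset=0):
    """True when the block header at offset passes read_block_header's checks."""
    try:
        read_block_header(buf, offset)
    except BlockError:
        return False
    return True


def read_string_block(buf, offset=0):
    """Parse a String data block; return (text, offset of the next block)."""
    block_type, block_length = read_block_header(buf, offset)
    if block_type != STRING_BLOCK_TYPE:
        raise BlockError(f"expected String block type {STRING_BLOCK_TYPE}, got {block_type}")
    payload = buf[offset + HEADER_LEN:offset + block_length]
    # Decode leniently: a stray byte in a name should not crash the collector.
    return payload.decode("utf-8", errors="replace"), offset + block_length


def encode_string_block(text):
    """Build a String data block as the tables describe it (used for the sample)."""
    data = text.encode("utf-8")
    return struct.pack(">II", STRING_BLOCK_TYPE, HEADER_LEN + len(data)) + data


def impact_level(impact_flags):
    """The low-order eight bits of the Impact Flags field carry the impact level."""
    return impact_flags & 0xFF


def parse_vrf_names(buf):
    """Read the Ingress VRF and Egress VRF String blocks that end the 7.0 record."""
    ingress, offset = read_string_block(buf, 0)
    egress, offset = read_string_block(buf, offset)
    if offset != len(buf):
        raise BlockError("unexpected trailing bytes after the Egress VRF block")
    return ingress, egress


# Constructed sample (not a real capture): the two VRF String blocks as they
# would appear at the tail of an Intrusion Event data block.
SAMPLE_VRF_BLOCKS = encode_string_block("vrf-inside") + encode_string_block("vrf-outside")

if __name__ == "__main__":
    print(parse_vrf_names(SAMPLE_VRF_BLOCKS))   # ('vrf-inside', 'vrf-outside')
    print(impact_level(0x00000102))             # 2
```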
Intrusion Impact Alert Data
The Intrusion Impact Alert event contains information about impact events. It is transmitted when an intrusion event is compared to the system network map data and the impact is determined. It uses the standard record header with a record type of 9, followed by an Intrusion Impact Alert data block with a data block type of 20 in the series 1 group of blocks. (The Impact Alert data block is a type of series 1 data block. For more information about series 1 data blocks, see Understanding Discovery (Series 1) Blocks.)
You can request that eStreamer only transmit intrusion impact events by setting bit 5 in the Flags field of the request message. See Event Stream Request Message Format for more information about request messages. Version 1 of these alerts only handles IPv4. Version 2, introduced in 5.3, handles IPv6 events in addition to IPv4.
The following describes each data field in an impact event.
- Indicates that an intrusion impact alert data block follows. This field will always have a value of
- Indicates the length of the intrusion impact alert data block, including all data that follows and 8 bytes for the intrusion impact alert block type and length.
- Indicates the second (from 01/01/1970) that the event was detected.
- Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Defense Center. An
- IP address of the host associated with the impact event, in IP address octets.
- Destination IP address associated with the impact event (if applicable), in IP address octets. This value is
- Initiates a string data block that contains the impact name. This value is always set to
- Number of bytes in the event description string block. This includes the four bytes for the string block type, the four bytes for the string block length, and the number of bytes in the description.
Intrusion Event Extra Data Record
The eStreamer service transmits the event extra data associated with an intrusion event in the Intrusion Event Extra Data record. The record type is always 110.
This record is deprecated in version 7.1. While it can still be requested, no records will be generated.
The event extra data appears in an encapsulated Event Extra Data data block, which always has a data block type value of 4. (The Event Extra Data data block is a series 2 data block. For more information about series 2 data blocks, see Understanding Series 2 Data Blocks.)
The supported types of extra data include IPv6 source and destination addresses, as well as the originating IP addresses (v4 or v6) of clients connecting to a web server through an HTTP proxy or load balancer. The graphic below shows the format of the Intrusion Event Extra Data record.
If bit 27 is set in the Request Flags field of the request message, you receive the event extra data for each intrusion event. If you set bit 20, you also receive the event extra data metadata described in Intrusion Event Extra Data Metadata. If you enable bit 23, eStreamer will include the extended event header. See Request Flags for information on setting request flags.
[Graphic: Intrusion Event Extra Data record layout. Label recoverable from the graphic: eStreamer Server Timestamp (in events, only if bit 23 is set).]
Note that the Event Extra Data block structure includes a BLOB block type, which is one of several variable length data structures introduced in Version 4.10 of the Firepower System.
The following describes the fields in the Intrusion Event Extra Data record.
- Initiates an Event Extra Data data block. This value is always
- Length of the data block. Includes the number of bytes of data plus the 8 bytes in the two data block header fields.
- Initiates a BLOB data block containing extra data. This value is always
- The content of the extra data. The data type is indicated in the Type field.
Intrusion Event Extra Data Metadata
The eStreamer service transmits the event extra data metadata associated with intrusion event extra data records in the Intrusion Event Extra Data Metadata record. The record type is always 111.
This record is deprecated in version 7.1. While it can still be requested, no records will be generated.
The event extra data metadata appears in an encapsulated Event Extra Data Metadata data block, which always has a data block type value of 5. The Event Extra Data Metadata data block is a series 2 data block.
If bit 20 is set in the Request Flags field of a request message, you receive the event extra data metadata. If you want to receive both intrusion events and event extra data metadata, you must set bit 2 as well. See Request Flags. If you enable bit 23, an extended event header is included in the record.
[Graphic: Intrusion Event Extra Data Metadata record layout. Label recoverable from the graphic: eStreamer Server Timestamp (in events, only if bit 23 is set).]
Note that the block structure includes encapsulated String block types, one of several series 2 variable length data structures introduced in Version 4.10 of the Firepower System.
The following table describes the fields in the Event Extra Data Metadata record.
Legacy Malware Event Data Structures
- Malware Event Data Block 5.1
- Malware Event Data Block 5.1.1.x
- Malware Event Data Block 5.2.x
- Malware Event Data Block 5.3
- Malware Event Data Block 5.3.1
- Malware Event Data Block 5.4.x
- Malware Event Data Block 6.x
Malware Event Data Block 5.1
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 16 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 1 and an event code of 101.
The following graphic shows the structure of the malware event data block:
The following table describes the fields in the malware event data block.
Malware Event Data Block 5.1.1.x
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 24 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 2 and an event code of 101.
The following graphic shows the structure of the malware event data block:
The following table describes the fields in the malware event data block.
Malware Event Data Block 5.2.x
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 33 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 3 and an event code of 101.
The following graphic shows the structure of the malware event data block:
The following table describes the fields in the malware event data block.
Malware Event Data Block 5.3
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 35 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 4 and an event code of 101.
The following graphic shows the structure of the malware event data block:
The following describes the fields in the malware event data block.
- Initiates a malware event data block. This value is always
- Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.
- The internal unique ID of the AMP for Endpoints agent reporting the malware event.
- The internal unique ID of the malware awareness network from which the malware event originated.
- The internal ID of the action that led to malware detection.
- The internal ID of the detection technology that detected the malware.
- Initiates a String data block containing the detection name. This value is always
- The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.
- Initiates a String data block containing the username. This value is always
- The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.
- The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.
- Initiates a String data block containing the file name. This value is always
- The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.
- Initiates a String data block containing the file path. This value is always
- The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.
- The file path, not including the file name, of the detected or quarantined file.
- Initiates a String data block containing the file SHA hash. This value is always
- The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.
- The rendered string of the SHA-256 hash value of the detected or quarantined file.
- The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information.
- UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.
- Initiates a String data block containing the parent file name. This value is always
- The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.
- The name of the file accessing the detected or quarantined file when detection occurred.
- Initiates a String data block containing the parent file SHA hash. This value is always
- The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.
- The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.
- Initiates a String data block containing the event description. This value is always
- The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.
- The additional event information associated with the event type.
- Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.
- Value used to distinguish between connection events that happen during the same second.
- Indicates whether the file was uploaded or downloaded. Can have the following values: Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).
- ID number that maps to the application using the file transfer.
- Identification number for the user logged into the destination host, as identified by the system.
- Identification number that acts as a unique identifier for the access control policy that triggered the event.
- The malware status of the file. Possible values include:
- Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.
- Initiates a String data block containing the URI. This value is always
- The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.
- The internal identification number of the detected web application, if applicable.
- The internal identification number of the detected client application, if applicable.
- The action taken on the file based on the file type. Can have the following values:
- A numeric value from
Malware Event Data Block 5.3.1
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 44 in the series 2 group of blocks. It supersedes block 35. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 5 and an event code of 101.
The following graphic shows the structure of the malware event data block:
The following describes the fields in the malware event data block.
- Initiates a malware event data block. This value is always
- Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.
- The internal unique ID of the AMP for Endpoints agent reporting the malware event.
- The internal unique ID of the Cisco Advanced Malware Protection cloud from which the malware event originated.
- The internal ID of the action that led to malware detection.
- The internal ID of the detection technology that detected the malware.
- Initiates a String data block containing the detection name. This value is always 0.
- The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.
- Initiates a String data block containing the username. This value is always 0.
- The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.
- The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.
- Initiates a String data block containing the file name. This value is always 0.
- The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.
- Initiates a String data block containing the file path. This value is always 0.
- The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.
- The file path, not including the file name, of the detected or quarantined file.
- Initiates a String data block containing the file SHA hash. This value is always 0.
- The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.
- The rendered string of the SHA-256 hash value of the detected or quarantined file.
- The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information.
- UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.
- Initiates a String data block containing the parent file name. This value is always 0.
- The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.
- The name of the file accessing the detected or quarantined file when detection occurred.
- Initiates a String data block containing the parent file SHA hash. This value is always 0.
- The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.
- The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.
- Initiates a String data block containing the event description. This value is always 0.
- The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.
- The additional event information associated with the event type.
- Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.
- Value used to distinguish between connection events that happen during the same second.
- Indicates whether the file was uploaded or downloaded. Can have the following values: Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).
- ID number that maps to the application using the file transfer.
- Identification number for the user logged into the destination host, as identified by the system.
- Identification number that acts as a unique identifier for the access control policy that triggered the event.
- The malware status of the file. Possible values include:
- Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.
- Initiates a String data block containing the URI. This value is always 0.
- The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.
- The internal identification number of the detected web application, if applicable.
- The internal identification number of the detected client application, if applicable.
- The action taken on the file based on the file type. Can have the following values:
- A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.
- ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.
Malware Event Data Block 5.4.x
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 47 in the series 2 group of blocks. It supersedes block 44 and is superseded by block. Fields for SSL and file archive support have been added.
You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 6 and an event code of 101.
The following graphic shows the structure of the malware event data block:
The following describes the fields in the malware event data block.
- Initiates a malware event data block. This value is always 47.
- Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.
- The internal unique ID of the AMP for Endpoints agent reporting the malware event.
- The internal unique ID of the Cisco Advanced Malware Protection cloud from which the malware event originated.
- The internal ID of the action that led to malware detection.
- The internal ID of the detection technology that detected the malware.
- Initiates a String data block containing the detection name. This value is always
- The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.
- Initiates a String data block containing the username. This value is always
- The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.
- The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.
- Initiates a String data block containing the file name. This value is always
- The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.
- Initiates a String data block containing the file path. This value is always
- The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.
- The file path, not including the file name, of the detected or quarantined file.
- Initiates a String data block containing the file SHA hash. This value is always
- The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.
- The rendered string of the SHA-256 hash value of the detected or quarantined file.
- The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information.
- UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.
- Initiates a String data block containing the parent file name. This value is always
- The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.
- The name of the file accessing the detected or quarantined file when detection occurred.
- Initiates a String data block containing the parent file SHA hash. This value is always
- The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.
- The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.
- Initiates a String data block containing the event description. This value is always
- The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.
- The additional event information associated with the event type.
- Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.
- Value used to distinguish between connection events that happen during the same second.
- Indicates whether the file was uploaded or downloaded. Can have the following values: Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).
- ID number that maps to the application using the file transfer.
- Identification number for the user logged into the destination host, as identified by the system.
- Identification number that acts as a unique identifier for the access control policy that triggered the event.
- The malware status of the file. Possible values include:
- Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.
- Initiates a String data block containing the URI. This value is always
- The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.
- The internal identification number of the detected web application, if applicable.
- The internal identification number of the detected client application, if applicable.
- The action taken on the file based on the file type. Can have the following values:
- A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.
- ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.
- The action performed on the connection based on the SSL Rule. This may differ from the expected action, because the action specified in the rule may be impossible. Possible values include:
- Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include:
- Initiates a String data block containing the Archive SHA. This value is always
- The number of bytes included in the Archive SHA String data block, including eight bytes for the block type and header fields plus the number of bytes in the intrusion policy name.
- SHA1 hash of the parent archive in which the file is contained.
- Initiates a String data block containing the Archive Name. This value is always
- The number of bytes included in the Archive Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the intrusion policy name.
- Number of layers in which the file is nested. For example, if a text file is in a zip archive, this has a value of
Malware Event Data Block 6.x
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 62 in the series 2 group of blocks. It supersedes block 47. A field for HTTP response has been added. It is superseded by block 80.
You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 7 and an event code of 101.
The following graphic shows the structure of the malware event data block.
The following describes the fields in the malware event data block.
- Initiates a malware event data block. This value is always 62.
- Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.
- The internal unique ID of the AMP for Endpoints agent reporting the malware event.
- The internal unique ID of the AMP cloud from which the malware event originated.
- The internal ID of the action that led to malware detection.
- The internal ID of the detection technology that detected the malware.
- Initiates a String data block containing the detection name. This value is always
- The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.
- Initiates a String data block containing the username. This value is always
- The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.
- The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.
- Initiates a String data block containing the file name. This value is always
- The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.
- Initiates a String data block containing the file path. This value is always
- The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.
- The file path, not including the file name, of the detected or quarantined file.
- Initiates a String data block containing the file SHA hash. This value is always
- The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.
- The rendered string of the SHA-256 hash value of the detected or quarantined file.
- The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information.
- UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.
- Initiates a String data block containing the parent file name. This value is always
- The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.
- The name of the file accessing the detected or quarantined file when detection occurred.
- Initiates a String data block containing the parent file SHA hash. This value is always
- The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.
- The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.
- Initiates a String data block containing the event description. This value is always
- The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.
- The additional event information associated with the event type.
- Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.
- Value used to distinguish between connection events that happen during the same second.
||
Indicates whether the file was uploaded or downloaded. Can have the following values: Currently the value depends on the protocol (for example, if the connection is HTTP it is a download). |
||
ID number that maps to the application using the file transfer. |
||
Identification number for the user logged into the destination host, as identified by the system. |
||
Identification number that acts as a unique identifier for the access control policy that triggered the event. |
||
The malware status of the file. Possible values include:
|
||
Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field. |
||
Initiates a String data block containing the URI. This value is always |
||
The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field. |
||
The internal identification number of the detected web application, if applicable. |
||
The internal identification number of the detected client application, if applicable. |
||
The action taken on the file based on the file type. Can have the following values: |
||
A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis. |
||
ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
||
The action performed on the connection based on the SSL Rule. This may differ from the expected action, as the action as specified in the rule may be impossible. Possible values include: |
||
Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include:
|
||
Initiates a String data block containing the Archive SHA. This value is always |
||
The number of bytes included in the Archive SHA String data block, including eight bytes for the block type and header fields plus the number of bytes in the Archive SHA field. |
||
SHA1 hash of the parent archive in which the file is contained. |
||
Initiates a String data block containing the Archive Name. This value is always |
||
The number of bytes included in the Archive Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Archive Name field. |
||
Number of layers in which the file is nested. For example, if a text file is in a zip archive, this has a value of |
||
Legacy Discovery Data Structures
- Legacy Discovery Event Header
- Legacy Server Data Blocks
- Legacy Client Application Data Blocks
- Legacy Scan Result Data Blocks
- Legacy Host Profile Data Blocks
- Legacy OS Fingerprint Data Blocks
Legacy Discovery Event Header
Discovery Event Header 5.0 - 5.1.1.x
Discovery and connection event messages contain a discovery event header. It conveys the type and subtype of the event, the time the event occurred, the device on which the event occurred, and the structure of the event data in the message. This header is followed by the actual host discovery, user, or connection event data. The structures associated with the different event type/subtype values are described in Host Discovery Structures by Event Type.
The event type and event subtype fields of the discovery event header identify the structure of the transmitted event message. Once the structure of the event data block is determined, your program can parse the message appropriately.
The shaded rows in the following diagram illustrate the format of the discovery event header.
In event messages, the header is preceded by the eStreamer server timestamp only if bit 23 is set in the request flags.
The following table describes the discovery event header.
|
|
|
---|---|---|
ID number of the device that generated the discovery event. You can obtain the metadata for the device by requesting Version 3 and 4 metadata. See Managed Device Record Metadata for more information. |
||
UNIX timestamp (seconds since 01/01/1970) that the system generated the event. |
||
Microsecond (one millionth of a second) increment that the system generated the event. |
||
Event type. |
||
Event subtype. See Host Discovery Structures by Event Type for a list of available event subtypes. |
||
Serial file number. This field is for Cisco internal use and can be disregarded. |
||
Event’s position in the serial file. This field is for Cisco internal use and can be disregarded. |
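The header and block layout described above, as an added Python example that is not code from the Cisco guide: a bounds-checked parser for a discovery event header followed by nested series 1 data blocks. It assumes every header field is a big-endian unsigned 32-bit integer (the page's diagrams use 32-bit rows but do not state widths here), takes the Generic List block type 31 from this page, and assumes a value of 0 for the String data block type because the page elides that number. The sample message is constructed inline and its field values are arbitrary.

```python
"""Parse an eStreamer-style discovery event header and the nested data blocks that follow it."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed widths: each header field is treated as a big-endian uint32.
HEADER_FMT = ">IIIIIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes

GENERIC_LIST_TYPE = 31  # stated on this page for Generic List data blocks
STRING_TYPE = 0         # assumed for this example; the page elides the value
BLOCK_HDR = 8           # block type (4) + block length (4); the length field counts these 8


@dataclass
class DiscoveryHeader:
    device_id: int
    event_second: int
    event_microsecond: int
    event_type: int
    event_subtype: int
    file_number: int
    file_position: int


@dataclass
class Block:
    block_type: int
    length: int
    payload: bytes
    children: List["Block"] = field(default_factory=list)
    text: Optional[str] = None


class MalformedBlock(ValueError):
    """Raised when a length field is inconsistent with its container."""


def parse_discovery_header(buf: bytes) -> DiscoveryHeader:
    if len(buf) < HEADER_LEN:
        raise MalformedBlock(f"need {HEADER_LEN} header bytes, got {len(buf)}")
    return DiscoveryHeader(*struct.unpack_from(HEADER_FMT, buf, 0))


def parse_block(buf: bytes, offset: int, end: int) -> Block:
    """Parse one block at buf[offset:], never reading past `end` (the parent's boundary)."""
    if offset + BLOCK_HDR > end:
        raise MalformedBlock(f"truncated block header at offset {offset}")
    block_type, length = struct.unpack_from(">II", buf, offset)
    # The length includes the 8 header bytes, so anything smaller is invalid, and
    # a block must fit inside the list or message that contains it. Trusting the
    # sender's length here is how a client ends up reading past its buffer.
    if length < BLOCK_HDR:
        raise MalformedBlock(f"block type {block_type}: length {length} < {BLOCK_HDR}")
    if offset + length > end:
        raise MalformedBlock(f"block type {block_type}: length {length} overruns container")
    payload = buf[offset + BLOCK_HDR:offset + length]
    blk = Block(block_type, length, payload)
    if block_type == STRING_TYPE:
        blk.text = payload.decode("utf-8", errors="replace")
    elif block_type == GENERIC_LIST_TYPE:
        blk.children = parse_block_sequence(buf, offset + BLOCK_HDR, offset + length)
    return blk


def parse_block_sequence(buf: bytes, offset: int, end: int) -> List[Block]:
    """Parse back-to-back blocks that must end exactly at `end`."""
    blocks = []
    while offset < end:
        blk = parse_block(buf, offset, end)
        blocks.append(blk)
        offset += blk.length
    return blocks


def encode_block(block_type: int, payload: bytes) -> bytes:
    """Build a block with a correct length field; used only to construct sample input."""
    return struct.pack(">II", block_type, BLOCK_HDR + len(payload)) + payload


def parse_message(buf: bytes):
    """Return (header, top-level blocks) for a header followed by data blocks."""
    hdr = parse_discovery_header(buf)
    return hdr, parse_block_sequence(buf, HEADER_LEN, len(buf))


def is_malformed(buf: bytes) -> bool:
    try:
        parse_message(buf)
        return False
    except MalformedBlock:
        return True


# Constructed sample: device 7, event type 1002 / subtype 11, then a Generic List
# wrapping two String blocks. Values are arbitrary and not taken from a real sensor.
SAMPLE_HEADER = struct.pack(HEADER_FMT, 7, 1_700_000_000, 123456, 1002, 11, 0, 0)
SAMPLE_LIST = encode_block(
    GENERIC_LIST_TYPE,
    encode_block(STRING_TYPE, b"Apache") + encode_block(STRING_TYPE, b"2.4.57"),
)
SAMPLE_MESSAGE = SAMPLE_HEADER + SAMPLE_LIST

if __name__ == "__main__":
    header, blocks = parse_message(SAMPLE_MESSAGE)
    print(header)
    print([child.text for child in blocks[0].children])
```

The two length checks in parse_block are the point: a block whose declared length is shorter than its own header or longer than its container is rejected before any payload is sliced, so a corrupted or hostile stream cannot drive the parser past the bytes it actually holds.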
Legacy Server Data Blocks
Attribute Address Data Block for 5.0 - 5.1.1.x
The Attribute Address data block contains an attribute list item and is used within an Attribute Definition data block. It has a block type of 38.
The following diagram shows the basic structure of an Attribute Address data block:
The following table describes the fields of the Attribute Address data block.
Legacy Client Application Data Blocks
User Client Application Data Block for 5.0 - 5.1
The User Client Application data block contains information about the source of the client application data, the identification number for the user who added the data, and the lists of IP address range data blocks. The User Client Application data block has a block type of 59.
The following diagram shows the basic structure of a User Client Application data block:
The following table describes the fields of the User Client Application data block.
|
|
|
---|---|---|
Initiates a User Client Application data block. This value is always |
||
Total number of bytes in the User Client Application data block, including eight bytes for the user client application block type and length fields, plus the number of bytes of user client application data that follows. |
||
Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks. |
||
IP Range Specification data blocks containing information about the IP address ranges for the user input. See User Server Data Block Fields for a description of this data block. |
||
The internal identification number for the application protocol, if applicable. |
||
The internal identification number of the detected client application, if applicable. |
||
Initiates a String data block that contains the client application version. This value is always |
||
Number of bytes in the client application version String data block, including the string block type and length fields, plus the number of bytes in the version. |
||
Legacy Scan Result Data Blocks
Scan Result Data Block 5.0 - 5.1.1.x
The Scan Result data block describes a vulnerability and is used within Add Scan Result events (event type 1002, subtype 11). The Scan Result data block has a block type of 102.
The following diagram shows the format of a Scan Result data block:
The following table describes the fields of the Scan Result data block.
|
|
|
---|---|---|
Initiates a Scan Result data block. This value is always |
||
Number of bytes in the Scan Result data block, including eight bytes for the scan result block type and length fields, plus the number of bytes of scan result data that follows. |
||
Contains the user identification number for the user who imported the scan result or ran the scan that produced the scan result. |
||
IP address of the host affected by the vulnerabilities in the result, in IP address octets. |
||
Port used by the sub-server affected by the vulnerabilities in the results. |
||
Initiates a List data block comprising Scan Vulnerability data blocks conveying Scan Vulnerability data. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Scan Vulnerability data blocks. This field is followed by zero or more Scan Vulnerability data blocks. |
||
Initiates a Scan Vulnerability data block describing a vulnerability detected during a scan. This value is always |
||
Number of bytes in the Scan Vulnerability data block, including eight bytes for the scan vulnerability block type and length fields, plus the number of bytes in the scan vulnerability data that follows. |
||
Initiates a List data block comprising Generic Scan Results data blocks conveying server and operating system data detected during a scan. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Generic Scan Results data blocks. This field is followed by zero or more Generic Scan Results data blocks. |
||
Initiates a Generic Scan Results data block describing server and operating system data detected during a scan. This value is always 108. |
||
Number of bytes in the Generic Scan Results data block, including eight bytes for the generic scan results block type and length fields, plus the number of bytes in the scan result data that follows. |
||
Initiates a Generic List data block comprising User Product data blocks conveying host input data from a third party application. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated User Product data blocks. |
||
User Product data blocks containing host input data. See User Product Data Block 5.1+ for a description of this data block. |
User Product Data Block for 5.0.x
The User Product data block conveys host input data imported from a third party application, including third party application string mappings. This data block is used in Scan Result Data Block 5.0 - 5.1.1.x and in User Server and Operating System Messages. The User Product data block has a block type of 65 for 4.10.x, and a block type of 118 for 5.0 - 5.0.x. The two block types have the same structure.
Note An asterisk (*) next to a data block name in the following diagram indicates that multiple instances of the data block may occur.
The following diagram shows the format of the User Product data block:
The following table describes the components of the User Product data block.
|
|
|
---|---|---|
Initiates a User Product data block. This value is |
||
Total number of bytes in the User Product data block, including eight bytes for the user product block type and length fields, plus the number of bytes in the user product data that follows. |
||
Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks. |
||
IP Range Specification data blocks containing information about the IP address ranges for the user input. See IP Address Range Data Block for 5.2+ for a description of this data block. |
||
Indicates whether the user OS definition was deleted from the host: |
||
Initiates a String data block containing the custom vendor name specified in the user input. This value is always |
||
Number of bytes in the custom vendor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the vendor name. |
||
Initiates a String data block containing the custom product name specified in the user input. This value is always |
||
Number of bytes in the custom product String data block, including eight bytes for the block type and length fields, plus the number of bytes in the product name. |
||
Initiates a String data block containing the custom version specified in the user input. This value is always |
||
Number of bytes in the custom version String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
||
The identifier for a specific revision of a server or operating system in the Cisco database. |
||
The Cisco application identifier for the application protocol on the host server specified in user input. |
||
The identifier for the vendor of a third party operating system specified when the third party operating system is mapped to a Cisco 3D operating system definition. |
||
The product identification string of a third party operating system string specified when the third party operating system string is mapped to a Cisco 3D operating system definition. |
||
Initiates a String data block containing the major version number of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to. This value is always |
||
Number of bytes in the major String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
||
Major version of the Cisco 3D operating system definition that a third party operating system string is mapped to. |
||
Initiates a String data block containing the minor version number of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always |
||
Number of bytes in the minor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
||
Minor version number of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to. |
||
Initiates a String data block containing the revision number of the Cisco operating system definition that a third party operating system string in the user input is mapped to. This value is always |
||
Number of bytes in the revision String data block, including eight bytes for the block type and length fields, plus the number of bytes in the revision number. |
||
Revision number of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to. |
||
Initiates a String data block containing the last major version of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always |
||
Number of bytes in the To Major String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
||
Last version number in a range of major version numbers of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to. |
||
Initiates a String data block containing the last minor version of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always |
||
Number of bytes in the To Minor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
||
Last version number in a range of minor version numbers of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to. |
||
Initiates a String data block containing the Last revision number of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always |
||
Number of bytes in the To Revision String data block, including eight bytes for the block type and length fields, plus the number of bytes in the revision number. |
||
Last revision number in a range of revision numbers of the Cisco 3D operating system definitions that a third party operating system string in the user input is mapped to. |
||
Initiates a String data block containing the build number of the Cisco 3D operating system that the third party operating system string is mapped to. This value is always |
||
Number of bytes in the build String data block, including eight bytes for the block type and length fields, plus the number of bytes in the build number. |
||
Build number of the Cisco 3D operating system that the third party operating system string in the user input is mapped to. |
||
Initiates a String data block containing the patch number of the Cisco 3D operating system that the third party operating system string is mapped to. This value is always |
||
Number of bytes in the patch String data block, including eight bytes for the block type and length fields, plus the number of bytes in the patch number. |
||
Patch number of the Cisco 3D operating system that the third party operating system string in the user input is mapped to. |
||
Initiates a String data block containing the extension number of the Cisco 3D operating system that the third party operating system string is mapped to. This value is always |
||
Number of bytes in the extension String data block, including eight bytes for the block type and length fields, plus the number of bytes in the extension number. |
||
Extension number of the Cisco 3D operating system that the third party operating system string in the user input is mapped to. |
||
Contains the unique identification number for the operating system. |
||
Initiates a Generic List data block comprising Fix List data blocks conveying user input data regarding what fixes have been applied to hosts in the specified IP address ranges. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Fix List data blocks. |
||
Fix List data blocks containing information about fixes applied to the hosts. See Fix List Data Block for a description of this data block. |
Legacy User Login Data Blocks
User Login Information Data Block for 5.0 - 5.0.2
The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Information Update Message Block.
The User Login Information data block has a block type of 121 for version 5.0 - 5.0.2.
The graphic below shows the format of the User Login Information data block:
The following table describes the components of the User Login Information data block.
User Login Information Data Block 5.1-5.4.x
The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Account Update Message Data Block.
The User Login Information data block has a block type of 73 for version 4.7 - 4.10.x, a block type of 121 in the series 1 group of blocks for version 5.0 - 5.0.2, and a block type of 127 in the series 1 group of blocks for version 5.1-5.4.x.
The graphic below shows the format of the User Login Information data block:
The following table describes the components of the User Login Information data block.
|
|
|
---|---|---|
Initiates a User Login Information data block. This value is |
||
Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows. |
||
This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information. |
||
Initiates a String data block containing the username for the user. This value is always |
||
Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username. |
||
The application ID for the application protocol used in the connection that the login information was derived from. |
||
Initiates a String data block containing the email address for the user. This value is always |
||
Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address. |
||
IPv6 address from the host where the user was detected logging in, in IP address octets. |
||
Initiates a String data block containing the Reported By value. This value is always |
||
Number of bytes in the Reported By String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Reported By field. |
||
User Login Information Data Block 6.0.x
The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Account Update Message Data Block.
The User Login Information data block has a block type of 159 for version 6.0.x. It adds ISE integration endpoint profile and Security Intelligence fields.
The User Login Information data block has a block type of 73 for version 4.7 - 4.10.x, a block type of 121 in the series 1 group of blocks for version 5.0 - 5.0.2, and a block type of 127 in the series 1 group of blocks for version 5.1+. See User Login Information Data Block 5.1-5.4.x for more information.
The graphic below shows the format of the User Login Information data block:
The following table describes the components of the User Login Information data block.
|
|
|
---|---|---|
Initiates a User Login Information data block. This value is |
||
Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows. |
||
This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information. |
||
Initiates a String data block containing the username for the user. This value is always |
||
Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username. |
||
Initiates a String data block containing the domain. This value is always |
||
Number of bytes in the domain String data block, including eight bytes for the block type and length fields, plus the number of bytes in the domain. |
||
ID number of the type of device used by the connection endpoint. This is unique for each DC and resolved in metadata. |
||
Protocol used to detect or report the user. Possible values are: |
||
Initiates a String data block containing the email address for the user. This value is always |
||
Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address. |
||
IPv6 address from the host where the user was detected logging in, in IP address octets. |
||
Most recent IP address on which the user logged in. Can be either an IPv4 or IPv6 address. |
||
Initiates a String data block containing the Reported By value. This value is always |
||
Number of bytes in the Reported By String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Reported By field. |
||
User Login Information Data Block 6.1.x
The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. It has a block type of 165 in the series 1 group of blocks for version 6.1.x. It adds port and tunneling fields. It supersedes block type 159 (see User Login Information Data Block 6.0.x for more information) and is superseded by block type 167.
The graphic below shows the format of the User Login Information data block:
The following table describes the components of the User Login Information data block.
|
|
|
---|---|---|
Initiates a User Login Information data block. This value is |
||
Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows. |
||
This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information. |
||
Initiates a String data block containing the username for the user. This value is always |
||
Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username. |
||
Initiates a String data block containing the domain. This value is always |
||
Number of bytes in the domain String data block, including eight bytes for the block type and length fields, plus the number of bytes in the domain. |
||
ID number of the type of device used by the connection endpoint. This is unique for each DC and resolved in metadata. |
||
Protocol used to detect or report the user. Possible values are: |
||
The start port in the range the TS Agent assigned to the individual user. |
||
The end port in the range the TS Agent assigned to the individual user. |
||
Initiates a String data block containing the email address for the user. This value is always |
||
Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address. |
||
IPv6 address from the host where the user was detected logging in, in IP address octets. |
||
Most recent IP address on which the user logged in. Can be either an IPv4 or IPv6 address. |
||
Initiates a String data block containing the Reported By value. This value is always |
||
Number of bytes in the Reported By String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Reported By field. |
||
User Information Data Block for 5.x
The User Information data block is used in User Modification messages and conveys information for a user that was detected, removed, or dropped. For more information, see User Modification Messages.
The User Information data block has a block type of 75 in the series 1 group of blocks for version 4.7 - 4.10.x and a block type of 120 in the series 1 group of blocks for 5.x. The structures are the same for block types 75 and 120.
The following diagram shows the format of the User Information data block:
The following table describes the components of the User Information data block.
Legacy Host Profile Data Blocks
Host Profile Data Block for 5.0 - 5.0.2
The following diagram shows the format of a Host Profile data block in versions 5.0 to 5.0.2. This Host Profile data block does not include a host criticality value, but does include a VLAN presence indicator, and it can convey a NetBIOS name for the host. This Host Profile data block has a block type of 91.
Note An asterisk (*) next to a block type field in the following diagram indicates the message may contain zero or more instances of the series 1 data block.
The fields of the host profile data block returned by version 4.9 to version 5.0.2, in order:
- Initiates the Host Profile data block for 4.9 to 5.0.2. This data block has a block type of
- Number of bytes in the Host Profile data block, including eight bytes for the host profile block type and length fields, plus the number of bytes included in the host profile data that follows.
- IP address of the host described in the profile, in IP address octets.
- Indicates whether the host is in the primary or secondary network of the device that detected it:
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a server fingerprint. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (Server Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host identified using a server fingerprint. See Operating System Fingerprint Data Block for 5.0 - 5.0.2 for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a client fingerprint. This value is always 31.
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (Client Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host identified using a client fingerprint. See Operating System Fingerprint Data Block for 5.0 - 5.0.2 for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an SMB fingerprint. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (SMB Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host identified using an SMB fingerprint. See Operating System Fingerprint Data Block for 5.0 - 5.0.2 for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a DHCP fingerprint. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (DHCP Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host identified using a DHCP fingerprint. See Operating System Fingerprint Data Block for 5.0 - 5.0.2 for a description of this data block.
- Initiates a List data block comprising Server data blocks conveying TCP server data. This value is always
- Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Server data blocks.
- Number of bytes in the Server data block, including eight bytes for the server block type and length fields, plus the number of bytes of TCP server data that follows.
- Data fields describing a TCP server (as documented for earlier versions of the product).
- Initiates a List data block comprising Server data blocks conveying UDP server data. This value is always
- Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Server data blocks.
- Initiates a Server data block describing a UDP server. This value is always
- Number of bytes in the Server data block, including eight bytes for the server block type and length fields, plus the number of bytes of UDP server data that follows.
- Data fields describing a UDP server (as documented for earlier versions of the product).
- Initiates a List data block comprising Protocol data blocks conveying network protocol data. This value is always
- Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Protocol data blocks. This field is followed by zero or more Protocol data blocks.
- Initiates a Protocol data block describing a network protocol. This value is always
- Number of bytes in the Protocol data block, including eight bytes for the protocol block type and length fields, plus the number of bytes in the protocol data that follows.
- Data field containing a network protocol number, as documented in Protocol Data Block.
- Initiates a List data block comprising Protocol data blocks conveying transport protocol data. This value is always
- Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Protocol data blocks. This field is followed by zero or more transport protocol data blocks.
- Initiates a Protocol data block describing a transport protocol. This value is always
- Number of bytes in the Protocol data block, including eight bytes for the protocol block type and length fields, plus the number of bytes in the protocol data that follows.
- Data field containing a transport protocol number, as documented in Protocol Data Block.
- Initiates a List data block comprising MAC Address data blocks. This value is always
- Number of bytes in the list, including the list header and all encapsulated MAC Address data blocks.
- Initiates a Host MAC Address data block. This value is always
- Number of bytes in the Host MAC Address data block, including eight bytes for the Host MAC address block type and length fields, plus the number of bytes in the Host MAC address data that follows.
- Host MAC address data fields described in Host MAC Address 4.9+.
- UNIX timestamp that represents the last time the system detected host activity.
- VLAN identification number that indicates which VLAN the host is a member of.
- Initiates a Generic List data block comprising Client Application data blocks conveying client application data. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated client application data blocks.
- Initiates a client application block. This value is always
- Number of bytes in the client application block, including eight bytes for the client application block type and length fields, plus the number of bytes in the client application data that follows.
- Client application data fields describing a client application, as documented in Host Client Application Data Block for 5.0+.
- Initiates a string data block for the NetBIOS name. This value is set to
- Indicates the number of bytes in the NetBIOS name data block, including eight bytes for the string block type and length, plus the number of bytes in the NetBIOS name.
- Contains the NetBIOS name of the host described in the host profile.
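As an added example (not code from the guide or from Cisco), a Python walker for the block framing these field descriptions rely on: a 32-bit block type followed by a 32-bit length that counts the eight header bytes plus the payload, with Generic List blocks (type 31) nesting further blocks. The network byte order, and the treatment of a list block's payload as nothing but sub-blocks, are assumptions; the sample bytes are constructed here.

```python
"""Minimal walker for the eStreamer series 1 data-block framing.

Added example, not taken from the Cisco guide. Assumptions:
  * each block starts with a 32-bit type and a 32-bit length, both in
    network byte order (assumed; the appendix only states the sizes);
  * the length is self-inclusive: eight header bytes plus the payload;
  * a Generic List block (type 31 in this appendix) carries only a
    sequence of further data blocks in its payload.
"""
import struct
from dataclasses import dataclass, field
from typing import List

HEADER = struct.Struct("!II")   # block type, block length (network byte order assumed)
GENERIC_LIST = 31               # Generic List block type quoted in the Host Profile table
OS_FINGERPRINT = 87             # Operating System Fingerprint block, 5.0 - 5.0.2


class BlockError(ValueError):
    """Raised when a block length is inconsistent with the bytes on hand."""


@dataclass
class Block:
    block_type: int
    payload: bytes
    children: List["Block"] = field(default_factory=list)


def parse_blocks(buf: bytes, list_types=(GENERIC_LIST,)) -> List[Block]:
    """Parse consecutive data blocks from buf, recursing into list blocks.

    Every length is validated before it is used as an offset, so a
    truncated, oversized or zero-length block raises BlockError instead
    of letting the client read past the message or loop forever.
    """
    blocks = []
    off = 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise BlockError(f"truncated header at offset {off}")
        btype, blen = HEADER.unpack_from(buf, off)
        if blen < HEADER.size:
            raise BlockError(f"block type {btype}: length {blen} smaller than header")
        if off + blen > len(buf):
            raise BlockError(f"block type {btype}: length {blen} exceeds "
                             f"remaining {len(buf) - off} bytes")
        payload = buf[off + HEADER.size:off + blen]
        blk = Block(btype, payload)
        if btype in list_types:
            blk.children = parse_blocks(payload, list_types)  # nested blocks
        blocks.append(blk)
        off += blen
    return blocks


def encode_block(btype: int, payload: bytes) -> bytes:
    """Build a block whose length includes its own eight-byte header."""
    return HEADER.pack(btype, HEADER.size + len(payload)) + payload


def is_malformed(buf: bytes) -> bool:
    """True when the framing of buf is rejected by parse_blocks."""
    try:
        parse_blocks(buf)
        return False
    except BlockError:
        return True


# Constructed sample: one Generic List wrapping two opaque OS Fingerprint
# blocks of 16 payload bytes each (fingerprint contents are not modelled).
SAMPLE = encode_block(GENERIC_LIST,
                      encode_block(OS_FINGERPRINT, b"\x01" * 16)
                      + encode_block(OS_FINGERPRINT, b"\x02" * 16))


def describe(buf: bytes = SAMPLE) -> list:
    """Return (type, total length, child count) for each top-level block."""
    return [(b.block_type, HEADER.size + len(b.payload), len(b.children))
            for b in parse_blocks(buf)]


if __name__ == "__main__":
    print(describe())                      # [(31, 56, 2)]
    print(is_malformed(SAMPLE[:-4]))       # True: outer length overruns the data
```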
Legacy OS Fingerprint Data Blocks
Operating System Fingerprint Data Block for 5.0 - 5.0.2
The Operating System Fingerprint data block has a block type of 87. The block includes a fingerprint Universally Unique Identifier (UUID), as well as the fingerprint type, the fingerprint source type, and the fingerprint source ID. The following diagram shows the format of an Operating System Fingerprint data block for version 5.0 to version 5.0.2.
The following table describes the fields of the operating system fingerprint data block.
Legacy Connection Data Structures
For more information, see the following sections:
- Connection Statistics Data Block 5.0 - 5.0.2
- Connection Statistics Data Block 5.1
- Connection Statistics Data Block 5.2.x
- Connection Chunk Data Block for 5.0 - 5.1
- Connection Chunk Data Block for 5.1.1-6.0.x
- Connection Statistics Data Block 5.1.1.x
- Connection Statistics Data Block 5.3
- Connection Statistics Data Block 5.3.1
- Connection Statistics Data Block 5.4
- Connection Statistics Data Block 5.4.1
- Connection Statistics Data Block 6.0.x
- Connection Statistics Data Block 6.1.x
- Connection Statistics Data Block 6.2-6.7.x
- Connection Statistics Data Block 7.0
Connection Statistics Data Block 5.0 - 5.0.2
The Connection Statistics data block is used in Connection Data messages. The Connection Statistics data block for version 5.0 - 5.0.2 has a block type of 115.
For more information on the Connection Statistics Data message, see Connection Statistics Data Message.
The following diagram shows the format of a Connection Statistics data block for 5.0 - 5.0.2:
The following table describes the fields of the Connection Statistics data block for 5.0 - 5.0.2.
Connection Statistics Data Block 5.1
The Connection Statistics data block is used in Connection Data messages. Changes to the Connection data block between 5.0.2 and 5.1 include the addition of new fields with configuration parameters introduced in 5.1 (rule action reason, monitor rules, Security Intelligence source/destination, Security Intelligence layer). The Connection Statistics data block for version 5.1 has a block type of 126.
For more information on the Connection Statistics Data message, see Connection Statistics Data Message.
The following diagram shows the format of a Connection Statistics data block for 5.1:
The following table describes the fields of the Connection Statistics data block for 5.1.
Connection Statistics Data Block 5.2.x
The connection statistics data block is used in connection data messages. Changes to the connection data block between versions 5.1.1 and 5.2 include the addition of new fields to support geolocation. The connection statistics data block for version 5.2.x has a block type of 144 in the series 1 group of blocks. It deprecates block type 137, Connection Statistics Data Block 5.1.1.x.
For more information on the Connection Statistics Data message, see Connection Statistics Data Message.
The following diagram shows the format of a Connection Statistics data block for 5.2.x:
The following table describes the fields of the Connection Statistics data block for 5.2.x:
Connection Chunk Data Block for 5.0 - 5.1
The Connection Chunk data block conveys connection data detected by a NetFlow device. The Connection Chunk data block has a block type of 66 for pre-4.10.1 versions. For versions 5.0 - 5.1, it has a block type of 119.
The following diagram shows the format of the Connection Chunk data block:
The following table describes the components of the Connection Chunk data block:
Connection Chunk Data Block for 5.1.1-6.0.x
The Connection Chunk data block conveys connection data. It stores connection log data that aggregates over a five-minute period. The Connection Chunk data block has a block type of 136 in the series 1 group of blocks. It supersedes block type 119.
The following diagram shows the format of the Connection Chunk data block:
The following table describes the components of the Connection Chunk data block.
Connection Statistics Data Block 5.1.1.x
The connection statistics data block is used in connection data messages. Changes to the connection data block between versions 5.1 and 5.1.1 include the addition of new fields to identify associated intrusion events. The connection statistics data block for version 5.1.1.x has a block type of 137. It deprecates block type 126, Connection Statistics Data Block 5.1.
For more information on the Connection Statistics Data message, see Connection Statistics Data Message.
The following diagram shows the format of a Connection Statistics data block for 5.1.1:
The following table describes the fields of the Connection Statistics data block for 5.1.1.x.
Connection Statistics Data Block 5.3
The connection statistics data block is used in connection data messages. Changes to the connection data block between versions 5.2.x and 5.3 include the addition of new fields for NetFlow information. The connection statistics data block for version 5.3 has a block type of 152 in the series 1 group of blocks. It deprecates block type 144, Connection Statistics Data Block 5.2.x.
You request connection event records by setting the extended event flag—bit 30 in the Request Flags field—in the request message with an event version of 10 and an event code of 71. See Request Flags. If you enable bit 23, an extended event header is included in the record.
For more information on the Connection Statistics Data message, see Connection Statistics Data Message.
The following diagram shows the format of a Connection Statistics data block for 5.3+:
The following table describes the fields of the Connection Statistics data block for 5.3.
Connection Statistics Data Block 5.3.1
The connection statistics data block is used in connection data messages. The only change to the connection data block between versions 5.3 and 5.3.1 is the addition of a security context field. The connection statistics data block for version 5.3.1 has a block type of 154 in the series 1 group of blocks. It deprecates block type 152, Connection Statistics Data Block 5.3.
You request connection event records by setting the extended event flag—bit 30 in the Request Flags field—in the request message with an event version of 11 and an event code of 71. See Request Flags. If you enable bit 23, an extended event header is included in the record.
For more information on the Connection Statistics Data message, see Connection Statistics Data Message.
The following diagram shows the format of a Connection Statistics data block for 5.3.1:
The following table describes the fields of the Connection Statistics data block for 5.3.1.
Connection Statistics Data Block 5.4
The connection statistics data block is used in connection data messages. Several new fields have been added to the Connection Statistics Data Block for 5.4. Fields have been added to support SSL connections, HTTP redirection, and network analysis policies. The connection statistics data block for version 5.4 has a block type of 155 in the series 1 group of blocks. It deprecates block type 154, Connection Statistics Data Block 5.3.1.
You request connection event records by setting the extended event flag—bit 30 in the Request Flags field—in the request message with an event version of 12 and an event code of 71. See Request Flags. If you enable bit 23, an extended event header is included in the record.
For more information on the Connection Statistics Data message, see Connection Statistics Data Message.
The following diagram shows the format of a Connection Statistics data block for 5.4:
The following table describes the fields of the Connection Statistics data block for 5.4+.
Connection Statistics Data Block 5.4.1
The connection statistics data block is used in connection data messages. Several new fields have been added to the Connection Statistics Data Block for 5.4. Fields have been added to support SSL connections, HTTP redirection, and network analysis policies. The connection statistics data block for version 5.4+ has a block type of 157 in the series 1 group of blocks. It deprecates block type 155, Connection Statistics Data Block 5.3.1.
You request connection event records by setting the extended event flag—bit 30 in the Request Flags field—in the request message with an event version of 12 and an event code of 71. See Request Flags. If you enable bit 23, an extended event header is included in the record.
For more information on the Connection Statistics Data message, see Connection Statistics Data Message.
The following diagram shows the format of a Connection Statistics data block for 5.4+:
The following table describes the fields of the Connection Statistics data block for 5.4+.
Connection Statistics Data Block 6.0.x
The connection statistics data block is used in connection data messages. Several new fields have been added to the Connection Statistics Data Block for 6.0. Fields have been added to support ISE Integration and Multiple Network Maps. The connection statistics data block for version 6.0.x has a block type of 160 in the series 1 group of blocks. It supersedes block type 157, Connection Statistics Data Block 5.4.1. New fields have been added to support DNS lookup and Security Intelligence.
You request connection event records by setting the extended event flag—bit 30 in the Request Flags field—in the request message with an event version of 13 and an event code of 71. See Request Flags. If you enable bit 23, an extended event header is included in the record.
The following diagram shows the format of a Connection Statistics data block for 6.0.x:
The following table describes the fields of the Connection Statistics data block for 6.0.x.
Connection Statistics Data Block 6.1.x
The connection statistics data block is used in connection data messages. Several new fields have been added to the Connection Statistics Data Block for 6.1.x. Fields have been added to support ISE Integration and Multiple Network Maps. The connection statistics data block for version 6.1+ has a block type of 163 in the series 1 group of blocks. It supersedes block type 160, Connection Statistics Data Block 6.0.x. New fields have been added to support DNS lookup and Security Intelligence. It is superseded by block type 168, Connection Statistics Data Block 7.1+.
You request connection event records by setting the extended event flag—bit 30 in the Request Flags field—in the request message with an event version of 13 and an event code of 71. See Request Flags. If you enable bit 23, an extended event header is included in the record.
For more information on the Connection Statistics Data message, see Connection Statistics Data Message.
The following diagram shows the format of a Connection Statistics data block for 6.1+:
The following table describes the fields of the Connection Statistics data block for 6.1.x.
Connection Statistics Data Block 6.2-6.7.x
The connection statistics data block is used in connection data messages. A third Security Intelligence field has been added to Connection Statistics Data Block for 6.2-6.7.x. The connection statistics data block for version 6.2-6.7.x has a block type of 168 in the series 1 group of blocks. It supersedes block type 163, Connection Statistics Data Block 6.1.x. It is superseded by block type 173.
You request connection event records by setting the extended event flag—bit 30 in the Request Flags field—in the request message with an event version of 15 and an event code of 71. See Request Flags. If you enable bit 23, an extended event header is included in the record.
For more information on the Connection Statistics Data message, see Connection Statistics Data Message.
The following diagram shows the format of a Connection Statistics data block for 6.2-6.7.x:
The following table describes the fields of the Connection Statistics data block for 6.2-6.7.x.
Connection Statistics Data Block 7.0
The connection statistics data block is used in connection data messages. Security Group Tag, virtual routing and forwarding, and dynamic attribute fields have been added to Connection Statistics Data Block for 7.0+. The connection statistics data block for version 7.0+ has a block type of 173 in the series 1 group of blocks. It supersedes block type 168, Connection Statistics Data Block 6.2-6.7.x. It is superseded by block type 174.
You request connection event records by setting the extended event flag—bit 30 in the Request Flags field—in the request message with an event version of 16 and an event code of 71. See Request Flags. If you enable bit 23, an extended event header is included in the record.
For more information on the Connection Statistics Data message, see Connection Statistics Data Message.
The following diagram shows the format of a Connection Statistics data block for 7.0:
The following table describes the fields of the Connection Statistics data block for 7.0.
Legacy File Event Data Structures
The following topics describe other legacy file event data structures:
- File Event for 5.1.1.x
- File Event for 5.2.x
- File Event for 5.3
- File Event for 5.3.1
- File Event for 5.4.x
- File Event SHA Hash for 5.1.1-5.2.x
File Event for 5.1.1.x
The file event contains information on files that are sent over the network. This includes the connection information, whether the file is malware, and specific information to identify the file. The file event has a block type of 23 in the series 2 group of blocks.
The following graphic shows the structure of the File Event data block:
The following table describes the fields in the file event data block:
File Event for 5.2.x
The file event contains information on files that are sent over the network. This includes the connection information, whether the file is malware, and specific information to identify the file. The file event has a block type of 32 in the series 2 group of blocks. It supersedes block type 23. New fields have been added to track source and destination country, as well as the client and web application instances.
The following graphic shows the structure of the File Event data block:
The following table describes the fields in the file event data block:
File Event for 5.3
The file event contains information on files that are sent over the network. This includes the connection information, whether the file is malware, and specific information to identify the file. The file event has a block type of 38 in the series 2 group of blocks. It supersedes block type 32. New fields have been added to track dynamic file analysis and file storage.
You request file event records by setting the file event flag—bit 30 in the Request Flags field—in the request message with an event version of 3 and an event code of 111. See Request Flags. If you enable bit 23, an extended event header is included in the record.
The following graphic shows the structure of the File Event data block.
The fields in the file event data block, in order:
- Initiates the file event data block. This value is always
- Total number of bytes in the file event block, including eight bytes for the file event block type and length fields, plus the number of bytes of data that follows.
- Snort instance on the device that generated the event. Used to link the event with a connection or intrusion event.
- Value used to distinguish between connection events that happen during the same second.
- UNIX timestamp (seconds since 01/01/1970) of the associated connection event.
- UNIX timestamp (seconds since 01/01/1970) of when the file type is identified and the file event generated.
- The malware status of the file. Possible values include:
- Indicates whether the SPERO signature was used in file analysis. If the value is
- Indicates whether the file was sent for dynamic analysis. Possible values are:
- A numeric value from
- The action taken on the file based on the file type. Can have the following values:
- ID number that maps to the file type. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information.
- Value that indicates whether the file was uploaded or downloaded. Currently the value depends on the protocol (for example, if the connection is HTTP it is a download). Can have the following values:
- ID number that maps to the application using the file transfer.
- ID number for the user logged into the destination host, as identified by the system.
- Unique identifier for the access control policy that triggered the event.
- The internal identification number for the web application, if applicable.
- The internal identification number for the client application, if applicable.
File Event for 5.3.1
The file event contains information on files that are sent over the network. This includes the connection information, whether the file is malware, and specific information to identify the file. The file event has a block type of 43 in the series 2 group of blocks. It supersedes block type 38. A security context field has been added.
You request file event records by setting the file event flag—bit 30 in the Request Flags field—in the request message with an event version of 4 and an event code of 111. See Request Flags. If you enable bit 23, an extended event header is included in the record.
The following graphic shows the structure of the File Event data block.
The fields in the file event data block, in order:
- Initiates the file event data block. This value is always
- Total number of bytes in the file event block, including eight bytes for the file event block type and length fields, plus the number of bytes of data that follows.
- Snort instance on the device that generated the event. Used to link the event with a connection or intrusion event.
- Value used to distinguish between connection events that happen during the same second.
- UNIX timestamp (seconds since 01/01/1970) of the associated connection event.
- UNIX timestamp (seconds since 01/01/1970) of when the file type is identified and the file event generated.
- The malware status of the file. Possible values include:
- Indicates whether the SPERO signature was used in file analysis. If the value is
- Indicates whether the file was sent for dynamic analysis. Possible values are:
- A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.
- The action taken on the file based on the file type. Can have the following values:
- ID number that maps to the file type. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information.
- Value that indicates whether the file was uploaded or downloaded. Currently the value depends on the protocol (for example, if the connection is HTTP it is a download). Can have the following values:
- ID number that maps to the application using the file transfer.
- ID number for the user logged into the destination host, as identified by the system.
- Unique identifier for the access control policy that triggered the event.
- The internal identification number for the web application, if applicable.
- The internal identification number for the client application, if applicable.
- ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.
File Event for 5.4.x
The file event contains information on files that are sent over the network. This includes the connection information, whether the file is malware, and specific information to identify the file. The file event has a block type of 46 in the series 2 group of blocks. It supersedes block type 43. Fields for SSL and file archive support have been added.
You request file event records by setting the file event flag—bit 30 in the Request Flags field—in the request message with an event version of 5 and an event code of 111. See Request Flags. If you enable bit 23, an extended event header is included in the record.
The following graphic shows the structure of the File Event data block.
The fields in the file event data block, in order:
- Initiates the file event data block. This value is always 46.
- Total number of bytes in the file event block, including eight bytes for the file event block type and length fields, plus the number of bytes of data that follows.
- Snort instance on the device that generated the event. Used to link the event with a connection or intrusion event.
- Value used to distinguish between connection events that happen during the same second.
- UNIX timestamp (seconds since 01/01/1970) of the associated connection event.
- UNIX timestamp (seconds since 01/01/1970) of when the file type is identified and the file event generated.
- The malware status of the file. Possible values include:
- Indicates whether the SPERO signature was used in file analysis. If the value is
- Indicates whether the file was sent for dynamic analysis. Possible values are:
- The status of an archive being inspected. Can have the following values:
- A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.
- The action taken on the file based on the file type. Can have the following values:
- ID number that maps to the file type. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information.
- Value that indicates whether the file was uploaded or downloaded. Currently the value depends on the protocol (for example, if the connection is HTTP it is a download). Can have the following values:
- ID number that maps to the application using the file transfer.
- ID number for the user logged into the destination host, as identified by the system.
- Unique identifier for the access control policy that triggered the event.
- The internal identification number for the web application, if applicable.
- The internal identification number for the client application, if applicable.
- ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.
- The action performed on the connection based on the SSL Rule. This may differ from the expected action, as the action specified in the rule may be impossible. Possible values include:
- Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include:
- Initiates a String data block containing the Archive SHA. This value is always
- The number of bytes included in the Archive SHA String data block, including eight bytes for the block type and header fields plus the number of bytes in the intrusion policy name.
- SHA1 hash of the parent archive in which the file is contained.
- Initiates a String data block containing the Archive Name. This value is always
- The number of bytes included in the Archive Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the intrusion policy name.
- Number of layers in which the file is nested. For example, if a text file is in a zip archive, this has a value of
File Event for 6.x
The File Event data block contains information on files that are sent over the network. This includes the connection information, whether the file is malware, and specific information to identify the file. The file event has a block type of 56 in the series 2 group of blocks. It supersedes block type 46 and is superseded by block type 79. Fields for ISE integration, file analysis, local malware analysis, and capacity handling statuses have been added.
You request file event records by setting the file event flag—bit 30 in the Request Flags field—in the request message with an event version of 5 and an event code of 111. See Request Flags. If you enable bit 23, an extended event header is included in the record.
The following graphic shows the structure of the File Event data block.
The following table describes the fields in the file event data block.
- Initiates a file event data block. This value is always 56.
- Total number of bytes in the file event block, including eight bytes for the file event block type and length fields, plus the number of bytes of data that follows.
- Snort instance on the device that generated the event. Used to link the event with a connection or intrusion event.
- Value used to distinguish between connection events that happen during the same second.
- UNIX timestamp (seconds since 01/01/1970) of the associated connection event.
- UNIX timestamp (seconds since 01/01/1970) of when the file type is identified and the file event generated.
- The malware status of the file. Possible values include:
- Indicates whether the SPERO signature was used in file analysis. If the value is
- Indicates whether the file was sent for dynamic analysis. Possible values are:
- The malware analysis status of the file. Possible values are:
- The status of an archive being inspected. Can have the following values:
- A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.
- The action taken on the file based on the file type. Can have the following values:
- ID number that maps to the file type. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information.
- Value that indicates whether the file was uploaded or downloaded. Currently the value depends on the protocol (for example, if the connection is HTTP it is a download). Can have the following values:
- ID number that maps to the application using the file transfer.
- ID number for the user logged into the destination host, as identified by the system.
- Unique identifier for the access control policy that triggered the event.
- The internal identification number for the web application, if applicable.
- The internal identification number for the client application, if applicable.
- ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.
- The action performed on the connection based on the SSL rule. This may differ from the expected action, as the action specified in the rule may not be possible. Possible values include:
- Status of the SSL flow. These values describe the reason behind the action taken or the error message seen. Possible values include:
- Initiates a String data block containing the Archive SHA. This value is always
- The number of bytes included in the Archive SHA String data block, including eight bytes for the block type and header fields plus the number of bytes in the archive SHA string.
- SHA1 hash of the parent archive in which the file is contained.
- Initiates a String data block containing the Archive Name. This value is always
- The number of bytes included in the Archive Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the archive name string.
- Number of layers in which the file is nested. For example, if a text file is in a zip archive, this has a value of
File Event SHA Hash for 5.1.1-5.2.x
The eStreamer service uses the File Event SHA Hash data block to contain metadata of the mapping of the SHA hash of a file to its filename. The block type is 26 in the series 2 list of data blocks. It can be requested if file log events have been requested in the extended requests—event code 111—and either bit 20 is set or metadata is requested with an event version of 4 and an event code of 21.
The following diagram shows the structure of a file event hash data block:
The following table describes the fields in the file event SHA hash data block.
Legacy Correlation Event Data Structures
The following topics describe other legacy correlation (compliance) data structures:
Correlation Event for 5.0 - 5.0.2
Correlation events (called compliance events in pre-5.0 versions) contain information about correlation policy violations. This message uses the standard eStreamer message header and specifies a record type of 112, followed by a correlation data block of type 116. Data block type 116 differs from its predecessor (block type 107) in including additional information about the associated security zone and interface.
You can request 5.0 correlation events from eStreamer only by extended request, for which you request event type code 31 and version code 7 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests). You can optionally enable bit 23 in the flags field of the initial event stream request message, to include the extended event header. You can also enable bit 20 in the flags field to include user metadata.
Note that the record structure includes a String block type, which is a block in series 1. For information about series 1 blocks, see Understanding Discovery (Series 1) Blocks.
- Indicates a correlation event data block follows. This field always has a value of
- Length of the correlation data block, which includes 8 bytes for the correlation block type and length plus the correlation data that follows.
- Internal identification number of the managed device or Defense Center that generated the correlation event. A value of zero indicates the Defense Center. You can obtain managed device names by requesting Version 3 metadata. See Managed Device Record Metadata for more information.
- UNIX timestamp indicating the time that the correlation event was generated (in seconds from 01/01/1970).
- Identification number of the correlation policy that was violated. See Service Record for information about how to obtain policy identification numbers from the database.
- Identification number of the correlation rule whose triggering violated the policy. See Service Record for information about how to obtain policy identification numbers from the database.
- Priority assigned to the event. This is an integer value from
- Initiates a string data block that contains the correlation violation event description. This value is always set to
- Number of bytes in the event description string block, which includes four bytes for the string block type and four bytes for the string block length, plus the number of bytes in the description.
- Indicates whether the correlation event was triggered by an intrusion, host discovery, or user event:
- Identification number of the device that generated the event that triggered the correlation event. You can obtain the device name by requesting Version 3 metadata. See Managed Device Record Metadata for more information.
- If the event was an intrusion event, indicates the rule identification number that corresponds with the event. Otherwise, the value is
- If the event was an intrusion event, indicates the ID number of the Firepower System preprocessor or rules engine that generated the event.
- UNIX timestamp indicating the time of the event that triggered the correlation policy rule (in seconds from 01/01/1970).
- Microsecond (one millionth of a second) increment at which the event was detected.
- Set bits in this field indicate which of the fields that follow in the message are valid. See Table B-55 for a list of each bit value.
- Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Defense Center. An
- Identifier of the IP protocol associated with the event, if applicable.
- IP address of the source host in the event, in IP address octets.
- A fingerprint ID number that acts as a unique identifier for the source host's operating system. See Service Record for information about obtaining the values that map to the fingerprint IDs.
- Identification number for the user logged into the source host, as identified by the system.
- Identification number for the server running on the source host.
- IP address of the destination host associated with the policy violation (if applicable). This value will be 0 if there is no destination IP address.
- Destination host's VLAN identification number, if applicable.
- A fingerprint ID number that acts as a unique identifier for the destination host's operating system. See Service Record for information about obtaining the values that map to the fingerprint IDs.
- Identification number for the user logged into the destination host, as identified by the system.
- Identification number for the server running on the destination host.
- Value indicating what happened to the packet that triggered the intrusion event.
- An interface ID that acts as the unique identifier for the ingress interface associated with the correlation event.
- An interface ID that acts as the unique identifier for the egress interface associated with the correlation event.
- A zone ID that acts as the unique identifier for the ingress security zone associated with the correlation event.
- A zone ID that acts as the unique identifier for the egress security zone associated with the correlation event.
The following table describes each Event Defined Mask value.
Correlation Event for 5.1-5.3.x
Correlation events (called compliance events in pre-5.0 versions) contain information about correlation policy violations. This message uses the standard eStreamer message header and specifies a record type of 112, followed by a correlation data block of type 128 in the series 1 set of data blocks. Data block type 128 differs from its predecessor (block type 116) in including IPv6 support.
You can request 5.1-5.3.x correlation events from eStreamer only by extended request, for which you request event type code 31 and version code 8 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests). You can optionally enable bit 23 in the flags field of the initial event stream request message, to include the extended event header. You can also enable bit 20 in the flags field to include user metadata.
Note that the record structure includes a String block type, which is a block in series 1. For information about series 1 blocks, see Understanding Discovery (Series 1) Blocks.
- Indicates a correlation event data block follows. This field always has a value of 128. See Understanding Discovery (Series 1) Blocks.
- Length of the correlation data block, which includes 8 bytes for the correlation block type and length plus the correlation data that follows.
- Internal identification number of the managed device or Defense Center that generated the correlation event. A value of zero indicates the Defense Center. You can obtain managed device names by requesting Version 3 metadata. See Managed Device Record Metadata for more information.
- UNIX timestamp indicating the time that the correlation event was generated (in seconds from 01/01/1970).
- Identification number of the correlation policy that was violated. See Service Record for information about how to obtain policy identification numbers from the database.
- Identification number of the correlation rule whose triggering violated the policy. See Service Record for information about how to obtain policy identification numbers from the database.
- Priority assigned to the event. This is an integer value from 0 to 5.
- Initiates a string data block that contains the correlation violation event description. This value is always set to 0. For more information about string blocks, see String Data Block.
- Number of bytes in the event description string block, which includes four bytes for the string block type and four bytes for the string block length, plus the number of bytes in the description.
- Indicates whether the correlation event was triggered by an intrusion, host discovery, or user event:
- Identification number of the device that generated the event that triggered the correlation event. You can obtain the device name by requesting Version 3 metadata. See Managed Device Record Metadata for more information.
- If the event was an intrusion event, indicates the rule identification number that corresponds with the event. Otherwise, the value is 0.
- If the event was an intrusion event, indicates the ID number of the Firepower System preprocessor or rules engine that generated the event.
- UNIX timestamp indicating the time of the event that triggered the correlation policy rule (in seconds from 01/01/1970).
- Microsecond (one millionth of a second) increment at which the event was detected.
- Identification number of the event generated by the Cisco device.
- Set bits in this field indicate which of the fields that follow in the message are valid. See Table B-55 for a list of each bit value.
- Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Defense Center. An
- Identifier of the IP protocol associated with the event, if applicable.
- This field is reserved but no longer populated. The Source IPv4 address is stored in the Source IPv6 Address field. See IP Addresses for more information.
- A fingerprint ID number that acts as a unique identifier for the source host's operating system. See Service Record for information about obtaining the values that map to the fingerprint IDs.
- Identification number for the user logged into the source host, as identified by the system.
- Identification number for the server running on the source host.
- This field is reserved but no longer populated. The Destination IPv4 address is stored in the Destination IPv6 Address field. See IP Addresses for more information.
- Destination host's VLAN identification number, if applicable.
- A fingerprint ID number that acts as a unique identifier for the destination host's operating system. See Service Record for information about obtaining the values that map to the fingerprint IDs.
- Identification number for the user logged into the destination host, as identified by the system.
- Identification number for the server running on the destination host.
- Value indicating what happened to the packet that triggered the intrusion event.
- An interface ID that acts as the unique identifier for the ingress interface associated with the correlation event.
- An interface ID that acts as the unique identifier for the egress interface associated with the correlation event.
- A zone ID that acts as the unique identifier for the ingress security zone associated with the correlation event.
- A zone ID that acts as the unique identifier for the egress security zone associated with the correlation event.
- IP address of the source host in the event, in IPv6 address octets.
- IP address of the destination host in the event, in IPv6 address octets.
Legacy Host Data Structures
To request these structures, you must use a Host Request Message. To request a legacy structure, the Host Request Message must use an older format. See Host Request Message Format for more information.
The following topics describe legacy host data structures, including both host profile and full host profile structures:
- Full Host Profile Data Block 5.0 - 5.0.2
- Full Host Profile Data Block 5.1.1
- Full Host Profile Data Block 5.2.x
- Host Profile Data Block for 5.1.x
- IP Range Specification Data Block for 5.0 - 5.1.1.x
- Access Control Policy Rule Reason Data Block
Full Host Profile Data Block 5.0 - 5.0.2
The Full Host Profile data block for version 5.0 - 5.0.2 contains a full set of data describing one host. It has the format shown in the graphic below and explained in the following table. Note that, except for List data blocks, the graphic does not show the fields of the encapsulated data blocks. These encapsulated data blocks are described separately in Understanding Discovery & Connection Data Structures. The Full Host Profile data block has a block type value of 111.
Note: An asterisk (*) next to a block name in the following diagram indicates that multiple instances of the data block may occur.
The following table describes the components of the Full Host Profile for 5.0 - 5.0.2 record.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data derived from the existing fingerprints for the host. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint data blocks containing information about the operating system on a host derived from the existing fingerprints for the host. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a server fingerprint. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (Server Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host identified using a server fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a client fingerprint. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (Client Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host identified using a client fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a Cisco VDB fingerprint. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (VDB Native Fingerprint 1) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host identified using the fingerprints in the Cisco vulnerability database (VDB). See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a Cisco VDB fingerprint. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (VDB Native Fingerprint 2) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host identified using the fingerprints in the Cisco vulnerability database (VDB). See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by a user. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (User Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host added by a user. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by a vulnerability scanner. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (Scan Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host added by a vulnerability scanner. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by an application. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (Application Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host added by an application. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data selected through fingerprint conflict resolution. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (Conflict Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host selected through fingerprint conflict resolution. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a List data block comprising Full Server data blocks conveying TCP service data. This value is always
- Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Full Server data blocks.
- List of Full Server data blocks conveying data about the TCP services on the host. See Full Host Server Data Block 4.10.0+ for a description of this data block.
- Initiates a List data block comprising Full Server data blocks conveying UDP service data. This value is always
- Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Full Server data blocks.
- List of Full Server data blocks conveying data about the UDP sub-servers on the host. See Full Host Server Data Block 4.10.0+ for a description of this data block.
- Initiates a List data block comprising Protocol data blocks conveying network protocol data. This value is always
- Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Protocol data blocks.
- List of Protocol data blocks conveying data about the network protocols on the host. See Protocol Data Block for a description of this data block.
- Initiates a List data block comprising Protocol data blocks conveying transport protocol data. This value is always
- Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Protocol data blocks.
- List of Protocol data blocks conveying data about the transport protocols on the host. See Protocol Data Block for a description of this data block.
- Initiates a List data block containing Host MAC Address data blocks. This value is always
- Number of bytes in the list, including the list header and all encapsulated Host MAC Address data blocks.
- List of Host MAC Address data blocks. See Host MAC Address 4.9+ for a description of this data block.
- UNIX timestamp that represents the last time the system detected host activity.
- VLAN identification number that indicates which VLAN the host is a member of.
- Initiates a Generic List data block comprising Client Application data blocks conveying client application data. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Client Application data blocks.
- List of Client Application data blocks. See Full Host Client Application Data Block 5.0+ for a description of this data block.
- Initiates a String data block for the host NetBIOS name. This value is always
- Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name string.
- Initiates a String data block for host notes. This value is always
- Number of bytes in the notes String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the notes string.
- Contains the contents of the Notes host attribute for the host.
- Initiates a Generic List data block comprising Host Vulnerability data blocks conveying VDB vulnerability data. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
- List of Host Vulnerability data blocks for vulnerabilities identified in the Cisco vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
- Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third-party scan vulnerability data. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
- Host Vulnerability data blocks sourced from a third-party scanner and containing information about host vulnerabilities cataloged in the Cisco vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
- Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third-party scan vulnerability data. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
- Host Vulnerability data blocks sourced from a third-party scanner. Note that the host vulnerability IDs for these data blocks are the third-party scanner IDs, not Cisco-detected IDs. See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
- Initiates a List data block comprising Attribute Value data blocks conveying attribute data. This value is always
- Number of bytes in the List data block, including the list header and all encapsulated data blocks.
- List of Attribute Value data blocks. See Attribute Value Data Block for a description of the data blocks in this list.
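Every List and Generic List entry above repeats the same framing rule: a 4-byte block type, a 4-byte length that counts its own 8-byte header, and a payload that, for a list block, must be filled exactly by the encapsulated blocks. The walker below is an added example, not code from this guide or from Cisco, that parses and checks that framing on constructed input; it assumes big-endian fields, reuses the series 1 String block type 0 stated in the correlation event tables, and uses a made-up list block type because the list type values are cut off in this extract.

```python
"""Walk eStreamer-style data blocks: 4-byte type, 4-byte length (counting the
8-byte header), payload; a list block's payload is itself a run of blocks."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HEADER_LEN = 8           # block type (4 bytes) + block length (4 bytes)
STRING_BLOCK_TYPE = 0    # series 1 String data block type, as stated in the guide
LIST_BLOCK_TYPE = 11     # ASSUMED placeholder; the real list type values are cut off in this extract


@dataclass
class Block:
    block_type: int
    length: int                  # declared length, header included
    payload: bytes
    children: List["Block"] = field(default_factory=list)   # filled for list blocks
    text: Optional[str] = None                              # filled for string blocks


def parse_blocks(buf: bytes) -> List[Block]:
    """Parse consecutive blocks in buf; raise ValueError on any framing error."""
    blocks: List[Block] = []
    off = 0
    while off < len(buf):
        if len(buf) - off < HEADER_LEN:
            raise ValueError(f"truncated block header at offset {off}")
        btype, blen = struct.unpack_from(">II", buf, off)   # big-endian assumed
        if blen < HEADER_LEN:
            # A declared length below 8 would never advance the cursor.
            raise ValueError(f"block at offset {off} declares length {blen} < {HEADER_LEN}")
        if off + blen > len(buf):
            raise ValueError(f"block at offset {off} declares length {blen} past buffer end")
        payload = buf[off + HEADER_LEN:off + blen]
        blk = Block(btype, blen, payload)
        if btype == LIST_BLOCK_TYPE:
            # The encapsulated blocks must account for every payload byte.
            blk.children = parse_blocks(payload)
        elif btype == STRING_BLOCK_TYPE:
            blk.text = payload.decode("utf-8", errors="replace")
        blocks.append(blk)
        off += blen
    return blocks


def validate(buf: bytes) -> Optional[str]:
    """Return None if buf is a well-framed run of blocks, else the error text."""
    try:
        parse_blocks(buf)
        return None
    except ValueError as exc:
        return str(exc)


# --- encoders used only to build constructed sample input -------------------
def encode_block(btype: int, payload: bytes) -> bytes:
    return struct.pack(">II", btype, HEADER_LEN + len(payload)) + payload


def encode_string_block(text: str) -> bytes:
    return encode_block(STRING_BLOCK_TYPE, text.encode("utf-8"))


def encode_list_block(*children: bytes) -> bytes:
    return encode_block(LIST_BLOCK_TYPE, b"".join(children))


# Constructed sample: one list holding two strings, followed by a bare string.
SAMPLE = encode_list_block(encode_string_block("notes"),
                           encode_string_block("NETBIOS01")) + encode_string_block("tail")

# Constructed bad input: the list length covers two pad bytes that are not a block.
PADDED_LIST = (struct.pack(">II", LIST_BLOCK_TYPE, HEADER_LEN + 32)
               + encode_string_block("notes") + encode_string_block("NETBIOS01") + b"\x00\x00")

# Constructed bad input: a block claiming a zero length.
ZERO_LENGTH_BLOCK = struct.pack(">II", STRING_BLOCK_TYPE, 0)


def summarize(buf: bytes) -> List[Tuple[int, int, object]]:
    """(type, declared length, text or child texts) for each top-level block."""
    out: List[Tuple[int, int, object]] = []
    for b in parse_blocks(buf):
        out.append((b.block_type, b.length,
                    [c.text for c in b.children] if b.children else b.text))
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(validate(PADDED_LIST))
    print(validate(ZERO_LENGTH_BLOCK))
```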
Full Host Profile Data Block 5.1.1
The Full Host Profile data block for version 5.1.1 contains a full set of data describing one host. It has the format shown in the graphic below and explained in the following table. Note that, except for List data blocks, the graphic does not show the fields of the encapsulated data blocks. These encapsulated data blocks are described separately in Understanding Discovery & Connection Data Structures. The Full Host Profile data block has a block type value of 135. It deprecates data block 111.
Note: An asterisk (*) next to a block name in the following diagram indicates that multiple instances of the data block may occur.
The following table describes the components of the Full Host Profile for 5.1.1 record.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data derived from the existing fingerprints for the host. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint data blocks containing information about the operating system on a host derived from the existing fingerprints for the host. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a server fingerprint. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (Server Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host identified using a server fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a client fingerprint. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (Client Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host identified using a client fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a Cisco VDB fingerprint. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (VDB Native Fingerprint 1) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host identified using the fingerprints in the Cisco vulnerability database (VDB). See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a Cisco VDB fingerprint. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (VDB Native Fingerprint 2) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host identified using the fingerprints in the Cisco vulnerability database (VDB). See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by a user. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (User Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host added by a user. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by a vulnerability scanner. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (Scan Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host added by a vulnerability scanner. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by an application. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (Application Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host added by an application. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data selected through fingerprint conflict resolution. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (Conflict Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host selected through fingerprint conflict resolution. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a List data block comprising Full Server data blocks conveying TCP service data. This value is always
- Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Full Server data blocks.
- List of Full Server data blocks conveying data about the TCP services on the host. See Full Host Server Data Block 4.10.0+ for a description of this data block.
- Initiates a List data block comprising Full Server data blocks conveying UDP service data. This value is always
- Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Full Server data blocks.
- List of Full Server data blocks conveying data about the UDP sub-servers on the host. See Full Host Server Data Block 4.10.0+ for a description of this data block.
||
Initiates a List data block comprising Protocol data blocks conveying network protocol data. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Protocol data blocks. |
||
List of Protocol data blocks conveying data about the network protocols on the host. See Protocol Data Block for a description of this data block. |
||
Initiates a List data block comprising Protocol data blocks conveying transport protocol data. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Protocol data blocks. |
||
List of Protocol data blocks conveying data about the transport protocols on the host. See Protocol Data Block for a description of this data block. |
||
Initiates a List data block containing Host MAC Address data blocks. This value is always |
||
Number of bytes in the list, including the list header and all encapsulated Host MAC Address data blocks. |
||
List of Host MAC Address data blocks. See Host MAC Address 4.9+ for a description of this data block. |
||
UNIX timestamp that represents the last time the system detected host activity. |
||
VLAN identification number that indicates which VLAN the host is a member of. |
||
Initiates a Generic List data block comprising Host Vulnerability data blocks conveying Client Application data. This value is always 31. |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Client Application data blocks. |
||
List of Client Application data blocks. See Full Host Client Application Data Block 5.0+ for a description of this data block. |
||
Initiates a String data block for the host NetBIOS name. This value is always 0. |
||
Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name string. |
||
Initiates a String data block for host notes. This value is always |
||
Number of bytes in the notes String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the notes string. |
||
Contains the contents of the Notes host attribute for the host. |
||
Initiates a Generic List data block comprising Host Vulnerability data blocks conveying VDB vulnerability data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks. |
||
List of Host Vulnerability data blocks for vulnerabilities identified in the Cisco vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block. |
||
Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third-party scan vulnerability data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks. |
||
Host Vulnerability data blocks sourced from a third party scanner and containing information about host vulnerabilities cataloged in the Cisco vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block. |
||
Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third party scan vulnerability data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks. |
||
Host Vulnerability data blocks sourced from a third party scanner. Note that the host vulnerability IDs for these data blocks are the third party scanner IDs, not Cisco-detected IDs. See Host Vulnerability Data Block 4.9.0+ for a description of this data block. |
||
Initiates a List data block comprising Attribute Value data blocks conveying attribute data. This value is always |
||
Number of bytes in the List data block, including the list header and all encapsulated data blocks. |
||
List of Attribute Value data blocks. See Attribute Value Data Block for a description of the data blocks in this list. |
||
A true-false flag indicating whether the operating system is running on a mobile device. |
||
A true-false flag indicating whether the mobile device operating system is jailbroken. |
||
Full Host Profile Data Block 5.2.x
The Full Host Profile data block for version 5.2.x contains a full set of data describing one host. It has the format shown in the graphic below and explained in the following table. Note that, except for List data blocks, the graphic does not show the fields of the encapsulated data blocks; those encapsulated data blocks are described separately in Understanding Discovery & Connection Data Structures. The Full Host Profile data block has a block type value of 140. It supersedes the prior version, which has a block type of 135.
Note: An asterisk (*) next to a block name in the following diagram indicates that multiple instances of the data block may occur.
[Diagram of the Full Host Profile data block 5.2.x (not reproduced). Recoverable label: (Third Party Scan) Host Vulnerability Data Blocks with Original Vuln IDs (85)*]
The following table describes the components of the Full Host Profile for 5.2.x record.
Field | Description |
---|---|
 | Initiates a List data block comprising Host IP Address data blocks conveying the IP addresses of the host. This value is always |
 | Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Host IP Address data blocks. |
 | IP addresses of the host and when each IP address was last seen. See Host IP Address Data Block for a description of this data block. |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data derived from the existing fingerprints for the host. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
 | Operating System Fingerprint data blocks containing information about the operating system on a host derived from the existing fingerprints for the host. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a server fingerprint. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
Operating System Fingerprint (Server Fingerprint) Data Blocks * | Operating System Fingerprint data blocks containing information about the operating system on a host identified using a server fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a client fingerprint. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
Operating System Fingerprint (Client Fingerprint) Data Blocks * | Operating System Fingerprint data blocks containing information about the operating system on a host identified using a client fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a Cisco VDB fingerprint. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
Operating System Fingerprint (VDB Native Fingerprint 1) Data Blocks * | Operating System Fingerprint data blocks containing information about the operating system on a host identified using the fingerprints in the Cisco vulnerability database (VDB). See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a Cisco VDB fingerprint. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
Operating System Fingerprint (VDB Native Fingerprint 2) Data Blocks * | Operating System Fingerprint data blocks containing information about the operating system on a host identified using the fingerprints in the Cisco vulnerability database (VDB). See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by a user. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
Operating System Fingerprint (User Fingerprint) Data Blocks * | Operating System Fingerprint data blocks containing information about the operating system on a host added by a user. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by a vulnerability scanner. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
Operating System Fingerprint (Scan Fingerprint) Data Blocks * | Operating System Fingerprint data blocks containing information about the operating system on a host added by a vulnerability scanner. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by an application. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
Operating System Fingerprint (Application Fingerprint) Data Blocks * | Operating System Fingerprint data blocks containing information about the operating system on a host added by an application. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data selected through fingerprint conflict resolution. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
Operating System Fingerprint (Conflict Fingerprint) Data Blocks * | Operating System Fingerprint data blocks containing information about the operating system on a host selected through fingerprint conflict resolution. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying mobile device fingerprint data. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
 | Operating System Fingerprint data blocks containing information about the operating system on a mobile device host. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an IPv6 server fingerprint. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
Operating System Fingerprint (IPv6 Server Fingerprint) Data Blocks * | Operating System Fingerprint data blocks containing information about the operating system on a host identified using an IPv6 server fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an IPv6 client fingerprint. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
Operating System Fingerprint (IPv6 Client Fingerprint) Data Blocks * | Operating System Fingerprint data blocks containing information about the operating system on a host identified using an IPv6 client fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an IPv6 DHCP fingerprint. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
 | Operating System Fingerprint data blocks containing information about the operating system on a host identified using an IPv6 DHCP fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a user agent fingerprint. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
 | Operating System Fingerprint data blocks containing information about the operating system on a host identified using a user agent fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a List data block comprising Full Server data blocks conveying TCP service data. This value is always |
 | Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Full Server data blocks. |
 | List of Full Server data blocks conveying data about the TCP services on the host. See Full Host Server Data Block 4.10.0+ for a description of this data block. |
 | Initiates a List data block comprising Full Server data blocks conveying UDP service data. This value is always |
 | Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Full Server data blocks. |
 | List of Full Server data blocks conveying data about the UDP sub-servers on the host. See Full Host Server Data Block 4.10.0+ for a description of this data block. |
 | Initiates a List data block comprising Protocol data blocks conveying network protocol data. This value is always |
 | Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Protocol data blocks. |
 | List of Protocol data blocks conveying data about the network protocols on the host. See Protocol Data Block for a description of this data block. |
 | Initiates a List data block comprising Protocol data blocks conveying transport protocol data. This value is always |
 | Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Protocol data blocks. |
 | List of Protocol data blocks conveying data about the transport protocols on the host. See Protocol Data Block for a description of this data block. |
 | Initiates a List data block containing Host MAC Address data blocks. This value is always |
 | Number of bytes in the list, including the list header and all encapsulated Host MAC Address data blocks. |
 | List of Host MAC Address data blocks. See Host MAC Address 4.9+ for a description of this data block. |
 | UNIX timestamp that represents the last time the system detected host activity. |
 | VLAN identification number that indicates which VLAN the host is a member of. |
 | Initiates a Generic List data block comprising Client Application data blocks conveying client application data. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Client Application data blocks. |
 | List of Client Application data blocks. See Full Host Client Application Data Block 5.0+ for a description of this data block. |
 | Initiates a String data block for the host NetBIOS name. This value is always |
 | Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name string. |
 | Initiates a String data block for host notes. This value is always |
 | Number of bytes in the notes String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the notes string. |
 | Contains the contents of the Notes host attribute for the host. |
 | Initiates a Generic List data block comprising Host Vulnerability data blocks conveying VDB vulnerability data. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks. |
 | List of Host Vulnerability data blocks for vulnerabilities identified in the Cisco vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block. |
 | Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third-party scan vulnerability data. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks. |
 | Host Vulnerability data blocks sourced from a third-party scanner and containing information about host vulnerabilities cataloged in the Cisco vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block. |
 | Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third-party scan vulnerability data with the scanner's original vulnerability IDs. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks. |
 | Host Vulnerability data blocks sourced from a third-party scanner. Note that the host vulnerability IDs in these data blocks are the third-party scanner's IDs, not Cisco-detected IDs. See Host Vulnerability Data Block 4.9.0+ for a description of this data block. |
 | Initiates a List data block comprising Attribute Value data blocks conveying attribute data. This value is always |
 | Number of bytes in the List data block, including the list header and all encapsulated data blocks. |
 | List of Attribute Value data blocks. See Attribute Value Data Block for a description of the data blocks in this list. |
 | A true-false flag indicating whether the operating system is running on a mobile device. |
 | A true-false flag indicating whether the mobile device operating system is jailbroken. |
Host Profile Data Block for 5.1.x
The following diagram shows the format of the Host Profile data block for 5.1.x. This data block does not include a host criticality value, but it does include a VLAN presence indicator, and it can convey a NetBIOS name for the host. The Host Profile data block has a block type of 132.
Note: An asterisk (*) next to a block type field in the following diagram indicates that the message may contain zero or more instances of that series 1 data block.
The following table describes the fields of the Host Profile data block returned by version 5.1.x.
Field | Description |
---|---|
 | Initiates the Host Profile data block for 5.1.x. This value is always |
 | Number of bytes in the Host Profile data block, including eight bytes for the host profile block type and length fields, plus the number of bytes included in the host profile data that follows. |
 | IP address of the host described in the profile, in IP address octets. |
 | Indicates whether the host is in the primary or secondary network of the device that detected it: |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a server fingerprint. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
Operating System Fingerprint (Server Fingerprint) Data Blocks * | Operating System Fingerprint data blocks containing information about the operating system on a host identified using a server fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a client fingerprint. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
Operating System Fingerprint (Client Fingerprint) Data Blocks * | Operating System Fingerprint data blocks containing information about the operating system on a host identified using a client fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an SMB fingerprint. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
Operating System Fingerprint (SMB Fingerprint) Data Blocks * | Operating System Fingerprint data blocks containing information about the operating system on a host identified using an SMB fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a DHCP fingerprint. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
Operating System Fingerprint (DHCP Fingerprint) Data Blocks * | Operating System Fingerprint data blocks containing information about the operating system on a host identified using a DHCP fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a mobile device fingerprint. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
Operating System Fingerprint (Mobile Device Fingerprint) Data Blocks * | Operating System Fingerprint data blocks containing information about the operating system on a host identified using a mobile device fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
 | Initiates a List data block comprising Server data blocks conveying TCP server data. This value is always |
 | Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Server data blocks. |
 | Host Server data blocks describing a TCP server (as documented for earlier versions of the product). |
 | Initiates a List data block comprising Server data blocks conveying UDP server data. This value is always |
 | Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Server data blocks. |
 | Host Server data blocks describing a UDP server (as documented for earlier versions of the product). |
 | Initiates a List data block comprising Protocol data blocks conveying network protocol data. This value is always |
 | Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Protocol data blocks. This field is followed by zero or more Protocol data blocks. |
 | Protocol data blocks describing a network protocol. See Protocol Data Block for a description of this data block. |
 | Initiates a List data block comprising Protocol data blocks conveying transport protocol data. This value is always |
 | Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Protocol data blocks. This field is followed by zero or more transport Protocol data blocks. |
 | Protocol data blocks describing a transport protocol. See Protocol Data Block for a description of this data block. |
 | Initiates a List data block comprising Host MAC Address data blocks. This value is always |
 | Number of bytes in the list, including the list header and all encapsulated Host MAC Address data blocks. |
 | Host MAC Address data blocks describing a host MAC address. See Host MAC Address 4.9+ for a description of this data block. |
 | UNIX timestamp that represents the last time the system detected host activity. |
 | True-false flag indicating whether the host is a mobile device. |
 | True-false flag indicating whether the host is a mobile device that is also jailbroken. |
 | VLAN identification number that indicates which VLAN the host is a member of. |
 | Initiates a Generic List data block comprising Client Application data blocks conveying client application data. This value is always |
 | Number of bytes in the Generic List data block, including the list header and all encapsulated Client Application data blocks. |
 | Client Application data blocks describing a client application. See Full Host Client Application Data Block 5.0+ for a description of this data block. |
 | Initiates a String data block for the NetBIOS name. This value is set to |
 | Number of bytes in the NetBIOS name String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name. |
 | Contains the NetBIOS name of the host described in the host profile. |
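The List, Generic List and String containers that the three host profile tables above are assembled from all follow one framing rule: a four-byte block type, then a four-byte block length in network byte order, where the length counts the eight header bytes plus everything encapsulated. A client that trusts those length fields blindly can be driven into buffer over-reads or an endless loop by a single bad block from the stream, so a parser has to check every length against the header size and against the enclosing block before descending. The walker below is an added example written for this appendix, not Cisco code from the guide or from any eStreamer client: it uses the Generic List (31) and String (0) block type values shown in the tables above, assumes the value 11 for the plain List block (this page does not show it), and runs over a constructed sample buffer rather than a captured stream.

```python
"""Bounds-checked walker for eStreamer series 1 container blocks.

Added example, not part of the Cisco guide. Block types 31 (Generic List)
and 0 (String) are taken from the host profile tables; LIST = 11 is an
assumption because the plain List block type is not shown on this page.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

BLOCK_TYPE_STRING = 0
BLOCK_TYPE_LIST = 11            # assumed value for the plain List block
BLOCK_TYPE_GENERIC_LIST = 31

# Block type and block length, 4 bytes each, network byte order.
# The length includes these eight header bytes.
HEADER = struct.Struct("!II")
HEADER_LEN = HEADER.size        # 8
MAX_DEPTH = 8                   # host profiles nest lists only a few levels deep


class MalformedBlock(ValueError):
    """A length field is inconsistent with the buffer or the enclosing block."""


@dataclass
class Block:
    block_type: int
    length: int                                   # wire length, header included
    children: List["Block"] = field(default_factory=list)   # List / Generic List
    text: Optional[str] = None                    # String block payload
    payload: bytes = b""                          # any other block, left undecoded


def parse_block(buf: bytes, offset: int = 0, end: Optional[int] = None,
                depth: int = 0) -> Tuple[Block, int]:
    """Parse one block at buf[offset:end]; return it and the offset just past it."""
    if end is None:
        end = len(buf)
    if depth > MAX_DEPTH:
        raise MalformedBlock("block nesting deeper than %d" % MAX_DEPTH)
    if end - offset < HEADER_LEN:
        raise MalformedBlock("truncated block header at offset %d" % offset)
    block_type, length = HEADER.unpack_from(buf, offset)
    if length < HEADER_LEN:
        # Below 8 the walker would never advance past this header.
        raise MalformedBlock("length %d smaller than header at offset %d" % (length, offset))
    if offset + length > end:
        # Past the enclosing block: the classic over-read sink.
        raise MalformedBlock("length %d overruns enclosing block at offset %d" % (length, offset))
    body_start, body_end = offset + HEADER_LEN, offset + length
    blk = Block(block_type, length)
    if block_type in (BLOCK_TYPE_LIST, BLOCK_TYPE_GENERIC_LIST):
        pos = body_start
        while pos < body_end:       # each child consumes at least 8 bytes, so this ends
            child, pos = parse_block(buf, pos, body_end, depth + 1)
            blk.children.append(child)
    elif block_type == BLOCK_TYPE_STRING:
        blk.text = bytes(buf[body_start:body_end]).decode("utf-8", errors="replace")
    else:
        blk.payload = bytes(buf[body_start:body_end])
    return blk, body_end


def parse_message(buf: bytes) -> Block:
    """Parse a buffer that must hold exactly one top-level block, nothing more."""
    blk, nxt = parse_block(buf)
    if nxt != len(buf):
        raise MalformedBlock("%d trailing bytes after top-level block" % (len(buf) - nxt))
    return blk


# Encoders used only to build the constructed sample below.
def encode_string(text: str) -> bytes:
    data = text.encode("utf-8")
    return HEADER.pack(BLOCK_TYPE_STRING, HEADER_LEN + len(data)) + data


def encode_list(block_type: int, children: List[bytes]) -> bytes:
    body = b"".join(children)
    return HEADER.pack(block_type, HEADER_LEN + len(body)) + body


# Constructed sample: a Generic List carrying two String blocks, the same shape
# as the NetBIOS name and notes strings in the host profile tables.
SAMPLE = encode_list(BLOCK_TYPE_GENERIC_LIST,
                     [encode_string("WORKSTATION01"), encode_string("lab host")])


def strings_in(buf: bytes) -> List[str]:
    """Text of every String block directly inside the top-level list."""
    return [c.text for c in parse_message(buf).children if c.text is not None]


def is_rejected(buf: bytes) -> bool:
    """True when the parser refuses the buffer instead of over-reading or looping."""
    try:
        parse_message(buf)
    except MalformedBlock:
        return True
    return False


if __name__ == "__main__":
    print(parse_message(SAMPLE).length, strings_in(SAMPLE))
    # A child claiming 100 bytes inside a 24-byte list, and a length below the header size.
    print(is_rejected(HEADER.pack(BLOCK_TYPE_GENERIC_LIST, 24)
                      + HEADER.pack(BLOCK_TYPE_STRING, 100) + b"x" * 8))
    print(is_rejected(HEADER.pack(BLOCK_TYPE_STRING, 4) + b"abcd"))
```

The two rejection cases at the bottom are the ones worth keeping in a client's test suite: a child length that overruns its list, and a length smaller than the eight-byte header. The first is what turns a length field into a read past the receive buffer; the second is what turns it into a loop that never advances. The nesting cap is a cheap guard against a stream that wraps lists inside lists until the recursion exhausts the stack.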
IP Range Specification Data Block for 5.0 - 5.1.1.x
The IP Range Specification data block conveys a range of IP addresses. IP Range Specification data blocks are used in User Protocol, User Client Application, Address Specification, User Product, User Server, User Hosts, User Vulnerability, User Criticality, and User Attribute Value data blocks. The IP Range Specification data block has a block type of 61.
The following diagram shows the format of the IP Range Specification data block:
The following table describes the components of the IP Range Specification data block.
Access Control Policy Rule Reason Data Block
The eStreamer service uses the Access Control Policy Rule Reason data block to convey information about access control policy rule IDs. This data block has a block type of 21 in series 2.
The following diagram shows the structure of the Access Control Policy Rule Reason data block.
The following table describes the fields in the Access Control Policy Rule Reason data block.