Understanding Legacy Data Structures

This appendix contains information about data structures supported by eStreamer in previous versions of Firepower System products.

If your client uses event stream requests with bits set to request data in older version formats, you can use the information in this appendix to identify the data structures of the data messages you receive.

Note that prior to version 5.0, separate detection engines were assigned IDs. For version 5.0, devices are assigned IDs. The data structures reflect this difference, depending on the version.

Note: This appendix describes only data structures from version 4.9 or later of the Firepower System. If you require documentation for structures from earlier data structure versions, contact Cisco Customer Support.


See the following sections for more information:

Legacy Intrusion Data Structures

Intrusion Event (IPv4) Record 5.0.x - 5.1

The fields in the intrusion event (IPv4) record are shaded in the following graphic. The record type is 207.

You request intrusion event records by setting the intrusion event flag or the extended requests flag in the request message. See Request Flags and Submitting Extended Requests.

For version 5.0.x - 5.1 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier.

[Graphic: record layout. Each line below is one 32-bit row of the record (bytes 0-3, bits 0-31); fields that share a row are separated by "|".]

Header Version (1) | Message Type (4)
Message Length
Netmap ID | Record Type (207)
Record Length
eStreamer Server Timestamp (in events, only if bit 23 is set)
Reserved for Future Use (in events, only if bit 23 is set)
Device ID
Event ID
Event Second
Event Microsecond
Rule ID (Signature ID)
Generator ID
Rule Revision
Classification ID
Priority ID
Source IPv4 Address
Destination IPv4 Address
Source Port | Destination Port
IP Protocol ID | Impact Flags | Impact | Blocked
MPLS Label
VLAN ID | Pad
Policy UUID (continues over 4 rows)
User ID
Web Application ID
Client Application ID
Application Protocol ID
Access Control Rule ID
Access Control Policy UUID (continues over 4 rows)
Interface Ingress UUID (continues over 4 rows)
Interface Egress UUID (continues over 4 rows)
Security Zone Ingress UUID (continues over 4 rows)
Security Zone Egress UUID (continues over 4 rows)

The following table describes each intrusion event record data field.

Table B-1 Intrusion Event (IPv4) Record Fields

Field
Data Type
Description

Device ID

uint32

Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.

Event ID

uint32

Event identification number.

Event Second

uint32

UNIX timestamp (seconds since 01/01/1970) of the event’s detection.

Event Microsecond

uint32

Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.

Rule ID (Signature ID)

uint32

Rule identification number that corresponds with the event.

Generator ID

uint32

Identification number of the Firepower System preprocessor that generated the event.

Rule Revision

uint32

Rule revision number.

Classification ID

uint32

Identification number of the event classification message.

Priority ID

uint32

Identification number of the priority associated with the event.

Source IPv4 Address

uint8[4]

Source IPv4 address used in the event, in address octets.

Destination IPv4 Address

uint8[4]

Destination IPv4 address used in the event, in address octets.

Source Port

uint16

The source port number if the event protocol type is TCP or UDP.

Destination Port

uint16

The destination port number if the event protocol type is TCP or UDP.

IP Protocol Number

uint8

IANA-specified protocol number. For example:

  • 0 — IP
  • 1 — ICMP
  • 6 — TCP
  • 17 — UDP

Impact Flags

bits[8]

Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:

  • 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
  • 0x02 (bit 1) — Source or destination host exists in the network map.
  • 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
  • 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
  • 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
  • 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Firepower System web interface.
  • 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
  • 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event.

The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:

  • (0, unknown): 00X00000
  • red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX
  • orange (2, potentially vulnerable): 00X00111
  • yellow (3, currently not vulnerable): 00X00011
  • blue (4, unknown target): 00X00001

Impact

uint8

Impact flag value of the event. Values are:

  • 1 — Red (vulnerable)
  • 2 — Orange (potentially vulnerable)
  • 3 — Yellow (currently not vulnerable)
  • 4 — Blue (unknown target)
  • 5 — (unknown impact)

Blocked

uint8

Value indicating whether the event was blocked.

  • 0 — Not blocked
  • 1 — Blocked
  • 2 — Would be blocked (but not permitted by configuration)

MPLS Label

uint32

MPLS label.

VLAN ID

uint16

Indicates the ID of the VLAN where the packet originated.

Pad

uint16

Reserved for future use.

Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the intrusion policy.

User ID

uint32

The internal identification number for the user, if applicable.

Web Application ID

uint32

The internal identification number for the web application, if applicable.

Client Application ID

uint32

The internal identification number for the client application, if applicable.

Application Protocol ID

uint32

The internal identification number for the application protocol, if applicable.

Access Control Rule ID

uint32

A rule ID number that acts as a unique identifier for the access control rule.

Access Control Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the access control policy.

Ingress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the ingress interface.

Egress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the egress interface.

Ingress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the ingress security zone.

Egress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the egress security zone.
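
The Table B-1 layout and the Impact Flags patterns decoded in Python, as an added example that is not part of the original appendix or any Cisco code. It assumes the fields arrive in network byte order and that the message and record headers have already been stripped; the function names and the sample record are constructed for illustration.

```python
import ipaddress
import struct
import uuid

# Data portion of a record type 207, in Table B-1 field order.
# Assumption: network byte order (">"), which also disables struct padding.
RECORD_207 = struct.Struct(">9I4s4sHHBBBBIHH16s5I16s16s16s16s16s")

FIELDS = (
    "device_id", "event_id", "event_second", "event_microsecond",
    "rule_id", "generator_id", "rule_revision", "classification_id",
    "priority_id", "src_ip", "dst_ip", "src_port", "dst_port",
    "ip_protocol", "impact_flags", "impact", "blocked", "mpls_label",
    "vlan_id", "pad", "policy_uuid", "user_id", "web_app_id",
    "client_app_id", "app_protocol_id", "ac_rule_id", "ac_policy_uuid",
    "ingress_interface_uuid", "egress_interface_uuid",
    "ingress_zone_uuid", "egress_zone_uuid",
)

# Impact Flags bit meanings, shortened from the table.
IMPACT_BITS = {
    0x01: "host in monitored network",
    0x02: "host in network map",
    0x04: "host runs server on event port/protocol",
    0x08: "vulnerability mapped to host OS",
    0x10: "vulnerability mapped to server",
    0x20: "session dropped",
    0x40: "rule metadata sets impact red",
    0x80: "vulnerability mapped to client",
}
RED_MASK = 0x08 | 0x10 | 0x40 | 0x80


def impact_level(flags):
    """Map an Impact Flags byte to (level, colour) using the Table B-1 patterns.

    Returns None when the byte matches none of the listed patterns
    (for example 0x04 alone), rather than guessing a level.
    """
    if flags & RED_MASK:
        return (1, "red")
    low = flags & 0xFF & ~0x20  # bit 5 is "X" (0 or 1) in every remaining pattern
    return {
        0x07: (2, "orange"),
        0x03: (3, "yellow"),
        0x01: (4, "blue"),
        0x00: (0, "unknown"),
    }.get(low)


def parse_record_207(data):
    """Decode the data portion of one intrusion event (IPv4) record."""
    if len(data) != RECORD_207.size:
        raise ValueError(
            f"expected {RECORD_207.size} bytes for record type 207, got {len(data)}"
        )
    rec = dict(zip(FIELDS, RECORD_207.unpack(data)))
    for key in ("src_ip", "dst_ip"):
        rec[key] = str(ipaddress.IPv4Address(rec[key]))
    for key in FIELDS:
        if key.endswith("_uuid"):
            rec[key] = str(uuid.UUID(bytes=rec[key]))
    rec["impact_flag_names"] = [
        name for bit, name in IMPACT_BITS.items() if rec["impact_flags"] & bit
    ]
    rec["impact_level"] = impact_level(rec["impact_flags"])
    # Event ID, managed device ID and event second identify the event uniquely.
    rec["event_key"] = (rec["device_id"], rec["event_id"], rec["event_second"])
    return rec


def build_sample():
    """Constructed sample record (illustrative values, not captured traffic)."""
    zero_uuid = bytes(16)
    return RECORD_207.pack(
        7, 1001, 1400000000, 250000,      # device, event ID, second, microsecond
        2019401, 1, 3, 27, 1,             # rule, generator, revision, class, priority
        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]), 49152, 80,
        6, 0x27, 2, 1,                    # TCP, impact flags, impact, blocked
        0, 0, 0, zero_uuid,               # MPLS label, VLAN ID, pad, policy UUID
        0, 0, 0, 0, 5,                    # user, web app, client app, app proto, AC rule
        zero_uuid, zero_uuid, zero_uuid, zero_uuid, zero_uuid,
    )


if __name__ == "__main__":
    for field, value in parse_record_207(build_sample()).items():
        print(f"{field}: {value}")
```

A length that differs from the fixed layout is rejected instead of being decoded, because it means the data is in another record version.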

Intrusion Event (IPv6) Record 5.0.x - 5.1

The fields in the intrusion event (IPv6) record are shaded in the following graphic. The record type is 208.

You request intrusion event records by setting the intrusion event flag or the extended requests flag in the request message. See Request Flags and Submitting Extended Requests.

For version 5.0.x - 5.1 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier.

[Graphic: record layout. Each line below is one 32-bit row of the record (bytes 0-3, bits 0-31); fields that share a row are separated by "|".]

Header Version (1) | Message Type (4)
Message Length
Netmap ID | Record Type (208)
Record Length
eStreamer Server Timestamp (in events, only if bit 23 is set)
Reserved for Future Use (in events, only if bit 23 is set)
Device ID
Event ID
Event Second
Event Microsecond
Rule ID (Signature ID)
Generator ID
Rule Revision
Classification ID
Priority ID
Source IPv6 Address (continues over 4 rows)
Destination IPv6 Address (continues over 4 rows)
Source Port/ICMP Type | Destination Port/ICMP Code
IP Protocol ID | Impact Flags | Impact | Blocked
MPLS Label
VLAN ID | Pad
Policy UUID (continues over 4 rows)
User ID
Web Application ID
Client Application ID
Application Protocol ID
Access Control Rule ID
Access Control Policy UUID (continues over 4 rows)
Interface Ingress UUID (continues over 4 rows)
Interface Egress UUID (continues over 4 rows)
Security Zone Ingress UUID (continues over 4 rows)
Security Zone Egress UUID (continues over 4 rows)

The following table describes each intrusion event record data field.

Table B-2 Intrusion Event (IPv6) Record Fields

Field
Data Type
Description

Device ID

uint32

Contains the identification number of the detecting device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.

Event ID

uint32

Event identification number.

Event Second

uint32

UNIX timestamp (seconds since 01/01/1970) of the event’s detection.

Event Microsecond

uint32

Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.

Rule ID (Signature ID)

uint32

Rule identification number that corresponds with the event.

Generator ID

uint32

Identification number of the Firepower System preprocessor that generated the event.

Rule Revision

uint32

Rule revision number.

Classification ID

uint32

Identification number of the event classification message.

Priority ID

uint32

Identification number of the priority associated with the event.

Source IPv6 Address

uint8[16]

Source IPv6 address used in the event, in address octets.

Destination IPv6 Address

uint8[16]

Destination IPv6 address used in the event, in address octets.

Source Port/ICMP Type

uint16

The source port number if the event protocol type is TCP or UDP. If the protocol type is ICMP, this indicates the ICMP type.

Destination Port/ICMP Code

uint16

The destination port number if the event protocol type is TCP or UDP. If the protocol type is ICMP, this indicates the ICMP code.

IP Protocol Number

uint8

IANA-specified protocol number. For example:

  • 0 — IP
  • 1 — ICMP
  • 6 — TCP
  • 17 — UDP

Impact Flags

bits[8]

Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:

  • 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
  • 0x02 (bit 1) — Source or destination host exists in the network map.
  • 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
  • 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
  • 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
  • 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Firepower System web interface.
  • 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
  • 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event.

The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:

  • (0, unknown): 00X00000
  • red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX
  • orange (2, potentially vulnerable): 00X00111
  • yellow (3, currently not vulnerable): 00X00011
  • blue (4, unknown target): 00X00001

Impact

uint8

Impact flag value of the event. Values are:

  • 1 — Red (vulnerable)
  • 2 — Orange (potentially vulnerable)
  • 3 — Yellow (currently not vulnerable)
  • 4 — Blue (unknown target)
  • 5 — (unknown impact)

Blocked

uint8

Value indicating whether the event was blocked.

  • 0 — Not blocked
  • 1 — Blocked
  • 2 — Would be blocked (but not permitted by configuration)

MPLS Label

uint32

MPLS label. (Applies to 4.9+ events only.)

VLAN ID

uint16

Indicates the ID of the VLAN where the packet originated. (Applies to 4.9+ events only.)

Pad

uint16

Reserved for future use.

Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the intrusion policy.

User ID

uint32

The internal identification number for the user, if applicable.

Web Application ID

uint32

The internal identification number for the web application, if applicable.

Client Application ID

uint32

The internal identification number for the client application, if applicable.

Application Protocol ID

uint32

The internal identification number for the application protocol, if applicable.

Access Control Rule ID

uint32

A rule ID number that acts as a unique identifier for the access control rule.

Access Control Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the access control policy.

Ingress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the ingress interface.

Egress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the egress interface.

Ingress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the ingress security zone.

Egress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the egress security zone.

Intrusion Event Record 5.2.x

The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 34 in the series 2 set of data blocks.

You can request 5.2.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 5 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).

For version 5.2.x intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.

[Graphic: record layout. Each line below is one 32-bit row of the record (bytes 0-3, bits 0-31); fields that share a row are separated by "|".]

Header Version (1) | Message Type (4)
Message Length
Netmap ID | Record Type (400)
Record Length
eStreamer Server Timestamp (in events, only if bit 23 is set)
Reserved for Future Use (in events, only if bit 23 is set)
Block Type (34)
Block Length
Device ID
Event ID
Event Second
Event Microsecond
Rule ID (Signature ID)
Generator ID
Rule Revision
Classification ID
Priority ID
Source IP Address (continues over 4 rows)
Destination IP Address (continues over 4 rows)
Source Port or ICMP Type | Destination Port or ICMP Code
IP Protocol ID | Impact Flags | Impact | Blocked
MPLS Label
VLAN ID | Pad
Policy UUID (continues over 4 rows)
User ID
Web Application ID
Client Application ID
Application Protocol ID
Access Control Rule ID
Access Control Policy UUID (continues over 4 rows)
Interface Ingress UUID (continues over 4 rows)
Interface Egress UUID (continues over 4 rows)
Security Zone Ingress UUID (continues over 4 rows)
Security Zone Egress UUID (continues over 4 rows)
Connection Timestamp
Connection Instance ID | Connection Counter
Source Country | Destination Country

The following table describes each intrusion event record data field.

Table B-3 Intrusion Event Record 5.2.x Fields

Field
Data Type
Description

Block Type

uint32

Initiates an Intrusion Event data block. This value is always 34.

Block Length

uint32

Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.

Device ID

uint32

Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.

Event ID

uint32

Event identification number.

Event Second

uint32

UNIX timestamp (seconds since 01/01/1970) of the event’s detection.

Event Microsecond

uint32

Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.

Rule ID (Signature ID)

uint32

Rule identification number that corresponds with the event.

Generator ID

uint32

Identification number of the Firepower System preprocessor that generated the event.

Rule Revision

uint32

Rule revision number.

Classification ID

uint32

Identification number of the event classification message.

Priority ID

uint32

Identification number of the priority associated with the event.

Source IP Address

uint8[16]

Source IPv4 or IPv6 address used in the event.

Destination IP Address

uint8[16]

Destination IPv4 or IPv6 address used in the event.

Source Port or ICMP Type

uint16

The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.

Destination Port or ICMP Code

uint16

The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.

IP Protocol Number

uint8

IANA-specified protocol number. For example:

  • 0 — IP
  • 1 — ICMP
  • 6 — TCP
  • 17 — UDP

Impact Flags

bits[8]

Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:

  • 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
  • 0x02 (bit 1) — Source or destination host exists in the network map.
  • 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
  • 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
  • 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
  • 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Firepower System web interface.
  • 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
  • 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event. (version 5.0+ only)

The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:

  • (0, unknown): 00X00000
  • red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX (version 5.0+ only)
  • orange (2, potentially vulnerable): 00X0011X
  • yellow (3, currently not vulnerable): 00X0001X
  • blue (4, unknown target): 00X00001

Impact

uint8

Impact flag value of the event. Values are:

  • 1 — Red (vulnerable)
  • 2 — Orange (potentially vulnerable)
  • 3 — Yellow (currently not vulnerable)
  • 4 — Blue (unknown target)
  • 5 — (unknown impact)

Blocked

uint8

Value indicating whether the event was blocked.

  • 0 — Not blocked
  • 1 — Blocked
  • 2 — Would be blocked (but not permitted by configuration)

MPLS Label

uint32

MPLS label.

VLAN ID

uint16

Indicates the ID of the VLAN where the packet originated.

Pad

uint16

Reserved for future use.

Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the intrusion policy.

User ID

uint32

The internal identification number for the user, if applicable.

Web Application ID

uint32

The internal identification number for the web application, if applicable.

Client Application ID

uint32

The internal identification number for the client application, if applicable.

Application Protocol ID

uint32

The internal identification number for the application protocol, if applicable.

Access Control Rule ID

uint32

A rule ID number that acts as a unique identifier for the access control rule.

Access Control Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the access control policy.

Ingress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the ingress interface.

Egress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the egress interface.

Ingress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the ingress security zone.

Egress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the egress security zone.

Connection Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.

Connection Instance ID

uint16

Numerical ID of the Snort instance on the managed device that generated the connection event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.
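
Block framing checks and the two identifiers described for 5.2.x events (the event key and the connection key), as an added Python example that is not part of the original appendix or any Cisco code. It assumes network byte order and that each buffer starts at the Block Type field; the function names and sample blocks are constructed for illustration.

```python
import struct
from collections import defaultdict

BLOCK_TYPE_5_2 = 34  # block type given for 5.2.x intrusion events

# Full block in Table B-3 field order. Assumption: network byte order (">").
# The numbers in the comments are positions in the unpacked tuple.
BLOCK = struct.Struct(
    ">II"               # 0-1   Block Type, Block Length
    "9I"                # 2-10  Device ID ... Priority ID
    "16s16s"            # 11-12 Source / Destination IP Address
    "HHBBBB"            # 13-18 ports or ICMP type/code, protocol, impact flags, impact, blocked
    "IHH"               # 19-21 MPLS Label, VLAN ID, Pad
    "16s5I"             # 22-27 Policy UUID, then User ... Access Control Rule IDs
    "16s16s16s16s16s"   # 28-32 access control policy, interface and zone UUIDs
    "IHH"               # 33-35 Connection Timestamp, Instance ID, Counter
    "HH"                # 36-37 Source / Destination Country
)


def parse_block(buf):
    """Validate the framing of one 5.2.x block and return its identifiers."""
    if len(buf) < 8:
        raise ValueError("truncated block header")
    block_type, block_length = struct.unpack_from(">II", buf)
    if block_type != BLOCK_TYPE_5_2:
        raise ValueError(f"block type {block_type}, expected {BLOCK_TYPE_5_2}")
    # Block Length includes the eight bytes of type and length, so it must
    # equal the fixed layout size and fit inside what was actually received.
    if block_length != BLOCK.size:
        raise ValueError(f"block length {block_length}, expected {BLOCK.size}")
    if block_length > len(buf):
        raise ValueError(f"block claims {block_length} bytes, only {len(buf)} present")
    v = BLOCK.unpack_from(buf)
    return {
        "event_key": (v[2], v[3], v[4]),     # device ID, event ID, event second
        "conn_key": (v[33], v[34], v[35]),   # connection second, instance, counter
        "rule": (v[7], v[6], v[8]),          # generator ID, rule ID, revision
        "impact": v[17],
        "blocked": v[18],
    }


def correlate(blocks):
    """Group intrusion events by the connection event they belong to.

    Repeated event keys are kept once; malformed blocks are counted, not parsed.
    Returns (events_by_connection_key, rejected_count).
    """
    seen = set()
    by_conn = defaultdict(list)
    rejected = 0
    for buf in blocks:
        try:
            event = parse_block(buf)
        except ValueError:
            rejected += 1
            continue
        if event["event_key"] in seen:
            continue
        seen.add(event["event_key"])
        by_conn[event["conn_key"]].append(event)
    return dict(by_conn), rejected


def make_block(device_id, event_id, event_second, conn=(0, 0, 0), block_type=BLOCK_TYPE_5_2):
    """Constructed sample block; every field not passed in is zero."""
    values = (
        [block_type, BLOCK.size, device_id, event_id, event_second]
        + [0] * 6 + [bytes(16)] * 2 + [0] * 9 + [bytes(16)]
        + [0] * 5 + [bytes(16)] * 5 + list(conn) + [0, 0]
    )
    return BLOCK.pack(*values)


if __name__ == "__main__":
    conn = (1399999990, 2, 5)
    first = make_block(7, 1, 1400000000, conn)
    second = make_block(7, 2, 1400000001, conn)
    grouped, rejected = correlate([first, second, first, first[:100]])
    for key, events in grouped.items():
        print(key, [e["event_key"] for e in events])
    print("rejected:", rejected)
```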

Intrusion Event Record 5.3

The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 41 in the series 2 set of data blocks.

You can request 5.3 intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 6 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).

For version 5.3 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.

[Graphic: record layout. Each line below is one 32-bit row of the record (bytes 0-3, bits 0-31); fields that share a row are separated by "|".]

Header Version (1) | Message Type (4)
Message Length
Netmap ID | Record Type (400)
Record Length
eStreamer Server Timestamp (in events, only if bit 23 is set)
Reserved for Future Use (in events, only if bit 23 is set)
Block Type (41)
Block Length
Device ID
Event ID
Event Second
Event Microsecond
Rule ID (Signature ID)
Generator ID
Rule Revision
Classification ID
Priority ID
Source IP Address (continues over 4 rows)
Destination IP Address (continues over 4 rows)
Source Port or ICMP Type | Destination Port or ICMP Code
IP Protocol ID | Impact Flags | Impact | Blocked
MPLS Label
VLAN ID | Pad
Policy UUID (continues over 4 rows)
User ID
Web Application ID
Client Application ID
Application Protocol ID
Access Control Rule ID
Access Control Policy UUID (continues over 4 rows)
Interface Ingress UUID (continues over 4 rows)
Interface Egress UUID (continues over 4 rows)
Security Zone Ingress UUID (continues over 4 rows)
Security Zone Egress UUID (continues over 4 rows)
Connection Timestamp
Connection Instance ID | Connection Counter
Source Country | Destination Country
IOC Number

The following table describes each intrusion event record data field.

Table B-4 Intrusion Event Record 5.3 Fields

Field
Data Type
Description

Block Type

uint32

Initiates an Intrusion Event data block. This value is always 34.

Block Length

uint32

Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.

Device ID

uint32

Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.

Event ID

uint32

Event identification number.

Event Second

uint32

UNIX timestamp (seconds since 01/01/1970) of the event’s detection.

Event Microsecond

uint32

Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.

Rule ID (Signature ID)

uint32

Rule identification number that corresponds with the event.

Generator ID

uint32

Identification number of the Firepower System preprocessor that generated the event.

Rule Revision

uint32

Rule revision number.

Classification ID

uint32

Identification number of the event classification message.

Priority ID

uint32

Identification number of the priority associated with the event.

Source IP Address

uint8[16]

Source IPv4 or IPv6 address used in the event.

Destination IP Address

uint8[16]

Destination IPv4 or IPv6 address used in the event.

Source Port or ICMP Type

uint16

The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.

Destination Port or ICMP Code

uint16

The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.

IP Protocol Number

uint8

IANA-specified protocol number. For example:

  • 0 — IP
  • 1 — ICMP
  • 6 — TCP
  • 17 — UDP

Impact Flags

bits[8]

Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:

  • 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
  • 0x02 (bit 1) — Source or destination host exists in the network map.
  • 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
  • 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
  • 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
  • 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Firepower System web interface.
  • 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
  • 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event. (version 5.0+ only)

The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:

  • (0, unknown): 00X00000
  • red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX (version 5.0+ only)
  • orange (2, potentially vulnerable): 00X0011X
  • yellow (3, currently not vulnerable): 00X0001X
  • blue (4, unknown target): 00X00001

Impact

uint8

Impact flag value of the event. Values are:

  • 1 — Red (vulnerable)
  • 2 — Orange (potentially vulnerable)
  • 3 — Yellow (currently not vulnerable)
  • 4 — Blue (unknown target)
  • 5 — (unknown impact)

Blocked

uint8

Value indicating whether the event was blocked.

  • 0 — Not blocked
  • 1 — Blocked
  • 2 — Would be blocked (but not permitted by configuration)

MPLS Label

uint32

MPLS label.

VLAN ID

uint16

Indicates the ID of the VLAN where the packet originated.

Pad

uint16

Reserved for future use.

Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the intrusion policy.

User ID

uint32

The internal identification number for the user, if applicable.

Web Application ID

uint32

The internal identification number for the web application, if applicable.

Client Application ID

uint32

The internal identification number for the client application, if applicable.

Application Protocol ID

uint32

The internal identification number for the application protocol, if applicable.

Access Control Rule ID

uint32

A rule ID number that acts as a unique identifier for the access control rule.

Access Control Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the access control policy.

Ingress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the ingress interface.

Egress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the egress interface.

Ingress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the ingress security zone.

Egress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the egress security zone.

Connection Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.

Connection Instance ID

uint16

Numerical ID of the Snort instance on the managed device that generated the connection event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

IOC Number

uint16

ID number of the compromise associated with this event.

Intrusion Event Record 5.1.1.x

The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 25.

You can request 5.1.1.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 4 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).

For version 5.1.1.x intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.

 

Record layout. Each item is one 32-bit row (bytes 0-3, bits 0-31); fields that share a row are separated by "|".

  • Header Version (1) | Message Type (4)
  • Message Length
  • Netmap ID | Record Type (400)
  • Record Length
  • eStreamer Server Timestamp (in events, only if bit 23 is set)
  • Reserved for Future Use (in events, only if bit 23 is set)
  • Block Type (25)
  • Block Length
  • Device ID
  • Event ID
  • Event Second
  • Event Microsecond
  • Rule ID (Signature ID)
  • Generator ID
  • Rule Revision
  • Classification ID
  • Priority ID
  • Source IP Address (4 rows)
  • Destination IP Address (4 rows)
  • Source Port/ICMP Type | Destination Port/ICMP Code
  • IP Protocol ID | Impact Flags | Impact | Blocked
  • MPLS Label
  • VLAN ID | Pad
  • Policy UUID (4 rows)
  • User ID
  • Web Application ID
  • Client Application ID
  • Application Protocol ID
  • Access Control Rule ID
  • Access Control Policy UUID (4 rows)
  • Interface Ingress UUID (4 rows)
  • Interface Egress UUID (4 rows)
  • Security Zone Ingress UUID (4 rows)
  • Security Zone Egress UUID (4 rows)
  • Connection Timestamp
  • Connection Instance ID | Connection Counter

The following table describes each intrusion event record data field.

 

Table B-5 Intrusion Event Record 5.1.1 Fields

Field
Data Type
Description

Block Type

uint32

Initiates an Intrusion Event data block. This value is always 25.

Block Length

uint32

Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.

Device ID

uint32

Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.

Event ID

uint32

Event identification number.

Event Second

uint32

UNIX timestamp (seconds since 01/01/1970) of the event’s detection.

Event Microsecond

uint32

Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.

Rule ID (Signature ID)

uint32

Rule identification number that corresponds with the event.

Generator ID

uint32

Identification number of the Firepower System preprocessor that generated the event.

Rule Revision

uint32

Rule revision number.

Classification ID

uint32

Identification number of the event classification message.

Priority ID

uint32

Identification number of the priority associated with the event.

Source IP Address

uint8[16]

Source IPv4 or IPv6 address used in the event.

Destination IP Address

uint8[16]

Destination IPv4 or IPv6 address used in the event.

Source Port/ICMP Type

uint16

The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.

Destination Port/ICMP Code

uint16

The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.

IP Protocol Number

uint8

IANA-specified protocol number. For example:

  • 0 — IP
  • 1 — ICMP
  • 6 — TCP
  • 17 — UDP

Impact Flags

bits[8]

Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:

  • 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
  • 0x02 (bit 1) — Source or destination host exists in the network map.
  • 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
  • 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
  • 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
  • 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Firepower System web interface.
  • 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
  • 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event.

The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:

  • (0, unknown): 00X00000
  • red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX
  • orange (2, potentially vulnerable): 00X00111
  • yellow (3, currently not vulnerable): 00X00011
  • blue (4, unknown target): 00X00001

Impact

uint8

Impact flag value of the event. Values are:

  • 1 — Red (vulnerable)
  • 2 — Orange (potentially vulnerable)
  • 3 — Yellow (currently not vulnerable)
  • 4 — Blue (unknown target)
  • 5 — (unknown impact)

Blocked

uint8

Value indicating whether the event was blocked.

  • 0 — Not blocked
  • 1 — Blocked
  • 2 — Would be blocked (but not permitted by configuration)

MPLS Label

uint32

MPLS label.

VLAN ID

uint16

Indicates the ID of the VLAN where the packet originated.

Pad

uint16

Reserved for future use.

Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the intrusion policy.

User ID

uint32

The internal identification number for the user, if applicable.

Web Application ID

uint32

The internal identification number for the web application, if applicable.

Client Application ID

uint32

The internal identification number for the client application, if applicable.

Application Protocol ID

uint32

The internal identification number for the application protocol, if applicable.

Access Control Rule ID

uint32

A rule ID number that acts as a unique identifier for the access control rule.

Access Control Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the access control policy.

Ingress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the ingress interface.

Egress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the egress interface.

Ingress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the ingress security zone.

Egress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the egress security zone.

Connection Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.

Connection Instance ID

uint16

Numerical ID of the Snort instance on the managed device that generated the connection event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Intrusion Event Record 5.3.1

The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 42 in the series 2 set of data blocks.

You can request 5.3.1 intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 7 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).

For version 5.3.1 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.

 

Record layout. Each item is one 32-bit row (bytes 0-3, bits 0-31); fields that share a row are separated by "|".

  • Header Version (1) | Message Type (4)
  • Message Length
  • Netmap ID | Record Type (400)
  • Record Length
  • eStreamer Server Timestamp (in events, only if bit 23 is set)
  • Reserved for Future Use (in events, only if bit 23 is set)
  • Block Type (42)
  • Block Length
  • Device ID
  • Event ID
  • Event Second
  • Event Microsecond
  • Rule ID (Signature ID)
  • Generator ID
  • Rule Revision
  • Classification ID
  • Priority ID
  • Source IP Address (4 rows)
  • Destination IP Address (4 rows)
  • Source Port or ICMP Type | Destination Port or ICMP Code
  • IP Protocol ID | Impact Flags | Impact | Blocked
  • MPLS Label
  • VLAN ID | Pad
  • Policy UUID (4 rows)
  • User ID
  • Web Application ID
  • Client Application ID
  • Application Protocol ID
  • Access Control Rule ID
  • Access Control Policy UUID (4 rows)
  • Interface Ingress UUID (4 rows)
  • Interface Egress UUID (4 rows)
  • Security Zone Ingress UUID (4 rows)
  • Security Zone Egress UUID (4 rows)
  • Connection Timestamp
  • Connection Instance ID | Connection Counter
  • Source Country | Destination Country
  • IOC Number | Security Context
  • Security Context, continued (4 rows)

 

The following table describes each intrusion event record data field.

 

Table B-6 Intrusion Event Record 5.3.1 Fields

Field
Data Type
Description

Block Type

uint32

Initiates an Intrusion Event data block. This value is always 42.

Block Length

uint32

Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.

Device ID

uint32

Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.

Event ID

uint32

Event identification number.

Event Second

uint32

UNIX timestamp (seconds since 01/01/1970) of the event’s detection.

Event Microsecond

uint32

Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.

Rule ID (Signature ID)

uint32

Rule identification number that corresponds with the event.

Generator ID

uint32

Identification number of the Firepower System preprocessor that generated the event.

Rule Revision

uint32

Rule revision number.

Classification ID

uint32

Identification number of the event classification message.

Priority ID

uint32

Identification number of the priority associated with the event.

Source IP Address

uint8[16]

Source IPv4 or IPv6 address used in the event.

Destination IP Address

uint8[16]

Destination IPv4 or IPv6 address used in the event.

Source Port or ICMP Type

uint16

The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.

Destination Port or ICMP Code

uint16

The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.

IP Protocol Number

uint8

IANA-specified protocol number. For example:

  • 0 — IP
  • 1 — ICMP
  • 6 — TCP
  • 17 — UDP

Impact Flags

bits[8]

Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:

  • 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
  • 0x02 (bit 1) — Source or destination host exists in the network map.
  • 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
  • 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
  • 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
  • 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Firepower System web interface.
  • 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
  • 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event. (version 5.0+ only)

The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:

  • (0, unknown): 00X00000
  • red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX (version 5.0+ only)
  • orange (2, potentially vulnerable): 00X0011X
  • yellow (3, currently not vulnerable): 00X0001X
  • blue (4, unknown target): 00X00001

Impact

uint8

Impact flag value of the event. Values are:

  • 1 — Red (vulnerable)
  • 2 — Orange (potentially vulnerable)
  • 3 — Yellow (currently not vulnerable)
  • 4 — Blue (unknown target)
  • 5 — (unknown impact)

Blocked

uint8

Value indicating whether the event was blocked.

  • 0 — Not blocked
  • 1 — Blocked
  • 2 — Would be blocked (but not permitted by configuration)

MPLS Label

uint32

MPLS label.

VLAN ID

uint16

Indicates the ID of the VLAN where the packet originated.

Pad

uint16

Reserved for future use.

Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the intrusion policy.

User ID

uint32

The internal identification number for the user, if applicable.

Web Application ID

uint32

The internal identification number for the web application, if applicable.

Client Application ID

uint32

The internal identification number for the client application, if applicable.

Application Protocol ID

uint32

The internal identification number for the application protocol, if applicable.

Access Control Rule ID

uint32

A rule ID number that acts as a unique identifier for the access control rule.

Access Control Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the access control policy.

Ingress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the ingress interface.

Egress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the egress interface.

Ingress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the ingress security zone.

Egress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the egress security zone.

Connection Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.

Connection Instance ID

uint16

Numerical ID of the Snort instance on the managed device that generated the connection event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

IOC Number

uint16

ID number of the compromise associated with this event.

Security Context

uint8[16]

ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.

Intrusion Event Record 5.4.x

The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 45 in the series 2 set of data blocks. It supersedes block type 42, and is superseded by block type 60. Fields for SSL support and Network Analysis Policy have been added.

You can request 5.4.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 8 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).

 

Record layout. Each item is one 32-bit row (bytes 0-3, bits 0-31); fields that share a row are separated by "|".

  • Header Version (1) | Message Type (4)
  • Message Length
  • Netmap ID | Record Type (400)
  • Record Length
  • eStreamer Server Timestamp (in events, only if bit 23 is set)
  • Reserved for Future Use (in events, only if bit 23 is set)
  • Block Type (45)
  • Block Length
  • Device ID
  • Event ID
  • Event Second
  • Event Microsecond
  • Rule ID (Signature ID)
  • Generator ID
  • Rule Revision
  • Classification ID
  • Priority ID
  • Source IP Address (4 rows)
  • Destination IP Address (4 rows)
  • Source Port or ICMP Type | Destination Port or ICMP Code
  • IP Protocol ID | Impact Flags | Impact | Blocked
  • MPLS Label
  • VLAN ID | Pad
  • Policy UUID (4 rows)
  • User ID
  • Web Application ID
  • Client Application ID
  • Application Protocol ID
  • Access Control Rule ID
  • Access Control Policy UUID (4 rows)
  • Interface Ingress UUID (4 rows)
  • Interface Egress UUID (4 rows)
  • Security Zone Ingress UUID (4 rows)
  • Security Zone Egress UUID (4 rows)
  • Connection Timestamp
  • Connection Instance ID | Connection Counter
  • Source Country | Destination Country
  • IOC Number | Security Context
  • Security Context, continued (3 rows)
  • Security Context, continued | SSL Certificate Fingerprint
  • SSL Certificate Fingerprint, continued (4 rows)
  • SSL Certificate Fingerprint, continued | SSL Actual Action
  • SSL Flow Status | Network Analysis Policy UUID
  • Network Analysis Policy UUID, continued (4 rows)

 

The following table describes each intrusion event record data field.

 

Table B-7 Intrusion Event Record 5.4.x Fields

Field
Data Type
Description

Block Type

uint32

Initiates an Intrusion Event data block. This value is always 45.

Block Length

uint32

Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.

Device ID

uint32

Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.

Event ID

uint32

Event identification number.

Event Second

uint32

UNIX timestamp (seconds since 01/01/1970) of the event’s detection.

Event Microsecond

uint32

Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.

Rule ID (Signature ID)

uint32

Rule identification number that corresponds with the event.

Generator ID

uint32

Identification number of the Firepower System preprocessor that generated the event.

Rule Revision

uint32

Rule revision number.

Classification ID

uint32

Identification number of the event classification message.

Priority ID

uint32

Identification number of the priority associated with the event.

Source IP Address

uint8[16]

Source IPv4 or IPv6 address used in the event.

Destination IP Address

uint8[16]

Destination IPv4 or IPv6 address used in the event.

Source Port or ICMP Type

uint16

The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.

Destination Port or ICMP Code

uint16

The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.

IP Protocol Number

uint8

IANA-specified protocol number. For example:

  • 0 — IP
  • 1 — ICMP
  • 6 — TCP
  • 17 — UDP

Impact Flags

bits[8]

Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:

  • 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
  • 0x02 (bit 1) — Source or destination host exists in the network map.
  • 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
  • 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
  • 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
  • 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Firepower System web interface.
  • 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
  • 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event. (version 5.0+ only)

The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:

  • gray (0, unknown): 00X00000
  • red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX (version 5.0+ only)
  • orange (2, potentially vulnerable): 00X0011X
  • yellow (3, currently not vulnerable): 00X0001X
  • blue (4, unknown target): 00X00001

Impact

uint8

Impact flag value of the event. Values are:

  • 1 — Red (vulnerable)
  • 2 — Orange (potentially vulnerable)
  • 3 — Yellow (currently not vulnerable)
  • 4 — Blue (unknown target)
  • 5 — Gray (unknown impact)

Blocked

uint8

Value indicating whether the event was blocked.

  • 0 — Not blocked
  • 1 — Blocked
  • 2 — Would be blocked (but not permitted by configuration)

MPLS Label

uint32

MPLS label.

VLAN ID

uint16

Indicates the ID of the VLAN where the packet originated.

Pad

uint16

Reserved for future use.

Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the intrusion policy.

User ID

uint32

The internal identification number for the user, if applicable.

Web Application ID

uint32

The internal identification number for the web application, if applicable.

Client Application ID

uint32

The internal identification number for the client application, if applicable.

Application Protocol ID

uint32

The internal identification number for the application protocol, if applicable.

Access Control Rule ID

uint32

A rule ID number that acts as a unique identifier for the access control rule.

Access Control Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the access control policy.

Ingress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the ingress interface.

Egress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the egress interface.

Ingress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the ingress security zone.

Egress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the egress security zone.

Connection Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.

Connection Instance ID

uint16

Numerical ID of the Snort instance on the managed device that generated the connection event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

IOC Number

uint16

ID number of the compromise associated with this event.

Security Context

uint8[16]

ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.

SSL Certificate Fingerprint

uint8[20]

SHA1 hash of the SSL Server certificate.

SSL Actual Action

uint16

The action performed on the connection based on the SSL Rule. This may differ from the expected action, because the action specified in the rule may be impossible. Possible values include:

  • 0 — 'Unknown'
  • 1 — 'Do Not Decrypt'
  • 2 — 'Block'
  • 3 — 'Block With Reset'
  • 4 — 'Decrypt (Known Key)'
  • 5 — 'Decrypt (Replace Key)'
  • 6 — 'Decrypt (Resign)'

SSL Flow Status

uint16

Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include:

  • 0 — 'Unknown'
  • 1 — 'No Match'
  • 2 — 'Success'
  • 3 — 'Uncached Session'
  • 4 — 'Unknown Cipher Suite'
  • 5 — 'Unsupported Cipher Suite'
  • 6 — 'Unsupported SSL Version'
  • 7 — 'SSL Compression Used'
  • 8 — 'Session Undecryptable in Passive Mode'
  • 9 — 'Handshake Error'
  • 10 — 'Decryption Error'
  • 11 — 'Pending Server Name Category Lookup'
  • 12 — 'Pending Common Name Category Lookup'
  • 13 — 'Internal Error'
  • 14 — 'Network Parameters Unavailable'
  • 15 — 'Invalid Server Certificate Handle'
  • 16 — 'Server Certificate Fingerprint Unavailable'
  • 17 — 'Cannot Cache Subject DN'
  • 18 — 'Cannot Cache Issuer DN'
  • 19 — 'Unknown SSL Version'
  • 20 — 'External Certificate List Unavailable'
  • 21 — 'External Certificate Fingerprint Unavailable'
  • 22 — 'Internal Certificate List Invalid'
  • 23 — 'Internal Certificate List Unavailable'
  • 24 — 'Internal Certificate Unavailable'
  • 25 — 'Internal Certificate Fingerprint Unavailable'
  • 26 — 'Server Certificate Validation Unavailable'
  • 27 — 'Server Certificate Validation Failure'
  • 28 — 'Invalid Action'

Network Analysis Policy UUID

uint8[16]

The UUID of the Network Analysis Policy that created the intrusion event.
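A parser for the block type 45 layout in Table B-7, added here as an example (it is not Cisco's code). It assumes network (big-endian) byte order and that IPv4 addresses arrive IPv4-mapped in the 16-byte address fields, neither of which this section states; all function names and the sample block are constructed, and the impact color follows the Table B-7 bit patterns.

```python
import ipaddress
import struct
import uuid
from datetime import datetime, timezone

# (name, struct code) in Table B-7 order for block type 45; widths come from the table.
FIELDS = [
    ("block_type", "I"), ("block_length", "I"), ("device_id", "I"), ("event_id", "I"),
    ("event_second", "I"), ("event_microsecond", "I"), ("rule_id", "I"),
    ("generator_id", "I"), ("rule_revision", "I"), ("classification_id", "I"),
    ("priority_id", "I"), ("source_ip", "16s"), ("destination_ip", "16s"),
    ("source_port_or_icmp_type", "H"), ("destination_port_or_icmp_code", "H"),
    ("ip_protocol", "B"), ("impact_flags", "B"), ("impact", "B"), ("blocked", "B"),
    ("mpls_label", "I"), ("vlan_id", "H"), ("pad", "H"), ("policy_uuid", "16s"),
    ("user_id", "I"), ("web_application_id", "I"), ("client_application_id", "I"),
    ("application_protocol_id", "I"), ("access_control_rule_id", "I"),
    ("access_control_policy_uuid", "16s"), ("ingress_interface_uuid", "16s"),
    ("egress_interface_uuid", "16s"), ("ingress_zone_uuid", "16s"),
    ("egress_zone_uuid", "16s"), ("connection_timestamp", "I"),
    ("connection_instance_id", "H"), ("connection_counter", "H"),
    ("source_country", "H"), ("destination_country", "H"), ("ioc_number", "H"),
    ("security_context", "16s"), ("ssl_certificate_fingerprint", "20s"),
    ("ssl_actual_action", "H"), ("ssl_flow_status", "H"),
    ("network_analysis_policy_uuid", "16s"),
]
# ">" is big-endian with no padding; the byte order is an assumption of this example.
LAYOUT = struct.Struct(">" + "".join(code for _, code in FIELDS))
BLOCK_TYPE = 45
BLOCK_SIZE = LAYOUT.size  # 278 bytes, block type and length fields included
BLOCKED = {0: "Not blocked", 1: "Blocked", 2: "Would be blocked"}


def impact_color(flags):
    """Map an Impact Flags byte to the color its bit pattern has in Table B-7."""
    if flags & 0xD8:            # bit 3, 4, 6 or 7 set: XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX
        return "red"
    low = flags & 0x07          # bit 5 is X in every remaining pattern
    if low & 0x06 == 0x06:      # 00X0011X
        return "orange"
    if low & 0x06 == 0x02:      # 00X0001X
        return "yellow"
    if low == 0x01:             # 00X00001
        return "blue"
    if low == 0x00:             # 00X00000
        return "gray"
    return None                 # bit 2 set without bit 1: no pattern is listed


def _address(raw):
    # Assumption: an IPv4 address is carried IPv4-mapped (::ffff:a.b.c.d) in the 16 bytes.
    addr = ipaddress.IPv6Address(raw)
    return str(addr.ipv4_mapped if addr.ipv4_mapped is not None else addr)


def parse_intrusion_event_5_4(data):
    """Decode one block type 45 data block; raise ValueError on a type or length mismatch."""
    if len(data) < 8:
        raise ValueError("truncated block header")
    block_type, block_length = struct.unpack_from(">II", data)
    if block_type != BLOCK_TYPE:
        raise ValueError(f"unexpected block type {block_type}")
    if block_length != BLOCK_SIZE or len(data) < block_length:
        raise ValueError(f"block length {block_length} does not match the fixed layout")
    rec = dict(zip((name for name, _ in FIELDS), LAYOUT.unpack_from(data)))
    if rec["event_microsecond"] >= 1_000_000:
        raise ValueError("event microsecond out of range")
    for name, value in list(rec.items()):
        if name.endswith("_uuid"):
            rec[name] = str(uuid.UUID(bytes=value))
        elif name.endswith("_ip"):
            rec[name] = _address(value)
        elif isinstance(value, bytes):   # security context, certificate fingerprint
            rec[name] = value.hex()
    when = datetime.fromtimestamp(rec["event_second"], timezone.utc)
    rec["event_time"] = when.replace(microsecond=rec["event_microsecond"]).isoformat()
    rec["impact_color"] = impact_color(rec["impact_flags"])
    rec["blocked_text"] = BLOCKED.get(rec["blocked"], "undocumented value")
    return rec


def build_sample():
    """Constructed sample block; every value is invented for this example."""
    values = {n: (bytes(int(c[:-1])) if c.endswith("s") else 0) for n, c in FIELDS}
    values.update(
        block_type=BLOCK_TYPE, block_length=BLOCK_SIZE, device_id=3, event_id=1001,
        event_second=1400000000, event_microsecond=250000, rule_id=1000001,
        source_ip=ipaddress.IPv6Address("::ffff:192.0.2.10").packed,
        destination_ip=ipaddress.IPv6Address("2001:db8::5").packed,
        source_port_or_icmp_type=49152, destination_port_or_icmp_code=443,
        ip_protocol=6, impact_flags=0x27, impact=2, blocked=1,
        ssl_certificate_fingerprint=bytes(range(20)),
    )
    return LAYOUT.pack(*(values[n] for n, _ in FIELDS))


if __name__ == "__main__":
    print(parse_intrusion_event_5_4(build_sample()))
```

Flag values with bit 2 set and bit 1 clear match none of the listed patterns, so `impact_color` returns `None` for them rather than guessing a level.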

Intrusion Impact Alert Data

The Intrusion Impact Alert event contains information about impact events. It is transmitted when an intrusion event is compared to the system network map data and the impact is determined. It uses the standard record header with a record type of 9, followed by an Intrusion Impact Alert data block with a data block type of 20 in the series 1 group of blocks. (The Impact Alert data block is a type of series 1 data block. For more information about series 1 data blocks, see Understanding Discovery (Series 1) Blocks.)

You can request that eStreamer only transmit intrusion impact events by setting bit 5 in the Flags field of the request message. See Event Stream Request Message Format for more information about request messages. Version 1 of these alerts only handles IPv4. Version 2, introduced in 5.3, handles IPv6 events in addition to IPv4.

 

Record layout. Each item is one 32-bit row (bytes 0-3, bits 0-31); fields that share a row are separated by "|".

  • Header Version (1) | Message Type (4)
  • Message Length
  • Netmap ID | Record Type (9)
  • Record Length
  • Intrusion Impact Alert Block Type (20)
  • Intrusion Impact Alert Block Length
  • Event ID
  • Device ID
  • Event Second
  • Impact
  • Source IP Address
  • Destination IP Address
  • Impact Description: String Block Type (0)
  • Impact Description: String Block Length
  • Impact Description: Description...

The following table describes each data field in an impact event.

 

Table B-8 Impact Event Data Fields

Field | Data Type | Description
--- | --- | ---
Intrusion Impact Alert Block Type | uint32 | Indicates that an intrusion impact alert data block follows. This field will always have a value of 20. See Intrusion Event and Metadata Record Types.
Intrusion Impact Alert Block Length | uint32 | Indicates the length of the intrusion impact alert data block, including all data that follows and 8 bytes for the intrusion impact alert block type and length.
Event ID | uint32 | Indicates the event identification number.
Device ID | uint32 | Indicates the managed device identification number.
Event Second | uint32 | Indicates the second (from 01/01/1970) that the event was detected.
Impact | bits[8] | Impact flag value of the event. The low-order eight bits indicate the impact level. The flag values and their mapping to priorities are listed after this table.
Source IP Address | uint8[4] | IP address of the host associated with the impact event, in IP address octets.
Destination IP Address | uint8[4] | Destination IP address associated with the impact event (if applicable), in IP address octets. This value is 0 if there is no destination IP address.
String Block Type | uint32 | Initiates a string data block that contains the impact name. This value is always set to 0. For more information about string blocks, see String Data Block.
String Block Length | uint32 | Number of bytes in the event description string block. This includes the four bytes for the string block type, the four bytes for the string block length, and the number of bytes in the description.
Description | string | Description of the impact event.

Values of the Impact field are:

  • 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
  • 0x02 (bit 1) — Source or destination host exists in the network map.
  • 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
  • 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
  • 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
  • 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Firepower System web interface.
  • 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
  • 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event. (version 5.0+ only)

The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:

  • (0, unknown): 00X00000
  • red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX (version 5.0+ only)
  • orange (2, potentially vulnerable): 00X0011X
  • yellow (3, currently not vulnerable): 00X0001X
  • blue (4, unknown target): 00X00001
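The impact flag bits and the level patterns given for Table B-8 can be decoded mechanically, which is how a client would turn the raw value into a triage priority. The following Python is an added example, not code from the eStreamer documentation or SDK; the function names and label strings are assumptions of the example, and a flag combination that matches none of the listed patterns is reported as unmapped rather than guessed.

```python
# Added example: decode the impact flag value described for Table B-8.
# Function names and label strings are this example's own, not eStreamer identifiers.

FLAG_MEANINGS = {
    0x01: "host is in a monitored network",
    0x02: "host exists in the network map",
    0x04: "host runs a server on the event port or uses the IP protocol",
    0x08: "vulnerability mapped to the host operating system",
    0x10: "vulnerability mapped to the detected server",
    0x20: "managed device dropped the session (blocked)",
    0x40: "rule metadata sets the impact flag to red",
    0x80: "vulnerability mapped to the detected client (5.0+ only)",
}

# Patterns exactly as listed on the page, bit 7 first; X matches 0 or 1.
LEVEL_PATTERNS = [
    (0, "unknown", ("00X00000",)),
    (1, "red (vulnerable)", ("XXXX1XXX", "XXX1XXXX", "X1XXXXXX", "1XXXXXXX")),
    (2, "orange (potentially vulnerable)", ("00X0011X",)),
    (3, "yellow (currently not vulnerable)", ("00X0001X",)),
    (4, "blue (unknown target)", ("00X00001",)),
]


def matches(value, pattern):
    """True if the low-order eight bits of value fit a pattern such as 00X0011X."""
    bits = format(value & 0xFF, "08b")
    return all(p in ("X", b) for p, b in zip(pattern, bits))


def impact_level(impact):
    """Return (level, label) for an impact value, or None if no pattern matches."""
    value = impact & 0xFF  # only the low-order eight bits carry the level
    for level, label, patterns in LEVEL_PATTERNS:
        if any(matches(value, p) for p in patterns):
            return level, label
    return None  # e.g. 0x04: bit 2 set without bit 1 is not listed on the page


def describe_impact(impact):
    """Expand an impact value into its level, blocked status and set flags."""
    value = impact & 0xFF
    return {
        "raw": value,
        "level": impact_level(value),
        "blocked": bool(value & 0x20),
        "flags": [text for bit, text in FLAG_MEANINGS.items() if value & bit],
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from real events.
    for sample in (0x00, 0x01, 0x03, 0x27, 0x0B, 0x04):
        print(f"0x{sample:02x}", describe_impact(sample))
```

Treat an unmapped result as a parsing anomaly worth logging instead of silently assigning it the lowest priority.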

Legacy Malware Event Data Structures

Malware Event Data Block 5.1

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 16 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 1 and an event code of 101.

The following graphic shows the structure of the malware event data block:

 

Byte 0 (bits 0-7), byte 1 (bits 8-15), byte 2 (bits 16-23), byte 3 (bits 24-31)

 

Malware Event Block Type (16)

 

Malware Event Block Length

 

Agent UUID

Agent UUID, continued

Agent UUID, continued

 

Agent UUID, continued

 

Cloud UUID

 

Cloud UUID, continued

 

Cloud UUID, continued

 

Cloud UUID, continued

 

Timestamp

 

Event Type ID

 

Event Subtype ID

Host IP Address

Detection Name

Host IP Address, cont.

Detector ID

String Block Type (0)

String Block Type (0), cont.

String Block Length

String Block Length, cont.

Detection Name...

User

String Block Type (0)

String Block Length

User...

File Name

String Block Type (0)

String Block Length

File Name...

File Path

String Block Type (0)

String Block Length

File Path...

File SHA

Hash

String Block Type (0)

String Block Length

File SHA Hash...

 

File Size

 

File Type

File Timestamp

Parent File

Name

File Timestamp, cont.

String Block Type (0)

String Block Type (0), cont.

String Block Length

String Block Length, cont.

Parent File Name...

Parent File

SHA Hash

String Block Type (0)

String Block Length

Parent File SHA Hash...

Event

Description

String Block Type (0)

String Block Length

Event Description...

The following table describes the fields in the malware event data block.

 

Table B-9 Malware Event Data Block Fields

Field | Data Type | Description
--- | --- | ---
Malware Event Block Type | uint32 | Initiates a malware event data block. This value is always 16.
Malware Event Block Length | uint32 | Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.
Agent UUID | uint8[16] | The internal unique ID of the AMP for Endpoints agent reporting the malware event.
Cloud UUID | uint8[16] | The internal unique ID of the malware awareness network from which the malware event originated.
Timestamp | uint32 | The malware event generation timestamp.
Event Type ID | uint32 | The internal ID of the malware event type.
Event Subtype ID | uint8 | The internal ID of the action that led to malware detection.
Host IP Address | uint32 | The host IP address associated with the malware event.
Detector ID | uint8 | The internal ID of the detection technology that detected the malware.
String Block Type | uint32 | Initiates a String data block containing the detection name. This value is always 0.
String Block Length | uint32 | The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.
Detection Name | string | The name of the detected or quarantined malware.
String Block Type | uint32 | Initiates a String data block containing the username. This value is always 0.
String Block Length | uint32 | The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.
User | string | The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.
String Block Type | uint32 | Initiates a String data block containing the file name. This value is always 0.
String Block Length | uint32 | The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.
File Name | string | The name of the detected or quarantined file.
String Block Type | uint32 | Initiates a String data block containing the file path. This value is always 0.
String Block Length | uint32 | The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.
File Path | string | The file path, not including the file name, of the detected or quarantined file.
String Block Type | uint32 | Initiates a String data block containing the file SHA hash. This value is always 0.
String Block Length | uint32 | The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.
File SHA Hash | string | The SHA-256 hash value of the detected or quarantined file.
File Size | uint32 | The size in bytes of the detected or quarantined file.
File Type | uint8 | The file type of the detected or quarantined file.
File Timestamp | uint32 | The creation timestamp of the detected or quarantined file.
String Block Type | uint32 | Initiates a String data block containing the parent file name. This value is always 0.
String Block Length | uint32 | The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.
Parent File Name | string | The name of the file accessing the detected or quarantined file when detection occurred.
String Block Type | uint32 | Initiates a String data block containing the parent file SHA hash. This value is always 0.
String Block Length | uint32 | The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.
Parent File SHA Hash | string | The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.
String Block Type | uint32 | Initiates a String data block containing the event description. This value is always 0.
String Block Length | uint32 | The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.
Event Description | string | The additional event information associated with the event type.
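A client reading the 5.1 malware event data block has to walk eight nested string blocks whose lengths arrive from the stream, so each length should be checked against the enclosing block length before it is used. The parser below is an added example, not Cisco code: it assumes network (big-endian) byte order and UTF-8 strings with optional trailing NUL bytes, its names are the example's own, and the sample block is constructed.

```python
import ipaddress
import struct
import uuid

MALWARE_BLOCK_TYPE_5_1 = 16   # block type from Table B-9
STRING_BLOCK_TYPE = 0         # string block type from Table B-9
BYTE_ORDER = ">"              # assumption: fields are in network byte order


class BlockError(ValueError):
    """A type or length field contradicts the documented layout."""


class Reader:
    """Cursor that never reads past the end of the enclosing block."""

    def __init__(self, data, start, end):
        self.data, self.pos, self.end = data, start, end

    def take(self, n):
        if n < 0 or self.pos + n > self.end:
            raise BlockError(f"{n} bytes wanted at offset {self.pos}, block ends at {self.end}")
        chunk = bytes(self.data[self.pos:self.pos + n])
        self.pos += n
        return chunk

    def unpack(self, fmt):
        fmt = BYTE_ORDER + fmt  # explicit byte order also disables struct padding
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))

    def string(self, field):
        btype, blen = self.unpack("II")
        if btype != STRING_BLOCK_TYPE:
            raise BlockError(f"{field}: string block type {btype}, expected 0")
        if blen < 8:  # the length counts its own 8-byte header
            raise BlockError(f"{field}: string block length {blen} is below 8")
        raw = self.take(blen - 8)
        return raw.rstrip(b"\x00").decode("utf-8", errors="replace")


def parse_malware_block_5_1(data):
    """Parse one block laid out as in Table B-9; raise BlockError if malformed."""
    if len(data) < 8:
        raise BlockError("input shorter than the 8-byte block header")
    btype, blen = struct.unpack(BYTE_ORDER + "II", data[:8])
    if btype != MALWARE_BLOCK_TYPE_5_1:
        raise BlockError(f"block type {btype}, expected {MALWARE_BLOCK_TYPE_5_1}")
    if blen < 8 or blen > len(data):
        raise BlockError(f"block length {blen} does not fit {len(data)} bytes received")
    r = Reader(data, 8, blen)
    ev = {"agent_uuid": str(uuid.UUID(bytes=r.take(16))),
          "cloud_uuid": str(uuid.UUID(bytes=r.take(16)))}
    ev["timestamp"], ev["event_type_id"] = r.unpack("II")
    # uint8, uint32, uint8 are packed back to back, so the IP is unaligned.
    ev["event_subtype_id"], host, ev["detector_id"] = r.unpack("BIB")
    ev["host_ip"] = str(ipaddress.IPv4Address(host))
    for field in ("detection_name", "user", "file_name", "file_path", "file_sha"):
        ev[field] = r.string(field)
    ev["file_size"], ev["file_type"], ev["file_timestamp"] = r.unpack("IBI")
    for field in ("parent_file_name", "parent_file_sha", "event_description"):
        ev[field] = r.string(field)
    if r.pos != blen:
        raise BlockError(f"{blen - r.pos} unparsed bytes left in block")
    return ev


def build_sample():
    """Constructed block for the demonstration; every value is made up."""
    def s(text):
        raw = text.encode()
        return struct.pack(">II", STRING_BLOCK_TYPE, 8 + len(raw)) + raw
    body = bytes(range(16)) + bytes(range(16, 32))
    body += struct.pack(">IIBIB", 1700000000, 1, 2,
                        int(ipaddress.IPv4Address("192.0.2.10")), 3)
    body += s("Constructed.Detection") + s("alice") + s("sample.bin")
    body += s("C:\\Temp") + s("0" * 64)
    body += struct.pack(">IBI", 1234, 9, 1690000000)
    body += s("parent.exe") + s("1" * 64) + s("constructed description")
    return struct.pack(">II", MALWARE_BLOCK_TYPE_5_1, 8 + len(body)) + body


if __name__ == "__main__":
    print(parse_malware_block_5_1(build_sample()))
```

The later block versions (24, 33, 35) append fields to this layout, so the same bounded reader applies with a longer field list.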

Malware Event Data Block 5.1.1.x

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 24 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 2 and an event code of 101.

The following graphic shows the structure of the malware event data block:

 

Byte 0 (bits 0-7), byte 1 (bits 8-15), byte 2 (bits 16-23), byte 3 (bits 24-31)

 

Malware Event Block Type (24)

 

Malware Event Block Length

 

Agent UUID

Agent UUID, continued

Agent UUID, continued

 

Agent UUID, continued

 

Cloud UUID

 

Cloud UUID, continued

 

Cloud UUID, continued

 

Cloud UUID, continued

 

Malware Event Timestamp

 

Event Type ID

 

Event Subtype ID

Host IP Address

Detection Name

Host IP Address, cont.

Detector ID

String Block Type (0)

String Block Type (0), cont.

String Block Length

String Block Length, cont.

Detection Name...

User

String Block Type (0)

String Block Length

User...

File Name

String Block Type (0)

String Block Length

File Name...

File Path

String Block Type (0)

String Block Length

File Path...

File SHA

Hash

String Block Type (0)

String Block Length

File SHA Hash...

 

File Size

 

File Type

File Timestamp

Parent File

Name

File Timestamp, cont.

String Block Type (0)

String Block Type (0), cont.

String Block Length

String Block Length, cont.

Parent File Name...

Parent File

SHA Hash

String Block Type (0)

String Block Length

Parent File SHA Hash...

Event

Description

String Block Type (0)

String Block Length

Event Description...

 

Device ID

 

Connection Instance

Connection Counter

 

Connection Event Timestamp

 

Direction

Source IP Address

 

Source IP Address, continued

Source IP Address, continued

Source IP Address, continued

 

 

 

Source IP, cont.

Destination IP Address

 

Destination IP Address, continued

Destination IP Address, continued

Destination IP Address, continued

 

 

 

Destination IP, cont

Application ID

 

App. ID, cont.

User ID

 

User ID, cont.

Access Control Policy UUID

 

Access Control Policy UUID, continued

Access Control Policy UUID, continued

Access Control Policy UUID, continued

 

 

URI

AC Pol UUID, cont.

Disposition

Retro. Disposition

Str. Block Type (0)

String Block Type (0), continued

String Block Length

String Block Length, continued

URI...

 

Source Port

Destination Port

The following table describes the fields in the malware event data block.

 

Table B-10 Malware Event Data Block for 5.1.1.x Fields

Field | Data Type | Description
--- | --- | ---
Malware Event Block Type | uint32 | Initiates a malware event data block. This value is always 24.
Malware Event Block Length | uint32 | Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.
Agent UUID | uint8[16] | The internal unique ID of the AMP for Endpoints agent reporting the malware event.
Cloud UUID | uint8[16] | The internal unique ID of the malware awareness network from which the malware event originated.
Malware Event Timestamp | uint32 | The malware event generation timestamp.
Event Type ID | uint32 | The internal ID of the malware event type.
Event Subtype ID | uint8 | The internal ID of the action that led to malware detection.
Host IP Address | uint32 | The host IP address associated with the malware event.
Detector ID | uint8 | The internal ID of the detection technology that detected the malware.
String Block Type | uint32 | Initiates a String data block containing the detection name. This value is always 0.
String Block Length | uint32 | The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.
Detection Name | string | The name of the detected or quarantined malware.
String Block Type | uint32 | Initiates a String data block containing the username. This value is always 0.
String Block Length | uint32 | The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.
User | string | The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.
String Block Type | uint32 | Initiates a String data block containing the file name. This value is always 0.
String Block Length | uint32 | The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.
File Name | string | The name of the detected or quarantined file.
String Block Type | uint32 | Initiates a String data block containing the file path. This value is always 0.
String Block Length | uint32 | The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.
File Path | string | The file path, not including the file name, of the detected or quarantined file.
String Block Type | uint32 | Initiates a String data block containing the file SHA hash. This value is always 0.
String Block Length | uint32 | The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.
File SHA Hash | string | The rendered string of the SHA-256 hash value of the detected or quarantined file.
File Size | uint32 | The size in bytes of the detected or quarantined file.
File Type | uint8 | The file type of the detected or quarantined file.
File Timestamp | uint32 | UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.
String Block Type | uint32 | Initiates a String data block containing the parent file name. This value is always 0.
String Block Length | uint32 | The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.
Parent File Name | string | The name of the file accessing the detected or quarantined file when detection occurred.
String Block Type | uint32 | Initiates a String data block containing the parent file SHA hash. This value is always 0.
String Block Length | uint32 | The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.
Parent File SHA Hash | string | The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.
String Block Type | uint32 | Initiates a String data block containing the event description. This value is always 0.
String Block Length | uint32 | The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.
Event Description | string | The additional event information associated with the event type.
Device ID | uint32 | ID for the device that generated the event.
Connection Instance | uint16 | Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.
Connection Counter | uint16 | Value used to distinguish between connection events that happen during the same second.
Connection Event Timestamp | uint32 | Timestamp of the connection event.
Direction | uint8 | Indicates whether the file was uploaded or downloaded. Can have the following values: 1 (Download), 2 (Upload). Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).
Source IP Address | uint8[16] | IPv4 or IPv6 address for the source of the connection.
Destination IP Address | uint8[16] | IPv4 or IPv6 address for the destination of the connection.
Application ID | uint32 | ID number that maps to the application using the file transfer.
User ID | uint32 | Identification number for the user logged into the destination host, as identified by the system.
Access Control Policy UUID | uint8[16] | Identification number that acts as a unique identifier for the access control policy that triggered the event.
Disposition | uint8 | The malware status of the file. Possible values include: 1 (CLEAN): the file is clean and does not contain malware; 2 (UNKNOWN): it is unknown whether the file contains malware; 3 (MALWARE): the file contains malware; 4 (CACHE_MISS): the software was unable to send a request to the Cisco cloud for a disposition; 5 (NO_CLOUD_RESP): the Cisco cloud services did not respond to the request.
Retrospective Disposition | uint8 | Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.
String Block Type | uint32 | Initiates a String data block containing the URI. This value is always 0.
String Block Length | uint32 | The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.
URI | string | URI of the connection.
Source Port | uint16 | Port number for the source of the connection.
Destination Port | uint16 | Port number for the destination of the connection.

Malware Event Data Block 5.2.x

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 33 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 3 and an event code of 101.

The following graphic shows the structure of the malware event data block:

 

Byte 0 (bits 0-7), byte 1 (bits 8-15), byte 2 (bits 16-23), byte 3 (bits 24-31)

 

Malware Event Block Type (33)

 

Malware Event Block Length

 

Agent UUID

Agent UUID, continued

Agent UUID, continued

 

Agent UUID, continued

 

Cloud UUID

 

Cloud UUID, continued

 

Cloud UUID, continued

 

Cloud UUID, continued

 

Malware Event Timestamp

 

Event Type ID

Detection Name

Event Subtype ID

Detector ID

String Block Type (0)

String Block Type (0), cont.

String Block Length

String Block Length, cont.

Detection Name...

User

String Block Type (0)

String Block Length

User...

File Name

String Block Type (0)

String Block Length

File Name...

File Path

String Block Type (0)

String Block Length

File Path...

File SHA

Hash

String Block Type (0)

String Block Length

File SHA Hash...

 

File Size

 

File Type

 

File Timestamp

Parent File

Name

String Block Type (0)

String Block Length

Parent File Name...

Parent File

SHA Hash

String Block Type (0)

String Block Length

Parent File SHA Hash...

Event

Description

String Block Type (0)

String Block Length

Event Description...

 

Device ID

 

Connection Instance

Connection Counter

 

Connection Event Timestamp

 

Direction

Source IP Address

 

Source IP Address, continued

Source IP Address, continued

Source IP Address, continued

 

 

 

Source IP, cont.

Destination IP Address

 

Destination IP Address, continued

Destination IP Address, continued

Destination IP Address, continued

 

 

 

Destination IP, cont

Application ID

 

App. ID, cont.

User ID

 

User ID, cont.

Access Control Policy UUID

 

Access Control Policy UUID, continued

Access Control Policy UUID, continued

Access Control Policy UUID, continued

 

 

URI

AC Pol UUID, cont.

Disposition

Retro. Disposition

Str. Block Type (0)

String Block Type (0), continued

String Block Length

String Block Length, continued

URI...

 

Source Port

Destination Port

 

Source Country

Destination Country

 

Web Application ID

 

Client Application ID

 

Action

Protocol

 

The following table describes the fields in the malware event data block.

 

Table B-11 Malware Event Data Block for 5.2.x Fields

Field | Data Type | Description
--- | --- | ---
Malware Event Block Type | uint32 | Initiates a malware event data block. This value is always 33.
Malware Event Block Length | uint32 | Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.
Agent UUID | uint8[16] | The internal unique ID of the AMP for Endpoints agent reporting the malware event.
Cloud UUID | uint8[16] | The internal unique ID of the malware awareness network from which the malware event originated.
Malware Event Timestamp | uint32 | The malware event generation timestamp.
Event Type ID | uint32 | The internal ID of the malware event type.
Event Subtype ID | uint8 | The internal ID of the action that led to malware detection.
Detector ID | uint8 | The internal ID of the detection technology that detected the malware.
String Block Type | uint32 | Initiates a String data block containing the detection name. This value is always 0.
String Block Length | uint32 | The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.
Detection Name | string | The name of the detected or quarantined malware.
String Block Type | uint32 | Initiates a String data block containing the username. This value is always 0.
String Block Length | uint32 | The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.
User | string | The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.
String Block Type | uint32 | Initiates a String data block containing the file name. This value is always 0.
String Block Length | uint32 | The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.
File Name | string | The name of the detected or quarantined file.
String Block Type | uint32 | Initiates a String data block containing the file path. This value is always 0.
String Block Length | uint32 | The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.
File Path | string | The file path, not including the file name, of the detected or quarantined file.
String Block Type | uint32 | Initiates a String data block containing the file SHA hash. This value is always 0.
String Block Length | uint32 | The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.
File SHA Hash | string | The rendered string of the SHA-256 hash value of the detected or quarantined file.
File Size | uint32 | The size in bytes of the detected or quarantined file.
File Type | uint8 | The file type of the detected or quarantined file.
File Timestamp | uint32 | UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.
String Block Type | uint32 | Initiates a String data block containing the parent file name. This value is always 0.
String Block Length | uint32 | The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.
Parent File Name | string | The name of the file accessing the detected or quarantined file when detection occurred.
String Block Type | uint32 | Initiates a String data block containing the parent file SHA hash. This value is always 0.
String Block Length | uint32 | The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.
Parent File SHA Hash | string | The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.
String Block Type | uint32 | Initiates a String data block containing the event description. This value is always 0.
String Block Length | uint32 | The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.
Event Description | string | The additional event information associated with the event type.
Device ID | uint32 | ID for the device that generated the event.
Connection Instance | uint16 | Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.
Connection Counter | uint16 | Value used to distinguish between connection events that happen during the same second.
Connection Event Timestamp | uint32 | Timestamp of the connection event.
Direction | uint8 | Indicates whether the file was uploaded or downloaded. Can have the following values: 1 (Download), 2 (Upload). Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).
Source IP Address | uint8[16] | IPv4 or IPv6 address for the source of the connection.
Destination IP Address | uint8[16] | IPv4 or IPv6 address for the destination of the connection.
Application ID | uint32 | ID number that maps to the application using the file transfer.
User ID | uint32 | Identification number for the user logged into the destination host, as identified by the system.
Access Control Policy UUID | uint8[16] | Identification number that acts as a unique identifier for the access control policy that triggered the event.
Disposition | uint8 | The malware status of the file. Possible values include: 1 (CLEAN): the file is clean and does not contain malware; 2 (NEUTRAL): it is unknown whether the file contains malware; 3 (MALWARE): the file contains malware; 4 (CACHE_MISS): the software was unable to send a request to the Cisco cloud for a disposition, or the Cisco cloud services did not respond to the request.
Retrospective Disposition | uint8 | Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.
String Block Type | uint32 | Initiates a String data block containing the URI. This value is always 0.
String Block Length | uint32 | The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.
URI | string | URI of the connection.
Source Port | uint16 | Port number for the source of the connection.
Destination Port | uint16 | Port number for the destination of the connection.
Source Country | uint16 | Code for the country of the source host.
Destination Country | uint16 | Code for the country of the destination host.
Web Application ID | uint32 | The internal identification number of the detected web application, if applicable.
Client Application ID | uint32 | The internal identification number of the detected client application, if applicable.
Action | uint8 | The action taken on the file based on the file type. Can have the following values: 1 (Detect), 2 (Block), 3 (Malware Cloud Lookup), 4 (Malware Block), 5 (Malware Allow List).
Protocol | uint8 | IANA protocol number specified by the user. For example: 1 (ICMP), 4 (IP), 6 (TCP), 17 (UDP). This is currently only TCP.

Malware Event Data Block 5.3

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 35 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 4 and an event code of 101.

The following graphic shows the structure of the malware event data block:

 

Byte 0 (bits 0-7), byte 1 (bits 8-15), byte 2 (bits 16-23), byte 3 (bits 24-31)

 

Malware Event Block Type (35)

 

Malware Event Block Length

 

Agent UUID

Agent UUID, continued

Agent UUID, continued

 

Agent UUID, continued

 

Cloud UUID

 

Cloud UUID, continued

 

Cloud UUID, continued

 

Cloud UUID, continued

 

Malware Event Timestamp

 

Event Type ID

 

Event Subtype ID

Detection Name

Detector ID

String Block Type (0)

String Block Type (0), cont.

String Block Length

String Block Length, cont.

Detection Name...

User

String Block Type (0)

String Block Length

User...

File Name

String Block Type (0)

String Block Length

File Name...

File Path

String Block Type (0)

String Block Length

File Path...

File SHA

Hash

String Block Type (0)

String Block Length

File SHA Hash...

 

File Size

 

File Type

 

File Timestamp

Parent File

Name

String Block Type (0)

String Block Length

Parent File Name...

Parent File

SHA Hash

String Block Type (0)

String Block Length

Parent File SHA Hash...

Event

Description

String Block Type (0)

String Block Length

Event Description...

 

Device ID

 

Connection Instance

Connection Counter

 

Connection Event Timestamp

 

Direction

Source IP Address

 

Source IP Address, continued

Source IP Address, continued

Source IP Address, continued

 

 

 

Source IP, cont.

Destination IP Address

 

Destination IP Address, continued

Destination IP Address, continued

Destination IP Address, continued

 

 

 

Destination IP, cont

Application ID

 

App. ID, cont.

User ID

 

User ID, cont.

Access Control Policy UUID

 

Access Control Policy UUID, continued

Access Control Policy UUID, continued

Access Control Policy UUID, continued

 

 

URI

AC Pol UUID, cont.

Disposition

Retro. Disposition

Str. Block Type (0)

String Block Type (0), continued

String Block Length

String Block Length, continued

URI...

 

Source Port

Destination Port

 

Source Country

Destination Country

 

Web Application ID

 

Client Application ID

 

Action

Protocol

Threat Score

IOC Number

 

IOC Number, cont.

The following table describes the fields in the malware event data block.

 

Table B-12 Malware Event Data Block for 5.3 Fields

Field
Data Type
Description

Malware Event Block Type

uint32

Initiates a malware event data block. This value is always 35.

Malware Event Block Length

uint32

Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.

Agent UUID

uint8[16]

The internal unique ID of the AMP for Endpoints agent reporting the malware event.

Cloud UUID

uint8[16]

The internal unique ID of the malware awareness network from which the malware event originated.

Malware Event Timestamp

uint32

The malware event generation timestamp.

Event Type ID

uint32

The internal ID of the malware event type.

Event Subtype ID

uint32

The internal ID of the action that led to malware detection.

Detector ID

uint8

The internal ID of the detection technology that detected the malware.

String Block Type

uint32

Initiates a String data block containing the detection name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.

Detection Name

string

The name of the detected or quarantined malware.

String Block Type

uint32

Initiates a String data block containing the username. This value is always 0.

String Block Length

uint32

The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.

User

string

The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.

String Block Type

uint32

Initiates a String data block containing the file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.

File Name

string

The name of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file path. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.

File Path

string

The file path, not including the file name, of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.

File SHA Hash

string

The rendered string of the SHA-256 hash value of the detected or quarantined file.

File Size

uint32

The size in bytes of the detected or quarantined file.

File Type

uint8

The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information.

File Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the parent file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.

Parent File Name

string

The name of the file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the parent file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.

Parent File SHA Hash

string

The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the event description. This value is always 0.

String Block Length

uint32

The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.

Event Description

string

The additional event information associated with the event type.

Device ID

uint32

ID for the device that generated the event.

Connection Instance

uint16

Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Connection Event Timestamp

uint32

Timestamp of the connection event.

Direction

uint8

Indicates whether the file was uploaded or downloaded. Can have the following values:

  • 1 — Download
  • 2 — Upload

Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).

Source IP Address

uint8[16]

IPv4 or IPv6 address for the source of the connection.

Destination IP Address

uint8[16]

IPv4 or IPv6 address for the destination of the connection.

Application ID

uint32

ID number that maps to the application using the file transfer.

User ID

uint32

Identification number for the user logged into the destination host, as identified by the system.

Access Control Policy UUID

uint8[16]

Identification number that acts as a unique identifier for the access control policy that triggered the event.

Disposition

uint8

The malware status of the file. Possible values include:

  • 1 — CLEAN: The file is clean and does not contain malware.
  • 2 — UNKNOWN: It is unknown whether the file contains malware.
  • 3 — MALWARE: The file contains malware.
  • 4 — UNAVAILABLE: The software was unable to send a request to the Cisco cloud for a disposition, or the Cisco cloud services did not respond to the request.
  • 5 — CUSTOM SIGNATURE: The file matches a user-defined hash, and is treated in a fashion designated by the user.

Retrospective Disposition

uint8

Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.

String Block Type

uint32

Initiates a String data block containing the URI. This value is always 0.

String Block Length

uint32

The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.

URI

string

URI of the connection.

Source Port

uint16

Port number for the source of the connection.

Destination Port

uint16

Port number for the destination of the connection.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

Web Application ID

uint32

The internal identification number of the detected web application, if applicable.

Client Application ID

uint32

The internal identification number of the detected client application, if applicable.

Action

uint8

The action taken on the file based on the file type. Can have the following values:

  • 1 — Detect
  • 2 — Block
  • 3 — Malware Cloud Lookup
  • 4 — Malware Block
  • 5 — Malware Allow List

Protocol

uint8

IANA protocol number specified by the user. For example:

  • 1 — ICMP
  • 4 — IP
  • 6 — TCP
  • 17 — UDP

This is currently only TCP.

Threat Score

uint8

A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.

IOC Number

uint16

ID number of the compromise associated with this event.

Malware Event Data Block 5.3.1

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 44 in the series 2 group of blocks. It supersedes block 35. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 5 and an event code of 101.

The following graphic shows the structure of the malware event data block:

 

[Graphic: bit-level layout of the malware event data block (block type 44), drawn as 32-bit rows (bytes 0-3, bits 0-31). Fields appear in the order listed in Table B-13.]

 

The following table describes the fields in the malware event data block.

 

Table B-13 Malware Event Data Block for 5.3.1 Fields

Field
Data Type
Description

Malware Event Block Type

uint32

Initiates a malware event data block. This value is always 44.

Malware Event Block Length

uint32

Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.

Agent UUID

uint8[16]

The internal unique ID of the AMP for Endpoints agent reporting the malware event.

Cloud UUID

uint8[16]

The internal unique ID of the Cisco Advanced Malware Protection cloud from which the malware event originated.

Malware Event Timestamp

uint32

The malware event generation timestamp.

Event Type ID

uint32

The internal ID of the malware event type.

Event Subtype ID

uint32

The internal ID of the action that led to malware detection.

Detector ID

uint8

The internal ID of the detection technology that detected the malware.

String Block Type

uint32

Initiates a String data block containing the detection name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.

Detection Name

string

The name of the detected or quarantined malware.

String Block Type

uint32

Initiates a String data block containing the username. This value is always 0.

String Block Length

uint32

The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.

User

string

The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.

String Block Type

uint32

Initiates a String data block containing the file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.

File Name

string

The name of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file path. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.

File Path

string

The file path, not including the file name, of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.

File SHA Hash

string

The rendered string of the SHA-256 hash value of the detected or quarantined file.

File Size

uint32

The size in bytes of the detected or quarantined file.

File Type

uint8

The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information.

File Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the parent file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.

Parent File Name

string

The name of the file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the parent file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.

Parent File SHA Hash

string

The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the event description. This value is always 0.

String Block Length

uint32

The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.

Event Description

string

The additional event information associated with the event type.

Device ID

uint32

ID for the device that generated the event.

Connection Instance

uint16

Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Connection Event Timestamp

uint32

Timestamp of the connection event.

Direction

uint8

Indicates whether the file was uploaded or downloaded. Can have the following values:

  • 1 — Download
  • 2 — Upload

Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).

Source IP Address

uint8[16]

IPv4 or IPv6 address for the source of the connection.

Destination IP Address

uint8[16]

IPv4 or IPv6 address for the destination of the connection.

Application ID

uint32

ID number that maps to the application using the file transfer.

User ID

uint32

Identification number for the user logged into the destination host, as identified by the system.

Access Control Policy UUID

uint8[16]

Identification number that acts as a unique identifier for the access control policy that triggered the event.

Disposition

uint8

The malware status of the file. Possible values include:

  • 1 — CLEAN: The file is clean and does not contain malware.
  • 2 — UNKNOWN: It is unknown whether the file contains malware.
  • 3 — MALWARE: The file contains malware.
  • 4 — UNAVAILABLE: The software was unable to send a request to the Cisco cloud for a disposition, or the Cisco cloud services did not respond to the request.
  • 5 — CUSTOM SIGNATURE: The file matches a user-defined hash, and is treated in a fashion designated by the user.

Retrospective Disposition

uint8

Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.

String Block Type

uint32

Initiates a String data block containing the URI. This value is always 0.

String Block Length

uint32

The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.

URI

string

URI of the connection.

Source Port

uint16

Port number for the source of the connection.

Destination Port

uint16

Port number for the destination of the connection.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

Web Application ID

uint32

The internal identification number of the detected web application, if applicable.

Client Application ID

uint32

The internal identification number of the detected client application, if applicable.

Action

uint8

The action taken on the file based on the file type. Can have the following values:

  • 1 — Detect
  • 2 — Block
  • 3 — Malware Cloud Lookup
  • 4 — Malware Block
  • 5 — Malware Allow List

Protocol

uint8

IANA protocol number specified by the user. For example:

  • 1 — ICMP
  • 4 — IP
  • 6 — TCP
  • 17 — UDP

This is currently only TCP.

Threat Score

uint8

A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.

IOC Number

uint16

ID number of the compromise associated with this event.

Security Context

uint8[16]

ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.

Malware Event Data Block 5.4.x

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 47 in the series 2 group of blocks. It supersedes block 44 and is superseded by block. Fields for SSL and file archive support have been added.

You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 6 and an event code of 101.

The following graphic shows the structure of the malware event data block:

 

[Graphic: bit-level layout of the malware event data block (block type 47), drawn as 32-bit rows (bytes 0-3, bits 0-31). Fields appear in the order listed in Table B-14.]

 

The following table describes the fields in the malware event data block.

 

Table B-14 Malware Event Data Block for 5.4.x Fields

Field
Data Type
Description

Malware Event Block Type

uint32

Initiates a malware event data block. This value is always 47.

Malware Event Block Length

uint32

Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.

Agent UUID

uint8[16]

The internal unique ID of the AMP for Endpoints agent reporting the malware event.

Cloud UUID

uint8[16]

The internal unique ID of the Cisco Advanced Malware Protection cloud from which the malware event originated.

Malware Event Timestamp

uint32

The malware event generation timestamp.

Event Type ID

uint32

The internal ID of the malware event type.

Event Subtype ID

uint32

The internal ID of the action that led to malware detection.

Detector ID

uint8

The internal ID of the detection technology that detected the malware.

String Block Type

uint32

Initiates a String data block containing the detection name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.

Detection Name

string

The name of the detected or quarantined malware.

String Block Type

uint32

Initiates a String data block containing the username. This value is always 0.

String Block Length

uint32

The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.

User

string

The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.

String Block Type

uint32

Initiates a String data block containing the file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.

File Name

string

The name of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file path. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.

File Path

string

The file path, not including the file name, of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.

File SHA Hash

string

The rendered string of the SHA-256 hash value of the detected or quarantined file.

File Size

uint32

The size in bytes of the detected or quarantined file.

File Type

uint8

The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information.

File Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the parent file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.

Parent File Name

string

The name of the file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the parent file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.

Parent File SHA Hash

string

The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the event description. This value is always 0.

String Block Length

uint32

The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.

Event Description

string

The additional event information associated with the event type.

Device ID

uint32

ID for the device that generated the event.

Connection Instance

uint16

Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Connection Event Timestamp

uint32

Timestamp of the connection event.

Direction

uint8

Indicates whether the file was uploaded or downloaded. Can have the following values:

  • 1 — Download
  • 2 — Upload

Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).

Source IP Address

uint8[16]

IPv4 or IPv6 address for the source of the connection.

Destination IP Address

uint8[16]

IPv4 or IPv6 address for the destination of the connection.

Application ID

uint32

ID number that maps to the application using the file transfer.

User ID

uint32

Identification number for the user logged into the destination host, as identified by the system.

Access Control Policy UUID

uint8[16]

Identification number that acts as a unique identifier for the access control policy that triggered the event.

Disposition

uint8

The malware status of the file. Possible values include:

  • 1 — CLEAN: The file is clean and does not contain malware.
  • 2 — UNKNOWN: It is unknown whether the file contains malware.
  • 3 — MALWARE: The file contains malware.
  • 4 — UNAVAILABLE: The software was unable to send a request to the Cisco cloud for a disposition, or the Cisco cloud services did not respond to the request.
  • 5 — CUSTOM SIGNATURE: The file matches a user-defined hash, and is treated in a fashion designated by the user.

Retrospective Disposition

uint8

Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.

String Block Type

uint32

Initiates a String data block containing the URI. This value is always 0.

String Block Length

uint32

The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.

URI

string

URI of the connection.

Source Port

uint16

Port number for the source of the connection.

Destination Port

uint16

Port number for the destination of the connection.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

Web Application ID

uint32

The internal identification number of the detected web application, if applicable.

Client Application ID

uint32

The internal identification number of the detected client application, if applicable.

Action

uint8

The action taken on the file based on the file type. Can have the following values:

  • 1 — Detect
  • 2 — Block
  • 3 — Malware Cloud Lookup
  • 4 — Malware Block
  • 5 — Malware Allow List
  • 6 — Cloud Lookup Timeout
  • 7 — Custom Detection
  • 8 — Custom Detection Block
  • 9 — Archive Block (Depth Exceeded)
  • 10 — Archive Block (Encrypted)
  • 11 — Archive Block (Failed to Inspect)

Protocol

uint8

IANA protocol number specified by the user. For example:

  • 1 — ICMP
  • 4 — IP
  • 6 — TCP
  • 17 — UDP

This is currently only TCP.

Threat Score

uint8

A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.

IOC Number

uint16

ID number of the compromise associated with this event.

Security Context

uint8[16]

ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.

SSL Certificate Fingerprint

uint8[20]

SHA1 hash of the SSL Server certificate.

SSL Actual Action

uint16

The action performed on the connection based on the SSL Rule. This may differ from the expected action, because the action specified in the rule may be impossible. Possible values include:

  • 0 — 'Unknown'
  • 1 — 'Do Not Decrypt'
  • 2 — 'Block'
  • 3 — 'Block With Reset'
  • 4 — 'Decrypt (Known Key)'
  • 5 — 'Decrypt (Replace Key)'
  • 6 — 'Decrypt (Resign)'

SSL Flow Status

uint16

Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include:

  • 0 — 'Unknown'
  • 1 — 'No Match'
  • 2 — 'Success'
  • 3 — 'Uncached Session'
  • 4 — 'Unknown Cipher Suite'
  • 5 — 'Unsupported Cipher Suite'
  • 6 — 'Unsupported SSL Version'
  • 7 — 'SSL Compression Used'
  • 8 — 'Session Undecryptable in Passive Mode'
  • 9 — 'Handshake Error'
  • 10 — 'Decryption Error'
  • 11 — 'Pending Server Name Category Lookup'
  • 12 — 'Pending Common Name Category Lookup'
  • 13 — 'Internal Error'
  • 14 — 'Network Parameters Unavailable'
  • 15 — 'Invalid Server Certificate Handle'
  • 16 — 'Server Certificate Fingerprint Unavailable'
  • 17 — 'Cannot Cache Subject DN'
  • 18 — 'Cannot Cache Issuer DN'
  • 19 — 'Unknown SSL Version'
  • 20 — 'External Certificate List Unavailable'
  • 21 — 'External Certificate Fingerprint Unavailable'
  • 22 — 'Internal Certificate List Invalid'
  • 23 — 'Internal Certificate List Unavailable'
  • 24 — 'Internal Certificate Unavailable'
  • 25 — 'Internal Certificate Fingerprint Unavailable'
  • 26 — 'Server Certificate Validation Unavailable'
  • 27 — 'Server Certificate Validation Failure'
  • 28 — 'Invalid Action'

String Block Type

uint32

Initiates a String data block containing the Archive SHA. This value is always 0.

String Block Length

uint32

The number of bytes included in the Archive SHA String data block, including eight bytes for the block type and header fields plus the number of bytes in the Archive SHA.

Archive SHA

string

SHA1 hash of the parent archive in which the file is contained.

String Block Type

uint32

Initiates a String data block containing the Archive Name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Archive Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Archive Name.

Archive Name

string

Name of the parent archive.

Archive Depth

uint8

Number of layers in which the file is nested. For example, if a text file is in a zip archive, this has a value of 1.

Legacy Discovery Data Structures

Legacy Discovery Event Header

Discovery Event Header 5.0 - 5.1.1.x

Discovery and connection event messages contain a discovery event header. It conveys the type and subtype of the event, the time the event occurred, the device on which the event occurred, and the structure of the event data in the message. This header is followed by the actual host discovery, user, or connection event data. The structures associated with the different event type/subtype values are described in Host Discovery Structures by Event Type.

The event type and event subtype fields of the discovery event header identify the structure of the transmitted event message. Once the structure of the event data block is determined, your program can parse the message appropriately.

The shaded rows in the following diagram illustrate the format of the discovery event header.

 

Diagram layout: 32 bits per row (bytes 0-3, bits 0-31). Fields in order:

  • Header Version (1), Message Type (4)
  • Message Length
  • Netmap ID, Record Type
  • Record Length
  • eStreamer Server Timestamp (in events, only if bit 23 is set)
  • Reserved for Future Use (in events, only if bit 23 is set)

Discovery Event Header:

  • Device ID
  • IP Address
  • MAC Address
  • MAC Address, continued
  • Reserved for future use
  • Event Second
  • Event Microsecond
  • Reserved (Internal)
  • Event Type
  • Event Subtype
  • File Number (Internal Use Only)
  • File Position (Internal Use Only)

The following table describes the discovery event header.

 

Table B-15 Discovery Event Header Fields

Field
Data Types
Description

Device ID

uint32

ID number of the device that generated the discovery event. You can obtain the metadata for the device by requesting Version 3 and 4 metadata. See Managed Device Record Metadata for more information.

IP Address

uint32

IP address of the host involved in the event.

MAC Address

uint8[6]

MAC address of the host involved in the event.

Reserved for future use

byte[2]

Two bytes of padding with values set to 0.

Event Second

uint32

UNIX timestamp (seconds since 01/01/1970) at which the system generated the event.

Event Microsecond

uint32

Microsecond (one millionth of a second) increment at which the system generated the event.

Reserved (Internal)

byte

Internal data from Cisco and can be disregarded.

Event Type

uint32

Event type (1000 for new events, 1001 for change events, 1002 for user input events, 1050 for full host profile). See Host Discovery Structures by Event Type for a list of available event types.

Event Subtype

uint32

Event subtype. See Host Discovery Structures by Event Type for a list of available event subtypes.

File Number

byte[4]

Serial file number. This field is for Cisco internal use and can be disregarded.

File Position

byte[4]

Event’s position in the serial file. This field is for Cisco internal use and can be disregarded.

Legacy Server Data Blocks

For more information, see the following sections:

Attribute Address Data Block for 5.0 - 5.1.1.x

The Attribute Address data block contains an attribute list item and is used within an Attribute Definition data block. It has a block type of 38.

The following diagram shows the basic structure of an Attribute Address data block:

 

Diagram layout: 32 bits per row (bytes 0-3, bits 0-31). Fields in order:

  • Attribute Address Block Type (38)
  • Attribute Address Block Length
  • Attribute ID
  • IP Address
  • Bits

The following table describes the fields of the Attribute Address data block.

 

Table B-16 Attribute Address Data Block Fields

Field
Data Type
Description

Attribute Address Block Type

uint32

Initiates an Attribute Address data block. This value is always 38.

Attribute Address Block Length

uint32

Number of bytes in the Attribute Address data block, including eight bytes for the attribute address block type and length, plus the number of bytes in the attribute address data that follows.

Attribute ID

uint32

Identification number of the affected attribute, if applicable.

IP Address

uint8[4]

IP address of the host, if the address was automatically assigned, in IP address octets.

Bits

uint32

Contains the significant bits used to calculate the netmask if an IP address was automatically assigned.

Legacy Client Application Data Blocks

For more information, see the following sections:

User Client Application Data Block for 5.0 - 5.1

The User Client Application data block contains information about the source of the client application data, the identification number for the user who added the data, and the lists of IP address range data blocks. The User Client Application data block has a block type of 59.

The following diagram shows the basic structure of a User Client Application data block:

 

Diagram layout: 32 bits per row (bytes 0-3, bits 0-31). Fields in order:

  • User Client Application Block Type (59)
  • User Client Application Block Length
  • IP Address Ranges: Generic List Block Type (31), Generic List Block Length, IP Range Specification Data Blocks*
  • Application Protocol ID
  • Client Application ID
  • Version: String Block Type (0), String Block Length, Version...

The following table describes the fields of the User Client Application data block.

 

Table B-17 User Client Application Data Block Fields

Field
Number of Bytes
Description

User Client Application Block Type

uint32

Initiates a User Client Application data block. This value is always 59.

User Client Application Block Length

uint32

Total number of bytes in the User Client Application data block, including eight bytes for the user client application block type and length fields, plus the number of bytes of user client application data that follows.

Generic List Block Type

uint32

Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always 31.

Generic List Block Length

uint32

Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks.

IP Range Specification Data Blocks *

variable

IP Range Specification data blocks containing information about the IP address ranges for the user input. See User Server Data Block Fields for a description of this data block.

Application Protocol ID

uint32

The internal identification number for the application protocol, if applicable.

Client Application ID

uint32

The internal identification number of the detected client application, if applicable.

String Block Type

uint32

Initiates a String data block that contains the client application version. This value is always 0.

String Block Length

uint32

Number of bytes in the client application version String data block, including the string block type and length fields, plus the number of bytes in the version.

Version

string

Client application version.

Legacy Scan Result Data Blocks

For more information, see the following sections:

Scan Result Data Block 5.0 - 5.1.1.x

The Scan Result data block describes a vulnerability and is used within Add Scan Result events (event type 1002, subtype 11). The Scan Result data block has a block type of 102.

The following diagram shows the format of a Scan Result data block:

 

Diagram layout: 32 bits per row (bytes 0-3, bits 0-31). Fields in order:

  • Scan Result Block Type (102)
  • Scan Result Block Length
  • User ID
  • Scan Type
  • IP Address
  • Port, Protocol
  • Flag
  • Scan Vulnerability List: List Block Type (11), List Block Length
  • Vulnerability List: Scan Vulnerability Block Type (109), Scan Vulnerability Block Length, Vulnerability Data...
  • Generic Scan Results List: List Block Type (11), List Block Length
  • Scan Results List: Generic Scan Results Block Type (108), Generic Scan Results Block Length, Generic Scan Results...
  • User Product List: Generic List Block Type (31), Generic List Block Length, User Product Data Blocks*

 

The following table describes the fields of the Scan Result data block.

 

Table B-18 Scan Result Data Block Fields

Field
Data Type
Description

Scan Result Block Type

uint32

Initiates a Scan Result data block. This value is always 102.

Scan Result Block Length

uint32

Number of bytes in the Scan Result data block, including eight bytes for the scan result block type and length fields, plus the number of bytes of scan result data that follows.

User ID

uint32

Contains the user identification number for the user who imported the scan result or ran the scan that produced the scan result.

Scan Type

uint32

Indicates how the results were added to the system.

IP Address

uint32

IP address of the host affected by the vulnerabilities in the result, in IP address octets.

Port

uint16

Port used by the sub-server affected by the vulnerabilities in the results.

Protocol

uint16

IANA protocol number. For example:

  • 1 — ICMP
  • 4 — IP
  • 6 — TCP
  • 17 — UDP

Flag

uint16

Reserved

List Block Type

uint32

Initiates a List data block comprising Scan Vulnerability data blocks conveying transport Scan Vulnerability data. This value is always 11.

List Block Length

uint32

Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Scan Vulnerability data blocks.

This field is followed by zero or more Scan Vulnerability data blocks.

Scan Vulnerability Block Type

uint32

Initiates a Scan Vulnerability data block describing a vulnerability detected during a scan. This value is always 109.

Scan Vulnerability Block Length

uint32

Number of bytes in the Scan Vulnerability data block, including eight bytes for the scan vulnerability block type and length fields, plus the number of bytes in the scan vulnerability data that follows.

Vulnerability Data

string

Information relating to each vulnerability.

List Block Type

uint32

Initiates a List data block comprising Scan Vulnerability data blocks conveying transport Scan Vulnerability data. This value is always 11.

List Block Length

uint32

Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Scan Vulnerability data blocks.

This field is followed by zero or more Scan Vulnerability data blocks.

Generic Scan Results Block Type

uint32

Initiates a Generic Scan Results data block describing server and operating system data detected during a scan. This value is always 108.

Generic Scan Results Block Length

uint32

Number of bytes in the Generic Scan Results data block, including eight bytes for the generic scan results block type and length fields, plus the number of bytes in the scan result data that follows.

Generic Scan Results Data

string

Information relating to each scan result.

Generic List Block Type

uint32

Initiates a Generic List data block comprising User Product data blocks conveying host input data from a third party application. This value is always 31.

Generic List Block Length

uint32

Number of bytes in the Generic List data block, including the list header and all encapsulated User Product data blocks.

User Product Data Blocks *

variable

User Product data blocks containing host input data. See User Product Data Block 5.1+ for a description of this data block.

 

User Product Data Block for 5.0.x

The User Product data block conveys host input data imported from a third party application, including third party application string mappings. This data block is used in Connection Statistics Data Block 6.0.x and User Server and Operating System Messages. The User Product data block has a block type of 65 for 4.10.x, and a block type of 118 for 5.0 - 5.0.x. The block types have the same structure.

Note: An asterisk (*) next to a data block name in the following diagram indicates that multiple instances of the data block may occur.


The following diagram shows the format of the User Product data block:

 

Diagram layout: 32 bits per row (bytes 0-3, bits 0-31). Fields in order:

  • User Product Data Block Type (65 | 118)
  • User Product Block Length
  • Source ID
  • Source Type
  • IP Address Ranges: Generic List Block Type (31), Generic List Block Length, IP Range Specification Data Blocks*
  • Port, Protocol
  • Drop User Product
  • Custom Vendor String: String Block Type (0), String Block Length, Custom Vendor String...
  • Custom Product String: String Block Type (0), String Block Length, Custom Product String...
  • Custom Version String: String Block Type (0), String Block Length, Custom Version String...
  • Software ID
  • Server ID
  • Vendor ID
  • Product ID
  • Major Version String: String Block Type (0), String Block Length, Major Version String...
  • Minor Version String: String Block Type (0), String Block Length, Minor Version String...
  • Revision String: String Block Type (0), String Block Length, Revision String...
  • To Major String: String Block Type (0), String Block Length, To Major Version String...
  • To Minor String: String Block Type (0), String Block Length, To Minor Version String...
  • To Revision String: String Block Type (0), String Block Length, To Revision String...
  • Build String: String Block Type (0), String Block Length, Build String...
  • Patch String: String Block Type (0), String Block Length, Patch String...
  • Extension String: String Block Type (0), String Block Length, Extension String...
  • OS UUID: Operating System UUID (continued across four rows)
  • List of Fixes: Generic List Block Type (31), Generic List Block Length, Fix List Data Blocks*

The following table describes the components of the User Product data block.

 

Table B-19 User Product Data Block Fields for 4.10.x, 5.0-5.0.x

Field
Data Type
Description

User Product Data Block Type

uint32

Initiates a User Product data block. This value is 65 for version 4.10.x and 118 for version 5.0 - 5.0.x.

User Product Block Length

uint32

Total number of bytes in the User Product data block, including eight bytes for the user product block type and length fields, plus the number of bytes in the user product data that follows.

Source ID

uint32

Identification number of the source that imported the data.

Source Type

uint32

The source type of the source that supplied the data.

Generic List Block Type

uint32

Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always 31.

Generic List Block Length

uint32

Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks.

IP Range Specification Data Blocks *

variable

IP Range Specification data blocks containing information about the IP address ranges for the user input. See IP Address Range Data Block for 5.2+ for a description of this data block.

Port

uint16

Port specified by the user.

Protocol

uint16

IANA protocol number specified by the user. For example:

  • 1 — ICMP
  • 4 — IP
  • 6 — TCP
  • 17 — UDP

Drop User Product

uint32

Indicates whether the user OS definition was deleted from the host:

  • 0 — No
  • 1 — Yes

String Block Type

uint32

Initiates a String data block containing the custom vendor name specified in the user input. This value is always 0.

String Block Length

uint32

Number of bytes in the custom vendor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the vendor name.

Custom Vendor Name

string

The custom vendor name specified in the user input.

String Block Type

uint32

Initiates a String data block containing the custom product name specified in the user input. This value is always 0.

String Block Length

uint32

Number of bytes in the custom product String data block, including eight bytes for the block type and length fields, plus the number of bytes in the product name.

Custom Product Name

string

The custom product name specified in the user input.

String Block Type

uint32

Initiates a String data block containing the custom version specified in the user input. This value is always 0.

String Block Length

uint32

Number of bytes in the custom version String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.

Custom Version

string

The custom version specified in the user input.

Software ID

uint32

The identifier for a specific revision of a server or operating system in the Cisco database.

Server ID

uint32

The Cisco application identifier for the application protocol on the host server specified in user input.

Vendor ID

uint32

The identifier for the vendor of a third party operating system specified when the third party operating system is mapped to a Cisco 3D operating system definition.

Product ID

uint32

The product identification string of a third party operating system string specified when the third party operating system string is mapped to a Cisco 3D operating system definition.

String Block Type

uint32

Initiates a String data block containing the major version number of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to. This value is always 0.

String Block Length

uint32

Number of bytes in the major String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.

Major Version

string

Major version of the Cisco 3D operating system definition that a third party operating system string is mapped to.

String Block Type

uint32

Initiates a String data block containing the minor version number of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always 0.

String Block Length

uint32

Number of bytes in the minor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.

Minor Version

string

Minor version number of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to.

String Block Type

uint32

Initiates a String data block containing the revision number of the Cisco operating system definition that a third party operating system string in the user input is mapped to. This value is always 0.

String Block Length

uint32

Number of bytes in the revision String data block, including eight bytes for the block type and length fields, plus the number of bytes in the revision number.

Revision

string

Revision number of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to.

String Block Type

uint32

Initiates a String data block containing the last major version of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always 0.

String Block Length

uint32

Number of bytes in the To Major String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.

To Major

string

Last version number in a range of major version numbers of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to.

String Block Type

uint32

Initiates a String data block containing the last minor version of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always 0.

String Block Length

uint32

Number of bytes in the To Minor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.

To Minor

string

Last version number in a range of minor version numbers of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to.

String Block Type

uint32

Initiates a String data block containing the last revision number of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always 0.

String Block Length

uint32

Number of bytes in the To Revision String data block, including eight bytes for the block type and length fields, plus the number of bytes in the revision number.

To Revision

string

Last revision number in a range of revision numbers of the Cisco 3D operating system definitions that a third party operating system string in the user input is mapped to.

String Block Type

uint32

Initiates a String data block containing the build number of the Cisco 3D operating system that the third party operating system string is mapped to. This value is always 0.

String Block Length

uint32

Number of bytes in the build String data block, including eight bytes for the block type and length fields, plus the number of bytes in the build number.

Build

string

Build number of the Cisco 3D operating system that the third party operating system string in the user input is mapped to.

String Block Type

uint32

Initiates a String data block containing the patch number of the Cisco 3D operating system that the third party operating system string is mapped to. This value is always 0.

String Block Length

uint32

Number of bytes in the patch String data block, including eight bytes for the block type and length fields, plus the number of bytes in the patch number.

Patch

string

Patch number of the Cisco 3D operating system that the third party operating system string in the user input is mapped to.

String Block Type

uint32

Initiates a String data block containing the extension number of the Cisco 3D operating system that the third party operating system string is mapped to. This value is always 0.

String Block Length

uint32

Number of bytes in the extension String data block, including eight bytes for the block type and length fields, plus the number of bytes in the extension number.

Extension

string

Extension number of the Cisco 3D operating system that the third party operating system string in the user input is mapped to.

UUID

uint8[16]

Contains the unique identification number for the operating system.

Generic List Block Type

uint32

Initiates a Generic List data block comprising Fix List data blocks conveying user input data regarding what fixes have been applied to hosts in the specified IP address ranges. This value is always 31.

Generic List Block Length

uint32

Number of bytes in the Generic List data block, including the list header and all encapsulated Fix List data blocks.

Fix List Data Blocks *

variable

Fix List data blocks containing information about fixes applied to the hosts. See Fix List Data Block for a description of this data block.

Legacy User Login Data Blocks

See the following sections for more information:

User Login Information Data Block for 5.0 - 5.0.2

The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Information Update Message Block.

The User Login Information data block has a block type of 121 for version 5.0 - 5.0.2.

The graphic below shows the format of the User Login Information data block:

 

Diagram layout: 32 bits per row (bytes 0-3, bits 0-31). Fields in order:

  • User Login Information Block Type (121)
  • User Login Information Block Length
  • Timestamp
  • IP Address
  • User Name: String Block Type (0), String Block Length, User Name...
  • User ID
  • Application ID
  • Email: String Block Type (0), String Block Length, Email...

The following table describes the components of the User Login Information data block.

 

Table B-20 User Login Information Data Block Fields 5.0 - 5.0.2

Field
Data Type
Description

User Login Information Block Type

uint32

Initiates a User Login Information data block. This value is 121 for version 5.0 - 5.0.2.

User Login Information Block Length

uint32

Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows.

Timestamp

uint32

Timestamp of the event.

IP Address

uint8[4]

IP address from the host where the user was detected logging in, in IP address octets.

String Block Type

uint32

Initiates a String data block containing the username for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username.

Username

string

The user name for the user.

User ID

uint32

Identification number of the user.

Application ID

uint32

The application ID for the application protocol used in the connection that the login information was derived from.

String Block Type

uint32

Initiates a String data block containing the email address for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address.

Email

string

The email address for the user.

User Login Information Data Block 5.1-5.4.x

The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Account Update Message Data Block.

The User Login Information data block has a block type of 73 for version 4.7 - 4.10.x, a block type of 121 in the series 1 group of blocks for version 5.0 - 5.0.2, and a block type of 127 in the series 1 group of blocks for version 5.1-5.4.x.

The graphic below shows the format of the User Login Information data block:

 

Diagram layout: 32 bits per row (bytes 0-3, bits 0-31). Fields in order:

  • User Login Information Block Type (127)
  • User Login Information Block Length
  • Timestamp
  • IPv4 Address
  • User Name: String Block Type (0), String Block Length, User Name...
  • User ID
  • Application ID
  • Email: String Block Type (0), String Block Length, Email...
  • IPv6 Address (continued across four rows)
  • Login Type
  • Reported By: String Block Type (0), String Block Length, Reported By...

The following table describes the components of the User Login Information data block.

 

Table B-21 User Login Information Data Block Fields

Field
Data Type
Description

User Login Information Block Type

uint32

Initiates a User Login Information data block. This value is 127 for version 5.1+.

User Login Information Block Length

uint32

Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows.

Timestamp

uint32

Timestamp of the event.

IPv4 Address

uint32

This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information.

String Block Type

uint32

Initiates a String data block containing the username for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username.

Username

string

The user name for the user.

User ID

uint32

Identification number of the user.

Application ID

uint32

The application ID for the application protocol used in the connection that the login information was derived from.

String Block Type

uint32

Initiates a String data block containing the email address for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address.

Email

string

The email address for the user.

IPv6 Address

uint8[16]

IPv6 address from the host where the user was detected logging in, in IP address octets.

Login Type

uint8

The type of user login detected.

String Block Type

uint32

Initiates a String data block containing the Reported By value. This value is always 0.

String Block Length

uint32

Number of bytes in the Reported By String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Reported By field.

Reported By

string

The name of the Active Directory server reporting a login.
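
The type 121 and type 127 layouts in Tables B-20 and B-21 share every field up to Email, so one parser can cover both. The following is an added example, not Cisco's code: it rejects any block length or String Block Length that does not fit the bytes received, and it assumes network byte order, UTF-8 string payloads, and IPv4 hosts arriving IPv4-mapped in the IPv6 Address field, none of which this section states. The sample block is constructed, not captured traffic.

```python
import ipaddress
import struct

LOGIN_BLOCK_V50 = 121  # User Login Information, 5.0 - 5.0.2 (Table B-20)
LOGIN_BLOCK_V51 = 127  # User Login Information, 5.1 - 5.4.x (Table B-21)
STRING_BLOCK = 0       # String data block type
HDR = 8                # block type (uint32) + block length (uint32)


class BlockError(ValueError):
    """A type or length field disagrees with the bytes actually received."""


class Reader:
    """Cursor over one data block that refuses to read past the block's end."""

    def __init__(self, buf, end):
        self.buf, self.pos, self.end = buf, 0, end

    def take(self, n):
        if self.pos + n > self.end:
            raise BlockError(f"need {n} bytes at offset {self.pos}, block ends at {self.end}")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u32(self):
        # Assumption: network byte order (big-endian).
        return struct.unpack("!I", self.take(4))[0]

    def string_block(self):
        """String data block: type 0, then a length that counts its own 8 header bytes."""
        btype, blen = self.u32(), self.u32()
        if btype != STRING_BLOCK:
            raise BlockError(f"expected String block type 0, got {btype}")
        if blen < HDR:
            raise BlockError(f"String Block Length {blen} is smaller than its header")
        raw = self.take(blen - HDR)
        # Assumption: UTF-8 text, possibly NUL-padded.
        return raw.rstrip(b"\x00").decode("utf-8", errors="replace")


def parse_user_login(buf):
    """Parse a type 121 or type 127 User Login Information data block into a dict."""
    if len(buf) < HDR:
        raise BlockError("buffer shorter than a block header")
    btype, blen = struct.unpack("!II", buf[:HDR])
    if btype not in (LOGIN_BLOCK_V50, LOGIN_BLOCK_V51):
        raise BlockError(f"unsupported block type {btype}")
    if blen < HDR or blen > len(buf):
        raise BlockError(f"block length {blen} does not fit buffer of {len(buf)} bytes")
    r = Reader(buf, blen)          # every nested read is bounded by the outer length
    r.take(HDR)
    out = {"block_type": btype, "timestamp": r.u32()}
    ipv4 = ipaddress.IPv4Address(r.take(4))
    out["username"] = r.string_block()
    out["user_id"] = r.u32()
    out["application_id"] = r.u32()
    out["email"] = r.string_block()
    if btype == LOGIN_BLOCK_V50:
        out["ip"] = str(ipv4)
    else:
        # In type 127 the IPv4 field is reserved; the address is in the IPv6 field.
        ipv6 = ipaddress.IPv6Address(r.take(16))
        # Assumption: IPv4 hosts are encoded as IPv4-mapped IPv6 addresses.
        out["ip"] = str(ipv6.ipv4_mapped or ipv6)
        out["login_type"] = r.u8()
        out["reported_by"] = r.string_block()
    if r.pos != blen:
        raise BlockError(f"{blen - r.pos} unparsed bytes left in block")
    return out


def make_string_block(text):
    """Build a String data block (helper for the constructed sample)."""
    data = text.encode("utf-8")
    return struct.pack("!II", STRING_BLOCK, HDR + len(data)) + data


def build_sample_v51():
    """Constructed type 127 block; every value here is made up for illustration."""
    body = struct.pack("!II", 1400000000, 0)            # Timestamp, reserved IPv4
    body += make_string_block("jdoe")                   # Username
    body += struct.pack("!II", 42, 7)                   # User ID, Application ID
    body += make_string_block("jdoe@example.com")       # Email
    body += ipaddress.IPv6Address("::ffff:192.0.2.10").packed
    body += bytes([1])                                  # Login Type (constructed value)
    body += make_string_block("dc01.example.com")       # Reported By
    return struct.pack("!II", LOGIN_BLOCK_V51, HDR + len(body)) + body
```

A client that catches `BlockError` can drop the malformed message and keep the stream open instead of indexing past the end of the buffer on a bad length field.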

User Login Information Data Block 6.0.x

The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Account Update Message Data Block.

The User Login Information data block has a block type of 159 for version 6.0.x. It has new ISE integration endpoint profile and Security Intelligence fields.

The User Login Information data block has a block type of 73 for version 4.7 - 4.10.x, a block type of 121 in the series 1 group of blocks for version 5.0 - 5.0.2, and a block type of 127 in the series 1 group of blocks for version 5.1+. See User Login Information Data Block 5.1-5.4.x for more information.

The graphic below shows the format of the User Login Information data block:

 

Each row of the diagram is 32 bits wide (bytes 0 - 3, bits 0 - 31). The fields appear in the following order:

  • User Login Information Block Type (159)
  • User Login Information Block Length
  • Timestamp
  • IPv4 Address
  • User Name: String Block Type (0), String Block Length, User Name...
  • Domain: String Block Type (0), String Block Length, Domain...
  • User ID
  • Realm ID
  • Endpoint Profile ID
  • Security Group ID
  • Protocol
  • Email: String Block Type (0), String Block Length, Email...
  • IPv6 Address (four rows)
  • Location IPv6 Address (four rows)
  • Login Type, Auth. Type
  • Reported By: String Block Type (0), String Block Length, Reported By... (the type and length fields each continue onto the next row)

The following table describes the components of the User Login Information data block.

 

Table B-22 User Login Information Data Block Fields

Field
Data Type
Description

User Login Information Block Type

uint32

Initiates a User Login Information data block. This value is 159 for version 6.0.x.

User Login Information Block Length

uint32

Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows.

Timestamp

uint32

Timestamp of the event.

IPv4 Address

uint32

This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information.

String Block Type

uint32

Initiates a String data block containing the username for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username.

Username

string

The user name for the user.

String Block Type

uint32

Initiates a String data block containing the domain. This value is always 0.

String Block Length

uint32

Number of bytes in the domain String data block, including eight bytes for the block type and length fields, plus the number of bytes in the domain.

Domain

string

Domain in which the user logged in.

User ID

uint32

Identification number of the user.

Realm ID

uint32

Integer ID which corresponds to an identity realm.

Endpoint Profile ID

uint32

ID number of the type of device used by the connection endpoint. This is unique for each DC and resolved in metadata.

Security Group ID

uint32

ID number of the network traffic group.

Protocol

uint32

Protocol used to detect or report the user. Possible values are:

  • 165 - FTP
  • 426 - SIP
  • 547 - AOL Instant Messenger
  • 683 - IMAP
  • 710 - LDAP
  • 767 - NTP
  • 773 - Oracle Database
  • 788 - POP3
  • 1755 - MDNS

String Block Type

uint32

Initiates a String data block containing the email address for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address.

Email

string

The email address for the user.

IPv6 Address

uint8[16]

IPv6 address from the host where the user was detected logging in, in IP address octets.

Location IPv6 Address

uint8[16]

Most recent IP address on which the user logged in. Can be either an IPv4 or IPv6 address.

Login Type

uint8

The type of user login detected.

Authentication Type

uint8

Type of authentication used by the user. Values may be:

  • 0 - no authorization required
  • 1 - passive authentication, AD agent, or ISE session
  • 2 - captive portal successful authentication
  • 3 - captive portal guest authentication
  • 4 - captive portal failed authentication

String Block Type

uint32

Initiates a String data block containing the Reported By value. This value is always 0.

String Block Length

uint32

Number of bytes in the Reported By String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Reported By field.

Reported By

string

The name of the Active Directory server reporting a login.

User Login Information Data Block 6.1.x

The User Login Information data block has a block type of 165 in the series 1 group of blocks for version 6.1+. It has new port and tunneling fields. It supersedes block type 159. See User Login Information Data Block 6.0.x for more information. It is superseded by block type 167.

The graphic below shows the format of the User Login Information data block:

 

Each row of the diagram is 32 bits wide (bytes 0 - 3, bits 0 - 31). The fields appear in the following order:

  • User Login Information Block Type (165)
  • User Login Information Block Length
  • Timestamp
  • IPv4 Address
  • User Name: String Block Type (0), String Block Length, User Name...
  • Domain: String Block Type (0), String Block Length, Domain...
  • User ID
  • Realm ID
  • Endpoint Profile ID
  • Security Group ID
  • Protocol
  • Port, Range Start
  • Start Port, End Port
  • Email: String Block Type (0), String Block Length, Email...
  • IPv6 Address (four rows)
  • Location IPv6 Address (four rows)
  • Login Type, Auth. Type
  • Reported By: String Block Type (0), String Block Length, Reported By... (the type and length fields each continue onto the next row)

The following table describes the components of the User Login Information data block.

 

Table B-23 User Login Information Data Block Fields

Field
Data Type
Description

User Login Information Block Type

uint32

Initiates a User Login Information data block. This value is 165 for version 6.1+.

User Login Information Block Length

uint32

Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows.

Timestamp

uint32

Timestamp of the event.

IPv4 Address

uint32

This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information.

String Block Type

uint32

Initiates a String data block containing the username for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username.

Username

string

The user name for the user.

String Block Type

uint32

Initiates a String data block containing the domain. This value is always 0.

String Block Length

uint32

Number of bytes in the domain String data block, including eight bytes for the block type and length fields, plus the number of bytes in the domain.

Domain

string

Domain in which the user logged in.

User ID

uint32

Identification number of the user.

Realm ID

uint32

Integer ID which corresponds to an identity realm.

Endpoint Profile ID

uint32

ID number of the type of device used by the connection endpoint. This is unique for each DC and resolved in metadata.

Security Group ID

uint32

ID number of the network traffic group.

Protocol

uint32

Protocol used to detect or report the user. Possible values are:

  • 165 - FTP
  • 426 - SIP
  • 547 - AOL Instant Messenger
  • 683 - IMAP
  • 710 - LDAP
  • 767 - NTP
  • 773 - Oracle Database
  • 788 - POP3
  • 1755 - MDNS

Port

uint16

The port number on which the user was detected.

Range Start

uint16

The start port in the port range used by the TS Agent.

Start Port

uint16

The start port in the range the TS Agent assigned to the individual user.

End Port

uint16

The end port in the range the TS Agent assigned to the individual user.

String Block Type

uint32

Initiates a String data block containing the email address for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address.

Email

string

The email address for the user.

IPv6 Address

uint8[16]

IPv6 address from the host where the user was detected logging in, in IP address octets.

Location IPv6 Address

uint8[16]

Most recent IP address on which the user logged in. Can be either an IPv4 or IPv6 address.

Login Type

uint8

The type of user login detected.

Authentication Type

uint8

Type of authentication used by the user. Values may be:

  • 0 - no authorization required
  • 1 - passive authentication, AD agent, or ISE session
  • 2 - captive portal successful authentication
  • 3 - captive portal guest authentication
  • 4 - captive portal failed authentication

String Block Type

uint32

Initiates a String data block containing the Reported By value. This value is always 0.

String Block Length

uint32

Number of bytes in the Reported By String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Reported By field.

Reported By

string

The name of the Active Directory server reporting a login.
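The field order in Tables B-22 and B-23 translates into a bounds-checked parser like the one below. This is an added example, not code from the eStreamer SDK; it assumes network byte order, UTF-8 string contents, and that an IPv4 address arrives in the IPv6 Address field as an IPv4-mapped address. The names `Reader`, `BlockError`, `parse_user_login` and `sample_block` are hypothetical, and the sample bytes are constructed.

```python
import ipaddress
import struct

AUTH_TYPES = {  # Authentication Type values from the field table
    0: "no authorization required",
    1: "passive authentication, AD agent, or ISE session",
    2: "captive portal successful authentication",
    3: "captive portal guest authentication",
    4: "captive portal failed authentication",
}


class BlockError(ValueError):
    """A declared type or length disagrees with the bytes actually present."""


class Reader:
    """Cursor over one data block that refuses to read past the block's end."""

    def __init__(self, data, start, end):
        self.data, self.pos, self.end = data, start, end

    def take(self, n):
        if self.pos + n > self.end:
            raise BlockError(f"{n}-byte read at offset {self.pos} overruns the block")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def unpack(self, fmt):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))

    def string_block(self):
        # String data block: type (always 0), length (counts its own 8 header bytes), text.
        block_type, length = self.unpack(">II")
        if block_type != 0:
            raise BlockError(f"expected String block type 0, got {block_type}")
        if length < 8:
            raise BlockError(f"String block length {length} is smaller than its header")
        return self.take(length - 8).decode("utf-8", errors="replace")


def address(raw):
    """Render 16 address octets; an IPv4-mapped value prints as IPv4 (assumption)."""
    ip = ipaddress.IPv6Address(raw)
    return str(ip.ipv4_mapped or ip)


def parse_user_login(buf):
    """Parse one User Login Information block of type 159 (6.0.x) or 165 (6.1.x)."""
    if len(buf) < 8:
        raise BlockError("buffer is shorter than a block header")
    block_type, length = struct.unpack(">II", buf[:8])
    if block_type not in (159, 165):
        raise BlockError(f"unsupported block type {block_type}")
    if length < 8 or length > len(buf):
        raise BlockError(f"block length {length} does not fit the {len(buf)}-byte buffer")
    r = Reader(buf, 8, length)
    rec = {"block_type": block_type}
    rec["timestamp"], _reserved_ipv4 = r.unpack(">II")
    rec["username"] = r.string_block()
    rec["domain"] = r.string_block()
    (rec["user_id"], rec["realm_id"], rec["endpoint_profile_id"],
     rec["security_group_id"], rec["protocol"]) = r.unpack(">5I")
    if block_type == 165:  # port and TS Agent range fields exist only in type 165
        (rec["port"], rec["range_start"],
         rec["start_port"], rec["end_port"]) = r.unpack(">4H")
    rec["email"] = r.string_block()
    rec["ipv6_address"] = address(r.take(16))
    rec["location_ipv6_address"] = address(r.take(16))
    rec["login_type"], auth = r.unpack(">BB")
    rec["auth_type"] = AUTH_TYPES.get(auth, f"unknown ({auth})")
    rec["reported_by"] = r.string_block()
    if r.pos != length:
        raise BlockError(f"{length - r.pos} undeclared bytes left inside the block")
    return rec


def string_bytes(text):
    """Encode text as a String data block (type 0, length includes the header)."""
    raw = text.encode()
    return struct.pack(">II", 0, 8 + len(raw)) + raw


def sample_block():
    """Constructed sample (not captured traffic): one block of type 165."""
    host = ipaddress.IPv6Address("::ffff:192.0.2.10").packed
    body = struct.pack(">II", 1500000000, 0) + string_bytes("alice") + string_bytes("corp")
    body += struct.pack(">5I", 7, 2, 0, 0, 710) + struct.pack(">4H", 0, 0, 0, 0)
    body += string_bytes("alice@example.com") + host + host
    body += struct.pack(">BB", 0, 1) + string_bytes("dc01.example.com")
    return struct.pack(">II", 165, 8 + len(body)) + body


if __name__ == "__main__":
    print(parse_user_login(sample_block()))
```

Every String Block Length is checked against the enclosing block before any bytes are sliced, so a length field that overstates the data raises `BlockError` instead of reading into the next record.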

User Login Information Data Block 6.1.x

The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Information Update Message Block.

The User Login Information data block has a block type of 165 in the series 1 group of blocks for version 6.1.x. It has new port and tunneling fields. It supersedes block type 159. It is superseded by block type 167. See User Login Information Data Block 6.0.x for more information.

The graphic below shows the format of the User Login Information data block:

 

Each row of the diagram is 32 bits wide (bytes 0 - 3, bits 0 - 31). The fields appear in the following order:

  • User Login Information Block Type (165)
  • User Login Information Block Length
  • Timestamp
  • IPv4 Address
  • User Name: String Block Type (0), String Block Length, User Name...
  • Domain: String Block Type (0), String Block Length, Domain...
  • User ID
  • Realm ID
  • Endpoint Profile ID
  • Security Group ID
  • Protocol
  • Port, Range Start
  • Start Port, End Port
  • Email: String Block Type (0), String Block Length, Email...
  • IPv6 Address (four rows)
  • Location IPv6 Address (four rows)
  • Login Type, Auth. Type
  • Reported By: String Block Type (0), String Block Length, Reported By... (the type and length fields each continue onto the next row)
  • Domain: String Block Type (0), String Block Length, Description...

The following table describes the components of the User Login Information data block.

 

Table B-24 User Login Information Data Block Fields

Field
Data Type
Description

User Login Information Block Type

uint32

Initiates a User Login Information data block. This value is 165 for version 6.2+.

User Login Information Block Length

uint32

Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows.

Timestamp

uint32

Timestamp of the event.

IPv4 Address

uint32

This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information.

String Block Type

uint32

Initiates a String data block containing the username for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username.

Username

string

The user name for the user.

String Block Type

uint32

Initiates a String data block containing the domain. This value is always 0.

String Block Length

uint32

Number of bytes in the domain String data block, including eight bytes for the block type and length fields, plus the number of bytes in the domain.

Domain

string

Domain in which the user logged in.

User ID

uint32

Identification number of the user.

Realm ID

uint32

Integer ID which corresponds to an identity realm.

Endpoint Profile ID

uint32

ID number of the type of device used by the connection endpoint. This is unique for each DC and resolved in metadata.

Security Group ID

uint32

ID number of the network traffic group.

Protocol

uint32

Protocol used to detect or report the user. Possible values are:

  • 165 - FTP
  • 426 - SIP
  • 547 - AOL Instant Messenger
  • 683 - IMAP
  • 710 - LDAP
  • 767 - NTP
  • 773 - Oracle Database
  • 788 - POP3
  • 1755 - MDNS

Port

uint16

The port number on which the user was detected.

Range Start

uint16

The start port in the port range used by the TS Agent.

Start Port

uint16

The start port in the range the TS Agent assigned to the individual user.

End Port

uint16

The end port in the range the TS Agent assigned to the individual user.

String Block Type

uint32

Initiates a String data block containing the email address for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address.

Email

string

The email address for the user.

IPv6 Address

uint8[16]

IPv6 address from the host where the user was detected logging in, in IP address octets.

Location IPv6 Address

uint8[16]

Most recent IP address on which the user logged in. Can be either an IPv4 or IPv6 address.

Login Type

uint8

The type of user login detected.

Authentication Type

uint8

Type of authentication used by the user. Values may be:

  • 0 - no authorization required
  • 1 - passive authentication, AD agent, or ISE session
  • 2 - captive portal successful authentication
  • 3 - captive portal guest authentication
  • 4 - captive portal failed authentication

String Block Type

uint32

Initiates a String data block containing the Reported By value. This value is always 0.

String Block Length

uint32

Number of bytes in the Reported By String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Reported By field.

Reported By

string

The name of the Active Directory server reporting a login.

User Information Data Block for 5.x

The User Information data block is used in User Modification messages and conveys information for a user detected, removed, or dropped. For more information, see User Modification Messages.

The User Information data block has a block type of 75 in the series 1 group of blocks for version 4.7 - 4.10.x and a block type of 120 in the series 1 group of blocks for 5.x. The structures are the same for block types 75 and 120.

The following diagram shows the format of the User Information data block:

 

Each row of the diagram is 32 bits wide (bytes 0 - 3, bits 0 - 31). The fields appear in the following order:

  • User Information Block Type (75 | 120)
  • User Information Block Length
  • User ID
  • User Name: String Block Type (0), String Block Length, User Name...
  • Protocol
  • First Name: String Block Type (0), String Block Length, First Name...
  • Last Name: String Block Type (0), String Block Length, Last Name...
  • Email: String Block Type (0), String Block Length, Email...
  • Department: String Block Type (0), String Block Length, Department...
  • Phone: String Block Type (0), String Block Length, Phone...

The following table describes the components of the User Information data block.

 

Table B-25 User Information Data Block Fields

Field
Data Type
Description

User Information Block Type

uint32

Initiates a User Information data block. This value is 75 for version 4.7 - 4.10.x and 120 for 5.0+.

User Information Block Length

uint32

Total number of bytes in the User Information data block, including eight bytes for the user information block type and length fields plus the number of bytes in the user information data that follows.

User ID

uint32

Identification number of the user.

String Block Type

uint32

Initiates a String data block containing the username for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the username String data block, including eight bytes for the block type and length fields plus the number of bytes in the username.

Username

string

The username for the user.

Protocol

uint32

The protocol for the packet containing the user information.

String Block Type

uint32

Initiates a String data block containing the first name of the user. This value is always 0.

String Block Length

uint32

Number of bytes in the first name String data block, including eight bytes for the block type and length fields plus the number of bytes in the first name.

First Name

string

The first name for the user.

String Block Type

uint32

Initiates a String data block containing the last name for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the user last name String data block, including eight bytes for the block type and length fields, plus the number of bytes in the last name.

Last Name

string

The last name for the user.

String Block Type

uint32

Initiates a String data block containing the email address for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address.

Email

string

The email address for the user.

String Block Type

uint32

Initiates a String data block containing the department for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the department String data block, including eight bytes for the block type and length fields, plus the number of bytes in the department.

Department

string

The department for the user.

String Block Type

uint32

Initiates a String data block containing the phone number for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the phone number String data block, including eight bytes for the block type and length fields, plus the number of bytes in the phone number.

Phone

string

The phone number for the user.

Legacy Host Profile Data Blocks

See the following sections for more information:

Host Profile Data Block for 5.0 - 5.0.2

The following diagram shows the format of a Host Profile data block in versions 5.0 to 5.0.2. The Host Profile data block also does not include a host criticality value, but does include a VLAN presence indicator. In addition, a Host Profile data block can convey a NetBIOS name for the host. This Host Profile data block has a block type of 91.

Note: An asterisk (*) next to a block type field in the following diagram indicates the message may contain zero or more instances of the series 1 data block.


 

Each row of the diagram is 32 bits wide (bytes 0 - 3, bits 0 - 31). The fields appear in the following order:

  • Host Profile Block Type (91)
  • Host Profile Block Length
  • IP Address
  • Hops, Primary/Secondary
  • Server Fingerprints: Generic List Block Type (31), Generic List Block Length, Server Fingerprint Data Blocks* (the type and length fields each continue onto the next row)
  • Client Fingerprints: Generic List Block Type (31), Generic List Block Length, Client Fingerprint Data Blocks*
  • SMB Fingerprints: Generic List Block Type (31), Generic List Block Length, SMB Fingerprint Data Blocks*
  • DHCP Fingerprints: Generic List Block Type (31), Generic List Block Length, DHCP Fingerprint Data Blocks*
  • List of TCP Servers: List Block Type (11), List Block Length
  • TCP Server Block*: Server Block Type (36), Server Block Length, TCP Server Data...
  • List of UDP Servers: List Block Type (11), List Block Length
  • UDP Server Block*: Server Block Type (36)*, Server Block Length, UDP Server Data...
  • List of Network Protocols: List Block Type (11), List Block Length
  • Network Protocol Block*: Protocol Block Type (4)*, Protocol Block Length, Network Protocol Data...
  • List of Transport Protocols: List Block Type (11), List Block Length
  • Transport Protocol Block*: Protocol Block Type (4)*, Protocol Block Length, Transport Protocol Data...
  • List of MAC Addresses: List Block Type (11), List Block Length
  • MAC Address Block*: MAC Address Block Type (95)*, MAC Address Block Length, MAC Address Data...
  • Host Last Seen
  • Host Type
  • VLAN Presence, VLAN ID, VLAN Type
  • VLAN Priority
  • List of Client Applications: Generic List Block Type (31), Generic List Block Length (the type and length fields each continue onto the next row)
  • Client App Data: Client Application Block Type (112)* (its continuation row is labeled Client App Block Type (29)*), Client Application Block Length, Client Application Data...
  • NetBIOS Name: String Block Type (0), String Block Length, NetBIOS String Data...

The following table describes the fields of the host profile data block returned by version 4.9 to version 5.0.2.

 

Table B-26 Host Profile Data Block for 5.0 - 5.0.2 Fields

Field
Data Type
Description

Host Profile Block Type

uint32

Initiates the Host Profile data block for 4.9 to 5.0.2. This data block has a block type of 91.

Host Profile Block Length

uint32

Number of bytes in the Host Profile data block, including eight bytes for the host profile block type and length fields, plus the number of bytes included in the host profile data that follows.

IP Address

uint8[4]

IP address of the host described in the profile, in IP address octets.

Hops

uint8

Number of hops from the host to the device.

Primary/ Secondary

uint8

Indicates whether the host is in the primary or secondary network of the device that detected it:

  • 0 — Host is in the primary network.
  • 1 — Host is in the secondary network.

Generic List Block Type

uint32

Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a server fingerprint. This value is always 31.

Generic List Block Length

uint32

Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.

Operating System Fingerprint (Server Fingerprint) Data Blocks *

variable

Operating System Fingerprint data blocks containing information about the operating system on a host identified using a server fingerprint. See Operating System Fingerprint Data Block for 5.0 - 5.0.2 for a description of this data block.

Generic List Block Type

uint32

Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a client fingerprint. This value is always 31.

Generic List Block Length

uint32

Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.

Operating System Fingerprint (Client Fingerprint) Data Blocks *

variable

Operating System Fingerprint data blocks containing information about the operating system on a host identified using a client fingerprint. See Operating System Fingerprint Data Block for 5.0 - 5.0.2 for a description of this data block.

Generic List Block Type

uint32

Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an SMB fingerprint. This value is always 31.

Generic List Block Length

uint32

Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.

Operating System Fingerprint (SMB Fingerprint) Data Blocks *

variable

Operating System Fingerprint data blocks containing information about the operating system on a host identified using an SMB fingerprint. See Operating System Fingerprint Data Block for 5.0 - 5.0.2 for a description of this data block.

Generic List Block Type

uint32

Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a DHCP fingerprint. This value is always 31.

Generic List Block Length

uint32

Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.

Operating System Fingerprint (DHCP Fingerprint) Data Blocks *

variable

Operating System Fingerprint data blocks containing information about the operating system on a host identified using a DHCP fingerprint. See Operating System Fingerprint Data Block for 5.0 - 5.0.2 for a description of this data block.

List Block Type

uint32

Initiates a List data block comprising Server data blocks conveying TCP server data. This value is always 11.

List Block Length

uint32

Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Server data blocks.

This field is followed by zero or more Server data blocks.

Server Block Type

uint32

Initiates a Server data block. This value is always 89.

Server Block Length

uint32

Number of bytes in the Server data block, including eight bytes for the server block type and length fields, plus the number of bytes of TCP server data that follows.

TCP Server Data

variable

Data fields describing a TCP server (as documented for earlier versions of the product).

List Block Type

uint32

Initiates a List data block comprising Server data blocks conveying UDP server data. This value is always 11.

List Block Length

uint32

Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Server data blocks.

This field is followed by zero or more Server data blocks.

Server Block Type

uint32

Initiates a Server data block describing a UDP server. This value is always 89.

Server Block Length

uint32

Number of bytes in the Server data block, including eight bytes for the server block type and length fields, plus the number of bytes of UDP server data that follows.

UDP Server Data

variable

Data fields describing a UDP server (as documented for earlier versions of the product).

List Block Type

uint32

Initiates a List data block comprising Protocol data blocks conveying network protocol data. This value is always 11.

List Block Length

uint32

Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Protocol data blocks.

This field is followed by zero or more Protocol data blocks.

Protocol Block Type

uint32

Initiates a Protocol data block describing a network protocol. This value is always 4.

Protocol Block Length

uint32

Number of bytes in the Protocol data block, including eight bytes for the protocol block type and length fields, plus the number of bytes in the protocol data that follows.

Network Protocol Data

uint16

Data field containing a network protocol number, as documented in Protocol Data Block.

List Block Type

uint32

Initiates a List data block comprising Protocol data blocks conveying transport protocol data. This value is always 11.

List Block Length

uint32

Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Protocol data blocks.

This field is followed by zero or more transport protocol data blocks.

Protocol Block Type

uint32

Initiates a Protocol data block describing a transport protocol. This value is always 4.

Protocol Block Length

uint32

Number of bytes in the protocol data block, including eight bytes for the protocol block type and length, plus the number of bytes in the protocol data that follows.

Transport Protocol Data

variable

Data field containing a transport protocol number, as documented in Protocol Data Block.

List Block Type

uint32

Initiates a List data block comprising MAC Address data blocks. This value is always 11.

List Block Length

uint32

Number of bytes in the list, including the list header and all encapsulated MAC Address data blocks.

Host MAC Address Block Type

uint32

Initiates a Host MAC Address data block. This value is always 95.

Host MAC Address Block Length

uint32

Number of bytes in the Host MAC Address data block, including eight bytes for the Host MAC address block type and length fields, plus the number of bytes in the Host MAC address data that follows.

Host MAC Address Data

variable

Host MAC address data fields described in Host MAC Address 4.9+.

Host Last Seen

uint32

UNIX timestamp that represents the last time the system detected host activity.

Host Type

uint32

Indicates the host type. The following values may appear:

  • 0 — Host
  • 1 — Router
  • 2 — Bridge
  • 3 — NAT device
  • 4 — LB (load balancer)

VLAN Presence

uint8

Indicates whether a VLAN is present:

  • 0 — Yes
  • 1 — No

VLAN ID

uint16

VLAN identification number that indicates which VLAN the host is a member of.

VLAN Type

uint8

Type of packet encapsulated in the VLAN tag.

VLAN Priority

uint8

Priority value included in the VLAN tag.

Generic List Block Type

uint32

Initiates a Generic List data block comprising Client Application data blocks conveying client application data. This value is always 31.

Generic List Block Length

uint32

Number of bytes in the Generic List data block, including the list header and all encapsulated client application data blocks.

Client Application Block Type

uint32

Initiates a client application block. This value is always 5.

Client Application Block Length

uint32

Number of bytes in the client application block, including eight bytes for the client application block type and length fields, plus the number of bytes in the client application data that follows.

Client Application Data

variable

Client application data fields describing a client application, as documented in Host Client Application Data Block for 5.0+.

String Block Type

uint32

Initiates a string data block for the NetBIOS name. This value is set to 0 to indicate string data.

String Block Length

uint32

Indicates the number of bytes in the NetBIOS name data block, including eight bytes for the string block type and length, plus the number of bytes in the NetBIOS name.

NetBIOS String Data

Variable

Contains the NetBIOS name of the host described in the host profile.

Legacy OS Fingerprint Data Blocks

See the following sections for more information:

Operating System Fingerprint Data Block for 5.0 - 5.0.2

The Operating System Fingerprint data block has a block type of 87. The block includes a fingerprint Universally Unique Identifier (UUID), as well as the fingerprint type, the fingerprint source type, and the fingerprint source ID. The following diagram shows the format of an Operating System Fingerprint data block for version 5.0 to version 5.0.2.

 

Each row of the diagram is 32 bits wide (bytes 0 - 3, bits 0 - 31). The fields appear in the following order:

  • Operating System Fingerprint Block Type (87)
  • Operating System Fingerprint Block Length
  • OS Fingerprint UUID: Fingerprint UUID (four rows)
  • Fingerprint Type
  • Fingerprint Source Type
  • Fingerprint Source ID
  • Last Seen Value for Fingerprint
  • TTL Difference

The following table describes the fields of the operating system fingerprint data block.

 

Table B-27 Operating System Fingerprint Data Block Fields

| Field | Data Type | Description |
| --- | --- | --- |
| Operating System Fingerprint Data Block Type | uint32 | Initiates the operating system data block. This value is always 87. |
| Operating System Data Block Length | uint32 | Number of bytes in the Operating System Fingerprint data block. This value should always be 41: eight bytes for the data block type and length fields, sixteen bytes for the fingerprint UUID value, four bytes for the fingerprint type, four bytes for the fingerprint source type, four bytes for the fingerprint source ID, four bytes for the last seen value, and one byte for the TTL difference. |
| Fingerprint UUID | uint8[16] | Fingerprint identification number, in octets, that acts as a unique identifier for the operating system. The fingerprint UUID maps to the operating system name, vendor, and version in the vulnerability database (VDB). |
| Fingerprint Type | uint32 | Indicates the type of fingerprint. |
| Fingerprint Source Type | uint32 | Indicates the type (i.e., user or scanner) of the source that supplied the operating system fingerprint. |
| Fingerprint Source ID | uint32 | Indicates the ID of the source that supplied the operating system fingerprint. |
| Last Seen | uint32 | Indicates when the fingerprint was last seen in traffic. |
| TTL Difference | uint8 | Indicates the difference between the TTL value in the fingerprint and the TTL value seen in the packet used to fingerprint the host. |

Legacy Connection Data Structures

For more information, see the following sections:

Connection Statistics Data Block 5.0 - 5.0.2

The Connection Statistics data block is used in Connection Data messages. The Connection Statistics data block for version 5.0 - 5.0.2 has a block type of 115.

For more information on the Connection Statistics Data message, see Connection Statistics Data Message.

The following diagram shows the format of a Connection Statistics data block for 5.0 - 5.0.2:

Diagram layout (32 bits, bytes 0 - 3, per row), fields in order: Connection Data Block Type (115); Connection Data Block Length; Device ID; Ingress Zone (four rows); Egress Zone (four rows); Ingress Interface (four rows); Egress Interface (four rows); Initiator IP Address (four rows); Responder IP Address (four rows); Policy Revision (four rows); Rule ID; Rule Action; Initiator Port and Responder Port (one row); TCP Flags, Protocol, and the start of NetFlow Source (one row); NetFlow Source, continued; First Packet Timestamp; Last Packet Timestamp; Packets Sent; Packets Received; Bytes Sent; Bytes Received; User ID; Application Protocol ID; URL Category; URL Reputation; Client Application ID; Web Application ID; Client Application URL string block (String Block Type (0), String Block Length, Client Application URL...); NetBIOS Name string block (String Block Type (0), String Block Length, NetBIOS Name...); Client Application Version string block (String Block Type (0), String Block Length, Client Application Version...).

After the one-byte Protocol field, the diagram draws each field from NetFlow Source through Web Application ID as starting in the last byte of one row and continuing in the rows that follow.

The following table describes the fields of the Connection Statistics data block for 5.0 - 5.0.2.

 

Table B-28 Connection Statistics Data Block 5.0 - 5.0.2 Fields

| Field | Data Type | Description |
| --- | --- | --- |
| Connection Statistics Data Block Type | uint32 | Initiates a Connection Statistics data block for 5.0 to 5.0.2. The value is always 115. |
| Connection Statistics Data Block Length | uint32 | Number of bytes in the Connection Statistics data block, including eight bytes for the connection statistics block type and length fields, plus the number of bytes in the connection data that follows. |
| Device ID | uint32 | The device that detected the connection event. |
| Ingress Zone | uint8[16] | Ingress security zone in the event that triggered the policy violation. |
| Egress Zone | uint8[16] | Egress security zone in the event that triggered the policy violation. |
| Ingress Interface | uint8[16] | Interface for the inbound traffic. |
| Egress Interface | uint8[16] | Interface for the outbound traffic. |
| Initiator IP Address | uint8[16] | IP address of the host that initiated the session described in the connection event, in IP address octets. |
| Responder IP Address | uint8[16] | IP address of the host that responded to the initiating host, in IP address octets. |
| Policy Revision | uint8[16] | Revision number of the rule associated with the triggered correlation event, if applicable. |
| Rule ID | uint32 | Internal identifier for the rule that triggered the event, if applicable. |
| Rule Action | uint32 | The action selected in the user interface for that rule (allow, block, and so forth). |
| Initiator Port | uint16 | Port used by the initiating host. |
| Responder Port | uint16 | Port used by the responding host. |
| TCP Flags | uint16 | Indicates any TCP flags for the connection event. |
| Protocol | uint8 | The IANA-specified protocol number. |
| NetFlow Source | uint8[16] | IP address of the NetFlow-enabled device that exported the data for the connection. |
| First Packet Timestamp | uint32 | UNIX timestamp of the date and time the first packet was exchanged in the session. |
| Last Packet Timestamp | uint32 | UNIX timestamp of the date and time the last packet was exchanged in the session. |
| Packets Sent | uint64 | Number of packets transmitted by the initiating host. |
| Packets Received | uint64 | Number of packets transmitted by the responding host. |
| Bytes Sent | uint64 | Number of bytes transmitted by the initiating host. |
| Bytes Received | uint64 | Number of bytes transmitted by the responding host. |
| User ID | uint32 | Internal identification number for the user who last logged into the host that generated the traffic. |
| Application Protocol ID | uint32 | Application ID of the application protocol. |
| URL Category | uint32 | The internal identification number of the URL category. |
| URL Reputation | uint32 | The internal identification number for the URL reputation. |
| Client Application ID | uint32 | The internal identification number of the detected client application, if applicable. |
| Web Application ID | uint32 | The internal identification number of the detected web application, if applicable. |
| String Block Type | uint32 | Initiates a String data block for the client application URL. This value is always 0. |
| String Block Length | uint32 | Number of bytes in the client application URL String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the client application URL string. |
| Client Application URL | string | URL the client application accessed, if applicable (/files/index.html, for example). |
| String Block Type | uint32 | Initiates a String data block for the host NetBIOS name. This value is always 0. |
| String Block Length | uint32 | Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name string. |
| NetBIOS Name | string | Host NetBIOS name string. |
| String Block Type | uint32 | Initiates a String data block for the client application version. This value is always 0. |
| String Block Length | uint32 | Number of bytes in the String data block for the client application version, including eight bytes for the string block type and length, plus the number of bytes in the version. |
| Client Application Version | string | Client application version. |

Connection Statistics Data Block 5.1

The Connection Statistics data block is used in Connection Data messages. Changes to the Connection data block between 5.0.2 and 5.1 include the addition of new fields with configuration parameters introduced in 5.1 (rule action reason, monitor rules, Security Intelligence source/destination, Security Intelligence layer). The Connection Statistics data block for version 5.1 has a block type of 126.

For more information on the Connection Statistics Data message, see Connection Statistics Data Message.

The following diagram shows the format of a Connection Statistics data block for 5.1:

Diagram layout (32 bits, bytes 0 - 3, per row), fields in order: Connection Data Block Type (126); Connection Data Block Length; Device ID; Ingress Zone (four rows); Egress Zone (four rows); Ingress Interface (four rows); Egress Interface (four rows); Initiator IP Address (four rows); Responder IP Address (four rows); Policy Revision (four rows); Rule ID; Rule Action and Rule Reason (one row); Initiator Port and Responder Port (one row); TCP Flags, Protocol, and the start of NetFlow Source (one row); NetFlow Source, continued; First Packet Timestamp; Last Packet Timestamp; Initiator Transmitted Packets; Responder Transmitted Packets; Initiator Transmitted Bytes; Responder Transmitted Bytes; User ID; Application Protocol ID; URL Category; URL Reputation; Client Application ID; Web Application ID; Client Application URL string block (String Block Type (0), String Block Length, Client Application URL...); NetBIOS Name string block (String Block Type (0), String Block Length, NetBIOS Name...); Client Application Version string block (String Block Type (0), String Block Length, Client Application Version...); Monitor Rule 1 through Monitor Rule 8 (one row each); Sec. Int. Src/Dst and Sec. Int. Rep Layer (one row).

After the one-byte Protocol field, the diagram draws each field from NetFlow Source through Web Application ID as starting in the last byte of one row and continuing in the rows that follow.

 

The following table describes the fields of the Connection Statistics data block for 5.1.

 

Table B-29 Connection Statistics Data Block 5.1 Fields

| Field | Data Type | Description |
| --- | --- | --- |
| Connection Statistics Data Block Type | uint32 | Initiates a Connection Statistics data block for 5.1. The value is always 126. |
| Connection Statistics Data Block Length | uint32 | Number of bytes in the Connection Statistics data block, including eight bytes for the connection statistics block type and length fields, plus the number of bytes in the connection data that follows. |
| Device ID | uint32 | The device that detected the connection event. |
| Ingress Zone | uint8[16] | Ingress security zone in the event that triggered the policy violation. |
| Egress Zone | uint8[16] | Egress security zone in the event that triggered the policy violation. |
| Ingress Interface | uint8[16] | Interface for the inbound traffic. |
| Egress Interface | uint8[16] | Interface for the outbound traffic. |
| Initiator IP Address | uint8[16] | IP address of the host that initiated the session described in the connection event, in IP address octets. |
| Responder IP Address | uint8[16] | IP address of the host that responded to the initiating host, in IP address octets. |
| Policy Revision | uint8[16] | Revision number of the rule associated with the triggered correlation event, if applicable. |
| Rule ID | uint32 | Internal identifier for the rule that triggered the event, if applicable. |
| Rule Action | uint16 | The action selected in the user interface for that rule (allow, block, and so forth). |
| Rule Reason | uint16 | The reason the rule triggered the event. |
| Initiator Port | uint16 | Port used by the initiating host. |
| Responder Port | uint16 | Port used by the responding host. |
| TCP Flags | uint16 | Indicates any TCP flags for the connection event. |
| Protocol | uint8 | The IANA-specified protocol number. |
| NetFlow Source | uint8[16] | IP address of the NetFlow-enabled device that exported the data for the connection. |
| First Packet Timestamp | uint32 | UNIX timestamp of the date and time the first packet was exchanged in the session. |
| Last Packet Timestamp | uint32 | UNIX timestamp of the date and time the last packet was exchanged in the session. |
| Initiator Transmitted Packets | uint64 | Number of packets transmitted by the initiating host. |
| Responder Transmitted Packets | uint64 | Number of packets transmitted by the responding host. |
| Initiator Transmitted Bytes | uint64 | Number of bytes transmitted by the initiating host. |
| Responder Transmitted Bytes | uint64 | Number of bytes transmitted by the responding host. |
| User ID | uint32 | Internal identification number for the user who last logged into the host that generated the traffic. |
| Application Protocol ID | uint32 | Application ID of the application protocol. |
| URL Category | uint32 | The internal identification number of the URL category. |
| URL Reputation | uint32 | The internal identification number for the URL reputation. |
| Client Application ID | uint32 | The internal identification number of the detected client application, if applicable. |
| Web Application ID | uint32 | The internal identification number of the detected web application, if applicable. |
| String Block Type | uint32 | Initiates a String data block for the client application URL. This value is always 0. |
| String Block Length | uint32 | Number of bytes in the client application URL String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the client application URL string. |
| Client Application URL | string | URL the client application accessed, if applicable (/files/index.html, for example). |
| String Block Type | uint32 | Initiates a String data block for the host NetBIOS name. This value is always 0. |
| String Block Length | uint32 | Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name string. |
| NetBIOS Name | string | Host NetBIOS name string. |
| String Block Type | uint32 | Initiates a String data block for the client application version. This value is always 0. |
| String Block Length | uint32 | Number of bytes in the String data block for the client application version, including eight bytes for the string block type and length, plus the number of bytes in the version. |
| Client Application Version | string | Client application version. |
| Monitor Rule 1 | uint32 | The ID of the first monitor rule associated with the connection event. |
| Monitor Rule 2 | uint32 | The ID of the second monitor rule associated with the connection event. |
| Monitor Rule 3 | uint32 | The ID of the third monitor rule associated with the connection event. |
| Monitor Rule 4 | uint32 | The ID of the fourth monitor rule associated with the connection event. |
| Monitor Rule 5 | uint32 | The ID of the fifth monitor rule associated with the connection event. |
| Monitor Rule 6 | uint32 | The ID of the sixth monitor rule associated with the connection event. |
| Monitor Rule 7 | uint32 | The ID of the seventh monitor rule associated with the connection event. |
| Monitor Rule 8 | uint32 | The ID of the eighth monitor rule associated with the connection event. |
| Security Intelligence Source/Destination | uint8 | Whether the source or destination IP address matched the IP block list. |
| Security Intelligence Layer | uint8 | The IP layer that matched the IP block list. |
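The 5.0 - 5.0.2 and 5.1 layouts differ only in how the four bytes after Rule ID are split and in the fields that follow the three String blocks, so a single length-checked parser can handle block types 115 and 126. The Python below is an added example, not Cisco's client code; it assumes network byte order, no padding between fields, and IPv4 addresses carried as IPv4-mapped IPv6 in the 16-byte address fields. The names parse_connection_stats and build_sample and every sample value are constructed for illustration.

```python
import ipaddress
import struct

# Assumptions: network byte order, no padding, IPv4 stored as IPv4-mapped IPv6.
HEADER = struct.Struct(">II")                      # block type, block length
_HEAD = "I" + "16s" * 7 + "I"                      # Device ID .. Rule ID
_TAIL = "HHHB16sII" + "Q" * 4 + "I" * 6            # Initiator Port .. Web Application ID
FIXED = {115: struct.Struct(">" + _HEAD + "I" + _TAIL),    # Rule Action is uint32
         126: struct.Struct(">" + _HEAD + "HH" + _TAIL)}   # Rule Action + Rule Reason
TRAILER_126 = struct.Struct(">8IBB")               # Monitor Rule 1-8, SI src/dst, SI layer
HEAD_NAMES = ("device_id ingress_zone egress_zone ingress_interface egress_interface "
              "initiator_ip responder_ip policy_revision rule_id").split()
ACTION_NAMES = {115: ["rule_action"], 126: ["rule_action", "rule_reason"]}
TAIL_NAMES = ("initiator_port responder_port tcp_flags protocol netflow_source "
              "first_packet last_packet initiator_packets responder_packets "
              "initiator_bytes responder_bytes user_id app_protocol_id url_category "
              "url_reputation client_app_id web_app_id").split()

def _ip(raw):
    addr = ipaddress.IPv6Address(raw)
    return str(addr.ipv4_mapped or addr)

def _read_string(buf, off, end):
    """Read one String data block (type 0) that must end at or before `end`."""
    if end - off < HEADER.size:
        raise ValueError("truncated string block header")
    btype, blen = HEADER.unpack_from(buf, off)
    if btype != 0 or blen < HEADER.size or off + blen > end:
        raise ValueError("bad string block type or length")
    return buf[off + HEADER.size:off + blen].decode("utf-8", "replace"), off + blen

def parse_connection_stats(buf):
    """Parse a block of type 115 or 126; raise ValueError on any inconsistency."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated block header")
    btype, blen = HEADER.unpack_from(buf, 0)
    fixed = FIXED.get(btype)
    if fixed is None or blen > len(buf) or blen < HEADER.size + fixed.size:
        raise ValueError("unsupported block type or declared length does not fit")
    names = HEAD_NAMES + ACTION_NAMES[btype] + TAIL_NAMES
    rec = dict(zip(names, fixed.unpack_from(buf, HEADER.size)), block_type=btype)
    for key in ("initiator_ip", "responder_ip", "netflow_source"):
        rec[key] = _ip(rec[key])
    off = HEADER.size + fixed.size
    for key in ("client_app_url", "netbios_name", "client_app_version"):
        rec[key], off = _read_string(buf, off, blen)   # bounded by the outer length
    if btype == 126:                                   # 5.1 fields follow the strings
        if blen - off < TRAILER_126.size:
            raise ValueError("truncated 5.1 trailer")
        *rules, rec["si_source_dest"], rec["si_layer"] = TRAILER_126.unpack_from(buf, off)
        rec["monitor_rules"] = rules
        off += TRAILER_126.size
    if off != blen:
        raise ValueError("bytes left over inside declared block length")
    return rec

def build_sample(btype, url=b"/files/index.html"):
    """Constructed sample block (not captured traffic) for exercising the parser."""
    v4 = lambda s: ipaddress.IPv6Address("::ffff:" + s).packed
    body = FIXED[btype].pack(
        7, *[bytes(16)] * 4, v4("10.0.0.5"), v4("192.0.2.9"), bytes(16), 1001,
        *((2,) if btype == 115 else (2, 0)), 49152, 443, 0x18, 6, bytes(16),
        1357000000, 1357000030, 12, 10, 3400, 5200, 0, 676, 0, 0, 0, 0)
    for s in (url, b"WKSTN01", b"1.0"):
        body += HEADER.pack(0, HEADER.size + len(s)) + s
    if btype == 126:
        body += TRAILER_126.pack(5, 0, 0, 0, 0, 0, 0, 0, 1, 3)
    return HEADER.pack(btype, HEADER.size + len(body)) + body
```

Every inner String block length is checked against the outer block length before any bytes are sliced, so a malformed or hostile length field cannot shift the 5.1 trailer fields onto string data or read past the buffer.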

Connection Statistics Data Block 5.2.x

The connection statistics data block is used in connection data messages. Changes to the connection data block between versions 5.1.1 and 5.2 include the addition of new fields to support geolocation. The connection statistics data block for version 5.2.x has a block type of 144 in the series 1 group of blocks. It deprecates block type 137, Connection Statistics Data Block 5.1.1.x.

For more information on the Connection Statistics Data message, see Connection Statistics Data Message.

The following diagram shows the format of a Connection Statistics data block for 5.2.x:

The diagram is drawn 32 bits (bytes 0 - 3) per row and begins with the following fields, in order: Connection Data Block Type (144); Connection Data Block Length; Device ID; Ingress Zone (four rows); Egress Zone (four rows); Ingress Interface (four rows); Egress Interface (four rows); Initiator IP Address (four rows); Responder IP Address (four rows); Policy Revision (four rows); Rule ID; Rule Action and Rule Reason (one row); Initiator Port and Responder Port (one row); TCP Flags, Protocol, and the start of NetFlow Source (one row); NetFlow Source, continued; Instance ID; Connection Counter; First Packet Timestamp; Last Packet Timestamp; Initiator Transmitted Packets; Responder Transmitted Packets; Initiator Transmitted Bytes; Responder Transmitted Bytes; User ID; Application Protocol ID; URL Category; URL Reputation; Client Application ID; Web Application ID; Client Application URL string block (String Block Type (0), String Block Length, Client App. URL...); NetBIOS Name string block (String Block Type (0), String Block Length, NetBIOS Name...); Client Application Version string block (String Block Type (0), String Block Length, Client Application Version...).

 

Monitor Rule 1

 

Mo