Firepower System Event Streamer Integration Guide, Version 6.7.0
Understanding Discovery & Connection Data Structures
This chapter provides details about the data structures used in eStreamer messages for discovery and connection events, as well as the metadata for those events. Discovery and connection event messages use the same general message format and series of data blocks; the differences are in the contents of data blocks themselves.
Discovery events include two sub-categories of events:
- Host discovery events, which identify new and changed hosts on your managed network, including the applications running on the hosts detected from the contents of the packets, and the host vulnerabilities.
- User events, which report the detection of new users and user activity, such as logins.
Connection events report information about the session traffic between your monitored hosts and all other hosts. Connection information includes the first and last packet of the transaction, source and destination IP address, source and destination port, and the number of packets and bytes sent and received. If applicable, connection events also report the client application and URL involved in the session.
For information about requesting discovery or connection events from the eStreamer server, see Request Flags.
For information about the general structure of eStreamer event data messages, see Understanding the Organization of Event Data Messages.
See the following sections in this chapter for more information about discovery and connection event data structures:
- Discovery and Connection Event Data Messages provides a high-level view of the structure that eStreamer uses for host discovery, user, and connection messages.
- Discovery and Connection Event Record Types describes the record types for discovery and connection events.
- Metadata for Discovery Events describes the metadata records that you can request for context information to convert numeric and coded data to text; for example, convert the user ID in an event to a user name.
- Discovery Event Header 5.2+ describes the structure of the standard event header used in all discovery and connection messages, and the values that can occur in the event type and event subtype fields. The event type and subtype fields further define the structure of the data record carried in the message.
- Host Discovery Structures by Event Type describes the structure of the data record that eStreamer uses for the various host discovery event types.
- User Data Structures by Event Type describes the structure of the data record that eStreamer uses for the various user event types.
- Understanding Discovery (Series 1) Blocks describes the series of data block structures that are used to convey complex records in discovery and connection event messages. Series 1 data blocks also appear in correlation events.
- User Vulnerability Data Block 5.0+ describes other series 1 block structures that are used to convey complex user event records.
Tip See the Data Structure Examples section for examples that illustrate sample discovery events.
Discovery and Connection Event Data Messages
eStreamer packages the data for discovery and connection events in the same message structure, which contains:
- an optional netmap ID
- a record header that defines the record type
- a discovery event header that identifies and characterizes the event, and specifically identifies the event type and subtype. For information, see Discovery Event Header 5.2+.
- a data record consisting of a block header and a data block. Discovery and connection event data messages use series 1 data blocks. For information, see Host Discovery and Connection Data Blocks or User Vulnerability Data Block 5.0+.
Discovery and Connection Event Record Types
The following table lists the event record types for host discovery and connection events, and provides links to the event message structure for each record type. The list includes metadata record types as well. Some records contain a single data block which stores a specific piece of data. These data blocks are broken up into series 1 blocks that contain most types of data, and series 2 blocks that specifically contain discovery data. The table also indicates the status of each version (current or legacy). A current record is the latest version. A legacy record has been superseded by a later version but can still be requested from eStreamer.
Metadata for Discovery Events
You request metadata by metadata version number. For the metadata version that corresponds to your version of the Firepower System, see Understanding Metadata. For important information on how eStreamer streams metadata records, see Metadata Transmission.
For information on the structures of the various metadata records types for host discovery and user event records, see:
- Fingerprint Record
- Client Application Record
- Vulnerability Record
- Criticality Record
- Network Protocol Record
- Attribute Record
- Scan Type Record
- Service Record
- Source Type Record
- Source Application Record
- Source Detector Record
- Third Party Scanner Vulnerability Record
- User Record
- Web Application Record
- Intrusion Policy Name Record
- Access Control Rule Action Record Metadata
- URL Category Record Metadata
- URL Reputation Record Metadata
- Access Control Rule Reason Metadata
- Security Intelligence Category Metadata
- Security Intelligence Source/Destination Record
For metadata records for intrusion and correlation events, see Intrusion Event and Metadata Record Types.
Fingerprint Record
The eStreamer service transmits the fingerprint metadata for an event within a Fingerprint record, the format of which is shown below. (Fingerprint metadata is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 54, indicating a Fingerprint record.
The following table describes the fields in the Fingerprint record.
Client Application Record
The eStreamer service transmits the client application metadata for an event within a Client Application record, the format of which is shown below. (Client application metadata is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 55, indicating a Client Application record.
The following table describes the fields in the Client Application record.
The unique key for this record is the application ID number for the client application.
Vulnerability Record
The eStreamer service transmits metadata containing vulnerability information for an event within a Vulnerability record, the format of which is shown below. (Vulnerability information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 57, indicating a Vulnerability record.
The following table describes the fields in the Vulnerability record.
Criticality Record
The eStreamer service transmits metadata containing host criticality information for an event within a Criticality record, the format of which is shown below. (Criticality information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 58, indicating a Criticality record.
The following table describes the fields in the Criticality record.
The unique key for this record is the criticality ID number.
Network Protocol Record
The eStreamer service transmits metadata containing network protocol information for an event within a Network Protocol record, the format of which is shown below. (Network protocol information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 59, indicating a Network Protocol record.
The following table describes the fields in the Network Protocol record.
The unique key for this record is the network protocol ID number.
Attribute Record
The eStreamer service transmits metadata containing attribute information for an event within an Attribute record, the format of which is shown below. (Attribute information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 60, indicating an Attribute record.
The following table describes the fields in the Attribute record.
The unique key for this record is the attribute ID number.
Scan Type Record
The eStreamer service transmits metadata containing scan type information for an event within a Scan Type record, the format of which is shown below. (Scan type information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 61, indicating a Scan Type record.
The following table describes the fields in the Scan Type record.
The unique key for this record is the scan type ID number.
Service Record
The eStreamer service transmits metadata containing service information for an event within a Service record, the format of which is shown below. The application ID of the service’s application protocol provides the cross-reference to the metadata. (Service information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 63, indicating a Service record.
The following table describes the fields in the Service record.
Source Type Record
The eStreamer service transmits metadata containing information about the source application for an event within a Source Type record, the format of which is shown below. (Source type information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 90, indicating a Source Type record.
The following table describes the fields in the Source Type record.
The unique key for this record is the identification number for the source type.
Source Application Record
The eStreamer service transmits metadata containing information about the source application for a host discovery event within a Source Application record, the format of which is shown below. (Source application information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 91, indicating a Source Application record.
The following table describes the fields in the Source Application record.
The unique key for this record is the ID number for the source application. The record also carries a length field giving the number of bytes included in the source application name.
Source Detector Record
The eStreamer service transmits metadata containing information about the source detector for a host discovery event within a Source Detector record, the format of which is shown below. (Source detector information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 96, indicating a Source Detector record.
The following table describes the fields in the Source Detector record.
The unique key for this record is the ID string for the source detector.
Third Party Scanner Vulnerability Record
The eStreamer service transmits metadata containing third-party vulnerability information for an event within a Third Party Scanner Vulnerability record, the format of which is shown below. (Vulnerability information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 106, indicating a Third Party Scanner Vulnerability record.
The following table describes the fields in the Third Party Scanner Vulnerability record.
User Record
The eStreamer service transmits metadata containing information about users detected by the system within a User record, the format of which is shown below. (User information is sent when the Version 4 metadata flag and the policy event request flag—bits 20 and 22, respectively, in the Request Flags field of a request message—are set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 98, indicating a User record.
The following table describes the fields in the User record.
Web Application Record
The system detects the content of HTTP traffic from websites, if available. Web application metadata for a host discovery event may include the specific type of content (for example, WMV or QuickTime).
The eStreamer service transmits the web application metadata for an event within a Web Application record, the format of which is shown below. (Web application metadata is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 109, indicating a Web Application record.
The following table describes the fields in the Web Application record.
The unique key for this record is the application ID number of the web application.
Intrusion Policy Name Record
The eStreamer service transmits metadata containing intrusion policy name information for a connection event within an Intrusion Policy Name record, the format of which is shown below. (Intrusion policy name information is sent when the version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 118, indicating an Intrusion Policy Name record. It contains a UUID String data block, block type 14 in the series 2 set of data blocks.
The following table describes the fields in the Intrusion Policy Name data block.
Access Control Rule Action Record Metadata
The eStreamer service transmits metadata containing the action associated with a triggered access control rule within an Access Control Rule Action record, the format of which is shown below. (Access Control Rule Action information is sent when the version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 120, indicating an Access Control Rule Action record.
The following table describes the fields in the Access Control Rule Action record.
The unique key for this record is the ID number of the access control rule action.
URL Category Record Metadata
The eStreamer service transmits metadata containing the category name associated with a URL in a connection log within a URL Category record, the format of which is shown below. (URL category information is sent when the version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 121, indicating a URL Category record.
The following table describes the fields in the URL Category record.
The unique key for this record is the ID number of the URL category.
URL Reputation Record Metadata
The eStreamer service transmits metadata containing the reputation (that is, risk level) associated with a URL in a connection log within a URL Reputation record, the format of which is shown below. (URL reputation information is sent when the version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 122, indicating a URL Reputation metadata record.
The following table describes the fields in the URL Reputation record.
The unique key for this record is the ID number of the URL reputation.
Access Control Rule Reason Metadata
The eStreamer service transmits metadata containing information about the reason an access control rule triggered an intrusion event or connection event within an Access Control Rule Reason record, the format of which is shown below. Access control rule reason metadata is sent when the Version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags. Note that the Record Type field, which appears after the Message Length field, has a value of 124, indicating an Access Control Rule Reason record. It contains an Access Control Rule Reason block (as documented in Access Control Rule Reason Data Block 6.0+). The Access Control Rule Reason data block is block type 59 in series 2.
The following table describes the fields in the Access Control Rule Reason data block.
Access Control Policy Metadata
The eStreamer service transmits metadata containing information about the access control policy that triggered an intrusion event or connection event within an Access Control Policy Metadata record, the format of which is shown below. Access control policy metadata is sent when the Version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags. Note that the Record Type field, which appears after the Message Length field, has a value of 145, indicating an Access Control Policy Metadata record. It contains an Access Control Policy Metadata block (as documented in Access Control Policy Metadata Block 6.0+). The Access Control Policy Metadata block is block type 64 in series 2.
The following table describes the fields in the Access Control Policy data block.
Prefilter Policy Metadata
The eStreamer service transmits metadata containing information about the prefilter policy that triggered an intrusion event or connection event within a Prefilter Policy record, the format of which is shown below. Prefilter Policy metadata is sent when the Version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags. Note that the Record Type field, which appears after the Message Length field, has a value of 146, indicating a Prefilter Policy Metadata record. It contains an Access Control Policy Metadata block (as documented in Access Control Policy Metadata Block 6.0+). The Access Control Policy Metadata block is block type 64 in series 2.
The following table describes the fields in the Prefilter Policy Metadata block.
Tunnel or Prefilter Rule Metadata
The eStreamer service transmits metadata containing information about the reason a tunnel or prefilter rule triggered an intrusion event or connection event within a Tunnel or Prefilter Rule Reason record, the format of which is shown below. Tunnel or Prefilter rule reason metadata is sent when the Version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags. Note that the Record Type field, which appears after the Message Length field, has a value of 147, indicating a Tunnel or Prefilter Rule Reason record.
Because the two are identical in content, this record contains an Access Control Rule Reason block (as documented in Access Control Rule Data Block). The Access Control Rule Reason data block is block type 59 in series 2.
The following table describes the fields in the Tunnel or Prefilter Rule metadata block.
Security Intelligence Category Metadata
The eStreamer service transmits metadata containing information about the Security Intelligence category within a Security Intelligence Category record, the format of which is shown below. Security Intelligence Category metadata is sent when the Version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags. Note that the Record Type field, which appears after the Message Length field, has a value of 280, indicating a Security Intelligence Category record. It contains a Security Intelligence Category data block (as documented in Security Intelligence Category Data Block 5.1+). The Security Intelligence Category data block is block type 22 in series 2.
The following table describes the fields in the Security Intelligence Category record.
Security Intelligence Source/Destination Record
The eStreamer service transmits metadata containing whether a Security Intelligence-detected IP address is a source IP address or destination IP address within a Security Intelligence Source/Destination record, the format of which is shown below. (The source/destination IP information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 281, indicating a Security Intelligence Source/Destination record.
The following table describes the fields in the Security Intelligence Source/Destination record.
IOC State Data Block for 5.3+
The IOC State data block provides information about an Indication of Compromise (IOC). It is block type 150 in series 1. The host tracker uses it to store information about a compromise on a host. The following diagram shows the structure of an IOC State data block:
The following table describes the components of the IOC State data block.
IOC Name Data Block for 5.3+
This is a data block that provides the category and event type for an Indication of Compromise (IOC). The record type is 161, with a block type of 39 in series 2. It is exposed as metadata for any event that has IOC information. These include malware events, file events, and intrusion events.
The following diagram shows the structure of an IOC Name data block:
The following table describes the fields in the IOC Name data block.
Discovery Event Header 5.2+
Discovery and connection event messages contain a discovery event header. It conveys the type and subtype of the event, the time the event occurred, the device on which the event occurred, and the structure of the event data in the message. This header is followed by the actual host discovery, user, or connection event data. The structures associated with the different event type/subtype values are described in Host Discovery Structures by Event Type. This header has IPv6 support, and deprecates Discovery Event Header 5.0 - 5.1.1.x.
The event type and event subtype fields of the discovery event header identify the structure of the transmitted event message. Once the structure of the event data block is determined, your program can parse the message appropriately.
The shaded rows in the following diagram illustrate the format of the discovery event header.
One row of the header diagram is the eStreamer Server Timestamp field, which appears in events only if bit 23 is set.
The following table describes the discovery event header.
Its fields, in the order the table lists them, are:
- ID number of the device that generated the discovery event. You can obtain the metadata for the device by requesting Version 3 and 4 metadata. See Managed Device Record Metadata for more information.
- A reserved field that is no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information.
- UNIX timestamp (seconds since 01/01/1970) at which the system generated the event.
- Microsecond (one millionth of a second) increment at which the system generated the event.
- Event type. See Discovery and Connection Event Types and Subtypes for the available values.
- Event subtype. See Host Discovery Structures by Event Type for a list of available event subtypes.
- Serial file number. This field is for Cisco internal use and can be disregarded.
- Event’s position in the serial file. This field is for Cisco internal use and can be disregarded.
- IPv6 address. This field is present and used if the Has IPv6 flag is set.
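As an added example (not code from the Cisco guide), the following Python decodes a discovery event header from a byte buffer, validates it, and exposes the event time and host address so a consumer can dispatch on event type and subtype. The field widths (eight 4-byte big-endian integers followed by a 16-byte IPv6 address) and the IPv4-mapped encoding of an IPv4 host address inside the IPv6 field are assumptions; confirm them against the header diagram before relying on them.

```python
"""Parse the eStreamer discovery event header (5.2+).

Added example, not part of the Cisco guide. Assumed layout: eight 4-byte
big-endian unsigned integers (device ID, legacy IPv4, event second, event
microsecond, event type, event subtype, file number, file position) followed
by a 16-byte IPv6 address. Verify against the guide's header diagram.
"""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

HEADER_FMT = ">8I16s"                      # assumed field widths, network byte order
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 48 bytes under that assumption


@dataclass(frozen=True)
class DiscoveryEventHeader:
    device_id: int           # managed device that generated the event
    legacy_ipv4: int         # reserved; no longer populated
    event_second: int        # UNIX timestamp of the event
    event_microsecond: int   # microsecond increment within that second
    event_type: int          # together with subtype, selects the data block that follows
    event_subtype: int
    file_number: int         # Cisco internal use
    file_position: int       # Cisco internal use
    ipv6_address: ipaddress.IPv6Address

    @property
    def event_time(self) -> datetime:
        """Event timestamp as an aware UTC datetime."""
        base = datetime.fromtimestamp(self.event_second, tz=timezone.utc)
        return base.replace(microsecond=self.event_microsecond)

    @property
    def host_address(self) -> ipaddress.IPv4Address | ipaddress.IPv6Address:
        """Host address; unwraps an IPv4-mapped IPv6 address (assumed encoding)."""
        mapped = self.ipv6_address.ipv4_mapped
        return mapped if mapped is not None else self.ipv6_address


def parse_discovery_header(buf: bytes, offset: int = 0) -> tuple[DiscoveryEventHeader, int]:
    """Decode one header at buf[offset:]; return it and the offset of the data record.

    Raises ValueError on a short buffer or an impossible microsecond value, so a
    truncated or malformed stream is rejected instead of being parsed as an event.
    """
    available = len(buf) - offset
    if available < HEADER_LEN:
        raise ValueError(f"need {HEADER_LEN} bytes for a discovery header, have {available}")
    *ints, raw_ipv6 = struct.unpack_from(HEADER_FMT, buf, offset)
    if ints[3] >= 1_000_000:
        raise ValueError(f"event microsecond out of range: {ints[3]}")
    header = DiscoveryEventHeader(*ints, ipaddress.IPv6Address(raw_ipv6))
    return header, offset + HEADER_LEN


def build_sample_header() -> bytes:
    """Constructed sample header (not captured traffic): device 3, event at
    2021-01-01T00:00:00.250000Z, type 1000 / subtype 1, host 10.1.2.3."""
    ipv4_mapped = ipaddress.IPv6Address("::ffff:10.1.2.3").packed
    return struct.pack(HEADER_FMT, 3, 0, 1609459200, 250000, 1000, 1, 7, 512, ipv4_mapped)


if __name__ == "__main__":
    hdr, data_offset = parse_discovery_header(build_sample_header() + b"\x00\x01")
    print(hdr.event_time.isoformat(), hdr.host_address, hdr.event_type, hdr.event_subtype)
    print("data record starts at offset", data_offset)
```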
Discovery and Connection Event Types and Subtypes
The values in the Event Type and Event Subtype fields identify and classify the event contained in a host discovery or user data message. They also identify the structure of the data in the message.
The following table lists the event types and event subtypes for discovery and connection events.
Tip For information about the data structure used for each event type/subtype, see Host Discovery Structures by Event Type.
Host Discovery Structures by Event Type
eStreamer builds host discovery event messages based on the event type indicated in the discovery event header. The following sub-sections describe the high-level structure for each event type:
- New Host and Host Last Seen Messages
- Server Messages
- New Network Protocol Message
- New Transport Protocol Message
- Client Application Messages
- IP Address Change Message
- Operating System Update Messages
- IP Address Reused and Host Timeout/Deleted Messages
- Hops Change Message
- TCP and UDP Port Closed/Timeout Messages
- MAC Address Messages
- Host Identified as a Bridge/Router Message
- VLAN Tag Information Update Messages
- Change NetBIOS Name Message
- Update Banner Message
- Policy Control Message
- Connection Statistics Data Message
- Connection Chunk Message
- User Set Vulnerabilities Messages for Version 4.6.1+
- User Add and Delete Host Messages
- User Delete Server Message
- User Set Host Criticality Messages
- Attribute Messages
- Attribute Value Messages
- User Server and Operating System Messages
- User Protocol Messages
- User Client Application Messages
- Add Scan Result Messages
- New Operating System Messages
- Identity Conflict and Identity Timeout System Messages
- Host IOC Set Messages
The data block diagrams in the following sections depict the different record data blocks returned in host discovery event messages.
New Host and Host Last Seen Messages
New Host and Host Last Seen event messages have a standard discovery event header and a Host Profile data block (as documented in Host Profile Data Block for 5.2+). The Host Profile data block is block type 139 in series 1.
Note that the Host Last Seen message includes server information only for servers on the host that have changed within the Update Interval set in the discovery detection policy. In other words, only servers that have changed since the system last reported information will be included in the Host Last Seen message.
Note The Host Profile data block differs depending on which system version created the message. For information on legacy versions of the Host Profile data block, see Legacy Host Data Structures.
Server Messages
The following TCP and UDP server event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Server data block (as documented in Host Server Data Block 4.10.0+, block type 103 in series 1):
- New TCP Server
- New UDP Server
- TCP Server Information Update
- UDP Server Information Update
- TCP Server Confidence Update
- UDP Server Confidence Update
Note The Server data block differs depending on which system version created the message. For information on the legacy versions of the Server data block, see Understanding Legacy Data Structures.
Each of these events uses the following format:
New Network Protocol Message
A New Network Protocol event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a two-byte field for the network protocol (using protocol values described in following table).
New Transport Protocol Message
A New Transport Protocol event message has a standard discovery event header (as documented in Discovery Event Header 5.2+, block type 4 in series 1) and a one-byte field for the transport protocol number (using values described in following table).
Client Application Messages
New Client Application, Client Application Update, and Client Application Timeout events have the same format and contain a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Client Application data block (see Host Client Application Data Block for 5.0+, block type 122 in series 1). The discovery event header has a different record type, event type, and event subtype, depending on the event transmitted.
Note The Client Application data block differs depending on the system version that created the message. For information on the legacy version of the Client Application data block, see Understanding Legacy Data Structures.
IP Address Change Message
The following host discovery messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by an IP address field in one of two forms: four bytes for the IP address or 16 bytes for the IP address.
Four bytes are used for the IP address (in IP address octets) in the following case:
16 bytes are used for the IP address in the following cases:
Operating System Update Messages
The OS Information Update event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by an Operating System data block (as documented in Operating System Data Block 3.5+, block type 53 in series 1).
IP Address Reused and Host Timeout/Deleted Messages
The following host event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) with no other data:
- Host IP Address Reused
- Host Timeout
- Host Deleted: Host Limit Reached
- Host Dropped: Host Limit Reached
Hops Change Message
A Hops Change event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a one-byte field for the hops count.
TCP and UDP Port Closed/Timeout Messages
TCP and UDP Port Closed and Port Timeout event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a two-byte field for the port number.
MAC Address Messages
MAC Information Change and Additional MAC Detected for Host messages have a standard discovery event header (as documented in Discovery Event Header 5.2+), 1 byte for the TTL value, 6 bytes for the MAC address, and 1 byte to indicate whether the MAC address was detected via ARP/DHCP traffic as the actual MAC address.
Note If you receive MAC address messages from a system running version 4.9.x, you must check for the length of the MAC address data block and decode accordingly. If the data block is 8 bytes in length (16 bytes with the header), see MAC Address Messages. If the data block is 12 bytes in length (20 bytes with the header), see Host MAC Address 4.9+.
Note that the MAC address data block header is not used within MAC Information Change and Additional MAC Detected for Host messages.
Host Identified as a Bridge/Router Message
A Host Identified as a Bridge/Router event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a four-byte field for the value that matches the host type:
VLAN Tag Information Update Messages
The VLAN Tag Information Update event has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by VLAN data block (as documented in VLAN Data Block). The VLAN Data block is block type 14 in the series 1 group of blocks.
Change NetBIOS Name Message
A Change NetBIOS Name event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a String Information data block (as documented in String Information Data Block). The String Information data block is block type 35 in series 1.
Note The Change NetBIOS Domain event is not currently generated by the Firepower System.
Update Banner Message
An Update Banner event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Server Banner data block (as documented in Server Banner Data Block). The server banner data block is block type 37 in series 1.
Policy Control Message
The Policy Control Message event has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Policy Control Message data block. The format of the Policy Control Message data block differs depending on the system version. For information on policy control message data block format for the current version, see Policy Engine Control Message Data Block.
Connection Statistics Data Message
The Connection Statistics event has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Connection Statistics data block. The documentation of each version of the Connection Statistics data block includes the system versions that use it. For information on the connection statistics data block format for version 6.1+, see Connection Statistics Data Block 6.2+.
Note The Connection Statistics data block differs depending on which system version created the message. For information on legacy versions, see the Connection Statistics data block in Understanding Legacy Data Structures.
Connection Chunk Message
The Connection Chunk event has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Connection Chunk data block. The format differs depending on the system version. For information on connection chunk data block format for the current version, see Connection Chunk Data Block for 6.1+. The Connection Chunk data block is block type 136 in series 1.
User Set Vulnerabilities Messages for Version 4.6.1+
User Set Valid Vulnerabilities, User Set Invalid Vulnerabilities, and User Vulnerability Qualification messages use the same data format: the standard discovery event header (see Discovery Event Header 5.2+) followed by a User Vulnerability change data block (see User Vulnerability Change Data Block 4.7+, block type 80 in series 1). They are differentiated by record type, event type, and event subtype.
User Add and Delete Host Messages
The following host input event messages have the standard discovery event header (see Discovery Event Header 5.2+) followed by a User Hosts data block (see User Hosts Data Block 4.7+, block type 78 in series 1):
User Delete Server Message
User Delete Server messages have the standard discovery event header (see Discovery Event Header 5.2+) followed by a User Server List data block (see User Server List Data Block). The User Server List data block is block type 77 in series 1.
User Set Host Criticality Messages
User Set Host Criticality messages have the standard discovery event header (see Discovery Event Header 5.2+) followed by a User Criticality Change data block (see User Criticality Change Data Block 4.7+). The User Criticality Change data block is block type 81 in series 1.
Attribute Messages
The following event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by an Attribute Definition data block (as documented in Attribute Definition Data Block for 4.7+, block type 55 in series 1):
Each of these events uses the following format:
Attribute Value Messages
The following event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a User Attribute Value data block (as documented in User Attribute Value Data Block 4.7+, block type 82 in series 1):
Each of these events uses the following format:
User Server and Operating System Messages
The following event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a User Product data block (as documented in User Product Data Block 5.1+, block type 60 in series 1):
Each of these events uses the following format:
User Protocol Messages
The following event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a User Protocol List data block (as documented in User Protocol List Data Block 4.7+, block type 83 in series 1):
Each of these events uses the following format:
User Client Application Messages
The following event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a User Client Application List data block (as documented in User Client Application List Data Block, block type 60 in series 1):
Each of these events uses the following format:
Add Scan Result Messages
The Add Scan Result event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Scan Results data block (as documented in Scan Result Data Block 5.2+). The Scan Result data block is block type 142 in series 1.
This event uses the following format:
New Operating System Messages
The New OS event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by an Operating System Fingerprint data block (as documented in Operating System Fingerprint Data Block 5.1+).
This event uses the following format:
Identity Conflict and Identity Timeout System Messages
The Identity Conflict and Identity Timeout event messages each have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by an Identity data block (as documented in Identity Data Block). The Identity data block is block type 94 in series 1. These messages are generated when there are conflicts or timeouts in a fingerprint source identity.
This event uses the following format:
Host IOC Set Messages
The Host IOC Set message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by an integer data block (as documented in Integer (INT32) Data Block). This integer data block contains the ID number of the IOC set for the host.
This event uses the following format:
User Data Structures by Event Type
eStreamer builds user event messages based on the event type indicated in the discovery event header. The following sub-sections describe the high-level structure for each event type:
User Modification Messages
When any of the following events occurs through system detection, a user modification message is sent:
- a new user is detected (a New User Identity event—event type 1004, subtype 1)
- a user is removed (a Delete User Identity event—event type 1004, subtype 3)
- a user is dropped (a User Identity Dropped: User Limit Reached event—event type 1004, subtype 4)
User Modification event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) and a User Information data block (as documented in User Information Data Block for 6.0+). The User Information data block is block type 120 in series 1.
User Information Update Message Block
When the login changes for a user (a User Login event—event type 1004, subtype 2) detected by the system, a user information update message is sent. This block is also used when a user login fails (a failed user login event—event type 1004, subtype 5), when a VPN user logs in (a VPN user login event—event type 1004, subtype 8) or a VPN user logs off (a VPN user logoff event—event type 1004, subtype 9).
User Information Update event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) and a User Login Information data block (as documented in User Login Information Data Block 6.2+). The User Login Information data block is block type 121 in series 1.
Understanding Discovery (Series 1) Blocks
Most discovery and connection events incorporate one or more data blocks from the series 1 group of data structures. Each series 1 data block type conveys a particular type of information. The block type number appears in the data block header which precedes the data in the block. For information on block header format, see Data Block Header.
Series 1 Data Block Header
The series 1 data block header, like the series 2 block header, has two 32-bit integer fields that contain the block’s type number and the block length.
Note The data block length field contains the number of bytes in the entire data block, including the eight bytes of the two data block header fields.
For some block series 1 types, the block header is followed immediately by raw data. In more complex block types, the header may be followed by standard fixed length fields or by the header of a series 1 primitive block that encapsulates another series 1 data block or list of blocks.
Series 1 Primitive Data Blocks
Both series 1 and series 2 blocks include a set of primitives that encapsulate lists of variable-length blocks as well as variable-length strings and BLOBs within messages. These primitive blocks have the standard series 1 block header discussed above. These primitives appear only within other series 1 data blocks. Any number can be included in a given block type. For details on the structure of the primitive blocks, see the following:
Host Discovery and Connection Data Blocks
For the list of block types in host discovery and connection events, see Table 4-30. The block types in user events are described in Table 4-86. These are all Series 1 data blocks.
Each entry in the table below contains a link to the subsection where the data block is defined. For each block type, the status (current or legacy) is indicated. A current data block is the latest version. A legacy data block is one that is used for an older version of the product, and the message format can still be requested from eStreamer.
- Contains string data. See String Data Block for more information.
- Contains information about a sub-server detected on a server. See Sub-Server Data Block for more information.
- Contains protocol data. See Protocol Data Block for more information.
- Contains integer (numeric) data. See Integer (INT32) Data Block for more information.
- Contains a raw block of binary data and is used specifically for banners. See BLOB Data Block for more information.
- Contains a list of other data blocks. See List Data Block for more information.
- Contains VLAN information. See VLAN Data Block for more information.
- Contains intrusion impact alert information. Intrusion impact alert events have slightly different headers than other data blocks. See Intrusion Impact Alert Data 5.3+ for more information.
- Contains generic list information, for example, to encapsulate lists of blocks, such as Client Application blocks, in the Host Profile block. See Generic List Block for more information.
- Contains string information. For example, when used in the Scan Vulnerability data block, the String Information data block contains the CVE identification number data. See String Information Data Block.
- Contains server banner data. See Server Banner Data Block for more information.
- Contains the host attribute address (as documented in earlier versions of the product). The successor block is 146.
- Contains a host attribute list item value. See Attribute List Item Data Block for more information.
- Contains client application information for New Client Application events (as documented for earlier versions of the product).
- Contains complete host profile information (as documented in earlier versions of the product).
- Contains attribute identification numbers and values for host attributes. See Attribute Value Data Block for more information.
- Contains information about a sub-server detected on a server. Referenced in Full Server information blocks and in full host profiles. Includes vulnerability information for each sub-server. See Full Sub-Server Data Block for more information.
- Contains operating system information for Version 3.5+. See Operating System Data Block 3.5+ for more information.
- Contains information on user policy control changes. See Policy Engine Control Message Data Block for more information.
- Contains information on attribute definitions. See Attribute Definition Data Block for 4.7+ for more information.
- Contains information for connection statistics events in 4.7 - 4.9.0 (as documented in earlier versions of the product).
- Contains protocol information from user input. See User Protocol Data Block for more information.
- Contains client application data from user input. See User Client Application Data Block for 5.0 - 5.1 for more information. Superseded by block 138.
- Contains lists of user client application data blocks. See User Client Application List Data Block for more information.
- Contains IP address range specifications. See IP Range Specification Data Block for 5.0 - 5.1.1.x for more information. Superseded by block 141.
- Contains an attribute name and value. See Attribute Specification Data Block for more information.
- Contains MAC address range specifications. See MAC Address Specification Data Block for more information.
- Contains lists of IP and MAC address specification blocks. See Address Specification Data Block for more information.
- Contains host input data imported from a third-party application, including third-party application string mappings. See User Product Data Block for 5.0.x for more information. The successor block type 118 introduced for 5.0 has an identical structure as block type 65.
- Contains connection chunk information. See Connection Chunk Data Block for 5.0 - 5.1 for more information. The successor block type 119 introduced for 5.0 has an identical structure as block type 66.
- Contains a fix that applies to a host. See Fix List Data Block for more information.
- Contains results from an Nmap scan (as documented in earlier versions of the product).
- Contains results from a third-party scan (as documented in earlier versions of the product).
- Contains server information from a user input event. See User Server Data Block for more information.
- Contains lists of user server blocks. See User Server List Data Block for more information.
- Contains information about host ranges from a user host input event. See User Hosts Data Block 4.7+ for more information.
- Contains information about a vulnerability for a host or hosts (as documented in earlier versions of the product). The successor block introduced for version 5.0 has block type 124.
- Contains lists of deactivated or activated vulnerabilities. See User Vulnerability Change Data Block 4.7+ for more information.
- Contains information on criticality changes for a host or hosts. See User Criticality Change Data Block 4.7+ for more information.
- Contains attribute value changes for a host or hosts. See User Attribute Value Data Block 4.7+ for more information.
- Contains lists of protocols for a host or hosts. See User Protocol List Data Block 4.7+ for more information.
- Contains vulnerabilities that apply to a host. See Host Vulnerability Data Block 4.9.0+ for more information.
- Contains information on vulnerabilities detected by a scan (as documented in earlier versions of the product).
- Contains lists of operating system fingerprints. See Operating System Fingerprint Data Block for 5.0 - 5.0.2 for more information. The successor block introduced for version 5.1 has block type 130.
- Contains server information used in server fingerprints (as documented in earlier versions of the product).
- Contains server information for a host (as documented in earlier versions of the product).
- Contains server information for a host (as documented in earlier versions of the product).
- Contains profile information for a host. See Host Profile Data Block for 5.2+ for more information. The successor block introduced for version 5.1 has block type 132.
- Contains complete host profile information (as documented in earlier versions of the product). Supersedes data block 47.
- Contains identity data for a host. See Identity Data Block for more information.
- Contains MAC address information for a host. See Host MAC Address 4.9+ for more information.
- Contains lists of MAC address information reported by a Secondary Host Update.
- Contains lists of web application data (as documented in earlier versions of the product). The successor block introduced for version 5.0 has block type 123.
- Contains server information for a host (as documented in earlier versions of the product).
- Contains server information for a host (as documented in earlier versions of the product).
- Contains client application information for New Client Application events (as documented in earlier versions of the product). The successor block type 122 introduced for version 5.0 has the same structure as block type 100.
- Contains information for connection statistics events in 4.9.1+ (as documented in earlier versions of the product).
- Contains information about a vulnerability and is used within Add Scan Result events. See Scan Result Data Block 5.0 - 5.1.1.x.
- Contains server information for a host. See Host Server Data Block 4.10.0+ for more information.
- Contains server information for a host. See Full Host Server Data Block 4.10.0+ for more information.
- Contains server information used in server fingerprints. See Server Information Data Block for 4.10.x, 5.0 - 5.0.2 for more information. The successor block type 117 introduced for 5.0 has an identical structure as block type 105.
- Contains information about a server detected on a host. See Full Server Information Data Block for more information.
- Contains results from an Nmap scan. See Generic Scan Results Data Block for 4.10.0+ for more information.
- Contains information on vulnerabilities detected by a third-party scan. See Scan Vulnerability Data Block for 4.10.0+.
- Contains complete host profile information. See Full Host Profile Data Block 5.0 - 5.0.2 for more information. Supersedes data block 92.
- Contains client application information for New Client Application events and includes a list of vulnerabilities. See Full Host Client Application Data Block 5.0+ for more information.
- Contains information for connection statistics events in 5.0 - 5.0.2. See Connection Statistics Data Block 5.0 - 5.0.2 for more information. The successor block introduced for version 5.1 has block type 126.
- Contains server information used in server fingerprints. See Server Information Data Block for 4.10.x, 5.0 - 5.0.2 for more information.
- Contains host input data imported from a third-party application, including third-party application string mappings. See User Product Data Block for 5.0.x for more information. The predecessor block type 65, superseded in 5.0, has the same structure as this block type. The successor block introduced for version 5.1 has block type 132.
- Contains connection chunk information for versions 4.10.1 - 5.1. See Connection Chunk Data Block for 5.0 - 5.1 for more information. The successor block is 136.
- Contains client application information for New Client Application events for version 5.0+. See Host Client Application Data Block for 5.0+ for more information. It supersedes block type 100.
- Contains web application data for version 5.0+. See Web Application Data Block for 5.0+ for more information. It supersedes block type 97.
- Contains information about a vulnerability for a host or hosts. See User Vulnerability Data Block 5.0+. It supersedes block type 79.
- Contains information for connection statistics events in 4.10.2 (as documented in earlier versions of the product). The successor block introduced for version 5.1 has block type 115.
- Contains information for connection statistics events in 5.1. See Connection Statistics Data Block 5.1 for more information. It supersedes block type 115. This block type is superseded by block type 137.
- Contains lists of operating system fingerprints. See Operating System Fingerprint Data Block 5.1+ for more information. It supersedes block type 87.
- Contains information about a detected mobile device's hardware. See Mobile Device Information Data Block for 5.1+ for more information.
- Contains profile information for a host. See Full Host Profile Data Block 5.2.x for more information. It supersedes block type 91. Superseded by block 139.
- Contains host input data imported from a third-party application, including third-party application string mappings. See User Product Data Block 5.1+ for more information. This supersedes the predecessor block type 118.
- Contains complete host profile information. See Full Host Profile Data Block 5.1.1 for more information. Supersedes data block 111.
- Contains connection chunk information. See Connection Chunk Data Block for 6.1+ for more information. Supersedes block 119.
- Contains information for connection events in 5.1.1. See Connection Chunk Data Block for 5.0 - 5.1 for more information. It supersedes block type 126. It is superseded by block type 144.
- Contains client application data from user input. See User Client Application Data Block for 5.1.1+ for more information. It supersedes block type.
- Contains profile information for a host. See Host Profile Data Block for 5.2+ for more information. It supersedes block type 132.
- Contains complete host profile information. See Full Host Profile Data Block 5.3+ for more information. Supersedes data block 135.
- Contains IP address range specifications. See IP Address Range Data Block for 5.2+ for more information. It supersedes block 61.
- Contains information about a vulnerability and is used within Add Scan Result events. See Scan Result Data Block 5.2+. It supersedes block 102.
- Contains a host's IP address and last seen information. See Host IP Address Data Block for more information.
- Contains information for connection events in 5.2.x. See Connection Statistics Data Block 5.2.x for more information. It supersedes block type 137.
- Contains the host attribute address for 5.2+. See Attribute Address Data Block 5.2+ for more information. It supersedes block type 38.
- Contains information about user changes to IOCs. See User IOC Change Data Block 5.3+ for more information.
- Contains complete host profile information. See Full Host Profile Data Block 5.3+ for more information. Supersedes data block 135.
- Contains information for connection events in 5.3+. See Connection Statistics Data Block 5.3 for more information. It supersedes block type 144.
- Contains information for connection events in 5.3. See Connection Statistics Data Block 5.3.1 for more information. It supersedes block type 152.
- Contains information for connection events in 5.4. See Connection Statistics Data Block 5.4 for more information. It supersedes block type 154.
- Contains information for connection events in 5.4.1. See Connection Statistics Data Block 5.4.1 for more information. It supersedes block type 155.
- Contains information for connection events in 5.4.1. See Connection Statistics Data Block 6.0.x for more information. It supersedes block type 157.
- Contains information for connection events in 6.0+. See Connection Statistics Data Block 6.2+ for more information. It supersedes block type 160.
String Data Block
The String data block is used for sending string data in series 1 blocks. It commonly appears within other series 1 data blocks to describe, for example, operating system or server names.
Empty string data blocks (string data blocks containing no string data) have a block length value of 8 and are followed by zero bytes of string data. An empty string data block is returned when there is no content for the string value, as might happen, for example, in the OS vendor string field in an Operating System data block when the vendor of the operating system is unknown.
The String data block has a block type of 0 in the series 1 group of blocks.
Note Strings returned in this data block are not always null-terminated (that is, they are not always terminated with a 0).
The following diagram shows the format of the String data block:
The following table describes the fields of the String data block.
- Combined length of the string data block header and string data.
- Contains the string data and may contain a terminating character (null byte) at the end of the string.
BLOB Data Block
The BLOB data block can be used to convey binary data. For example, it is used to hold the server banner captured by the system. The BLOB data block has a block type of 10 in the series 1 group of blocks.
The following diagram shows the format of the BLOB data block:
The following table describes the fields of the BLOB data block.
- Number of bytes in the BLOB data block, including eight bytes for the BLOB block type and length fields, plus the length of the binary data that follows.
List Data Block
The List data block is used to encapsulate a list of series 1 data blocks. For example, if a list of TCP servers is being transmitted, the Server data blocks containing the data are encapsulated in a List data block. The List data block has a block type of 11 in the series 1 group of blocks.
The following diagram shows the basic format of a List data block:
The following table describes the fields of the List data block.
Generic List Block
The Generic List data block is used to encapsulate a list of series 1 data blocks. For example, when client application information is transmitted within a Host Profile data block, a list of Client Application data blocks are encapsulated by the Generic List data block. The Generic List data block has a block type of 31 in the series 1 group of blocks.
The following diagram shows the basic structure of a Generic List data block:
The following table describes the fields of the Generic List data block.
Sub-Server Data Block
The Sub-Server data block conveys information about an individual sub-server, which is a server called by another server on the same host and has associated vulnerabilities. The Sub-Server data block has a block type of 1 in the series 1 group of blocks.
The following diagram shows the format of the Sub-Server data block:
The following table describes the fields of the Sub-Server data block.
Protocol Data Block
The Protocol data block defines protocols. It is a very simple data block, with only the block type, block length, and the IANA protocol number identifying the protocol. The Protocol data block has a block type of 4 in the series 1 group of blocks.
The following graphic shows the format of the Protocol data block:
The following table describes the fields of the Protocol data block.
Integer (INT32) Data Block
The Integer (INT32) data block is used in List data blocks to convey 32-bit integer data.
The Integer data block has a block type of 7 in the series 1 group of blocks.
The following diagram shows the format of the integer data block:
The following table describes the fields of the Integer data block:
Field | Description |
---|---|
Block Length | Number of bytes in the Integer data block. This value is always |
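As an added example (not code from the Cisco guide), the following Python parses the series 1 block layout described for the List, Generic List and Integer data blocks above: an 8-byte header of block type and block length, the length counting the header itself, with List (type 11) and Generic List (type 31) blocks encapsulating further blocks back to back. It assumes network byte order and a 4-byte payload for the Integer block, and checks every length field against the bytes remaining before using it as a slice bound.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

HEADER = struct.Struct("!II")   # block type, block length (assumed big-endian)
HDR_LEN = HEADER.size           # 8 bytes, counted inside every block length

TYPE_INTEGER = 7                # Integer (INT32) data block
TYPE_LIST = 11                  # List data block
TYPE_GENERIC_LIST = 31          # Generic List data block
CONTAINERS = {TYPE_LIST, TYPE_GENERIC_LIST}

class MalformedBlock(ValueError):
    """A length field disagrees with the bytes actually present."""

@dataclass
class Block:
    block_type: int
    payload: bytes = b""                                   # leaf payload
    children: List["Block"] = field(default_factory=list)  # list contents

    @property
    def value(self) -> Optional[int]:
        """Decoded 32-bit value for Integer blocks, None for anything else."""
        if self.block_type == TYPE_INTEGER:
            return struct.unpack("!i", self.payload)[0]
        return None

def parse_blocks(buf: bytes) -> List[Block]:
    """Parse back-to-back blocks, recursing into List and Generic List."""
    blocks: List[Block] = []
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < HDR_LEN:
            raise MalformedBlock(f"truncated block header at offset {offset}")
        block_type, block_len = HEADER.unpack_from(buf, offset)
        # The length covers the header, so below 8 is impossible; beyond the
        # buffer it must not be trusted as a slice bound.
        if block_len < HDR_LEN or block_len > len(buf) - offset:
            raise MalformedBlock(f"bad block length {block_len} at {offset}")
        payload = buf[offset + HDR_LEN:offset + block_len]
        if block_type in CONTAINERS:
            blocks.append(Block(block_type, children=parse_blocks(payload)))
        elif block_type == TYPE_INTEGER and len(payload) != 4:
            raise MalformedBlock("Integer block payload must be 4 bytes")
        else:
            blocks.append(Block(block_type, payload))  # leaf, kept opaque
        offset += block_len
    return blocks

def encode_block(block_type: int, payload: bytes) -> bytes:
    """Emit one block; the length field covers header plus payload."""
    return HEADER.pack(block_type, HDR_LEN + len(payload)) + payload

def encode_integer(value: int) -> bytes:
    return encode_block(TYPE_INTEGER, struct.pack("!i", value))

# Constructed sample (not captured traffic): a Generic List of two Integers.
SAMPLE = encode_block(TYPE_GENERIC_LIST, encode_integer(80) + encode_integer(443))

def sample_values() -> List[int]:
    """Parse SAMPLE and return the integers carried inside the list."""
    return [child.value for child in parse_blocks(SAMPLE)[0].children]

def is_malformed(buf: bytes) -> bool:
    """True when parse_blocks rejects buf (used to probe bad length fields)."""
    try:
        parse_blocks(buf)
    except MalformedBlock:
        return True
    return False
```

Blocks of any other type are kept as opaque payloads, so the same loop can be extended with per-type decoders (String, Sub-Server, VLAN and so on) without changing the length handling.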
VLAN Data Block
The VLAN data block contains VLAN tag information for a host. The VLAN data block has a block type of 14 in the series 1 group of blocks.
The following diagram shows the format of the VLAN data block:
The following table describes the fields of the VLAN data block.
Field | Description |
---|---|
Block Length | Number of bytes in the VLAN data block. This value is always |
VLAN ID | Contains the VLAN identification number that indicates which VLAN the host is a member of. |
Server Banner Data Block
The Server Banner data block provides information about the banner for a server running on a host. It contains the server port, protocol, and the banner data. The Server Banner data block has a block type of 37 in the series 1 group of blocks.
The following diagram shows the format of the Server Banner data block.
Note An asterisk (*) next to a block type field in the following diagram indicates the message may contain zero or more instances of the series 1 data block.
The following table describes the fields of the Server Banner data block.
String Information Data Block
The String Information data block contains string data. For example, the String Information data block is used to convey the Common Vulnerabilities and Exposures (CVE) identification string within a Scan Vulnerability data block. The String Information data block has a block type of 35 in the series 1 group of blocks.
The following diagram shows the format of the String Information data block:
The following table describes the fields of the String Information data block.
Attribute Address Data Block 5.2+
The Attribute Address data block contains an attribute list item and is used within an Attribute Definition data block. It has a block type of 146 in the series 1 group of blocks.
The following diagram shows the basic structure of an Attribute Address data block:
The following table describes the fields of the Attribute Address data block.
User IOC Change Data Block 5.3+
The User IOC Change data block contains information regarding IOC changes made by a user. It is used within the User Host IOC Delete, User Host IOC Enable, and User Host IOC Disable records. It has a block type of 148 in the series 1 group of blocks.
The following diagram shows the basic structure of a User IOC Change data block:
The following table describes the fields of the User IOC Change data block.
Field | Description |
---|---|
Block Type | Initiates a User IOC Change data block. This value is always |
Generic List Block Type | Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always |
Generic List Block Length | Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks. |
IP Range Specification Data Blocks | IP Range Specification data blocks containing information about the IP address ranges for the user input. See IP Address Range Data Block for 5.2+ for a description of this data block. |
Attribute List Item Data Block
The Attribute List Item data block contains an attribute list item and is used within an Attribute Definition data block. It has a block type of 39 in the series 1 group of blocks.
The following diagram shows the basic structure of an Attribute List Item data block:
The following table describes the fields of the Attribute List Item data block.
Attribute Value Data Block
The Attribute Value data block conveys attribute identification numbers and values for host attributes. An Attribute Value data block for each attribute applied to the host in the event is included in a list in the Full Host Profile data block. The Attribute Value data block has a block type of 48 in the series 1 group of blocks.
The following diagram shows the format of the Attribute Value data block:
The following table describes the components of the Attribute Value data block.
Full Sub-Server Data Block
The Full Sub-Server data block conveys information about a sub-server associated with a server detected on a host, and includes information about the sub-server such as its vendor and version and any related VDB and third-party vulnerabilities for the sub-server on the host. A sub-server is a loadable module of a server that has its own associated vulnerabilities. A Full Host Server data block includes a Full Sub-Server data block for each sub-server detected on the host. The Full Sub-Server data block has a block type of 51 in the series 1 group of blocks.
Note An asterisk (*) next to a series 1 data block name in the following diagram indicates that multiple instances of the data block may occur.
The following diagram shows the format of the Full Sub-Server data block:
The following table describes the components of the Full Sub-Server data block.
Field | Description |
---|---|
Block Type | Initiates a Full Sub-Server data block. This value is always |
Block Length | Total number of bytes in the Full Sub-Server data block, including eight bytes for the Full Sub-Server block type and length fields, plus the number of bytes in the full sub-server data that follows. |
String Block Type | Initiates a String data block containing the sub-server name. This value is always |
String Block Length | Number of bytes in the sub-server name String data block, including eight bytes for the block type and length fields, plus the number of bytes in the sub-server name. |
String Block Type | Initiates a String data block containing the sub-server vendor's name. This value is always |
String Block Length | Number of bytes in the vendor name String data block, including eight bytes for the block type and length fields, plus the number of bytes in the sub-server vendor name. |
String Block Type | Initiates a String data block that contains the sub-server version. This value is always |
String Block Length | Number of bytes in the sub-server version String data block, including eight bytes for the block type and length fields, plus the number of bytes in the sub-server version. |
Generic List Block Type | Initiates a Generic List data block comprising Host Vulnerability data blocks conveying VDB Vulnerability data. This value is always |
Generic List Block Length | Number of bytes in the Generic List data block, including the list header and all encapsulated Host Vulnerability data blocks. |
Host Vulnerability Data Blocks | Host Vulnerability data blocks containing information about host vulnerabilities identified by Cisco. See Host Vulnerability Data Block 4.9.0+ for a description of this data block. |
Generic List Block Type | Initiates a Generic List data block comprising Host Vulnerability data blocks conveying Third-Party Scan Vulnerability data. This value is always |
Generic List Block Length | Number of bytes in the Generic List data block, including the list header and all encapsulated Host Vulnerability data blocks. |
Host Vulnerability Data Blocks | Host Vulnerability data blocks containing information about host vulnerabilities identified by a third-party vulnerability scanner. See Host Vulnerability Data Block 4.9.0+ for a description of this data block. |
Operating System Data Block 3.5+
The operating system data block for Version 3.5+ has a block type of 53 in the series 1 group of blocks. The block includes a fingerprint Universally Unique Identifier (UUID). The following diagram shows the format of an operating system data block in 3.5+.
The following table describes the fields of the v3.5 operating system data block.
Policy Engine Control Message Data Block
The Policy Engine Control Message data block conveys the control message content for policy types. The Policy Engine Control Message data block has a block type of 54 in the series 1 group of blocks.
The following diagram shows the format of the Policy Engine Control Message data block:
The following table describes the components of the Policy Engine Control Message data block.
Attribute Definition Data Block for 4.7+
The Attribute Definition data block contains the attribute definition in an attribute creation, change, or deletion event and is used within Host Attribute Add events (event type 1002, subtype 6), Host Attribute Update events (event type 1002, subtype 7), and Host Attribute Delete events (event type 1002, subtype 8). It has a block type of 55 in the series 1 group of blocks.
For more information on those events, see Attribute Messages.
The following diagram shows the basic structure of an Attribute Definition data block:
The following table describes the fields of the Attribute Definition data block.
Field | Description |
---|---|
Block Type | Initiates an Attribute Definition data block. This value is always |
Block Length | Number of bytes in the Attribute Definition data block, including eight bytes for the attribute definition block type and length, plus the number of bytes in the attribute definition data that follows. |
 | Identification number that maps to the source of the attribute data. Depending on the source type, this may map to RNA, a user, a scanner, or a third-party application. |
 | An ID number that acts as a unique identifier for the affected attribute. |
 | Identification number of the affected attribute, if applicable. |
String Block Type | Initiates a String data block for the attribute definition name. This value is always |
String Block Length | Number of bytes in the String data block for the attribute definition name, including eight bytes for the string block type and length, plus the number of bytes in the attribute definition name. |
Attribute Type | Type of attribute. Possible values are: |
 | First integer in the integer range for the defined attribute. |
 | Last integer in the integer range for the defined attribute. |
 | Flag indicating if an IP address is auto-assigned based on the attribute. |
List Block Type | Initiates a List data block comprising Attribute List Item data blocks conveying attribute list items. This value is always |
List Block Length | Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Attribute List Item data blocks. This field is followed by zero or more Attribute List Item data blocks. |
Attribute List Item Block Type | Initiates the first Attribute List Item data block. This data block can be followed by other Attribute List Item data blocks up to the limit defined in the list block length field. |
Attribute List Item Block Length | Number of bytes in the Attribute List Item String data block, including eight bytes for the block type and header fields, plus the number of bytes in the attribute list item. |
Attribute List Item Data | Attribute List Item data as documented in Attribute List Item Data Block. |
List Block Type | Initiates a List data block comprising Attribute Address data blocks conveying IP addresses for hosts with the attribute. This value is always |
List Block Length | Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Attribute Address data blocks. This field is followed by zero or more Attribute Address data blocks. |
Attribute Address Block Type | Initiates the first Attribute Address data block. This data block can be followed by other Attribute Address data blocks up to the limit defined in the list block length field. |
Attribute Address Block Length | Number of bytes in the Attribute Address data block, including eight bytes for the block type and header fields, plus the number of bytes in the attribute address. |
Attribute Address Data | Attribute Address data as documented in Attribute Address Data Block 5.2+. |
User Protocol Data Block
The User Protocol data block is used to contain information about added protocols, the type of the protocol, and lists of IP address and MAC address ranges for the hosts with the protocol. The User Protocol data block has a block type of 57 in the series 1 group of blocks.
The following diagram shows the basic structure of a User Protocol data block:
The following table describes the fields of the User Protocol data block.
Field | Description |
---|---|
Block Type | Initiates a User Protocol data block. This value is always |
Block Length | Total number of bytes in the User Protocol data block, including eight bytes for the user protocol block type and length fields, plus the number of bytes of user protocol data that follows. |
Generic List Block Type | Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always |
Generic List Block Length | Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks. |
IP Range Specification Data Blocks | IP Range Specification data blocks containing information about the IP address ranges for the user input. See IP Address Range Data Block for 5.2+ for a description of this data block. |
Generic List Block Type | Initiates a Generic List data block comprising MAC Range Specification data blocks conveying MAC address range data. This value is always |
Generic List Block Length | Number of bytes in the Generic List data block, including the list header and all encapsulated MAC Range Specification data blocks. |
MAC Range Specification Data Blocks | MAC Range Specification data blocks containing information about the MAC address ranges for the user input. See MAC Address Specification Data Block for a description of this data block. |
Protocol Type | Indicates the type of the protocol. The protocol can be either |
Protocol | Indicates the protocol for the data contained in the data block. |
User Client Application Data Block for 5.1.1+
The User Client Application data block contains information about the source of the client application data, the identification number for the user who added the data, and the lists of IP address range data blocks. The payload ID, which was added in Version 6.7, specifies the application instance associated with the record. The User Client Application data block has a block type of 138 in the series 1 group of blocks. It replaces block type 59.
The following diagram shows the basic structure of a User Client Application data block:
The following table describes the fields of the User Client Application data block.
Field | Description |
---|---|
Block Type | Initiates a User Client Application data block. This value is always |
Block Length | Total number of bytes in the User Client Application data block, including eight bytes for the user client application block type and length fields, plus the number of bytes of user client application data that follows. |
Generic List Block Type | Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always |
Generic List Block Length | Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks. |
IP Range Specification Data Blocks | IP Range Specification data blocks containing information about the IP address ranges for the user input. See IP Address Range Data Block for 5.2+ for a description of this data block. |
Application Protocol ID | The internal identification number for the application protocol, if applicable. |
Client Application ID | The internal identification number of the detected client application, if applicable. |
String Block Type | Initiates a String data block that contains the client application version. This value is always |
String Block Length | Number of bytes in the client application version String data block, including the string block type and length fields, plus the number of bytes in the version. |
 | This field is included for backwards compatibility. It is always |
Web Application ID | The internal identification number for the web application, if applicable. |
User Client Application List Data Block
The User Client Application List data block contains information about the source of the client application data, the identification number for the user who added the data, and the lists of client application blocks. The User Client Application List data block has a block type of 60 in the series 1 group of blocks.
The following diagram shows the basic structure of a User Client Application List data block:
The following table describes the fields of the User Client Application List data block.
Field | Description |
---|---|
Block Type | Initiates a User Client Application List data block. This value is always |
Block Length | Total number of bytes in the User Client Application List data block, including eight bytes for the user client application list block type and length fields, plus the number of bytes of user client application list data that follows. |
 | Identification number that maps to the source that added the affected client application. Depending on the source type, this may map to RNA, a user, a scanner, or a third-party application. |
Generic List Block Type | Initiates a Generic List data block. This value is always |
Generic List Block Length | Number of bytes in the Generic List block and encapsulated data blocks. This number includes the eight bytes of the generic list block header fields, plus the number of bytes in all of the encapsulated data blocks. |
User Client Application Data Blocks | Encapsulated User Client Application data blocks up to the maximum number of bytes in the list block length. For more information on the User Client Application data block, see User Client Application Data Block for 5.1.1+. |
IP Address Range Data Block for 5.2+
The IP Address Range data block for 5.2+ conveys a range of IP addresses. IP Address Range data blocks are used in User Protocol, User Client Application, Address Specification, User Product, User Server, User Hosts, User Vulnerability, User Criticality, and User Attribute Value data blocks. The IP Address Range data block has a block type of 141 in the series 1 group of blocks.
The following diagram shows the format of the IP Address Range data block:
The following table describes the components of the IP Address Range Specification data block.
Attribute Specification Data Block
The Attribute Specification data block conveys the attribute name and value. The Attribute Specification data block has a block type of 62 in the series 1 group of blocks.
The following diagram shows the format of the Attribute Specification data block:
The following table describes the components of the Attribute Specification data block.
Host IP Address Data Block
The Host IP Address data block conveys an individual IP address. The IP address may be either an IPv4 or IPv6 address. Host IP Address data blocks are used in User Protocol, Address Specification, and User Host data blocks. The Host IP data block has a block type of 143 in the series 1 group of blocks.
The following diagram shows the format of the Host IP Address data block:
The following table describes the components of the Host IP Address data block.
MAC Address Specification Data Block
The MAC Address Specification data block conveys an individual MAC address. MAC Address Specification data blocks are used in User Protocol, Address Specification, and User Hosts data blocks. The MAC Address Specification data block has a block type of 63 in the series 1 group of blocks.
The following diagram shows the format of the MAC Address Specification data block:
The following table describes the components of the MAC Address Specification data block.
Address Specification Data Block
The Address Specification data block is used to contain lists of IP address range specifications and MAC address specifications. The Address Specification data block has a block type of 64 in the series 1 group of blocks.
The following diagram shows the basic structure of an Address Specification data block:
The following table describes the fields of the Address Specification data block.
Field | Description |
---|---|
Block Type | Initiates an Address Specification data block. This value is always |
Block Length | Total number of bytes in the Address Specification data block, including eight bytes for the address specification block type and length fields, plus the number of bytes of address specification data that follows. |
Generic List Block Type | Initiates a Generic List data block. This value is always |
Generic List Block Length | Number of bytes in the Generic List block and encapsulated data blocks. This number includes the eight bytes of the generic list block header fields, plus the number of bytes in all of the encapsulated data blocks. |
IP Address Range Specification Data Blocks | Encapsulated IP Address Range Specification data blocks up to the maximum number of bytes in the list block length. For more information, see IP Address Range Data Block for 5.2+. |
Generic List Block Type | Initiates a Generic List data block. This value is always |
Generic List Block Length | Number of bytes in the Generic List block and encapsulated data blocks. This number includes the eight bytes of the generic list block header fields, plus the number of bytes in all of the encapsulated data blocks. |
MAC Address Specification Data Blocks | Encapsulated MAC Address Specification data blocks up to the maximum number of bytes in the list block length. For more information, see MAC Address Specification Data Block. |
Connection Chunk Data Block for 6.1+
The Connection Chunk data block conveys connection data. It stores connection log data that aggregates over a five-minute period. The version for 6.1+ introduces the new field Original Client IP Address. The Connection Chunk data block has a block type of 164 in the series 1 group of blocks. It supersedes block type 136.
The following diagram shows the format of the Connection Chunk data block:
The following table describes the components of the Connection Chunk data block.
Fix List Data Block
The Fix List data block conveys a fix that applies to a host. A Fix List data block for each fix applied to the affected host is included in a User Product data block. The Fix List data block has a block type of 67 in the series 1 group of blocks.
The following diagram shows the format of the Fix List data block:
The following table describes the components of the Fix List data block.
User Server Data Block
The User Server data block contains server details from a user input event. The User Server data block has a block type of 76 in the series 1 group of blocks.
The following diagram shows the basic structure of a User Server data block:
The following table describes the fields of the User Server data block.
User Server List Data Block
The User Server List data block contains a list of server data blocks from a user input event. The User Server List data block has a block type of 77 in the series 1 group of blocks.
The following diagram shows the basic structure of a User Server List data block:
The following table describes the fields of the User Server List data block.