- Secure Firewall Management Center Event Streamer Integration Guide, Version 7.2.0
Data Structure Examples
This appendix contains data structure examples for selected intrusion, correlation, and discovery events. Each example is shown in binary format so that the setting of each bit is visible.
Intrusion Event Data Structure Examples
This section contains examples of data structures that may be transmitted by eStreamer for intrusion events. The following examples are provided:
- Example of an Intrusion Event for the Management Center 5.4+
- Example of an Intrusion Impact Alert
- Example of a Packet Record
- Example of a Classification Record
- Example of a Priority Record
- Example of a Rule Message Record
- Example of a Connection Statistics Data Block for 6.1.x
- Example of a Version 5.1+ User Event
Example of an Intrusion Event for the Management Center 5.4+
The following diagram shows an example event record:
In the preceding example, the following event information appears:
Example of an Intrusion Impact Alert
The following diagram shows an example intrusion impact alert record:
In the preceding example, the following information appears:
|  |  |
|---|---|
|  | The first two bytes of this line indicate the standard header value of |
|  | This line indicates that the message that follows is |
|  | The first bit of this is a flag indicating that the header is not an extended header containing an archive timestamp. The next 15 bits are an optional field containing the Netmap ID for the domain on which the event was detected. The remainder of the line indicates a record type value of |
|  | This line indicates that the data that follows is |
|  | This line contains a value of |
|  | This line indicates that the length of the impact alert block, including the impact alert block header, is |
|  | This line indicates that the event identification number is |
|  | This line indicates that the event is collected from device number |
|  | This line indicates that the event occurred at second |
|  | This line indicates that |
|  | This line indicates that the IP address associated with the violation event is |
|  | This line indicates that there is no destination IP address associated with the violation (values are set to |
|  | This line indicates that a string block follows, containing a string block length and a text string which, in this case, contains the impact name. For more information about string blocks, see String Data Block. |
|  | This line indicates that the total length of the string block, including the string block indicator and length is |
|  | This line indicates that the description of the impact is “Vulnerable.” |
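The walkthrough above describes the impact alert one 32-bit line at a time: the message header, the record header with its extended-header flag and Netmap ID, the impact alert block with its self-describing length, and the trailing string block that carries the impact name. The following parser is an added example written for this guide page; it is not code from the guide or from Cisco. It follows the field widths the descriptions give (2-byte header version, 2-byte message type, 4-byte message length; 1-bit flag, 15-bit Netmap ID, 16-bit record type, 4-byte record length; 4-byte block type and block length; string block of 4-byte type, 4-byte total length, text) and checks every length field against its enclosing structure before reading, so a truncated or tampered stream is rejected rather than silently mis-parsed. The numeric type constants, the 16-byte IP fields, the 4-byte impact field and all sample values are assumptions constructed for the example; a real consumer takes them from the guide's own tables.

```python
"""Bounds-checked parser for an eStreamer-style intrusion impact alert.

Added example, not code from the Cisco guide. Field widths follow the
appendix text; the constants below and the 16-byte IP fields are assumptions.
"""
import ipaddress
import struct

# Placeholder constants for the constructed sample (assumptions, not values
# taken from the guide's header, record and block type tables).
HEADER_VERSION = 1
MSG_TYPE_EVENT_DATA = 4
RECORD_TYPE_IMPACT_ALERT = 9
BLOCK_TYPE_STRING = 0
BLOCK_TYPE_IMPACT_ALERT = 20


class ParseError(ValueError):
    """Raised when a type or length field contradicts the surrounding data."""


def _need(buf, offset, n, what):
    """Refuse to read past the end of the buffer."""
    if offset + n > len(buf):
        raise ParseError(f"truncated while reading {what} at offset {offset}")


def _render_ip(raw16):
    """IP fields are assumed to be 16-byte IPv6-form values; IPv4 addresses
    travel as IPv4-mapped IPv6, and an all-zero field means 'no address'."""
    addr = ipaddress.IPv6Address(raw16)
    if addr == ipaddress.IPv6Address(0):
        return None
    return str(addr.ipv4_mapped or addr)


def parse_string_block(buf, offset, limit):
    """String block: 4-byte type, 4-byte total length (including these 8 header
    bytes), then the text. `limit` is the end of the enclosing block, so a length
    that reaches past it is rejected instead of being read."""
    _need(buf, offset, 8, "string block header")
    btype, blen = struct.unpack_from("!II", buf, offset)
    if btype != BLOCK_TYPE_STRING:
        raise ParseError(f"expected a string block, got block type {btype}")
    if blen < 8 or offset + blen > limit:
        raise ParseError(f"string block length {blen} does not fit its parent")
    text = buf[offset + 8:offset + blen].rstrip(b"\x00").decode("utf-8", "replace")
    return text, offset + blen


def parse_impact_alert_message(buf):
    """Parse one event-data message carrying an impact alert into a dict."""
    # Message header: version, message type, length of the data that follows.
    _need(buf, 0, 8, "message header")
    version, msg_type, msg_len = struct.unpack_from("!HHI", buf, 0)
    if version != HEADER_VERSION:
        raise ParseError(f"unsupported header version {version}")
    if msg_type != MSG_TYPE_EVENT_DATA:
        raise ParseError(f"not an event data message (type {msg_type})")
    _need(buf, 8, msg_len, "message body")
    msg_end = 8 + msg_len

    # Record header: 1-bit extended-header flag, 15-bit Netmap ID, 16-bit
    # record type, then the 4-byte length of the record data that follows.
    _need(buf, 8, 8, "record header")
    flags_and_type, rec_len = struct.unpack_from("!II", buf, 8)
    if flags_and_type >> 31:
        raise ParseError("extended header with archive timestamp not handled here")
    netmap_id = (flags_and_type >> 16) & 0x7FFF
    record_type = flags_and_type & 0xFFFF
    if record_type != RECORD_TYPE_IMPACT_ALERT:
        raise ParseError(f"record type {record_type} is not an impact alert")
    rec_start, rec_end = 16, 16 + rec_len
    if rec_end > msg_end:
        raise ParseError("record length exceeds message length")

    # Impact alert block: type, length (including this header), event ID,
    # device ID, event second, impact value, source IP, destination IP, then
    # the impact name as a string block. IP width and impact width are assumed.
    fixed = "!IIIIII16s16s"
    _need(buf, rec_start, struct.calcsize(fixed), "impact alert block")
    (btype, blen, event_id, device_id, event_sec, impact,
     src_raw, dst_raw) = struct.unpack_from(fixed, buf, rec_start)
    if btype != BLOCK_TYPE_IMPACT_ALERT:
        raise ParseError(f"block type {btype} is not an impact alert block")
    if rec_start + blen != rec_end:
        raise ParseError("impact alert block length disagrees with record length")
    offset = rec_start + struct.calcsize(fixed)
    description, offset = parse_string_block(buf, offset, rec_end)
    if offset != rec_end:
        raise ParseError("trailing bytes after the impact name")
    return {"netmap_id": netmap_id, "event_id": event_id, "device_id": device_id,
            "event_second": event_sec, "impact": impact,
            "source_ip": _render_ip(src_raw), "destination_ip": _render_ip(dst_raw),
            "description": description}


def is_rejected(buf):
    """True when the parser refuses `buf` with a ParseError."""
    try:
        parse_impact_alert_message(buf)
    except ParseError:
        return True
    return False


def build_sample_message(description="Vulnerable", src_ip="10.0.0.5", dst_ip=None):
    """Assemble a constructed sample message (not a capture from a real sensor)."""
    text = description.encode()
    string_block = struct.pack("!II", BLOCK_TYPE_STRING, 8 + len(text)) + text
    src = ipaddress.IPv6Address(f"::ffff:{src_ip}").packed
    dst = ipaddress.IPv6Address(f"::ffff:{dst_ip}").packed if dst_ip else bytes(16)
    body = struct.pack("!IIII16s16s", 4242, 3, 1700000000, 1, src, dst) + string_block
    block = struct.pack("!II", BLOCK_TYPE_IMPACT_ALERT, 8 + len(body)) + body
    record = struct.pack("!II", (7 << 16) | RECORD_TYPE_IMPACT_ALERT, len(block)) + block
    return struct.pack("!HHI", HEADER_VERSION, MSG_TYPE_EVENT_DATA, len(record)) + record


if __name__ == "__main__":
    print(parse_impact_alert_message(build_sample_message()))
```

The three length fields (message, record, block) are checked against each other and the string block length is checked against the block end, so a single oversized length field in the stream produces a ParseError instead of an out-of-bounds read or a description that swallows the next record; a consumer that logs the rejected offset gets a useful signal when a feed is corrupted or truncated mid-message.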
Example of a Packet Record
The following diagram shows an example packet record:
In the preceding example, the following packet information appears:
Example of a Classification Record
The following diagram shows an example classification record:
In the preceding example, the following event information appears:
Example of a Priority Record
The following example shows a sample priority record:
In the preceding example, the following event information appears:
Example of a Rule Message Record
The following example shows a sample rule record:
In the preceding example, the following event information appears:
Example of a Connection Statistics Data Block for 6.1.x
The following diagram shows an example connection statistics record:
In the preceding example, the following event information appears: