- Secure Firewall Management Center Event Streamer Integration Guide, Version 7.2.0
Understanding Legacy Data Structures
This appendix contains information about data structures supported by eStreamer at previous versions of Secure Firewall System products.
If your client uses event stream requests with bits set to request data in older version formats, you can use the information in this appendix to identify the data structures of the data messages you receive.
Note that prior to version 5.0, IDs were assigned to individual detection engines; from version 5.0 on, IDs are assigned to devices. The data structures for each version reflect whichever scheme applies to it.

Note: This appendix describes only data structures from version 4.9 or later of the Secure Firewall System. If you require documentation for structures from earlier data structure versions, contact Cisco Customer Support.
Legacy Intrusion Data Structures
- Intrusion Event (IPv4) Record 5.0.x - 5.1
- Intrusion Event (IPv6) Record 5.0.x - 5.1
- Intrusion Event Record 5.2.x
- Intrusion Event Record 5.3
- Intrusion Event Record 5.1.1.x
- Intrusion Event Record 5.3.1
- Intrusion Event Record 5.4.x
- Intrusion Event Record 6.x
- Intrusion Event Record 7.0
- Intrusion Impact Alert Data
- Intrusion Event Extra Data Record
- Intrusion Event Extra Data Metadata
Intrusion Event (IPv4) Record 5.0.x - 5.1
The fields in the intrusion event (IPv4) record are shaded in the following graphic. The record type is 207.
You request intrusion event records by setting the intrusion event flag or the extended requests flag in the request message. See Request Flags and Submitting Extended Requests.
For version 5.0.x - 5.1 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier.
(Record layout graphic not reproduced. Label recoverable from it: eStreamer Server Timestamp (in events, only if bit 23 is set).)
The following descriptions cover each intrusion event record data field, in the order the fields appear in the record.
- Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.
- UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
- Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.
- Identification number of the Secure Firewall System preprocessor that generated the event.
- Identification number of the priority associated with the event.
- Destination IPv4 address used in the event, in address octets.
- The source port number if the event protocol type is TCP or UDP.
- The destination port number if the event protocol type is TCP or UDP.
- Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Defense Center. An
- A policy ID number that acts as a unique identifier for the intrusion policy.
- The internal identification number for the user, if applicable.
- The internal identification number for the web application, if applicable.
- The internal identification number for the client application, if applicable.
- The internal identification number for the application protocol, if applicable.
- A rule ID number that acts as a unique identifier for the access control rule.
- A policy ID number that acts as a unique identifier for the access control policy.
- An interface ID number that acts as a unique identifier for the ingress interface.
- An interface ID number that acts as a unique identifier for the egress interface.
- A zone ID number that acts as a unique identifier for the ingress security zone.
- A zone ID number that acts as a unique identifier for the egress security zone.
Intrusion Event (IPv6) Record 5.0.x - 5.1
The fields in the intrusion event (IPv6) record are shaded in the following graphic. The record type is 208.
You request intrusion event records by setting the intrusion event flag or the extended requests flag in the request message. See Request Flags and Submitting Extended Requests.
For version 5.0.x - 5.1 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier.
(Record layout graphic not reproduced. Label recoverable from it: eStreamer Server Timestamp (in events, only if bit 23 is set).)
The following descriptions cover each intrusion event record data field, in the order the fields appear in the record.
- Contains the identification number of the detecting device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.
- UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
- Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.
- Identification number of the Secure Firewall System preprocessor that generated the event.
- Identification number of the priority associated with the event.
- Destination IPv6 address used in the event, in address octets.
- The source port number if the event protocol type is TCP or UDP. If the protocol type is ICMP, this indicates the ICMP type.
- The destination port number if the event protocol type is TCP or UDP. If the protocol type is ICMP, this indicates the ICMP code.
- Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Defense Center. An
- Indicates the ID of the VLAN where the packet originated. (Applies to 4.9+ events only.)
- A policy ID number that acts as a unique identifier for the intrusion policy.
- The internal identification number for the user, if applicable.
- The internal identification number for the web application, if applicable.
- The internal identification number for the client application, if applicable.
- The internal identification number for the application protocol, if applicable.
- A rule ID number that acts as a unique identifier for the access control rule.
- A policy ID number that acts as a unique identifier for the access control policy.
- An interface ID number that acts as a unique identifier for the ingress interface.
- An interface ID number that acts as a unique identifier for the egress interface.
- A zone ID number that acts as a unique identifier for the ingress security zone.
- A zone ID number that acts as a unique identifier for the egress security zone.
Intrusion Event Record 5.2.x
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 34 in the series 2 set of data blocks.
You can request 5.2.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 5 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
For version 5.2.x intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.
(Record layout graphic not reproduced. Labels recoverable from it: eStreamer Server Timestamp (in events, only if bit 23 is set); Destination IP Address, continued.)
The following descriptions cover each intrusion event record data field, in the order the fields appear in the record.
- Initiates an Intrusion Event data block. This value is always 34.
- Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.
- Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.
- UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
- Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.
- Identification number of the Secure Firewall System preprocessor that generated the event.
- Identification number of the priority associated with the event.
- The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.
- The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.
- Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Defense Center. An
- A policy ID number that acts as a unique identifier for the intrusion policy.
- The internal identification number for the user, if applicable.
- The internal identification number for the web application, if applicable.
- The internal identification number for the client application, if applicable.
- The internal identification number for the application protocol, if applicable.
- A rule ID number that acts as a unique identifier for the access control rule.
- A policy ID number that acts as a unique identifier for the access control policy.
- An interface ID number that acts as a unique identifier for the ingress interface.
- An interface ID number that acts as a unique identifier for the egress interface.
- A zone ID number that acts as a unique identifier for the ingress security zone.
- A zone ID number that acts as a unique identifier for the egress security zone.
- UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.
- Numerical ID of the Snort instance on the managed device that generated the connection event.
- Value used to distinguish between connection events that happen during the same second.
Intrusion Event Record 5.3
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 41 in the series 2 set of data blocks.
You can request 5.3 intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 6 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
For version 5.3 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.
(Record layout graphic not reproduced. Labels recoverable from it: eStreamer Server Timestamp (in events, only if bit 23 is set); Destination IP Address, continued.)
The following descriptions cover each intrusion event record data field, in the order the fields appear in the record.
- Initiates an Intrusion Event data block. This value is always 41.
- Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.
- Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.
- UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
- Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.
- Identification number of the Secure Firewall System preprocessor that generated the event.
- Identification number of the priority associated with the event.
- The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.
- The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.
- Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Defense Center. An
- A policy ID number that acts as a unique identifier for the intrusion policy.
- The internal identification number for the user, if applicable.
- The internal identification number for the web application, if applicable.
- The internal identification number for the client application, if applicable.
- The internal identification number for the application protocol, if applicable.
- A rule ID number that acts as a unique identifier for the access control rule.
- A policy ID number that acts as a unique identifier for the access control policy.
- An interface ID number that acts as a unique identifier for the ingress interface.
- An interface ID number that acts as a unique identifier for the egress interface.
- A zone ID number that acts as a unique identifier for the ingress security zone.
- A zone ID number that acts as a unique identifier for the egress security zone.
- UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.
- Numerical ID of the Snort instance on the managed device that generated the connection event.
- Value used to distinguish between connection events that happen during the same second.
Intrusion Event Record 5.1.1.x
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 25.
You can request 5.1.1.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 4 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
For version 5.1.1.x intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.
(Record layout graphic not reproduced. Labels recoverable from it: eStreamer Server Timestamp (in events, only if bit 23 is set); Destination IP Address, continued.)
The following descriptions cover each intrusion event record data field, in the order the fields appear in the record.
- Initiates an Intrusion Event data block. This value is always 25.
- Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.
- Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.
- UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
- Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.
- Identification number of the Secure Firewall System preprocessor that generated the event.
- Identification number of the priority associated with the event.
- The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.
- The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.
- Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Defense Center. An
- A policy ID number that acts as a unique identifier for the intrusion policy.
- The internal identification number for the user, if applicable.
- The internal identification number for the web application, if applicable.
- The internal identification number for the client application, if applicable.
- The internal identification number for the application protocol, if applicable.
- A rule ID number that acts as a unique identifier for the access control rule.
- A policy ID number that acts as a unique identifier for the access control policy.
- An interface ID number that acts as a unique identifier for the ingress interface.
- An interface ID number that acts as a unique identifier for the egress interface.
- A zone ID number that acts as a unique identifier for the ingress security zone.
- A zone ID number that acts as a unique identifier for the egress security zone.
- UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.
- Numerical ID of the Snort instance on the managed device that generated the connection event.
- Value used to distinguish between connection events that happen during the same second.
Intrusion Event Record 5.3.1
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 42 in the series 2 set of data blocks.
You can request 5.3.1 intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 7 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
For version 5.3.1 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.
(Record layout graphic not reproduced. Labels recoverable from it: eStreamer Server Timestamp (in events, only if bit 23 is set); Destination IP Address, continued.)
The following descriptions cover each intrusion event record data field, in the order the fields appear in the record.
- Initiates an Intrusion Event data block. This value is always 42.
- Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.
- Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.
- UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
- Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.
- Identification number of the Secure Firewall System preprocessor that generated the event.
- Identification number of the priority associated with the event.
- The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.
- The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.
- Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Defense Center. An
- A policy ID number that acts as a unique identifier for the intrusion policy.
- The internal identification number for the user, if applicable.
- The internal identification number for the web application, if applicable.
- The internal identification number for the client application, if applicable.
- The internal identification number for the application protocol, if applicable.
- A rule ID number that acts as a unique identifier for the access control rule.
- A policy ID number that acts as a unique identifier for the access control policy.
- An interface ID number that acts as a unique identifier for the ingress interface.
- An interface ID number that acts as a unique identifier for the egress interface.
- A zone ID number that acts as a unique identifier for the ingress security zone.
- A zone ID number that acts as a unique identifier for the egress security zone.
- UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.
- Numerical ID of the Snort instance on the managed device that generated the connection event.
- Value used to distinguish between connection events that happen during the same second.
- ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.
Intrusion Event Record 5.4.x
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 45 in the series 2 set of data blocks. It supersedes block type 42, and is superseded by block type 60. Fields for SSL support and Network Analysis Policy have been added.
You can request 5.4.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 8 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
(Record layout graphic not reproduced. Labels recoverable from it: eStreamer Server Timestamp (in events, only if bit 23 is set); Destination IP Address, continued.)
The following descriptions cover each intrusion event record data field, in the order the fields appear in the record.
- Initiates an Intrusion Event data block. This value is always 45.
- Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.
- Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.
- UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
- Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.
- Identification number of the Secure Firewall System preprocessor that generated the event.
- Identification number of the priority associated with the event.
- The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.
- The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.
- Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Defense Center. An
- A policy ID number that acts as a unique identifier for the intrusion policy.
- The internal identification number for the user, if applicable.
- The internal identification number for the web application, if applicable.
- The internal identification number for the client application, if applicable.
- The internal identification number for the application protocol, if applicable.
- A rule ID number that acts as a unique identifier for the access control rule.
- A policy ID number that acts as a unique identifier for the access control policy.
- An interface ID number that acts as a unique identifier for the ingress interface.
- An interface ID number that acts as a unique identifier for the egress interface.
- A zone ID number that acts as a unique identifier for the ingress security zone.
- A zone ID number that acts as a unique identifier for the egress security zone.
- UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.
- Numerical ID of the Snort instance on the managed device that generated the connection event.
- Value used to distinguish between connection events that happen during the same second.
- ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.
- The action performed on the connection based on the SSL Rule. This may differ from the expected action, as the action specified in the rule may be impossible. Possible values include:
- Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include:
- The UUID of the Network Analysis Policy that created the intrusion event.
Intrusion Event Record 6.x
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 60 in the series 2 set of data blocks. It supersedes block type 45, and is superseded by block type 81 in 7.0. An HTTP Response field has been added.
You can request 6.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 9 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
(Record layout graphic not reproduced. Labels recoverable from it: eStreamer Server Timestamp (in events, only if bit 23 is set); Destination IP Address, continued.)
The following descriptions cover each intrusion event record data field, in the order the fields appear in the record.
- Initiates an Intrusion Event data block. This value is always 60.
- Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.
- Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.
- UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
- Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.
- Identification number of the Secure Firewall System preprocessor that generated the event.
- Identification number of the priority associated with the event.
- The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.
- The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.
- Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Management Center. An
- A policy ID number that acts as a unique identifier for the intrusion policy.
- The internal identification number for the user, if applicable.
- The internal identification number for the web application, if applicable.
- The internal identification number for the client application, if applicable.
- The internal identification number for the application protocol, if applicable.
- A rule ID number that acts as a unique identifier for the access control rule.
- A policy ID number that acts as a unique identifier for the access control policy.
- An interface ID number that acts as a unique identifier for the ingress interface.
- An interface ID number that acts as a unique identifier for the egress interface.
- A zone ID number that acts as a unique identifier for the ingress security zone.
- A zone ID number that acts as a unique identifier for the egress security zone.
- UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.
- Numerical ID of the Snort instance on the managed device that generated the connection event.
- Value used to distinguish between connection events that happen during the same second.
- ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.
- The action performed on the connection based on the SSL Rule. This may differ from the expected action, as the action specified in the rule may be impossible. Possible values include:
- Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include:
- The UUID of the Network Analysis Policy that created the intrusion event.
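As an added example (not code from the Cisco guide), the following Python walks a buffer of series 2 data blocks as described for the 5.1.1.x through 7.0 intrusion event records in this appendix: it reads the block type and block length, checks that the length field, which counts its own eight header bytes, is neither smaller than the header nor larger than the data actually received, and maps the block type to the record version and extended-request version code given here. It assumes network byte order and back-to-back blocks, neither of which this section states; the sample bytes are constructed.

```python
"""Validate and classify eStreamer series 2 intrusion event data blocks.

Assumptions not stated on this page: multi-byte integers are big-endian
(network byte order) and blocks are concatenated back to back. All sample
bytes are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional

HEADER_LEN = 8  # 4-byte block type + 4-byte block length

# Extended-request version code (event type code 12) -> series 2 block type,
# as documented in this appendix. The 5.0.x-5.1 IPv4/IPv6 records (record
# types 207/208) are not series 2 blocks and so are not listed.
VERSION_CODE_TO_BLOCK_TYPE = {
    4: 25,   # Intrusion Event Record 5.1.1.x
    5: 34,   # Intrusion Event Record 5.2.x
    6: 41,   # Intrusion Event Record 5.3
    7: 42,   # Intrusion Event Record 5.3.1
    8: 45,   # Intrusion Event Record 5.4.x
    9: 60,   # Intrusion Event Record 6.x
    10: 81,  # Intrusion Event Record 7.0
}
BLOCK_TYPE_TO_RECORD = {
    25: "Intrusion Event Record 5.1.1.x",
    34: "Intrusion Event Record 5.2.x",
    41: "Intrusion Event Record 5.3",
    42: "Intrusion Event Record 5.3.1",
    45: "Intrusion Event Record 5.4.x",
    60: "Intrusion Event Record 6.x",
    81: "Intrusion Event Record 7.0",
}


class MalformedBlock(ValueError):
    """Raised when a block's length field cannot be trusted."""


@dataclass
class DataBlock:
    block_type: int
    block_length: int  # value carried on the wire; includes the 8 header bytes
    payload: bytes     # the block_length - 8 bytes that follow the header

    @property
    def record_name(self) -> Optional[str]:
        return BLOCK_TYPE_TO_RECORD.get(self.block_type)


def parse_block(buf: bytes, offset: int = 0) -> DataBlock:
    """Parse the series 2 block at buf[offset] without trusting its length blindly."""
    if len(buf) - offset < HEADER_LEN:
        raise MalformedBlock("truncated block header at offset %d" % offset)
    block_type, block_length = struct.unpack_from("!II", buf, offset)
    # The length counts its own 8 header bytes, so a smaller value is impossible
    # and would otherwise make a naive walker loop forever or step backwards.
    if block_length < HEADER_LEN:
        raise MalformedBlock("block length %d is smaller than its header" % block_length)
    # Never read past the data actually received, whatever the field claims.
    if offset + block_length > len(buf):
        raise MalformedBlock("block length %d overruns the buffer" % block_length)
    payload = bytes(buf[offset + HEADER_LEN:offset + block_length])
    return DataBlock(block_type, block_length, payload)


def iter_blocks(buf: bytes) -> Iterator[DataBlock]:
    """Yield consecutive blocks; stop at the end, raise on a malformed block."""
    offset = 0
    while offset < len(buf):
        block = parse_block(buf, offset)
        yield block
        offset += block.block_length


def parse_all(buf: bytes) -> List[DataBlock]:
    return list(iter_blocks(buf))


def is_well_formed(buf: bytes) -> bool:
    """True if every block in the buffer passes the length checks above."""
    try:
        parse_all(buf)
        return True
    except MalformedBlock:
        return False


def encode_block(block_type: int, payload: bytes) -> bytes:
    """Build a block with the length counted the way the appendix defines it."""
    return struct.pack("!II", block_type, HEADER_LEN + len(payload)) + payload


def block_type_for_version_code(version_code: int) -> int:
    """Block type a client should expect after requesting this version code."""
    if version_code not in VERSION_CODE_TO_BLOCK_TYPE:
        raise ValueError("version code %d is not an intrusion event version" % version_code)
    return VERSION_CODE_TO_BLOCK_TYPE[version_code]


# Constructed sample: a 6.x block with 16 payload bytes, then a 7.0 block with 4.
SAMPLE_STREAM = encode_block(60, b"\x00" * 16) + encode_block(81, b"\x01" * 4)
# Constructed malformed samples: a length below the header size, and a length
# claiming 64 bytes when only the 8-byte header was received.
BAD_LENGTH = struct.pack("!II", 60, 4)
OVERRUN = struct.pack("!II", 81, 64)
```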
Intrusion Event Record 7.0
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 81 in the series 2 set of data blocks. It supersedes block type 60, and is superseded by block type 85. Inline Result Reason, Ingress and Egress Virtual Route Forwarding, and Snort Version fields have been added. The Blocked field has been renamed Inline Result.
You can request 7.0 intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 10 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
eStreamer Server Timestamp (in events, only if bit 23 is set) |
||||||||||||||||||||||||||||||||
Destination IP Address, continued |
||||||||||||||||||||||||||||||||
The following list describes each intrusion event record data field, in the order the fields appear in the record.
- Initiates an Intrusion Event data block. This value is always 81.
- Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.
- Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.
- UNIX timestamp (seconds since 01/01/1970) of the event's detection.
- Microsecond (one millionth of a second) increment of the timestamp of the event's detection.
- Identification number of the Secure Firewall System preprocessor that generated the event.
- Identification number of the priority associated with the event.
- The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.
- The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.
- Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Management Center. An
- A policy ID number that acts as a unique identifier for the intrusion policy.
- The internal identification number for the user, if applicable.
- The internal identification number for the web application, if applicable.
- The internal identification number for the client application, if applicable.
- The internal identification number for the application protocol, if applicable.
- A rule ID number that acts as a unique identifier for the access control rule.
- A policy ID number that acts as a unique identifier for the access control policy.
- An interface ID number that acts as a unique identifier for the ingress interface.
- An interface ID number that acts as a unique identifier for the egress interface.
- A zone ID number that acts as a unique identifier for the ingress security zone.
- A zone ID number that acts as a unique identifier for the egress security zone.
- UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.
- Numerical ID of the Snort instance on the managed device that generated the connection event.
- Value used to distinguish between connection events that happen during the same second.
- ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.
- The action performed on the connection based on the SSL rule. This may differ from the expected action, because the action specified in the rule may be impossible. Possible values include:
- Status of the SSL flow. These values describe the reason behind the action taken or the error message seen. Possible values include:
- The UUID of the Network Analysis Policy that created the intrusion event.
- Initiates a String data block containing the name of the ingress VRF. This value is always
- The number of bytes included in the name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Ingress VRF name field.
- The name of the virtual router through which traffic entered the network.
- Initiates a String data block containing the name of the egress VRF. This value is always
- The number of bytes included in the name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Egress VRF name field.
- The name of the virtual router through which traffic exited the network.
Intrusion Impact Alert Data
The Intrusion Impact Alert event contains information about impact events. It is transmitted when an intrusion event is compared to the system network map data and the impact is determined. It uses the standard record header with a record type of 9, followed by an Intrusion Impact Alert data block with a data block type of 20 in the series 1 group of blocks. (The Impact Alert data block is a type of series 1 data block. For more information about series 1 data blocks, see Understanding Discovery (Series 1) Blocks.)
You can request that eStreamer only transmit intrusion impact events by setting bit 5 in the Flags field of the request message. See Event Stream Request Message Format for more information about request messages. Version 1 of these alerts only handles IPv4. Version 2, introduced in 5.3, handles IPv6 events in addition to IPv4.
The following list describes each data field in an impact event, in the order the fields appear in the record.
- Indicates that an intrusion impact alert data block follows. This field will always have a value of
- Indicates the length of the intrusion impact alert data block, including all data that follows and 8 bytes for the intrusion impact alert block type and length.
- Indicates the second (from 01/01/1970) that the event was detected.
- Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: The following impact level values map to specific priorities on the Defense Center. An
- IP address of the host associated with the impact event, in IP address octets.
- IP address of the destination host associated with the impact event (if applicable), in IP address octets. This value is
- Initiates a string data block that contains the impact name. This value is always set to
- Number of bytes in the event description string block. This includes the four bytes for the string block type, the four bytes for the string block length, and the number of bytes in the description.
Intrusion Event Extra Data Record
The eStreamer service transmits the event extra data associated with an intrusion event in the Intrusion Event Extra Data record. The record type is always 110.
This record is deprecated in version 7.1; it can still be requested, but no records are generated.
The event extra data appears in an encapsulated Event Extra Data data block, which always has a data block type value of 4. (The Event Extra Data data block is a series 2 data block. For more information about series 2 data blocks, see Understanding Series 2 Data Blocks.)
The supported types of extra data include IPv6 source and destination addresses, as well as the originating IP addresses (v4 or v6) of clients connecting to a web server through an HTTP proxy or load balancer. The graphic below shows the format of the Intrusion Event Extra Data record.
If bit 27 is set in the Request Flags field of the request message, you receive the event extra data for each intrusion event. If you set bit 20, you also receive the event extra data metadata described in Intrusion Event Extra Data Metadata. If you enable bit 23, eStreamer will include the extended event header. See Request Flags for information on setting request flags.
Graphic (layout not reproduced): Intrusion Event Extra Data record, including the eStreamer Server Timestamp (in events, only if bit 23 is set).
Note that the Event Extra Data block structure includes a BLOB block type, which is one of several variable length data structures introduced in Version 4.10 of the Secure Firewall System.
The following list describes the fields in the Intrusion Event Extra Data record, in the order the fields appear in the record.
- Initiates an Event Extra Data data block. This value is always
- Length of the data block. Includes the number of bytes of data plus the 8 bytes in the two data block header fields.
- Initiates a BLOB data block containing extra data. This value is always
- The content of the extra data. The data type is indicated in the Type field.
Intrusion Event Extra Data Metadata
The eStreamer service transmits the event extra data metadata associated with intrusion event extra data records in the Intrusion Event Extra Data Metadata record. The record type is always 111.
This record is deprecated in version 7.1; it can still be requested, but no records are generated.
The event extra data metadata appears in an encapsulated Event Extra Data Metadata data block, which always has a data block type value of 5. The Event Extra Data Metadata data block is a series 2 data block.
If bit 20 is set in the Request Flags field of a request message, you receive the event extra data metadata. If you want to receive both intrusion events and event extra data metadata, you must set bit 2 as well. See Request Flags. If you enable bit 23, an extended event header is included in the record.
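The Request Flags bits this page names (bit 2 for intrusion events, bit 5 for impact alerts, bit 20 for extra data metadata, bit 23 for the extended event header, bit 27 for intrusion event extra data, bit 30 for malware events) are set in the Event Stream Request. The following Python is an added example, not code from the Cisco guide or its eStreamer reference client: it frames that request and splits incoming messages off a byte stream with the length checked before any slice is taken. The 8-byte message header layout (2-byte header version 1, 2-byte message type, 4-byte length of the data that follows) and message type 2 for the Event Stream Request are taken from the protocol chapter rather than from this page, so treat them as assumptions of this example. The extended-request body needed for 7.0 intrusion events and for malware events (event code 101) is not modelled.

```python
import struct

MSG_HEADER = struct.Struct("!HHI")     # header version, message type, data length (network byte order)
HEADER_VERSION = 1                     # assumption: eStreamer message header version
EVENT_STREAM_REQUEST = 2               # assumption: message type of the Event Stream Request
STREAM_REQUEST = struct.Struct("!II")  # initial timestamp, request flags

# Request Flags bits as named in the text above.
FLAG_BITS = {
    "intrusion_events": 2,
    "impact_alerts": 5,
    "extra_data_metadata": 20,
    "extended_event_header": 23,
    "intrusion_extra_data": 27,
    "malware_events": 30,
}


def build_flags(names):
    """OR together the named Request Flags bits; an unknown name raises KeyError instead of being dropped."""
    flags = 0
    for name in names:
        flags |= 1 << FLAG_BITS[name]
    return flags


def decode_flags(flags):
    """Return the names of the known bits that are set, ignoring bits this example does not model."""
    return {name for name, bit in FLAG_BITS.items() if flags & (1 << bit)}


def build_event_stream_request(initial_timestamp, names):
    """Frame an Event Stream Request: 8-byte message header, then initial timestamp and flags."""
    body = STREAM_REQUEST.pack(initial_timestamp, build_flags(names))
    return MSG_HEADER.pack(HEADER_VERSION, EVENT_STREAM_REQUEST, len(body)) + body


def parse_message(buf):
    """Split one message off the front of buf.

    Returns (message_type, data, remaining_bytes), or None when buf does not yet hold a
    complete message. The header version and declared length are checked before slicing,
    so a corrupt length from the peer cannot cause an over-read.
    """
    if len(buf) < MSG_HEADER.size:
        return None
    version, mtype, length = MSG_HEADER.unpack_from(buf, 0)
    if version != HEADER_VERSION:
        raise ValueError(f"unsupported eStreamer header version {version}")
    end = MSG_HEADER.size + length
    if len(buf) < end:
        return None  # wait for the rest of the message
    return mtype, buf[MSG_HEADER.size:end], buf[end:]


def decode_event_stream_request(buf):
    """Inverse of build_event_stream_request, used here to check that the framing round-trips."""
    parsed = parse_message(buf)
    if parsed is None:
        raise ValueError("incomplete message")
    mtype, data, rest = parsed
    if mtype != EVENT_STREAM_REQUEST or len(data) != STREAM_REQUEST.size or rest:
        raise ValueError("not a well-formed Event Stream Request")
    timestamp, flags = STREAM_REQUEST.unpack(data)
    return timestamp, decode_flags(flags)


if __name__ == "__main__":
    msg = build_event_stream_request(0, ["intrusion_events", "impact_alerts", "extended_event_header"])
    print(msg.hex())
    print(decode_event_stream_request(msg))
```

Bit 23 is worth setting in any collector that correlates events, because the extended event header carries the eStreamer server timestamp that the graphics on this page show; a client that sets bit 20 or bit 27 without bit 2 receives the extra data or its metadata but no intrusion events to attach them to.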
Graphic (layout not reproduced): Intrusion Event Extra Data Metadata record, including the eStreamer Server Timestamp (in events, only if bit 23 is set).
Note that the block structure includes encapsulated String block types, one of several series 2 variable length data structures introduced in Version 4.10 of the Secure Firewall System.
The following table describes the fields in the Event Extra Data Metadata record.
Legacy Malware Event Data Structures
- Malware Event Data Block 5.1
- Malware Event Data Block 5.1.1.x
- Malware Event Data Block 5.2.x
- Malware Event Data Block 5.3
- Malware Event Data Block 5.3.1
- Malware Event Data Block 5.4.x
- Malware Event Data Block 6.x
Malware Event Data Block 5.1
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 16 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 1 and an event code of 101.
The following graphic shows the structure of the malware event data block:
The following table describes the fields in the malware event data block.
Malware Event Data Block 5.1.1.x
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 24 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 2 and an event code of 101.
The following graphic shows the structure of the malware event data block:
The following table describes the fields in the malware event data block.
Malware Event Data Block 5.2.x
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 33 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 3 and an event code of 101.
The following graphic shows the structure of the malware event data block:
The following table describes the fields in the malware event data block.
Malware Event Data Block 5.3
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 35 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 4 and an event code of 101.
The following graphic shows the structure of the malware event data block:
The following list describes the fields in the malware event data block, in the order the fields appear in the block.
- Initiates a malware event data block. This value is always
- Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.
- The internal unique ID of the AMP for Endpoints agent reporting the malware event.
- The internal unique ID of the malware awareness network from which the malware event originated.
- The internal ID of the action that led to malware detection.
- The internal ID of the detection technology that detected the malware.
- Initiates a String data block containing the detection name. This value is always
- The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.
- Initiates a String data block containing the username. This value is always
- The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.
- The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.
- Initiates a String data block containing the file name. This value is always
- The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.
- Initiates a String data block containing the file path. This value is always
- The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.
- The file path, not including the file name, of the detected or quarantined file.
- Initiates a String data block containing the file SHA hash. This value is always
- The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.
- The rendered string of the SHA-256 hash value of the detected or quarantined file.
- The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information.
- UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.
- Initiates a String data block containing the parent file name. This value is always
- The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.
- The name of the file accessing the detected or quarantined file when detection occurred.
- Initiates a String data block containing the parent file SHA hash. This value is always
- The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.
- The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.
- Initiates a String data block containing the event description. This value is always
- The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.
- The additional event information associated with the event type.
- Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.
- Value used to distinguish between connection events that happen during the same second.
- Indicates whether the file was uploaded or downloaded. Can have the following values: Currently, the value depends on the protocol (for example, if the connection is HTTP, it is a download).
- ID number that maps to the application using the file transfer.
- Identification number for the user logged into the destination host, as identified by the system.
- Identification number that acts as a unique identifier for the access control policy that triggered the event.
- The malware status of the file. Possible values include:
- Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.
- Initiates a String data block containing the URI. This value is always
- The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.
- The internal identification number of the detected web application, if applicable.
- The internal identification number of the detected client application, if applicable.
- The action taken on the file based on the file type. Can have the following values:
- A numeric value from
Malware Event Data Block 5.3.1
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 44 in the series 2 group of blocks. It supersedes block 35. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 5 and an event code of 101.
The following graphic shows the structure of the malware event data block:
The following list describes the fields in the malware event data block, in the order the fields appear in the block.
- Initiates a malware event data block. This value is always
- Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.
- The internal unique ID of the AMP for Endpoints agent reporting the malware event.
- The internal unique ID of the Cisco Advanced Malware Protection cloud from which the malware event originated.
- The internal ID of the action that led to malware detection.
- The internal ID of the detection technology that detected the malware.
- Initiates a String data block containing the detection name. This value is always 0.
- The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.
- Initiates a String data block containing the username. This value is always 0.
- The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.
- The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.
- Initiates a String data block containing the file name. This value is always 0.
- The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.
- Initiates a String data block containing the file path. This value is always 0.
- The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.
- The file path, not including the file name, of the detected or quarantined file.
- Initiates a String data block containing the file SHA hash. This value is always 0.
- The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.
- The rendered string of the SHA-256 hash value of the detected or quarantined file.
- The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information.
- UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.
- Initiates a String data block containing the parent file name. This value is always 0.
- The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.
- The name of the file accessing the detected or quarantined file when detection occurred.
- Initiates a String data block containing the parent file SHA hash. This value is always 0.
- The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.
- The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.
- Initiates a String data block containing the event description. This value is always 0.
- The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.
- The additional event information associated with the event type.
- Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.
- Value used to distinguish between connection events that happen during the same second.
- Indicates whether the file was uploaded or downloaded. Can have the following values: Currently, the value depends on the protocol (for example, if the connection is HTTP, it is a download).
- ID number that maps to the application using the file transfer.
- Identification number for the user logged into the destination host, as identified by the system.
- Identification number that acts as a unique identifier for the access control policy that triggered the event.
- The malware status of the file. Possible values include:
- Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.
- Initiates a String data block containing the URI. This value is always 0.
- The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.
- The internal identification number of the detected web application, if applicable.
- The internal identification number of the detected client application, if applicable.
- The action taken on the file based on the file type. Can have the following values:
- A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.
- ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.
Malware Event Data Block 5.4.x
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 47 in the series 2 group of blocks. It supersedes block 44 and is superseded by block. Fields for SSL and file archive support have been added.
You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 6 and an event code of 101.
The following graphic shows the structure of the malware event data block:
The following list describes the fields in the malware event data block, in the order the fields appear in the block.
- Initiates a malware event data block. This value is always 47.
- Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.
- The internal unique ID of the AMP for Endpoints agent reporting the malware event.
- The internal unique ID of the Cisco Advanced Malware Protection cloud from which the malware event originated.
- The internal ID of the action that led to malware detection.
- The internal ID of the detection technology that detected the malware.
- Initiates a String data block containing the detection name. This value is always
- The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.
- Initiates a String data block containing the username. This value is always
- The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.
- The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.
- Initiates a String data block containing the file name. This value is always
- The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.
- Initiates a String data block containing the file path. This value is always
- The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.
- The file path, not including the file name, of the detected or quarantined file.
- Initiates a String data block containing the file SHA hash. This value is always
- The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.
- The rendered string of the SHA-256 hash value of the detected or quarantined file.
- The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information.
- UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.
- Initiates a String data block containing the parent file name. This value is always
- The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.
- The name of the file accessing the detected or quarantined file when detection occurred.
- Initiates a String data block containing the parent file SHA hash. This value is always
- The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.
- The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.
- Initiates a String data block containing the event description. This value is always
- The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.
- The additional event information associated with the event type.
- Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.
- Value used to distinguish between connection events that happen during the same second.
- Indicates whether the file was uploaded or downloaded. Can have the following values: Currently, the value depends on the protocol (for example, if the connection is HTTP, it is a download).
- ID number that maps to the application using the file transfer.
- Identification number for the user logged into the destination host, as identified by the system.
- Identification number that acts as a unique identifier for the access control policy that triggered the event.
- The malware status of the file. Possible values include:
- Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.
- Initiates a String data block containing the URI. This value is always
- The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.
- The internal identification number of the detected web application, if applicable.
- The internal identification number of the detected client application, if applicable.
- The action taken on the file based on the file type. Can have the following values:
- A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.
- ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.
- The action performed on the connection based on the SSL rule. This may differ from the expected action, because the action specified in the rule may be impossible. Possible values include:
- Status of the SSL flow. These values describe the reason behind the action taken or the error message seen. Possible values include:
- Initiates a String data block containing the Archive SHA. This value is always
- The number of bytes included in the Archive SHA String data block, including eight bytes for the block type and header fields plus the number of bytes in the Archive SHA field.
- SHA1 hash of the parent archive in which the file is contained.
- Initiates a String data block containing the Archive Name. This value is always
- The number of bytes included in the Archive Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Archive Name field.
- Number of layers in which the file is nested. For example, if a text file is in a zip archive, this has a value of
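Every variable-length field above, from the ingress and egress VRF names in the 7.0 intrusion event record to the Detection Name, User, File Name, File Path, SHA hash, URI and Archive fields in the malware event blocks, is carried as a nested series 2 String data block whose length counts its own 8-byte type and length header. The following Python is an added example, not code from the Cisco guide or its reference client, and serves both of those passages: it reads such blocks with the declared length validated against the buffer before any slice is taken, so a record with a corrupt or attacker-influenced length is rejected rather than over-read, and it rebuilds a sample to show the round trip. It assumes network byte order for the header fields, block type 0 for String data blocks (the value the guide states for block 44 above, assumed here for the other blocks) and UTF-8 text; the sample record is constructed, not captured, and its container carries only the two VRF String blocks rather than the full 7.0 field set.

```python
import struct

BLOCK_HEADER = struct.Struct("!II")  # block type, block length (network byte order)
STRING_BLOCK_TYPE = 0                # series 2 String data block; the guide gives 0 for block 44


class BlockError(ValueError):
    """Any length or type inconsistency. Callers should drop the record, never guess."""


def read_block(buf, offset, expected_type=None):
    """Return (block_type, payload, offset_after_block) for the block starting at offset.

    The declared length is checked against the 8-byte header minimum and the end of buf
    before any slice is taken, so a corrupt or hostile length can neither over-read nor,
    with a zero length, stall a caller that loops over consecutive blocks.
    """
    if offset + BLOCK_HEADER.size > len(buf):
        raise BlockError(f"truncated block header at offset {offset}")
    btype, blen = BLOCK_HEADER.unpack_from(buf, offset)
    if blen < BLOCK_HEADER.size:
        raise BlockError(f"block length {blen} at offset {offset} is below the 8-byte header")
    end = offset + blen
    if end > len(buf):
        raise BlockError(f"block length {blen} at offset {offset} exceeds the {len(buf)} bytes available")
    if expected_type is not None and btype != expected_type:
        raise BlockError(f"expected block type {expected_type} at offset {offset}, got {btype}")
    return btype, buf[offset + BLOCK_HEADER.size:end], end


def read_string(buf, offset):
    """Decode one String data block. The guide does not state an encoding; UTF-8 with any
    trailing NUL dropped is an assumption of this example."""
    _, payload, end = read_block(buf, offset, STRING_BLOCK_TYPE)
    return payload.rstrip(b"\x00").decode("utf-8", errors="replace"), end


def read_strings(body):
    """Walk consecutive String blocks that must exactly fill body."""
    out, offset = [], 0
    while offset < len(body):
        text, offset = read_string(body, offset)
        out.append(text)
    return out


def build_block(btype, body):
    """Encode a block; the length counts the 8-byte header, as the tables above state."""
    return BLOCK_HEADER.pack(btype, BLOCK_HEADER.size + len(body)) + body


def build_string(text):
    return build_block(STRING_BLOCK_TYPE, text.encode("utf-8"))


# Constructed sample, not captured traffic: a hypothetical container of type 81 whose body
# holds only the ingress and egress VRF String blocks. The real 7.0 record carries many
# fixed-width fields before them, which this sample omits.
SAMPLE = build_block(81, build_string("vrf-inside") + build_string("vrf-outside"))


def corrupt_length(buf, offset, value):
    """Overwrite the length field of the block header at offset (used to build a bad sample)."""
    out = bytearray(buf)
    struct.pack_into("!I", out, offset + 4, value)
    return bytes(out)


# The egress String block starts at 8 (container header) + 18 (ingress block); make it claim ~2 GiB.
MALFORMED = corrupt_length(SAMPLE, 8 + 18, 0x7FFFFFFF)


def parse_sample(buf):
    btype, body, end = read_block(buf, 0, expected_type=81)
    if end != len(buf):
        raise BlockError("trailing bytes after the container block")
    ingress, egress = read_strings(body)
    return {"block_type": btype, "ingress_vrf": ingress, "egress_vrf": egress}


def is_rejected(buf):
    """True when the parser refuses buf instead of returning a partial result."""
    try:
        parse_sample(buf)
    except BlockError:
        return True
    return False


if __name__ == "__main__":
    print(parse_sample(SAMPLE))
    print("malformed length rejected:", is_rejected(MALFORMED))
    print("truncated record rejected:", is_rejected(SAMPLE[:-1]))
```

The same read_block routine applies to the outer event block: its length field is the only thing that tells a collector where the next record begins, so a collector that trusts it without the bounds checks shown here will desynchronise on the first corrupt record and can be made to read beyond the received data.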
Malware Event Data Block 6.x
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 62 in the series 2 group of blocks. It supersedes block 47. A field for HTTP response has been added. It is superseded by block 80.
You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 7 and an event code of 101.
The following graphic shows the structure of the malware event data block.
The following table describes the fields in the malware event data block.
| Description |
|---|
| Initiates a malware event data block. This value is always 62. |
| Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows. |
| The internal unique ID of the AMP for Endpoints agent reporting the malware event. |
| The internal unique ID of the AMP cloud from which the malware event originated. |
| The internal ID of the action that led to malware detection. |
| The internal ID of the detection technology that detected the malware. |
| Initiates a String data block containing the detection name. This value is always |
| The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field. |
| Initiates a String data block containing the username. This value is always |
| The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field. |
| The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery. |
| Initiates a String data block containing the file name. This value is always |
| The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field. |
| Initiates a String data block containing the file path. This value is always |
| The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field. |
| The file path, not including the file name, of the detected or quarantined file. |
| Initiates a String data block containing the file SHA hash. This value is always |
| The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field. |
| The rendered string of the SHA-256 hash value of the detected or quarantined file. |
| The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information. |
| UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file. |
| Initiates a String data block containing the parent file name. This value is always |
| The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field. |
| The name of the file accessing the detected or quarantined file when detection occurred. |
| Initiates a String data block containing the parent file SHA hash. This value is always |
| The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field. |
| The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred. |
| Initiates a String data block containing the event description. This value is always |
| The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field. |
| The additional event information associated with the event type. |
| Snort instance on the device that generated the event. Used to link the event with a connection or IDS event. |
| Value used to distinguish between connection events that happen during the same second. |
| Indicates whether the file was uploaded or downloaded. Can have the following values: Currently the value depends on the protocol (for example, if the connection is HTTP it is a download). |
| ID number that maps to the application using the file transfer. |
| Identification number for the user logged into the destination host, as identified by the system. |
| Identification number that acts as a unique identifier for the access control policy that triggered the event. |
| The malware status of the file. Possible values include: |
| Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field. |
| Initiates a String data block containing the URI. This value is always |
| The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field. |
| The internal identification number of the detected web application, if applicable. |
| The internal identification number of the detected client application, if applicable. |
| The action taken on the file based on the file type. Can have the following values: |
| A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis. |
| ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
| The action performed on the connection based on the SSL Rule. This may differ from the expected action, as the action specified in the rule may be impossible. Possible values include: |
| Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include: |
| Initiates a String data block containing the Archive SHA. This value is always |
| The number of bytes included in the Archive SHA String data block, including eight bytes for the block type and header fields plus the number of bytes in the Archive SHA field. |
| SHA1 hash of the parent archive in which the file is contained. |
| Initiates a String data block containing the Archive Name. This value is always |
| The number of bytes included in the Archive Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Archive Name field. |
| Number of layers in which the file is nested. For example, if a text file is in a zip archive, this has a value of |
Legacy Discovery Data Structures
- Legacy Discovery Event Header
- Legacy Server Data Blocks
- Legacy Client Application Data Blocks
- Legacy Scan Result Data Blocks
- Legacy Host Profile Data Blocks
- Legacy OS Fingerprint Data Blocks
Legacy Discovery Event Header
Discovery Event Header 5.0 - 5.1.1.x
Discovery and connection event messages contain a discovery event header. It conveys the type and subtype of the event, the time the event occurred, the device on which the event occurred, and the structure of the event data in the message. This header is followed by the actual host discovery, user, or connection event data. The structures associated with the different event type/subtype values are described in Host Discovery Structures by Event Type.
The event type and event subtype fields of the discovery event header identify the structure of the transmitted event message. Once the structure of the event data block is determined, your program can parse the message appropriately.
The shaded rows in the following diagram illustrate the format of the discovery event header. [Diagram not reproduced; the one recoverable row reads: eStreamer Server Timestamp (in events, only if bit 23 is set).]
The following table describes the discovery event header.
| Description |
|---|
| ID number of the device that generated the discovery event. You can obtain the metadata for the device by requesting Version 3 and 4 metadata. See Managed Device Record Metadata for more information. |
| UNIX timestamp (seconds since 01/01/1970) at which the system generated the event. |
| Microsecond (one millionth of a second) increment at which the system generated the event. |
| Event type ( |
| Event subtype. See Host Discovery Structures by Event Type for a list of available event subtypes. |
| Serial file number. This field is for Cisco internal use and can be disregarded. |
| Event's position in the serial file. This field is for Cisco internal use and can be disregarded. |
Legacy Server Data Blocks
Attribute Address Data Block for 5.0 - 5.1.1.x
The Attribute Address data block contains an attribute list item and is used within an Attribute Definition data block. It has a block type of 38.
The following diagram shows the basic structure of an Attribute Address data block:
The following table describes the fields of the Attribute Address data block.
Legacy Client Application Data Blocks
User Client Application Data Block for 5.0 - 5.1
The User Client Application data block contains information about the source of the client application data, the identification number for the user who added the data, and the lists of IP address range data blocks. The User Client Application data block has a block type of 59.
The following diagram shows the basic structure of a User Client Application data block:
The following table describes the fields of the User Client Application data block.
| Description |
|---|
| Initiates a User Client Application data block. This value is always |
| Total number of bytes in the User Client Application data block, including eight bytes for the user client application block type and length fields, plus the number of bytes of user client application data that follows. |
| Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always |
| Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks. |
| IP Range Specification data blocks containing information about the IP address ranges for the user input. See User Server Data Block Fields for a description of this data block. |
| The internal identification number for the application protocol, if applicable. |
| The internal identification number of the detected client application, if applicable. |
| Initiates a String data block that contains the client application version. This value is always |
| Number of bytes in the client application version String data block, including the string block type and length fields, plus the number of bytes in the version. |
Legacy Scan Result Data Blocks
Scan Result Data Block 5.0 - 5.1.1.x
The Scan Result data block describes a vulnerability and is used within Add Scan Result events (event type 1002, subtype 11). The Scan Result data block has a block type of 102.
The following diagram shows the format of a Scan Result data block:
The following table describes the fields of the Scan Result data block.
| Description |
|---|
| Initiates a Scan Result data block. This value is always |
| Number of bytes in the Scan Vulnerability data block, including eight bytes for the scan vulnerability block type and length fields, plus the number of bytes of scan vulnerability data that follows. |
| Contains the user identification number for the user who imported the scan result or ran the scan that produced the scan result. |
| IP address of the host affected by the vulnerabilities in the result, in IP address octets. |
| Port used by the sub-server affected by the vulnerabilities in the results. |
| Initiates a List data block comprising Scan Vulnerability data blocks conveying transport Scan Vulnerability data. This value is always |
| Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Scan Vulnerability data blocks. This field is followed by zero or more Scan Vulnerability data blocks. |
| Initiates a Scan Vulnerability data block describing a vulnerability detected during a scan. This value is always |
| Number of bytes in the Scan Vulnerability data block, including eight bytes for the scan vulnerability block type and length fields, plus the number of bytes in the scan vulnerability data that follows. |
| Initiates a List data block comprising Scan Vulnerability data blocks conveying transport Scan Vulnerability data. This value is always |
| Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Scan Vulnerability data blocks. This field is followed by zero or more Scan Vulnerability data blocks. |
| Initiates a Generic Scan Results data block describing server and operating system data detected during a scan. This value is always 108. |
| Number of bytes in the Generic Scan Results data block, including eight bytes for the generic scan results block type and length fields, plus the number of bytes in the scan result data that follows. |
| Initiates a Generic List data block comprising User Product data blocks conveying host input data from a third party application. This value is always |
| Number of bytes in the Generic List data block, including the list header and all encapsulated User Product data blocks. |
| User Product data blocks containing host input data. See User Product Data Block 5.1+ for a description of this data block. |
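Every table above repeats the same framing: a 4-byte block type, then a 4-byte block length that counts its own eight header bytes plus the payload, with String data blocks nested inside and List data blocks carrying zero or more encapsulated blocks (as in the Malware Event and Scan Result tables). The following Python walker, an added example that is not Cisco's code, parses that framing from a constructed buffer and rejects any length field that is shorter than its header or overruns the buffer; the String and Generic List type numbers (STRING_TYPE, LIST_TYPE) are placeholders and big-endian byte order is assumed.

```python
# Added example, not Cisco's code. Models only the framing this page's tables
# describe: 4-byte block type, 4-byte block length counting its own 8 header
# bytes plus payload; String blocks carry text; List blocks carry zero or more
# encapsulated blocks. STRING_TYPE / LIST_TYPE are placeholder type numbers
# and big-endian (network) byte order is assumed.
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

HEADER_LEN = 8      # block type (4 bytes) + block length (4 bytes)
STRING_TYPE = 9000  # hypothetical stand-in for the String block type
LIST_TYPE = 9001    # hypothetical stand-in for the Generic List block type
MAX_DEPTH = 16      # bound recursion for lists nested inside lists


class BlockError(ValueError):
    """Raised when a block's framing does not fit the buffer it sits in."""


@dataclass
class Block:
    block_type: int
    payload: bytes
    children: List["Block"] = field(default_factory=list)


def read_header(buf: bytes, offset: int) -> Tuple[int, int]:
    """Return (block_type, block_length), rejecting framing that cannot be
    trusted: a length below the 8-byte header or one that overruns buf."""
    if offset + HEADER_LEN > len(buf):
        raise BlockError(f"truncated header at offset {offset}")
    block_type, block_len = struct.unpack_from("!II", buf, offset)
    if block_len < HEADER_LEN:
        raise BlockError(f"block length {block_len} is smaller than the header")
    if offset + block_len > len(buf):
        raise BlockError(f"block length {block_len} overruns buffer at {offset}")
    return block_type, block_len


def parse_block(buf: bytes, offset: int = 0, depth: int = 0) -> Tuple[Block, int]:
    """Parse one block at offset; return (Block, offset just past it)."""
    if depth > MAX_DEPTH:
        raise BlockError("block nesting too deep")
    block_type, block_len = read_header(buf, offset)
    payload = bytes(buf[offset + HEADER_LEN:offset + block_len])
    block = Block(block_type, payload)
    if block_type == LIST_TYPE:
        pos = 0  # "zero or more" encapsulated blocks: walk until consumed
        while pos < len(payload):
            child, pos = parse_block(payload, pos, depth + 1)
            block.children.append(child)
    return block, offset + block_len


def encode_block(block_type: int, payload: bytes) -> bytes:
    """Frame a payload with the type/length header the tables describe."""
    return struct.pack("!II", block_type, HEADER_LEN + len(payload)) + payload


def encode_string(text: str) -> bytes:
    return encode_block(STRING_TYPE, text.encode("utf-8"))


def encode_list(*blocks: bytes) -> bytes:
    return encode_block(LIST_TYPE, b"".join(blocks))


# Constructed sample (not captured traffic): a list holding two String blocks
# and one opaque fixed-size block, the way a malware event carries its
# Detection Name and File Name strings next to numeric fields.
SAMPLE = encode_list(
    encode_string("Detection.Name.Example"),
    encode_string("invoice.pdf.exe"),
    encode_block(42, struct.pack("!I", 7)),
)


def string_values(buf: bytes) -> List[str]:
    """Collect the text of every String block found anywhere in buf."""
    root, end = parse_block(buf)
    if end != len(buf):
        raise BlockError("trailing bytes after the top-level block")
    found: List[str] = []

    def walk(blk: Block) -> None:
        if blk.block_type == STRING_TYPE:
            found.append(blk.payload.decode("utf-8", errors="replace"))
        for child in blk.children:
            walk(child)

    walk(root)
    return found


def is_well_formed(buf: bytes) -> bool:
    """True when every length field in buf is consistent with the buffer."""
    try:
        string_values(buf)
        return True
    except BlockError:
        return False
```

A feed whose length fields disagree with the bytes actually received (a truncated stream, or a block claiming more data than follows it) is refused before any field is read, which is the check a consumer of untrusted eStreamer input should make first.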
User Product Data Block for 5.0.x
The User Product data block conveys host input data imported from a third party application, including third party application string mappings. This data block is used in Connection Statistics Data Block 6.0.x and User Server and Operating System Messages. The User Product data block has a block type of 65 for 4.10.x, and a block type of 118 for 5.0 - 5.0.x. The block types have the same structure.

Note: An asterisk (*) next to a data block name in the following diagram indicates that multiple instances of the data block may occur.
The following diagram shows the format of the User Product data block:
The following table describes the components of the User Product data block.
| Description |
|---|
| Initiates a User Product data block. This value is |
| Total number of bytes in the User Product data block, including eight bytes for the user product block type and length fields, plus the number of bytes in the user product data that follows. |
| Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always |
| Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks. |
| IP Range Specification data blocks containing information about the IP address ranges for the user input. See IP Address Range Data Block for 5.2+ for a description of this data block. |
| Indicates whether the user OS definition was deleted from the host: |
| Initiates a String data block containing the custom vendor name specified in the user input. This value is always |
| Number of bytes in the custom vendor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the vendor name. |
| Initiates a String data block containing the custom product name specified in the user input. This value is always |
| Number of bytes in the custom product String data block, including eight bytes for the block type and length fields, plus the number of bytes in the product name. |
| Initiates a String data block containing the custom version specified in the user input. This value is always |
| Number of bytes in the custom version String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
| The identifier for a specific revision of a server or operating system in the Cisco database. |
| The Cisco application identifier for the application protocol on the host server specified in user input. |
| The identifier for the vendor of a third party operating system specified when the third party operating system is mapped to a Cisco 3D operating system definition. |
| The product identification string of a third party operating system string specified when the third party operating system string is mapped to a Cisco 3D operating system definition. |
| Initiates a String data block containing the major version number of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to. This value is always |
| Number of bytes in the major String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
| Major version of the Cisco 3D operating system definition that a third party operating system string is mapped to. |
| Initiates a String data block containing the minor version number of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always |
| Number of bytes in the minor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
| Minor version number of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to. |
| Initiates a String data block containing the revision number of the Cisco operating system definition that a third party operating system string in the user input is mapped to. This value is always |
| Number of bytes in the revision String data block, including eight bytes for the block type and length fields, plus the number of bytes in the revision number. |
| Revision number of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to. |
| Initiates a String data block containing the last major version of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always |
| Number of bytes in the To Major String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
| Last version number in a range of major version numbers of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to. |
| Initiates a String data block containing the last minor version of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always |
| Number of bytes in the To Minor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
| Last version number in a range of minor version numbers of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to. |
| Initiates a String data block containing the last revision number of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always |
| Number of bytes in the To Revision String data block, including eight bytes for the block type and length fields, plus the number of bytes in the revision number. |
| Last revision number in a range of revision numbers of the Cisco 3D operating system definitions that a third party operating system string in the user input is mapped to. |
| Initiates a String data block containing the build number of the Cisco 3D operating system that the third party operating system string is mapped to. This value is always |
| Number of bytes in the build String data block, including eight bytes for the block type and length fields, plus the number of bytes in the build number. |
| Build number of the Cisco 3D operating system that the third party operating system string in the user input is mapped to. |
| Initiates a String data block containing the patch number of the Cisco 3D operating system that the third party operating system string is mapped to. This value is always |
| Number of bytes in the patch String data block, including eight bytes for the block type and length fields, plus the number of bytes in the patch number. |
| Patch number of the Cisco 3D operating system that the third party operating system string in the user input is mapped to. |
| Initiates a String data block containing the extension number of the Cisco 3D operating system that the third party operating system string is mapped to. This value is always |
| Number of bytes in the extension String data block, including eight bytes for the block type and length fields, plus the number of bytes in the extension number. |
| Extension number of the Cisco 3D operating system that the third party operating system string in the user input is mapped to. |
| Contains the unique identification number for the operating system. |
| Initiates a Generic List data block comprising Fix List data blocks conveying user input data regarding what fixes have been applied to hosts in the specified IP address ranges. This value is always |
| Number of bytes in the Generic List data block, including the list header and all encapsulated Fix List data blocks. |
| Fix List data blocks containing information about fixes applied to the hosts. See Fix List Data Block for a description of this data block. |
Legacy User Login Data Blocks
User Login Information Data Block for 5.0 - 5.0.2
The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Information Update Message Block.
The User Login Information data block has a block type of 121 for version 5.0 - 5.0.2.
The graphic below shows the format of the User Login Information data block:
The following table describes the components of the User Login Information data block.
User Login Information Data Block 5.1-5.4.x
The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Account Update Message Data Block.
The User Login Information data block has a block type of 73 for version 4.7 - 4.10.x, a block type of 121 in the series 1 group of blocks for version 5.0 - 5.0.2, and a block type of 127 in the series 1 group of blocks for version 5.1-5.4.x.
The graphic below shows the format of the User Login Information data block:
The following table describes the components of the User Login Information data block.
| Description |
|---|
| Initiates a User Login Information data block. This value is |
| Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows. |
| This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information. |
| Initiates a String data block containing the username for the user. This value is always |
| Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username. |
| The application ID for the application protocol used in the connection that the login information was derived from. |
| Initiates a String data block containing the email address for the user. This value is always |
| Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address. |
| IPv6 address from the host where the user was detected logging in, in IP address octets. |
| Initiates a String data block containing the Reported By value. This value is always |
| Number of bytes in the Reported By String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Reported By field. |
User Login Information Data Block 6.0.x
The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Account Update Message Data Block.
The User Login Information data block has a block type of 159 for version 6.0.x. It adds ISE integration endpoint profile and Security Intelligence fields.
The User Login Information data block has a block type of 73 for version 4.7 - 4.10.x, a block type of 121 in the series 1 group of blocks for version 5.0 - 5.0.2, and a block type of 127 in the series 1 group of blocks for version 5.1+. See User Login Information Data Block 5.1-5.4.x for more information.
The graphic below shows the format of the User Login Information data block:
The following table describes the components of the User Login Information data block.
| Description |
|---|
| Initiates a User Login Information data block. This value is |
| Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows. |
| This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information. |
| Initiates a String data block containing the username for the user. This value is always |
| Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username. |
| Initiates a String data block containing the domain. This value is always |
| Number of bytes in the domain String data block, including eight bytes for the block type and length fields, plus the number of bytes in the domain. |
| ID number of the type of device used by the connection endpoint. This is unique for each DC and resolved in metadata. |
| Protocol used to detect or report the user. Possible values are: |
| Initiates a String data block containing the email address for the user. This value is always |
| Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address. |
| IPv6 address from the host where the user was detected logging in, in IP address octets. |
| Most recent IP address on which the user logged in. Can be either an IPv4 or IPv6 address. |
| Initiates a String data block containing the Reported By value. This value is always |
| Number of bytes in the Reported By String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Reported By field. |
User Login Information Data Block 6.1.x
The User Login Information data block has a block type of 165 in the series 1 group of blocks for version 6.1+. It has new port and tunneling fields. It supersedes block type 159. See User Login Information Data Block 6.0.x for more information. It is superseded by block type 167.
The graphic below shows the format of the User Login Information data block:
The following table describes the components of the User Login Information data block.
| Description |
|---|
| Initiates a User Login Information data block. This value is |
| Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows. |
| This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information. |
| Initiates a String data block containing the username for the user. This value is always |
| Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username. |
| Initiates a String data block containing the domain. This value is always |
| Number of bytes in the domain String data block, including eight bytes for the block type and length fields, plus the number of bytes in the domain. |
| ID number of the type of device used by the connection endpoint. This is unique for each DC and resolved in metadata. |
| Protocol used to detect or report the user. Possible values are: |
| The start port in the range the TS Agent assigned to the individual user. |
| The end port in the range the TS Agent assigned to the individual user. |
| Initiates a String data block containing the email address for the user. This value is always |
| Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address. |
| IPv6 address from the host where the user was detected logging in, in IP address octets. |
| Most recent IP address on which the user logged in. Can be either an IPv4 or IPv6 address. |
| Initiates a String data block containing the Reported By value. This value is always |
| Number of bytes in the Reported By String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Reported By field. |
User Login Information Data Block 6.1.x
The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Information Update Message Block.
The User Login Information data block has a block type of 165 in the series 1 group of blocks for version 6.1.x. It has new port and tunneling fields. It supersedes block type 159. It is superseded by block type 167. See User Login Information Data Block 6.0.x for more information.
The graphic below shows the format of the User Login Information data block: