Understanding Legacy Data Structures

This appendix describes the data structures supported by eStreamer in previous versions of Secure Firewall System products.

If your client uses event stream requests with bits set to request data in older version formats, you can use the information in this appendix to identify the data structures of the data messages you receive.

Note that prior to version 5.0, IDs were assigned to individual detection engines; from version 5.0 on, IDs are assigned to devices. Each data structure reflects whichever scheme applies to its version.

Note: This appendix describes only data structures from version 4.9 or later of the Secure Firewall System. If you require documentation for structures from earlier data structure versions, contact Cisco Customer Support.

See the following sections for more information:

Legacy Intrusion Data Structures

Intrusion Event (IPv4) Record 5.0.x - 5.1

The following layout shows the fields of the intrusion event (IPv4) record. The record type is 207.

You request intrusion event records by setting the intrusion event flag or the extended requests flag in the request message. See Request Flags and Submitting Extended Requests.

For version 5.0.x - 5.1 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier.

Record layout (each row is one 32-bit word, bytes 0-3 / bits 0-31; fields that share a row are separated by " | "; 16-byte UUIDs span four rows):

Header Version (1) | Message Type (4)
Message Length
Netmap ID | Record Type (207)
Record Length
eStreamer Server Timestamp (in events, only if bit 23 is set)
Reserved for Future Use (in events, only if bit 23 is set)
Device ID
Event ID
Event Second
Event Microsecond
Rule ID (Signature ID)
Generator ID
Rule Revision
Classification ID
Priority ID
Source IPv4 Address
Destination IPv4 Address
Source Port | Destination Port
IP Protocol ID | Impact Flags | Impact | Blocked
MPLS Label
VLAN ID | Pad
Policy UUID (4 rows)
User ID
Web Application ID
Client Application ID
Application Protocol ID
Access Control Rule ID
Access Control Policy UUID (4 rows)
Interface Ingress UUID (4 rows)
Interface Egress UUID (4 rows)
Security Zone Ingress UUID (4 rows)
Security Zone Egress UUID (4 rows)

The following table describes each intrusion event record data field.

Table B-1 Intrusion Event (IPv4) Record Fields

Each entry gives the field name, its data type in parentheses, and its description.

Device ID (uint32): Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.
Event ID (uint32): Event identification number.
Event Second (uint32): UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
Event Microsecond (uint32): Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.
Rule ID, or Signature ID (uint32): Rule identification number that corresponds with the event.
Generator ID (uint32): Identification number of the Secure Firewall System preprocessor that generated the event.
Rule Revision (uint32): Rule revision number.
Classification ID (uint32): Identification number of the event classification message.
Priority ID (uint32): Identification number of the priority associated with the event.
Source IPv4 Address (uint8[4]): Source IPv4 address used in the event, in address octets.
Destination IPv4 Address (uint8[4]): Destination IPv4 address used in the event, in address octets.
Source Port (uint16): The source port number if the event protocol type is TCP or UDP.
Destination Port (uint16): The destination port number if the event protocol type is TCP or UDP.
IP Protocol Number (uint8): IANA-specified protocol number. For example:
  • 0 — IP
  • 1 — ICMP
  • 6 — TCP
  • 17 — UDP
Impact Flags (bits[8]): Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:
  • 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
  • 0x02 (bit 1) — Source or destination host exists in the network map.
  • 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
  • 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
  • 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
  • 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Secure Firewall System web interface.
  • 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
  • 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event.
  The following impact level values map to specific priorities on the Defense Center. Bit strings are written with bit 7 leftmost; an X indicates the bit can be 0 or 1:
  • (0, unknown): 00X00000
  • red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX
  • orange (2, potentially vulnerable): 00X00111
  • yellow (3, currently not vulnerable): 00X00011
  • blue (4, unknown target): 00X00001
Impact (uint8): Impact level of the event. Values are:
  • 1 — Red (vulnerable)
  • 2 — Orange (potentially vulnerable)
  • 3 — Yellow (currently not vulnerable)
  • 4 — Blue (unknown target)
  • 5 — (unknown impact)
Blocked (uint8): Value indicating whether the event was blocked.
  • 0 — Not blocked
  • 1 — Blocked
  • 2 — Would be blocked (but not permitted by configuration)
MPLS Label (uint32): MPLS label.
VLAN ID (uint16): Indicates the ID of the VLAN where the packet originated.
Pad (uint16): Reserved for future use.
Policy UUID (uint8[16]): A policy ID number that acts as a unique identifier for the intrusion policy.
User ID (uint32): The internal identification number for the user, if applicable.
Web Application ID (uint32): The internal identification number for the web application, if applicable.
Client Application ID (uint32): The internal identification number for the client application, if applicable.
Application Protocol ID (uint32): The internal identification number for the application protocol, if applicable.
Access Control Rule ID (uint32): A rule ID number that acts as a unique identifier for the access control rule.
Access Control Policy UUID (uint8[16]): A policy ID number that acts as a unique identifier for the access control policy.
Ingress Interface UUID (uint8[16]): An interface ID number that acts as a unique identifier for the ingress interface.
Egress Interface UUID (uint8[16]): An interface ID number that acts as a unique identifier for the egress interface.
Ingress Security Zone UUID (uint8[16]): A zone ID number that acts as a unique identifier for the ingress security zone.
Egress Security Zone UUID (uint8[16]): A zone ID number that acts as a unique identifier for the egress security zone.
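As an added example (not code from the Cisco guide), the following Python decodes a type-207 message with the layout above, checks every length field against the bytes actually present before slicing, and cross-checks the Impact byte against the colour implied by the Impact Flags bit patterns. The byte order, the meaning of the two length fields, and the placement of the optional server timestamp pair are my assumptions (stated in the module docstring); the sample message is constructed, not captured.

```python
"""Decode an eStreamer intrusion event (IPv4) record, type 207, versions 5.0.x - 5.1.

Added example, not from the Cisco guide. Assumptions: fields are big-endian;
Message Length counts the bytes after the 8-byte message header; Record Length
counts the bytes after the 8-byte record header (netmap ID, record type, record
length); the server timestamp / reserved pair is present only when the request
had bit 23 set and is counted in Record Length.
"""
import struct
import uuid
from ipaddress import IPv4Address

MSG_HEADER = struct.Struct(">HHI")   # header version, message type, message length
REC_HEADER = struct.Struct(">HHI")   # netmap ID, record type, record length
TIMESTAMP = struct.Struct(">II")     # eStreamer server timestamp, reserved
RECORD_TYPE_IPV4_EVENT = 207
# Field widths follow Table B-1: nine uint32, two 4-octet addresses, two uint16,
# four uint8, uint32 MPLS label, uint16 VLAN ID and pad, then UUIDs and IDs.
IPV4_EVENT = struct.Struct(">9I4s4sHHBBBBIHH16s5I16s16s16s16s16s")
FIELDS = ("device_id", "event_id", "event_second", "event_usec", "rule_id",
          "generator_id", "rule_revision", "classification_id", "priority_id",
          "src", "dst", "src_port", "dst_port", "ip_proto", "impact_flags",
          "impact", "blocked", "mpls_label", "vlan_id", "pad", "policy_uuid",
          "user_id", "web_app_id", "client_app_id", "app_proto_id", "ac_rule_id",
          "ac_policy_uuid", "ingress_if", "egress_if", "ingress_zone", "egress_zone")
UUID_FIELDS = ("policy_uuid", "ac_policy_uuid", "ingress_if", "egress_if",
               "ingress_zone", "egress_zone")
IMPACT_NAMES = {1: "red", 2: "orange", 3: "yellow", 4: "blue", 5: "unknown"}


def impact_from_flags(flags: int) -> str:
    """Derive the impact colour from the Impact Flags byte using the bit patterns
    in Table B-1. Bit 5 (0x20, session dropped) is an X in every pattern, so it
    is masked off before the exact comparisons."""
    if flags & 0xD8:                      # bit 3, 4, 6 or 7: vulnerability or red metadata
        return "red"
    level = flags & 0xDF
    return {0x07: "orange", 0x03: "yellow", 0x01: "blue", 0x00: "unknown"}.get(level, "undefined")


def parse_message(buf: bytes, server_timestamp: bool = False) -> dict:
    """Parse one event message carrying a type-207 record. Every length is checked
    against the bytes actually present before anything is sliced, so a truncated
    or padded record raises ValueError instead of yielding misaligned fields."""
    if len(buf) < MSG_HEADER.size + REC_HEADER.size:
        raise ValueError("message shorter than its headers")
    version, msg_type, msg_len = MSG_HEADER.unpack_from(buf, 0)
    if (version, msg_type) != (1, 4):
        raise ValueError(f"unexpected header version {version} / message type {msg_type}")
    if msg_len != len(buf) - MSG_HEADER.size:
        raise ValueError(f"message length {msg_len} != {len(buf) - MSG_HEADER.size} bytes present")
    netmap_id, rec_type, rec_len = REC_HEADER.unpack_from(buf, MSG_HEADER.size)
    if rec_type != RECORD_TYPE_IPV4_EVENT:
        raise ValueError(f"record type {rec_type}, expected {RECORD_TYPE_IPV4_EVENT}")
    off = MSG_HEADER.size + REC_HEADER.size
    expected = IPV4_EVENT.size + (TIMESTAMP.size if server_timestamp else 0)
    if rec_len != expected or off + rec_len > len(buf):
        raise ValueError(f"record length {rec_len}, expected {expected}")
    ts = None
    if server_timestamp:
        ts, _reserved = TIMESTAMP.unpack_from(buf, off)
        off += TIMESTAMP.size
    ev = dict(zip(FIELDS, IPV4_EVENT.unpack_from(buf, off)))
    ev["src"], ev["dst"] = str(IPv4Address(ev["src"])), str(IPv4Address(ev["dst"]))
    for k in UUID_FIELDS:
        ev[k] = str(uuid.UUID(bytes=ev[k]))
    ev["netmap_id"], ev["server_timestamp"] = netmap_id, ts
    # The guide's unique identifier for 5.0.x - 5.1 events.
    ev["key"] = (ev["device_id"], ev["event_id"], ev["event_second"])
    # Cross-check: the colour implied by Impact Flags should match the Impact byte;
    # a mismatch usually means the offsets or the record version are wrong.
    ev["impact_name"] = IMPACT_NAMES.get(ev["impact"], "undefined")
    ev["impact_consistent"] = impact_from_flags(ev["impact_flags"]) == ev["impact_name"]
    return ev


def build_sample_message(server_timestamp: bool = False) -> bytes:
    """Constructed sample (not a captured message): a TCP event between two
    documentation-range hosts with flags 0x27 (monitored, in the network map,
    server on the port, session dropped), Impact 2 (orange) and Blocked 1."""
    zero16 = bytes(16)
    body = IPV4_EVENT.pack(
        11, 4242, 1700000000, 250000,            # device, event ID, second, microsecond
        1000001, 1, 3, 9, 2,                     # SID, GID, revision, classification, priority
        IPv4Address("192.0.2.10").packed, IPv4Address("198.51.100.20").packed,
        51515, 443, 6, 0x27, 2, 1,               # ports, TCP, impact flags, impact, blocked
        0, 100, 0,                               # MPLS label, VLAN ID, pad
        uuid.UUID(int=1).bytes, 7, 0, 0, 0, 5,   # intrusion policy UUID, user, apps, AC rule
        uuid.UUID(int=2).bytes, zero16, zero16, zero16, zero16)
    if server_timestamp:
        body = TIMESTAMP.pack(1700000001, 0) + body
    record = REC_HEADER.pack(0, RECORD_TYPE_IPV4_EVENT, len(body)) + body
    return MSG_HEADER.pack(1, 4, len(record)) + record


if __name__ == "__main__":
    event = parse_message(build_sample_message())
    print(event["key"], event["src"], "->", event["dst"], event["impact_name"], event["impact_consistent"])
```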

Intrusion Event (IPv6) Record 5.0.x - 5.1

The following layout shows the fields of the intrusion event (IPv6) record. The record type is 208.

You request intrusion event records by setting the intrusion event flag or the extended requests flag in the request message. See Request Flags and Submitting Extended Requests.

For version 5.0.x - 5.1 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier.

Record layout (each row is one 32-bit word, bytes 0-3 / bits 0-31; fields that share a row are separated by " | "; 16-byte addresses and UUIDs span four rows):

Header Version (1) | Message Type (4)
Message Length
Netmap ID | Record Type (208)
Record Length
eStreamer Server Timestamp (in events, only if bit 23 is set)
Reserved for Future Use (in events, only if bit 23 is set)
Device ID
Event ID
Event Second
Event Microsecond
Rule ID (Signature ID)
Generator ID
Rule Revision
Classification ID
Priority ID
Source IPv6 Address (4 rows)
Destination IPv6 Address (4 rows)
Source Port/ICMP Type | Destination Port/ICMP Code
IP Protocol ID | Impact Flags | Impact | Blocked
MPLS Label
VLAN ID | Pad
Policy UUID (4 rows)
User ID
Web Application ID
Client Application ID
Application Protocol ID
Access Control Rule ID
Access Control Policy UUID (4 rows)
Interface Ingress UUID (4 rows)
Interface Egress UUID (4 rows)
Security Zone Ingress UUID (4 rows)
Security Zone Egress UUID (4 rows)

The following table describes each intrusion event record data field.

Table B-2 Intrusion Event (IPv6) Record Fields

Each entry gives the field name, its data type in parentheses, and its description.

Device ID (uint32): Contains the identification number of the detecting device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.
Event ID (uint32): Event identification number.
Event Second (uint32): UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
Event Microsecond (uint32): Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.
Rule ID, or Signature ID (uint32): Rule identification number that corresponds with the event.
Generator ID (uint32): Identification number of the Secure Firewall System preprocessor that generated the event.
Rule Revision (uint32): Rule revision number.
Classification ID (uint32): Identification number of the event classification message.
Priority ID (uint32): Identification number of the priority associated with the event.
Source IPv6 Address (uint8[16]): Source IPv6 address used in the event, in address octets.
Destination IPv6 Address (uint8[16]): Destination IPv6 address used in the event, in address octets.
Source Port/ICMP Type (uint16): The source port number if the event protocol type is TCP or UDP. If the protocol type is ICMP, this indicates the ICMP type.
Destination Port/ICMP Code (uint16): The destination port number if the event protocol type is TCP or UDP. If the protocol type is ICMP, this indicates the ICMP code.
IP Protocol Number (uint8): IANA-specified protocol number. For example:
  • 0 — IP
  • 1 — ICMP
  • 6 — TCP
  • 17 — UDP
Impact Flags (bits[8]): Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:
  • 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
  • 0x02 (bit 1) — Source or destination host exists in the network map.
  • 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
  • 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
  • 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
  • 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Secure Firewall System web interface.
  • 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
  • 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event.
  The following impact level values map to specific priorities on the Defense Center. Bit strings are written with bit 7 leftmost; an X indicates the bit can be 0 or 1:
  • (0, unknown): 00X00000
  • red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX
  • orange (2, potentially vulnerable): 00X00111
  • yellow (3, currently not vulnerable): 00X00011
  • blue (4, unknown target): 00X00001
Impact (uint8): Impact level of the event. Values are:
  • 1 — Red (vulnerable)
  • 2 — Orange (potentially vulnerable)
  • 3 — Yellow (currently not vulnerable)
  • 4 — Blue (unknown target)
  • 5 — (unknown impact)
Blocked (uint8): Value indicating whether the event was blocked.
  • 0 — Not blocked
  • 1 — Blocked
  • 2 — Would be blocked (but not permitted by configuration)
MPLS Label (uint32): MPLS label. (Applies to 4.9+ events only.)
VLAN ID (uint16): Indicates the ID of the VLAN where the packet originated. (Applies to 4.9+ events only.)
Pad (uint16): Reserved for future use.
Policy UUID (uint8[16]): A policy ID number that acts as a unique identifier for the intrusion policy.
User ID (uint32): The internal identification number for the user, if applicable.
Web Application ID (uint32): The internal identification number for the web application, if applicable.
Client Application ID (uint32): The internal identification number for the client application, if applicable.
Application Protocol ID (uint32): The internal identification number for the application protocol, if applicable.
Access Control Rule ID (uint32): A rule ID number that acts as a unique identifier for the access control rule.
Access Control Policy UUID (uint8[16]): A policy ID number that acts as a unique identifier for the access control policy.
Ingress Interface UUID (uint8[16]): An interface ID number that acts as a unique identifier for the ingress interface.
Egress Interface UUID (uint8[16]): An interface ID number that acts as a unique identifier for the egress interface.
Ingress Security Zone UUID (uint8[16]): A zone ID number that acts as a unique identifier for the ingress security zone.
Egress Security Zone UUID (uint8[16]): A zone ID number that acts as a unique identifier for the egress security zone.

Intrusion Event Record 5.2.x

The following layout shows the fields of the intrusion event record. The record type is 400 and the block type is 34 in the series 2 set of data blocks.

You can request 5.2.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 5 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).

For version 5.2.x intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.

Record layout (each row is one 32-bit word, bytes 0-3 / bits 0-31; fields that share a row are separated by " | "; 16-byte addresses and UUIDs span four rows):

Header Version (1) | Message Type (4)
Message Length
Netmap ID | Record Type (400)
Record Length
eStreamer Server Timestamp (in events, only if bit 23 is set)
Reserved for Future Use (in events, only if bit 23 is set)
Block Type (34)
Block Length
Device ID
Event ID
Event Second
Event Microsecond
Rule ID (Signature ID)
Generator ID
Rule Revision
Classification ID
Priority ID
Source IP Address (4 rows)
Destination IP Address (4 rows)
Source Port or ICMP Type | Destination Port or ICMP Code
IP Protocol ID | Impact Flags | Impact | Blocked
MPLS Label
VLAN ID | Pad
Policy UUID (4 rows)
User ID
Web Application ID
Client Application ID
Application Protocol ID
Access Control Rule ID
Access Control Policy UUID (4 rows)
Interface Ingress UUID (4 rows)
Interface Egress UUID (4 rows)
Security Zone Ingress UUID (4 rows)
Security Zone Egress UUID (4 rows)
Connection Timestamp
Connection Instance ID | Connection Counter
Source Country | Destination Country

The following table describes each intrusion event record data field.

Table B-3 Intrusion Event Record 5.2.x Fields

Each entry gives the field name, its data type in parentheses, and its description.

Block Type (uint32): Initiates an Intrusion Event data block. This value is always 34.
Block Length (uint32): Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.
Device ID (uint32): Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.
Event ID (uint32): Event identification number.
Event Second (uint32): UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
Event Microsecond (uint32): Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.
Rule ID, or Signature ID (uint32): Rule identification number that corresponds with the event.
Generator ID (uint32): Identification number of the Secure Firewall System preprocessor that generated the event.
Rule Revision (uint32): Rule revision number.
Classification ID (uint32): Identification number of the event classification message.
Priority ID (uint32): Identification number of the priority associated with the event.
Source IP Address (uint8[16]): Source IPv4 or IPv6 address used in the event.
Destination IP Address (uint8[16]): Destination IPv4 or IPv6 address used in the event.
Source Port or ICMP Type (uint16): The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.
Destination Port or ICMP Code (uint16): The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.
IP Protocol Number (uint8): IANA-specified protocol number. For example:
  • 0 — IP
  • 1 — ICMP
  • 6 — TCP
  • 17 — UDP
Impact Flags (bits[8]): Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:
  • 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
  • 0x02 (bit 1) — Source or destination host exists in the network map.
  • 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
  • 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
  • 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
  • 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Secure Firewall System web interface.
  • 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
  • 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event. (version 5.0+ only)
  The following impact level values map to specific priorities on the Defense Center. Bit strings are written with bit 7 leftmost; an X indicates the bit can be 0 or 1:
  • (0, unknown): 00X00000
  • red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX (version 5.0+ only)
  • orange (2, potentially vulnerable): 00X0011X
  • yellow (3, currently not vulnerable): 00X0001X
  • blue (4, unknown target): 00X00001
Impact (uint8): Impact level of the event. Values are:
  • 1 — Red (vulnerable)
  • 2 — Orange (potentially vulnerable)
  • 3 — Yellow (currently not vulnerable)
  • 4 — Blue (unknown target)
  • 5 — (unknown impact)
Blocked (uint8): Value indicating whether the event was blocked.
  • 0 — Not blocked
  • 1 — Blocked
  • 2 — Would be blocked (but not permitted by configuration)
MPLS Label (uint32): MPLS label.
VLAN ID (uint16): Indicates the ID of the VLAN where the packet originated.
Pad (uint16): Reserved for future use.
Policy UUID (uint8[16]): A policy ID number that acts as a unique identifier for the intrusion policy.
User ID (uint32): The internal identification number for the user, if applicable.
Web Application ID (uint32): The internal identification number for the web application, if applicable.
Client Application ID (uint32): The internal identification number for the client application, if applicable.
Application Protocol ID (uint32): The internal identification number for the application protocol, if applicable.
Access Control Rule ID (uint32): A rule ID number that acts as a unique identifier for the access control rule.
Access Control Policy UUID (uint8[16]): A policy ID number that acts as a unique identifier for the access control policy.
Ingress Interface UUID (uint8[16]): An interface ID number that acts as a unique identifier for the ingress interface.
Egress Interface UUID (uint8[16]): An interface ID number that acts as a unique identifier for the egress interface.
Ingress Security Zone UUID (uint8[16]): A zone ID number that acts as a unique identifier for the ingress security zone.
Egress Security Zone UUID (uint8[16]): A zone ID number that acts as a unique identifier for the egress security zone.
Connection Timestamp (uint32): UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.
Connection Instance ID (uint16): Numerical ID of the Snort instance on the managed device that generated the connection event.
Connection Counter (uint16): Value used to distinguish between connection events that happen during the same second.
Source Country (uint16): Code for the country of the source host.
Destination Country (uint16): Code for the country of the destination host.
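The 5.2.x record differs from the 5.0.x ones in that the event sits inside a series 2 data block whose Block Type and Block Length must be checked before the body is read, its addresses are 16-byte fields that hold either IPv4 or IPv6, and it carries the connection-event key. The following Python is an added example (not from the Cisco guide) that parses a type-400 / block-34 message and returns both keys the text defines; the byte order, the meaning of Record Length, the omission of the bit-23 timestamp pair, and the IPv4-mapped encoding of IPv4 addresses in the 16-byte field are my assumptions, and the sample is constructed.

```python
"""Decode a 5.2.x intrusion event: record type 400 wrapping series 2 block type 34.

Added example, not from the Cisco guide. Assumptions: fields are big-endian;
Record Length counts the bytes after the 8-byte record header; the bit-23 server
timestamp pair is absent; an IPv4 address inside the 16-byte address field is
carried as an IPv4-mapped IPv6 address (::ffff:a.b.c.d).
"""
import struct
import uuid
from ipaddress import IPv6Address, ip_address

MSG_HEADER = struct.Struct(">HHI")    # header version, message type, message length
REC_HEADER = struct.Struct(">HHI")    # netmap ID, record type, record length
BLOCK_HEADER = struct.Struct(">II")   # block type, block length (includes these 8 bytes)
# Widths follow Table B-3; the two trailing groups are the connection identifiers
# (uint32 second, uint16 instance, uint16 counter) and the two uint16 country codes.
BLOCK_34 = struct.Struct(">9I16s16sHHBBBBIHH16s5I16s16s16s16s16sIHHHH")
RECORD_TYPE_EVENT = 400
BLOCK_TYPE_IPS_EVENT_52 = 34
FIELDS = ("device_id", "event_id", "event_second", "event_usec", "rule_id",
          "generator_id", "rule_revision", "classification_id", "priority_id",
          "src", "dst", "src_port_or_icmp_type", "dst_port_or_icmp_code",
          "ip_proto", "impact_flags", "impact", "blocked", "mpls_label", "vlan_id",
          "pad", "policy_uuid", "user_id", "web_app_id", "client_app_id",
          "app_proto_id", "ac_rule_id", "ac_policy_uuid", "ingress_if", "egress_if",
          "ingress_zone", "egress_zone", "conn_timestamp", "conn_instance",
          "conn_counter", "src_country", "dst_country")
UUID_FIELDS = ("policy_uuid", "ac_policy_uuid", "ingress_if", "egress_if",
               "ingress_zone", "egress_zone")


def decode_address(raw16: bytes) -> str:
    """Render the 16-byte address field as dotted quad when it is IPv4-mapped,
    otherwise as IPv6 text."""
    addr = IPv6Address(raw16)
    return str(addr.ipv4_mapped or addr)


def encode_address(text: str) -> bytes:
    """Inverse of decode_address; used only to build the constructed sample."""
    addr = ip_address(text)
    return addr.packed if addr.version == 6 else IPv6Address(f"::ffff:{text}").packed


def parse_event_400(buf: bytes) -> dict:
    """Parse a type-400 record carrying block 34, validating message, record and
    block lengths before slicing. Returns the decoded fields plus the two keys the
    guide defines: (device, event ID, event second) for the intrusion event and
    (connection second, instance, counter) for its connection event."""
    if len(buf) < MSG_HEADER.size + REC_HEADER.size + BLOCK_HEADER.size:
        raise ValueError("message shorter than its headers")
    version, msg_type, msg_len = MSG_HEADER.unpack_from(buf, 0)
    if (version, msg_type) != (1, 4) or msg_len != len(buf) - MSG_HEADER.size:
        raise ValueError("bad message header or message length")
    off = MSG_HEADER.size
    _netmap_id, rec_type, rec_len = REC_HEADER.unpack_from(buf, off)
    off += REC_HEADER.size
    if rec_type != RECORD_TYPE_EVENT or off + rec_len != len(buf):
        raise ValueError(f"record type {rec_type} / record length {rec_len} not usable")
    block_type, block_len = BLOCK_HEADER.unpack_from(buf, off)
    if block_type != BLOCK_TYPE_IPS_EVENT_52:
        # Block types 25 (5.1.1.x) and 41 (5.3) carry different layouts; a client
        # must dispatch on the block type instead of assuming one structure.
        raise ValueError(f"block type {block_type} is not a 5.2.x intrusion event")
    if block_len != BLOCK_HEADER.size + BLOCK_34.size or block_len > rec_len:
        raise ValueError(f"block length {block_len} inconsistent with block 34")
    ev = dict(zip(FIELDS, BLOCK_34.unpack_from(buf, off + BLOCK_HEADER.size)))
    ev["src"], ev["dst"] = decode_address(ev["src"]), decode_address(ev["dst"])
    for k in UUID_FIELDS:
        ev[k] = str(uuid.UUID(bytes=ev[k]))
    ev["event_key"] = (ev["device_id"], ev["event_id"], ev["event_second"])
    ev["connection_key"] = (ev["conn_timestamp"], ev["conn_instance"], ev["conn_counter"])
    return ev


def build_sample(src: str, dst: str) -> bytes:
    """Constructed sample (not a captured message): an ICMP event, so the port
    fields carry ICMP type 8 / code 0, with its connection identifiers."""
    z16 = bytes(16)
    body = BLOCK_34.pack(
        11, 4243, 1700000000, 5000, 384, 1, 8, 29, 3,   # device, event, time, rule, GID, rev, class, prio
        encode_address(src), encode_address(dst),
        8, 0, 1, 0x23, 3, 0,                            # ICMP type/code, protocol 1, flags, yellow, not blocked
        0, 0, 0,                                        # MPLS label, VLAN ID, pad
        uuid.UUID(int=1).bytes, 0, 0, 0, 0, 0,          # intrusion policy UUID, user, apps, AC rule
        uuid.UUID(int=2).bytes, z16, z16, z16, z16,
        1699999999, 2, 17, 840, 276)                    # connection second, instance, counter, countries
    block = BLOCK_HEADER.pack(BLOCK_TYPE_IPS_EVENT_52, BLOCK_HEADER.size + len(body)) + body
    record = REC_HEADER.pack(0, RECORD_TYPE_EVENT, len(block)) + block
    return MSG_HEADER.pack(1, 4, len(record)) + record


if __name__ == "__main__":
    event = parse_event_400(build_sample("192.0.2.10", "2001:db8::20"))
    print(event["event_key"], event["connection_key"], event["src"], "->", event["dst"])
```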

Intrusion Event Record 5.3

The following layout shows the fields of the intrusion event record. The record type is 400 and the block type is 41 in the series 2 set of data blocks.

You can request 5.3 intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 6 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).

For version 5.3 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.

Record layout (each row is one 32-bit word, bytes 0-3 / bits 0-31; fields that share a row are separated by " | "; 16-byte addresses and UUIDs span four rows):

Header Version (1) | Message Type (4)
Message Length
Netmap ID | Record Type (400)
Record Length
eStreamer Server Timestamp (in events, only if bit 23 is set)
Reserved for Future Use (in events, only if bit 23 is set)
Block Type (41)
Block Length
Device ID
Event ID
Event Second
Event Microsecond
Rule ID (Signature ID)
Generator ID
Rule Revision
Classification ID
Priority ID
Source IP Address (4 rows)
Destination IP Address (4 rows)
Source Port or ICMP Type | Destination Port or ICMP Code
IP Protocol ID | Impact Flags | Impact | Blocked
MPLS Label
VLAN ID | Pad
Policy UUID (4 rows)
User ID
Web Application ID
Client Application ID
Application Protocol ID
Access Control Rule ID
Access Control Policy UUID (4 rows)
Interface Ingress UUID (4 rows)
Interface Egress UUID (4 rows)
Security Zone Ingress UUID (4 rows)
Security Zone Egress UUID (4 rows)
Connection Timestamp
Connection Instance ID | Connection Counter
Source Country | Destination Country
IOC Number

The following table describes each intrusion event record data field.

 

Table B-4 Intrusion Event Record 5.3 Fields

Field
Data Type
Description

Block Type

unint32

Initiates an Intrusion Event data block. This value is always 34.

Block Length

unint32

Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.

Device ID

unit32

Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.

Event ID

uint32

Event identification number.

Event Second

uint32

UNIX timestamp (seconds since 01/01/1970) of the event’s detection.

Event Microsecond

uint32

Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.

Rule ID (Signature ID)

uint32

Rule identification number that corresponds with the event.

Generator ID

uint32

Identification number of the Secure Firewall System preprocessor that generated the event.

Rule Revision

uint32

Rule revision number.

Classification ID

uint32

Identification number of the event classification message.

Priority ID

uint32

Identification number of the priority associated with the event.

Source IP Address

uint8[16]

Source IPv4 or IPv6 address used in the event.

Destination IP Address

uint8[16]

Destination IPv4 or IPv6 address used in the event.

Source Port or ICMP Type

uint16

The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.

Destination Port or ICMP Code

uint16

The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.

IP Protocol Number

uint8

IANA-specified protocol number. For example:

  • 0 — IP
  • 1 — ICMP
  • 6 — TCP
  • 17 — UDP

Impact Flags

bits[8]

Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:

  • 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
  • 0x02 (bit 1) — Source or destination host exists in the network map.
  • 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
  • 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
  • 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
  • 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Secure Firewall System web interface.
  • 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
  • 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event. (version 5.0+ only)

The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1 :

  • (0, unknown): 00X00000
  • red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX (version 5.0+ only)
  • orange (2, potentially vulnerable): 00X0011X
  • yellow (3, currently not vulnerable): 00X0001X
  • blue (4, unknown target): 00X00001

Impact

uint8

Impact flag value of the event. Values are:

  • 1 — Red (vulnerable)
  • 2 — Orange (potentially vulnerable)
  • 3 — Yellow (currently not vulnerable)
  • 4 — Blue (unknown target)
  • 5 — (unknown impact)

Blocked

uint8

Value indicating whether the event was blocked.

  • 0 — Not blocked
  • 1 — Blocked
  • 2 — Would be blocked (but not permitted by configuration)

MPLS Label

uint32

MPLS label.

VLAN ID

uint16

Indicates the ID of the VLAN where the packet originated.

Pad

uint16

Reserved for future use.

Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the intrusion policy.

User ID

uint32

The internal identification number for the user, if applicable.

Web Application ID

uint32

The internal identification number for the web application, if applicable.

Client Application ID

uint32

The internal identification number for the client application, if applicable.

Application Protocol ID

uint32

The internal identification number for the application protocol, if applicable.

Access Control Rule ID

uint32

A rule ID number that acts as a unique identifier for the access control rule.

Access Control Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the access control policy.

Ingress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the ingress interface.

Egress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the egress interface.

Ingress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the ingress security zone.

Egress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the egress security zone.

Connection Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.

Connection Instance ID

uint16

Numerical ID of the Snort instance on the managed device that generated the connection event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

IOC Number

uint16

ID Number of the compromise associated with this event.

Intrusion Event Record 5.1.1.x

The fields in the intrusion event record are listed in the following layout. The record type is 400 and the block type is 25.

You can request 5.1.1.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 4 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).

For version 5.1.1.x intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.

 

Intrusion event record layout, 5.1.1.x (block type 25). The original page renders this as a 32-bit-wide byte diagram; the fields are listed here in wire order with their widths, which follow the data types in Table B-5. Fields are packed back to back with no alignment padding.

Message header
  Header Version (1)                   2 bytes
  Message Type (4)                     2 bytes
  Message Length                       4 bytes

Record header
  Netmap ID                            2 bytes
  Record Type (400)                    2 bytes
  Record Length                        4 bytes
  eStreamer Server Timestamp           4 bytes (in events, only if bit 23 is set)
  Reserved for Future Use              4 bytes (in events, only if bit 23 is set)

Intrusion event data block
  Block Type (25)                      4 bytes
  Block Length                         4 bytes
  Device ID                            4 bytes
  Event ID                             4 bytes
  Event Second                         4 bytes
  Event Microsecond                    4 bytes
  Rule ID (Signature ID)               4 bytes
  Generator ID                         4 bytes
  Rule Revision                        4 bytes
  Classification ID                    4 bytes
  Priority ID                          4 bytes
  Source IP Address                   16 bytes
  Destination IP Address              16 bytes
  Source Port/ICMP Type                2 bytes
  Destination Port/ICMP Code           2 bytes
  IP Protocol ID                       1 byte
  Impact Flags                         1 byte
  Impact                               1 byte
  Blocked                              1 byte
  MPLS Label                           4 bytes
  VLAN ID                              2 bytes
  Pad                                  2 bytes
  Policy UUID                         16 bytes
  User ID                              4 bytes
  Web Application ID                   4 bytes
  Client Application ID                4 bytes
  Application Protocol ID              4 bytes
  Access Control Rule ID               4 bytes
  Access Control Policy UUID          16 bytes
  Ingress Interface UUID              16 bytes
  Egress Interface UUID               16 bytes
  Ingress Security Zone UUID          16 bytes
  Egress Security Zone UUID           16 bytes
  Connection Timestamp                 4 bytes
  Connection Instance ID               2 bytes
  Connection Counter                   2 bytes
The following table describes each intrusion event record data field.

 

Table B-5 Intrusion Event Record 5.1.1 Fields

Field
Data Type
Description

Block Type

uint32

Initiates an Intrusion Event data block. This value is always 25.

Block Length

uint32

Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.

Device ID

uint32

Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.

Event ID

uint32

Event identification number.

Event Second

uint32

UNIX timestamp (seconds since 01/01/1970) of the event’s detection.

Event Microsecond

uint32

Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.

Rule ID (Signature ID)

uint32

Rule identification number that corresponds with the event.

Generator ID

uint32

Identification number of the Secure Firewall System preprocessor that generated the event.

Rule Revision

uint32

Rule revision number.

Classification ID

uint32

Identification number of the event classification message.

Priority ID

uint32

Identification number of the priority associated with the event.

Source IP Address

uint8[16]

Source IPv4 or IPv6 address used in the event.

Destination IP Address

uint8[16]

Destination IPv4 or IPv6 address used in the event.

Source Port/ICMP Type

uint16

The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.

Destination Port/ICMP Code

uint16

The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.

IP Protocol Number

uint8

IANA-specified protocol number. For example:

  • 0 — IP
  • 1 — ICMP
  • 6 — TCP
  • 17 — UDP

Impact Flags

bits[8]

Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:

  • 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
  • 0x02 (bit 1) — Source or destination host exists in the network map.
  • 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
  • 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
  • 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
  • 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Secure Firewall System web interface.
  • 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
  • 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event.

The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:

  • (0, unknown): 00X00000
  • red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX
  • orange (2, potentially vulnerable): 00X00111
  • yellow (3, currently not vulnerable): 00X00011
  • blue (4, unknown target): 00X00001

Impact

uint8

Impact level of the event. Values are:

  • 1 — Red (vulnerable)
  • 2 — Orange (potentially vulnerable)
  • 3 — Yellow (currently not vulnerable)
  • 4 — Blue (unknown target)
  • 5 — (unknown impact)

Blocked

uint8

Value indicating whether the event was blocked.

  • 0 — Not blocked
  • 1 — Blocked
  • 2 — Would be blocked (but not permitted by configuration)

MPLS Label

uint32

MPLS label.

VLAN ID

uint16

Indicates the ID of the VLAN where the packet originated.

Pad

uint16

Reserved for future use.

Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the intrusion policy.

User ID

uint32

The internal identification number for the user, if applicable.

Web Application ID

uint32

The internal identification number for the web application, if applicable.

Client Application ID

uint32

The internal identification number for the client application, if applicable.

Application Protocol ID

uint32

The internal identification number for the application protocol, if applicable.

Access Control Rule ID

uint32

A rule ID number that acts as a unique identifier for the access control rule.

Access Control Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the access control policy.

Ingress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the ingress interface.

Egress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the egress interface.

Ingress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the ingress security zone.

Egress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the egress security zone.

Connection Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.

Connection Instance ID

uint16

Numerical ID of the Snort instance on the managed device that generated the connection event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Intrusion Event Record 5.3.1

The fields in the intrusion event record are listed in the following layout. The record type is 400 and the block type is 42 in the series 2 set of data blocks.

You can request 5.3.1 intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 7 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).

For version 5.3.1 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.

 

Intrusion event record layout, 5.3.1 (block type 42). The original page renders this as a 32-bit-wide byte diagram; the fields are listed here in wire order with their widths, which follow the data types in Table B-6. Fields are packed back to back with no alignment padding, so the Security Context field begins in the middle of a 32-bit word.

Message header
  Header Version (1)                   2 bytes
  Message Type (4)                     2 bytes
  Message Length                       4 bytes

Record header
  Netmap ID                            2 bytes
  Record Type (400)                    2 bytes
  Record Length                        4 bytes
  eStreamer Server Timestamp           4 bytes (in events, only if bit 23 is set)
  Reserved for Future Use              4 bytes (in events, only if bit 23 is set)

Intrusion event data block
  Block Type (42)                      4 bytes
  Block Length                         4 bytes
  Device ID                            4 bytes
  Event ID                             4 bytes
  Event Second                         4 bytes
  Event Microsecond                    4 bytes
  Rule ID (Signature ID)               4 bytes
  Generator ID                         4 bytes
  Rule Revision                        4 bytes
  Classification ID                    4 bytes
  Priority ID                          4 bytes
  Source IP Address                   16 bytes
  Destination IP Address              16 bytes
  Source Port or ICMP Type             2 bytes
  Destination Port or ICMP Code        2 bytes
  IP Protocol ID                       1 byte
  Impact Flags                         1 byte
  Impact                               1 byte
  Blocked                              1 byte
  MPLS Label                           4 bytes
  VLAN ID                              2 bytes
  Pad                                  2 bytes
  Policy UUID                         16 bytes
  User ID                              4 bytes
  Web Application ID                   4 bytes
  Client Application ID                4 bytes
  Application Protocol ID              4 bytes
  Access Control Rule ID               4 bytes
  Access Control Policy UUID          16 bytes
  Ingress Interface UUID              16 bytes
  Egress Interface UUID               16 bytes
  Ingress Security Zone UUID          16 bytes
  Egress Security Zone UUID           16 bytes
  Connection Timestamp                 4 bytes
  Connection Instance ID               2 bytes
  Connection Counter                   2 bytes
  Source Country                       2 bytes
  Destination Country                  2 bytes
  IOC Number                           2 bytes
  Security Context                    16 bytes (follows IOC Number directly, mid-word)

The following table describes each intrusion event record data field.

 

Table B-6 Intrusion Event Record 5.3.1 Fields

Field
Data Type
Description

Block Type

uint32

Initiates an Intrusion Event data block. This value is always 42.

Block Length

uint32

Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.

Device ID

uint32

Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.

Event ID

uint32

Event identification number.

Event Second

uint32

UNIX timestamp (seconds since 01/01/1970) of the event’s detection.

Event Microsecond

uint32

Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.

Rule ID (Signature ID)

uint32

Rule identification number that corresponds with the event.

Generator ID

uint32

Identification number of the Secure Firewall System preprocessor that generated the event.

Rule Revision

uint32

Rule revision number.

Classification ID

uint32

Identification number of the event classification message.

Priority ID

uint32

Identification number of the priority associated with the event.

Source IP Address

uint8[16]

Source IPv4 or IPv6 address used in the event.

Destination IP Address

uint8[16]

Destination IPv4 or IPv6 address used in the event.

Source Port or ICMP Type

uint16

The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.

Destination Port or ICMP Code

uint16

The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.

IP Protocol Number

uint8

IANA-specified protocol number. For example:

  • 0 — IP
  • 1 — ICMP
  • 6 — TCP
  • 17 — UDP

Impact Flags

bits[8]

Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:

  • 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
  • 0x02 (bit 1) — Source or destination host exists in the network map.
  • 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
  • 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
  • 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
  • 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Secure Firewall System web interface.
  • 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
  • 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event. (version 5.0+ only)

The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:

  • (0, unknown): 00X00000
  • red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX (version 5.0+ only)
  • orange (2, potentially vulnerable): 00X0011X
  • yellow (3, currently not vulnerable): 00X0001X
  • blue (4, unknown target): 00X00001

Impact

uint8

Impact level of the event. Values are:

  • 1 — Red (vulnerable)
  • 2 — Orange (potentially vulnerable)
  • 3 — Yellow (currently not vulnerable)
  • 4 — Blue (unknown target)
  • 5 — (unknown impact)

Blocked

uint8

Value indicating whether the event was blocked.

  • 0 — Not blocked
  • 1 — Blocked
  • 2 — Would be blocked (but not permitted by configuration)

MPLS Label

uint32

MPLS label.

VLAN ID

uint16

Indicates the ID of the VLAN where the packet originated.

Pad

uint16

Reserved for future use.

Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the intrusion policy.

User ID

uint32

The internal identification number for the user, if applicable.

Web Application ID

uint32

The internal identification number for the web application, if applicable.

Client Application ID

uint32

The internal identification number for the client application, if applicable.

Application Protocol ID

uint32

The internal identification number for the application protocol, if applicable.

Access Control Rule ID

uint32

A rule ID number that acts as a unique identifier for the access control rule.

Access Control Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the access control policy.

Ingress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the ingress interface.

Egress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the egress interface.

Ingress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the ingress security zone.

Egress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the egress security zone.

Connection Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.

Connection Instance ID

uint16

Numerical ID of the Snort instance on the managed device that generated the connection event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

IOC Number

uint16

ID number of the compromise associated with this event.

Security Context

uint8[16]

ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.

Intrusion Event Record 5.4.x

The fields in the intrusion event record are listed in the following layout. The record type is 400 and the block type is 45 in the series 2 set of data blocks. It supersedes block type 42 and is superseded by block type 60. Fields for SSL support and the network analysis policy have been added.

You can request 5.4.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 8 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).

 

Intrusion event record layout, 5.4.x (block type 45). The original page renders this as a 32-bit-wide byte diagram; the fields are listed here in wire order with their widths, which follow the data types in Table B-7. Fields are packed back to back with no alignment padding, so from Security Context onward the fields do not start on 32-bit word boundaries.

Message header
  Header Version (1)                   2 bytes
  Message Type (4)                     2 bytes
  Message Length                       4 bytes

Record header
  Netmap ID                            2 bytes
  Record Type (400)                    2 bytes
  Record Length                        4 bytes
  eStreamer Server Timestamp           4 bytes (in events, only if bit 23 is set)
  Reserved for Future Use              4 bytes (in events, only if bit 23 is set)

Intrusion event data block
  Block Type (45)                      4 bytes
  Block Length                         4 bytes
  Device ID                            4 bytes
  Event ID                             4 bytes
  Event Second                         4 bytes
  Event Microsecond                    4 bytes
  Rule ID (Signature ID)               4 bytes
  Generator ID                         4 bytes
  Rule Revision                        4 bytes
  Classification ID                    4 bytes
  Priority ID                          4 bytes
  Source IP Address                   16 bytes
  Destination IP Address              16 bytes
  Source Port or ICMP Type             2 bytes
  Destination Port or ICMP Code        2 bytes
  IP Protocol ID                       1 byte
  Impact Flags                         1 byte
  Impact                               1 byte
  Blocked                              1 byte
  MPLS Label                           4 bytes
  VLAN ID                              2 bytes
  Pad                                  2 bytes
  Policy UUID                         16 bytes
  User ID                              4 bytes
  Web Application ID                   4 bytes
  Client Application ID                4 bytes
  Application Protocol ID              4 bytes
  Access Control Rule ID               4 bytes
  Access Control Policy UUID          16 bytes
  Ingress Interface UUID              16 bytes
  Egress Interface UUID               16 bytes
  Ingress Security Zone UUID          16 bytes
  Egress Security Zone UUID           16 bytes
  Connection Timestamp                 4 bytes
  Connection Instance ID               2 bytes
  Connection Counter                   2 bytes
  Source Country                       2 bytes
  Destination Country                  2 bytes
  IOC Number                           2 bytes
  Security Context                    16 bytes (follows IOC Number directly, mid-word)
  SSL Certificate Fingerprint         20 bytes
  SSL Actual Action                    2 bytes
  SSL Flow Status                      2 bytes
  Network Analysis Policy UUID        16 bytes
The following table describes each intrusion event record data field.

 

Table B-7 Intrusion Event Record 5.4.x Fields

Field
Data Type
Description

Block Type

uint32

Initiates an Intrusion Event data block. This value is always 45.

Block Length

uint32

Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.

Device ID

uint32

Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.

Event ID

uint32

Event identification number.

Event Second

uint32

UNIX timestamp (seconds since 01/01/1970) of the event’s detection.

Event Microsecond

uint32

Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.

Rule ID (Signature ID)

uint32

Rule identification number that corresponds with the event.

Generator ID

uint32

Identification number of the Secure Firewall System preprocessor that generated the event.

Rule Revision

uint32

Rule revision number.

Classification ID

uint32

Identification number of the event classification message.

Priority ID

uint32

Identification number of the priority associated with the event.

Source IP Address

uint8[16]

Source IPv4 or IPv6 address used in the event.

Destination IP Address

uint8[16]

Destination IPv4 or IPv6 address used in the event.

Source Port or ICMP Type

uint16

The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.

Destination Port or ICMP Code

uint16

The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.

IP Protocol Number

uint8

IANA-specified protocol number. For example:

  • 0 — IP
  • 1 — ICMP
  • 6 — TCP
  • 17 — UDP

Impact Flags

bits[8]

Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:

  • 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
  • 0x02 (bit 1) — Source or destination host exists in the network map.
  • 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
  • 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
  • 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
  • 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Secure Firewall System web interface.
  • 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
  • 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event. (version 5.0+ only)

The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:

  • gray (0, unknown): 00X00000
  • red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX (version 5.0+ only)
  • orange (2, potentially vulnerable): 00X0011X
  • yellow (3, currently not vulnerable): 00X0001X
  • blue (4, unknown target): 00X00001

Impact

uint8

Impact level of the event. Values are:

  • 1 — Red (vulnerable)
  • 2 — Orange (potentially vulnerable)
  • 3 — Yellow (currently not vulnerable)
  • 4 — Blue (unknown target)
  • 5 — Gray (unknown impact)

Blocked

uint8

Value indicating whether the event was blocked.

  • 0 — Not blocked
  • 1 — Blocked
  • 2 — Would be blocked (but not permitted by configuration)

MPLS Label

uint32

MPLS label.

VLAN ID

uint16

Indicates the ID of the VLAN where the packet originated.

Pad

uint16

Reserved for future use.

Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the intrusion policy.

User ID

uint32

The internal identification number for the user, if applicable.

Web Application ID

uint32

The internal identification number for the web application, if applicable.

Client Application ID

uint32

The internal identification number for the client application, if applicable.

Application Protocol ID

uint32

The internal identification number for the application protocol, if applicable.

Access Control Rule ID

uint32

A rule ID number that acts as a unique identifier for the access control rule.

Access Control Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the access control policy.

Ingress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the ingress interface.

Egress Interface UUID

uint8[16]

An interface ID number that acts as a unique identifier for the egress interface.

Ingress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the ingress security zone.

Egress Security Zone UUID

uint8[16]

A zone ID number that acts as a unique identifier for the egress security zone.

Connection Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.

Connection Instance ID

uint16

Numerical ID of the Snort instance on the managed device that generated the connection event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

IOC Number

uint16

ID number of the compromise associated with this event.

Security Context

uint8[16]

ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.

SSL Certificate Fingerprint

uint8[20]

SHA-1 hash of the SSL server certificate.

SSL Actual Action

uint16

The action performed on the connection based on the SSL rule. This may differ from the action the rule specifies, because that action may not be possible for the connection. Possible values include:

  • 0 — 'Unknown'
  • 1 — 'Do Not Decrypt'
  • 2 — 'Block'
  • 3 — 'Block With Reset'
  • 4 — 'Decrypt (Known Key)'
  • 5 — 'Decrypt (Replace Key)'
  • 6 — 'Decrypt (Resign)'

SSL Flow Status

uint16

Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include:

  • 0 — 'Unknown'
  • 1 — 'No Match'
  • 2 — 'Success'
  • 3 — 'Uncached Session'
  • 4 — 'Unknown Cipher Suite'
  • 5 — 'Unsupported Cipher Suite'
  • 6 — 'Unsupported SSL Version'
  • 7 — 'SSL Compression Used'
  • 8 — 'Session Undecryptable in Passive Mode'
  • 9 — 'Handshake Error'
  • 10 — 'Decryption Error'
  • 11 — 'Pending Server Name Category Lookup'
  • 12 — 'Pending Common Name Category Lookup'
  • 13 — 'Internal Error'
  • 14 — 'Network Parameters Unavailable'
  • 15 — 'Invalid Server Certificate Handle'
  • 16 — 'Server Certificate Fingerprint Unavailable'
  • 17 — 'Cannot Cache Subject DN'
  • 18 — 'Cannot Cache Issuer DN'
  • 19 — 'Unknown SSL Version'
  • 20 — 'External Certificate List Unavailable'
  • 21 — 'External Certificate Fingerprint Unavailable'
  • 22 — 'Internal Certificate List Invalid'
  • 23 — 'Internal Certificate List Unavailable'
  • 24 — 'Internal Certificate Unavailable'
  • 25 — 'Internal Certificate Fingerprint Unavailable'
  • 26 — 'Server Certificate Validation Unavailable'
  • 27 — 'Server Certificate Validation Failure'
  • 28 — 'Invalid Action'

Network Analysis Policy UUID

uint8[16]

The UUID of the Network Analysis Policy that created the intrusion event.
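Tables B-5, B-6 and B-7 above describe one fixed-width binary layout that grows by a fixed tail at each block type, so the check a practitioner wants is a parser that validates the declared Block Length against the layout before unpacking anything, decodes the Impact Flags byte with the bit-pattern table, and extracts the two unique-identifier tuples the text names (device ID, event ID, event second for the intrusion event; connection timestamp, instance ID, counter for its connection event). The following Python is an added example written for this appendix; it is not Cisco's eStreamer client code. It assumes network byte order (big-endian) for every field, assumes that an IPv4 address in a 16-byte address field arrives as an IPv4-mapped IPv6 address (the page does not say how IPv4 is packed), takes the 4-byte width of the 6.x HTTP Response field from the 6.x layout, and treats flag patterns the table does not list as impact level 0. The sample record is constructed, not captured.

```python
import struct
import ipaddress

# Series 2 intrusion event blocks, assumed big-endian (network byte order).
# Block type 25 (5.1.1.x) is the base layout; 42 (5.3.1), 45 (5.4.x) and
# 60 (6.x) each append a fixed tail to the previous layout.
BASE_FMT = ">9I16s16s2H4BI2H16s5I16s16s16s16s16sIHH"
BASE_NAMES = (
    "device_id", "event_id", "event_second", "event_microsecond", "rule_id",
    "generator_id", "rule_revision", "classification_id", "priority_id",
    "src_ip", "dst_ip", "src_port_or_icmp_type", "dst_port_or_icmp_code",
    "ip_protocol", "impact_flags", "impact", "blocked",
    "mpls_label", "vlan_id", "pad", "policy_uuid",
    "user_id", "web_app_id", "client_app_id", "app_protocol_id", "ac_rule_id",
    "ac_policy_uuid", "ingress_iface_uuid", "egress_iface_uuid",
    "ingress_zone_uuid", "egress_zone_uuid",
    "connection_timestamp", "connection_instance_id", "connection_counter",
)
TAILS = {  # block type -> (struct format, field names) that block type appends
    42: (">3H16s", ("src_country", "dst_country", "ioc_number", "security_context")),
    45: (">20sHH16s", ("ssl_cert_fingerprint", "ssl_actual_action",
                       "ssl_flow_status", "nap_uuid")),
    60: (">I", ("http_response",)),  # 4-byte width taken from the 6.x layout
}
TAIL_CHAIN = {25: (), 42: (42,), 45: (42, 45), 60: (42, 45, 60)}


def expected_block_length(block_type):
    """Block Length = 8-byte type/length header plus every fixed-width field."""
    size = 8 + struct.calcsize(BASE_FMT)
    for t in TAIL_CHAIN[block_type]:
        size += struct.calcsize(TAILS[t][0])
    return size


def impact_level(flags):
    """Impact Flags byte -> level (0 unknown, 1 red, 2 orange, 3 yellow, 4 blue)
    per the bit-pattern table; bit 5 (0x20, session dropped) is the X in each."""
    if flags & 0xD8:            # bit 3, 4, 6 or 7: a vulnerability is mapped -> red
        return 1
    low = flags & 0x07          # bits 0-2: monitored / in network map / server running
    if low & 0x06 == 0x06:      # 00X0011X -> orange
        return 2
    if low & 0x06 == 0x02:      # 00X0001X -> yellow
        return 3
    if low == 0x01:             # 00X00001 -> blue
        return 4
    return 0                    # 00X00000; unlisted patterns also land here (assumption)


def decode_ip(raw16):
    """16-byte address field; IPv4-mapped IPv6 is returned as plain IPv4 (assumption)."""
    addr = ipaddress.IPv6Address(raw16)
    return str(addr.ipv4_mapped or addr)


def parse_intrusion_event_block(data):
    """Parse one intrusion event data block (types 25, 42, 45, 60) starting at Block Type.
    The declared Block Length must equal both the buffer size and the layout size;
    no field is unpacked until that check passes."""
    if len(data) < 8:
        raise ValueError("truncated block header")
    block_type, block_length = struct.unpack_from(">II", data, 0)
    if block_type not in TAIL_CHAIN:
        raise ValueError("unsupported block type %d" % block_type)
    if block_length != len(data) or block_length != expected_block_length(block_type):
        raise ValueError("block length %d does not fit block type %d" % (block_length, block_type))
    event = {"block_type": block_type}
    event.update(zip(BASE_NAMES, struct.unpack_from(BASE_FMT, data, 8)))
    offset = 8 + struct.calcsize(BASE_FMT)
    for t in TAIL_CHAIN[block_type]:
        fmt, names = TAILS[t]
        event.update(zip(names, struct.unpack_from(fmt, data, offset)))
        offset += struct.calcsize(fmt)
    event["src_ip"] = decode_ip(event["src_ip"])
    event["dst_ip"] = decode_ip(event["dst_ip"])
    event["impact_level_from_flags"] = impact_level(event["impact_flags"])
    # The two unique-identifier tuples named in the text.
    event["event_key"] = (event["device_id"], event["event_id"], event["event_second"])
    event["connection_key"] = (event["connection_timestamp"],
                               event["connection_instance_id"], event["connection_counter"])
    return event


def build_sample_block(block_type=45):
    """Constructed sample (not a captured record): TCP 10.0.0.5:44512 -> 10.0.0.80:445,
    impact flags 0x13 (monitored, in network map, server vulnerability), blocked."""
    src = ipaddress.IPv6Address("::ffff:10.0.0.5").packed
    dst = ipaddress.IPv6Address("::ffff:10.0.0.80").packed
    body = struct.pack(
        BASE_FMT, 7, 1001, 1700000000, 250000, 2100498, 1, 5, 3, 2,
        src, dst, 44512, 445, 6, 0x13, 1, 1, 0, 100, 0, b"\x11" * 16,
        0, 0, 0, 0, 12, b"\x22" * 16, b"\x33" * 16, b"\x44" * 16, b"\x55" * 16, b"\x66" * 16,
        1700000000, 2, 9)
    tails = {42: (840, 840, 0, b"\x00" * 16), 45: (b"\xab" * 20, 1, 2, b"\x77" * 16), 60: (200,)}
    for t in TAIL_CHAIN[block_type]:
        body += struct.pack(TAILS[t][0], *tails[t])
    return struct.pack(">II", block_type, 8 + len(body)) + body
```

With these layouts the Block Length values come out to 216 bytes for type 25, 238 for type 42, 278 for type 45 and 282 for type 60; a record whose declared length disagrees is rejected rather than unpacked. The parser starts at Block Type, so the message header, the record header and the optional eStreamer server timestamp and reserved word (present only when bit 23 is set) must be consumed by the caller first.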

Intrusion Event Record 6.x

The fields in the intrusion event record are listed in the following layout. The record type is 400 and the block type is 60 in the series 2 set of data blocks. It supersedes block type 45 and is superseded by block type 81 in version 7.0. An HTTP Response field has been added.

You can request 6.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 9 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).

 

Byte

0

1

2

3

Bit

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

 

Header Version (1)

Message Type (4)

 

Message Length

 

Netmap ID

Record Type (400)

 

Record Length

 

eStreamer Server Timestamp (in events, only if bit 23 is set)

 

Reserved for Future Use (in events, only if bit 23 is set)

 

Block Type (60)

 

Block Length

 

Device ID

 

Event ID

 

Event Second

 

Event Microsecond

 

Rule ID (Signature ID)

 

Generator ID

 

Rule Revision

 

Classification ID

 

Priority ID

 

Source IP Address

Source IP Address, continued

Source IP Address, continued

Source IP Address, continued

 

 

 

 

Destination IP Address

Destination IP Address, continued


Destination IP Address, continued

Destination IP Address, continued

 

 

 

 

Source Port or ICMP Type

Destination Port or ICMP Code

 

IP Protocol ID

Impact Flags

Impact

Blocked

 

MPLS Label

 

VLAN ID

Pad

 

Policy UUID

 

Policy UUID, continued

 

Policy UUID, continued

 

Policy UUID, continued

 

User ID

 

Web Application ID

 

Client Application ID

 

Application Protocol ID

 

Access Control Rule ID

 

Access Control Policy UUID

 

Access Control Policy UUID, continued

 

Access Control Policy UUID, continued

 

Access Control Policy UUID, continued

 

Interface Ingress UUID

 

Interface Ingress UUID, continued

 

Interface Ingress UUID, continued

 

Interface Ingress UUID, continued

 

Interface Egress UUID

 

Interface Egress UUID, continued

 

Interface Egress UUID, continued

 

Interface Egress UUID, continued

 

Security Zone Ingress UUID

 

Security Zone Ingress UUID, continued

 

Security Zone Ingress UUID, continued

 

Security Zone Ingress UUID, continued

 

Security Zone Egress UUID

 

Security Zone Egress UUID, continued

 

Security Zone Egress UUID, continued

 

Security Zone Egress UUID, continued

 

Connection Timestamp

 

Connection Instance ID

Connection Counter

 

Source Country

Destination Country

 

IOC Number

Security Context

 

Security Context, continued

 

Security Context, continued

 

Security Context, continued

 

Security Context, continued

SSL Certificate Fingerprint

 

SSL Certificate Fingerprint, continued

 

SSL Certificate Fingerprint, continued

 

SSL Certificate Fingerprint, continued

 

SSL Certificate Fingerprint, continued

 

SSL Certificate Fingerprint, continued

SSL Actual Action

 

SSL Flow Status

Network Analysis Policy UUID

 

Network Analysis Policy UUID, continued

 

Network Analysis Policy UUID, continued

 

Network Analysis Policy UUID, continued

 

Network Analysis Policy UUID, continued

HTTP Response

 

HTTP Response, continued

The following table describes each intrusion event record data field.

 

Table B-8 Intrusion Event Record 6.x Fields

Field
Data Type
Description

Block Type

uint32

Initiates an Intrusion Event data block. This value is always 60.

Block Length

uint32

Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.

Device ID

uint32

Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.

Event ID

uint32

Event identification number.

Event Second

uint32

UNIX timestamp (seconds since 01/01/1970) of the event’s detection.

Event Microsecond

uint32

Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.

Rule ID (Signature ID)

uint32

Rule identification number that corresponds with the event.

Generator ID

uint32

Identification number of the Secure Firewall System preprocessor that generated the event.

Rule Revision

uint32

Rule revision number.

Classification ID

uint32

Identification number of the event classification message.

Priority ID

uint32

Identification number of the priority associated with the event.

Source IP Address

uint8[16]

Source IPv4 or IPv6 address used in the event.

Destination IP Address

uint8[16]

Destination IPv4 or IPv6 address used in the event.

Source Port or ICMP Type

uint16

The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.

Destination Port or ICMP Code

uint16

The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.

IP Protocol ID

uint8

IANA-specified protocol number. For example:

  • 0 — IP
  • 1 — ICMP
  • 6 — TCP
  • 17 — UDP

Impact Flags

bits[8]

Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:

  • 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
  • 0x02 (bit 1) — Source or destination host exists in the network map.
  • 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
  • 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
  • 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
  • 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Secure Firewall System web interface.
  • 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
  • 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event. (version 5.0+ only)

The following impact level values map to specific priorities on the Management Center. An X indicates the value can be 0 or 1:

  • gray (0, unknown): 00X00000
  • red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX (version 5.0+ only)
  • orange (2, potentially vulnerable): 00X0011X
  • yellow (3, currently not vulnerable): 00X0001X
  • blue (4, unknown target): 00X00001

Impact

uint8

Impact flag value of the event. Values are:

  • 1 — Red (vulnerable)
  • 2 — Orange (potentially vulnerable)
  • 3 — Yellow (currently not vulnerable)
  • 4 — Blue (unknown target)
  • 5 — Gray (unknown impact)

Blocked

uint8

Value indicating whether the event was blocked.

  • 0 — Not blocked
  • 1 — Blocked
  • 2 — Would be blocked (but not permitted by configuration)

MPLS Label

uint32

MPLS label.

VLAN ID

uint16

Indicates the ID of the VLAN where the packet originated.

Pad

uint16

Reserved for future use.

Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the intrusion policy.

User ID

uint32

The internal identification number for the user, if applicable.

Web Application ID

uint32

The internal identification number for the web application, if applicable.

Client Application ID

uint32

The internal identification number for the client application, if applicable.

Application Protocol ID

uint32

The internal identification number for the application protocol, if applicable.

Access Control Rule ID

uint32

A rule ID number that acts as a unique identifier for the access control rule.

Access Control Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the access control policy.

Interface Ingress UUID

uint8[16]

An interface ID number that acts as a unique identifier for the ingress interface.

Interface Egress UUID

uint8[16]

An interface ID number that acts as a unique identifier for the egress interface.

Security Zone Ingress UUID

uint8[16]

A zone ID number that acts as a unique identifier for the ingress security zone.

Security Zone Egress UUID

uint8[16]

A zone ID number that acts as a unique identifier for the egress security zone.

Connection Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.

Connection Instance ID

uint16

Numerical ID of the Snort instance on the managed device that generated the connection event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

IOC Number

uint16

ID number of the compromise associated with this event.

Security Context

uint8[16]

ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.

SSL Certificate Fingerprint

uint8[20]

SHA1 hash of the SSL Server certificate.

SSL Actual Action

uint16

The action performed on the connection based on the SSL Rule. This may differ from the expected action, as the action specified in the rule may be impossible. Possible values include:

  • 0 — 'Unknown'
  • 1 — 'Do Not Decrypt'
  • 2 — 'Block'
  • 3 — 'Block With Reset'
  • 4 — 'Decrypt (Known Key)'
  • 5 — 'Decrypt (Replace Key)'
  • 6 — 'Decrypt (Resign)'

SSL Flow Status

uint16

Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include:

  • 0 — 'Unknown'
  • 1 — 'No Match'
  • 2 — 'Success'
  • 3 — 'Uncached Session'
  • 4 — 'Unknown Cipher Suite'
  • 5 — 'Unsupported Cipher Suite'
  • 6 — 'Unsupported SSL Version'
  • 7 — 'SSL Compression Used'
  • 8 — 'Session Undecryptable in Passive Mode'
  • 9 — 'Handshake Error'
  • 10 — 'Decryption Error'
  • 11 — 'Pending Server Name Category Lookup'
  • 12 — 'Pending Common Name Category Lookup'
  • 13 — 'Internal Error'
  • 14 — 'Network Parameters Unavailable'
  • 15 — 'Invalid Server Certificate Handle'
  • 16 — 'Server Certificate Fingerprint Unavailable'
  • 17 — 'Cannot Cache Subject DN'
  • 18 — 'Cannot Cache Issuer DN'
  • 19 — 'Unknown SSL Version'
  • 20 — 'External Certificate List Unavailable'
  • 21 — 'External Certificate Fingerprint Unavailable'
  • 22 — 'Internal Certificate List Invalid'
  • 23 — 'Internal Certificate List Unavailable'
  • 24 — 'Internal Certificate Unavailable'
  • 25 — 'Internal Certificate Fingerprint Unavailable'
  • 26 — 'Server Certificate Validation Unavailable'
  • 27 — 'Server Certificate Validation Failure'
  • 28 — 'Invalid Action'

Network Analysis Policy UUID

uint8[16]

The UUID of the Network Analysis Policy that created the intrusion event.

HTTP Response

uint32

Response code of the HTTP Request.

Intrusion Event Record 7.0

The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 81 in the series 2 set of data blocks. It supersedes block type 60, and is superseded by block type 85. Inline Result Reason, Ingress and Egress Virtual Route Forwarding, and Snort Version fields have been added. The Blocked field has been renamed Inline Result.

You can request 7.0 intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 10 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).

 

Byte: 0 | 1 | 2 | 3
Bit: 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31

Header Version (1)

Message Type (4)

 

Message Length

 

Netmap ID

Record Type (400)

 

Record Length

 

eStreamer Server Timestamp (in events, only if bit 23 is set)

 

Reserved for Future Use (in events, only if bit 23 is set)

 

Block Type (81)

 

Block Length

 

Device ID

 

Event ID

 

Event Second

 

Event Microsecond

 

Rule ID (Signature ID)

 

Generator ID

 

Rule Revision

 

Classification ID

 

Priority ID

 

Source IP Address

Source IP Address, continued

Source IP Address, continued

Source IP Address, continued

 

 

 

 

Destination IP Address

Destination IP Address, continued


Destination IP Address, continued

Destination IP Address, continued

 

 

 

 

Source Port or ICMP Type

Destination Port or ICMP Code

 

IP Protocol ID

Impact Flags

Impact

Inline Result

 

Inline Result Reason

MPLS Label

 

MPLS Label, cont.

VLAN ID

Pad

 

Pad, Cont.

Policy UUID

 

Policy UUID, continued

 

Policy UUID, continued

 

Policy UUID, continued

 

Policy UUID, continued

User ID

 

User ID, continued

Web Application ID

 

Web Application ID, continued

Client Application ID

 

Client Application ID, continued

App. Prot. ID

 

Application Protocol ID, continued

Access Ctrl Rule ID

 

Access Control Rule ID, continued

Acc. Ctrl Policy UUID

 

Access Control Policy UUID, continued

 

Access Control Policy UUID, continued

 

Access Control Policy UUID, continued

 

Access Control Policy UUID, continued

Int. Ingress UUID

 

Interface Ingress UUID, continued

 

Interface Ingress UUID, continued

 

Interface Ingress UUID, continued

 

Interface Ingress UUID, continued

Int. Egress UUID

 

Interface Egress UUID, continued

 

Interface Egress UUID, continued

 

Interface Egress UUID, continued

 

Interface Egress UUID, continued

Sec. Zone Ing. UUID

 

Security Zone Ingress UUID, continued

 

Security Zone Ingress UUID, continued

 

Security Zone Ingress UUID, continued

 

Security Zone Ingress UUID, continued

Sec. Zone Egr. UUID

 

Security Zone Egress UUID, continued

 

Security Zone Egress UUID, continued

 

Security Zone Egress UUID, continued

 

Security Zone Egress UUID, continued

Cxn Timestamp

 

Connection Timestamp, continued

Connection Inst. ID

 

Connection Inst. ID, cont.

Connection Counter

Source Country

 

Source Country, cont.

Destination Country

IOC Number

 

IOC Number, cont.

Security Context

 

Security Context, continued

 

Security Context, continued

 

Security Context, continued

 

Sec. Context, cont.

SSL Certificate Fingerprint

 

SSL Certificate Fingerprint, continued

 

SSL Certificate Fingerprint, continued

 

SSL Certificate Fingerprint, continued

 

SSL Certificate Fingerprint, continued

 

SSL Cert. Fngpt, cont.

SSL Actual Action

SSL Flow Status

 

SSL Flow Stat., cont.

Network Analysis Policy UUID

 

Network Analysis Policy UUID, continued

 

Network Analysis Policy UUID, continued

 

Network Analysis Policy UUID, continued

 

Net A. P. UUID, cont.

HTTP Response

Ingress VRF

HTTP Resp., cont.

String Block Type (0)

String Block Type (0)

String Block Length

String Block Length

Ingress VRF Name

Egress VRF

String Block Type (0)

String Block Length

Egress VRF Name

 

Snort Version

 

The following table describes each intrusion event record data field.

 

Table B-9 Intrusion Event Record 7.0 Fields

Field
Data Type
Description

Block Type

uint32

Initiates an Intrusion Event data block. This value is always 81.

Block Length

uint32

Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.

Device ID

uint32

Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.

Event ID

uint32

Event identification number.

Event Second

uint32

UNIX timestamp (seconds since 01/01/1970) of the event’s detection.

Event Microsecond

uint32

Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.

Rule ID (Signature ID)

uint32

Rule identification number that corresponds with the event.

Generator ID

uint32

Identification number of the Secure Firewall System preprocessor that generated the event.

Rule Revision

uint32

Rule revision number.

Classification ID

uint32

Identification number of the event classification message.

Priority ID

uint32

Identification number of the priority associated with the event.

Source IP Address

uint8[16]

Source IPv4 or IPv6 address used in the event.

Destination IP Address

uint8[16]

Destination IPv4 or IPv6 address used in the event.

Source Port or ICMP Type

uint16

The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.

Destination Port or ICMP Code

uint16

The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.

IP Protocol ID

uint8

IANA-specified protocol number. For example:

  • 0 — IP
  • 1 — ICMP
  • 6 — TCP
  • 17 — UDP

Impact Flags

bits[8]

Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:

  • 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
  • 0x02 (bit 1) — Source or destination host exists in the network map.
  • 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
  • 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
  • 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
  • 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Secure Firewall System web interface.
  • 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
  • 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event. (version 5.0+ only)

The following impact level values map to specific priorities on the Management Center. An X indicates the value can be 0 or 1:

  • gray (0, unknown): 00X00000
  • red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX (version 5.0+ only)
  • orange (2, potentially vulnerable): 00X0011X
  • yellow (3, currently not vulnerable): 00X0001X
  • blue (4, unknown target): 00X00001

Impact

uint8

Impact flag value of the event. Values are:

  • 1 — Red (vulnerable)
  • 2 — Orange (potentially vulnerable)
  • 3 — Yellow (currently not vulnerable)
  • 4 — Blue (unknown target)
  • 5 — Gray (unknown impact)

Inline Result

uint8

Value indicating the inline result.

  • 0 — Pass
  • 1 — Dropped
  • 2 — Would be dropped (but not permitted by configuration)
  • 3 — Partially dropped

Inline Result Reason

uint8

Value indicating the inline result reason.

  • 1 — Interface in Passive or Tap mode
  • 2 — Intrusion Policy in “Detection” inspection mode
  • 3 — Network Analysis Policy in “Detection” inspection mode
  • 4 — Connection timed out
  • 5 — Connection Closed (internal use)
  • 6 — Connection Closed (internal use)
  • 7 — Connection Closed (internal use)

MPLS Label

uint32

MPLS label.

VLAN ID

uint16

Indicates the ID of the VLAN where the packet originated.

Pad

uint16

Reserved for future use.

Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the intrusion policy.

User ID

uint32

The internal identification number for the user, if applicable.

Web Application ID

uint32

The internal identification number for the web application, if applicable.

Client Application ID

uint32

The internal identification number for the client application, if applicable.

Application Protocol ID

uint32

The internal identification number for the application protocol, if applicable.

Access Control Rule ID

uint32

A rule ID number that acts as a unique identifier for the access control rule.

Access Control Policy UUID

uint8[16]

A policy ID number that acts as a unique identifier for the access control policy.

Interface Ingress UUID

uint8[16]

An interface ID number that acts as a unique identifier for the ingress interface.

Interface Egress UUID

uint8[16]

An interface ID number that acts as a unique identifier for the egress interface.

Security Zone Ingress UUID

uint8[16]

A zone ID number that acts as a unique identifier for the ingress security zone.

Security Zone Egress UUID

uint8[16]

A zone ID number that acts as a unique identifier for the egress security zone.

Connection Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.

Connection Instance ID

uint16

Numerical ID of the Snort instance on the managed device that generated the connection event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

IOC Number

uint16

ID number of the compromise associated with this event.

Security Context

uint8[16]

ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.

SSL Certificate Fingerprint

uint8[20]

SHA1 hash of the SSL Server certificate.

SSL Actual Action

uint16

The action performed on the connection based on the SSL Rule. This may differ from the expected action, as the action specified in the rule may be impossible. Possible values include:

  • 0 — 'Unknown'
  • 1 — 'Do Not Decrypt'
  • 2 — 'Block'
  • 3 — 'Block With Reset'
  • 4 — 'Decrypt (Known Key)'
  • 5 — 'Decrypt (Replace Key)'
  • 6 — 'Decrypt (Resign)'

SSL Flow Status

uint16

Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include:

  • 0 — 'Unknown'
  • 1 — 'No Match'
  • 2 — 'Success'
  • 3 — 'Uncached Session'
  • 4 — 'Unknown Cipher Suite'
  • 5 — 'Unsupported Cipher Suite'
  • 6 — 'Unsupported SSL Version'
  • 7 — 'SSL Compression Used'
  • 8 — 'Session Undecryptable in Passive Mode'
  • 9 — 'Handshake Error'
  • 10 — 'Decryption Error'
  • 11 — 'Pending Server Name Category Lookup'
  • 12 — 'Pending Common Name Category Lookup'
  • 13 — 'Internal Error'
  • 14 — 'Network Parameters Unavailable'
  • 15 — 'Invalid Server Certificate Handle'
  • 16 — 'Server Certificate Fingerprint Unavailable'
  • 17 — 'Cannot Cache Subject DN'
  • 18 — 'Cannot Cache Issuer DN'
  • 19 — 'Unknown SSL Version'
  • 20 — 'External Certificate List Unavailable'
  • 21 — 'External Certificate Fingerprint Unavailable'
  • 22 — 'Internal Certificate List Invalid'
  • 23 — 'Internal Certificate List Unavailable'
  • 24 — 'Internal Certificate Unavailable'
  • 25 — 'Internal Certificate Fingerprint Unavailable'
  • 26 — 'Server Certificate Validation Unavailable'
  • 27 — 'Server Certificate Validation Failure'
  • 28 — 'Invalid Action'

Network Analysis Policy UUID

uint8[16]

The UUID of the Network Analysis Policy that created the intrusion event.

HTTP Response

uint32

Response code of the HTTP Request.

String Block Type

uint32

Initiates a String data block containing the name of the ingress VRF. This value is always 0.

String Block Length

uint32

The number of bytes included in the name String data block, including eight bytes for the block type and length fields plus the number of bytes in the Ingress VRF name field.

Ingress VRF Name

string

The virtual router through which traffic entered the network.

String Block Type

uint32

Initiates a String data block containing the name of the egress VRF. This value is always 0.

String Block Length

uint32

The number of bytes included in the name String data block, including eight bytes for the block type and length fields plus the number of bytes in the Egress VRF name field.

Egress VRF Name

string

The name of the virtual router through which traffic exited the network.

Snort Version

uint8

Snort version number.
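The following Python parser is an added example; it is not part of this documentation or of the eStreamer SDK. It decodes the block type 81 Intrusion Event block laid out in Table B-9 and, because the two layouts are identical up to the Inline Result field, the block type 60 block of Table B-8 as well (block type 60 has no Inline Result Reason byte, calls its fourth single-byte field Blocked, and ends after HTTP Response). Assumptions of the example: fields are big-endian and packed without alignment padding (the 7.0 diagram shows fields straddling 32-bit boundaries once the extra byte is inserted); IPv4 addresses occupy the 16-byte address fields as IPv4-mapped IPv6 addresses; String block contents are UTF-8. The field names, the sample values and the build_sample() helper are constructed for this example.

```python
import struct
import ipaddress

# Fixed fields shared by block type 60 (6.x) and block type 81 (7.0), in wire order.
# eStreamer fields are big-endian and packed with no alignment padding, hence "!" (assumption).
HEAD_FMT = "!IIIIIIIIIII16s16sHHBBBB"
HEAD_NAMES = (
    "block_type", "block_length", "device_id", "event_id", "event_second",
    "event_microsecond", "rule_id", "generator_id", "rule_revision",
    "classification_id", "priority_id", "src_ip", "dst_ip",
    "src_port_or_icmp_type", "dst_port_or_icmp_code", "ip_protocol_id",
    "impact_flags", "impact", "inline_result",   # called Blocked in block type 60
)
# Block type 81 inserts the one-byte Inline Result Reason between HEAD and TAIL.
TAIL_FMT = "!IHH16sIIIII16s16s16s16s16sIHHHHH16s20sHH16sI"
TAIL_NAMES = (
    "mpls_label", "vlan_id", "pad", "policy_uuid", "user_id", "web_application_id",
    "client_application_id", "application_protocol_id", "access_control_rule_id",
    "access_control_policy_uuid", "interface_ingress_uuid", "interface_egress_uuid",
    "security_zone_ingress_uuid", "security_zone_egress_uuid", "connection_timestamp",
    "connection_instance_id", "connection_counter", "source_country",
    "destination_country", "ioc_number", "security_context",
    "ssl_certificate_fingerprint", "ssl_actual_action", "ssl_flow_status",
    "network_analysis_policy_uuid", "http_response",
)


def read_string_block(buf, off):
    """Series 2 String block: type (always 0), length (includes its 8 header bytes), text."""
    btype, blen = struct.unpack_from("!II", buf, off)
    if btype != 0 or blen < 8 or off + blen > len(buf):
        raise ValueError(f"malformed String block at offset {off}")
    return buf[off + 8:off + blen].decode("utf-8", "replace"), off + blen


def ip_from_16(raw):
    """16-byte address fields hold IPv6, or IPv4 as an IPv4-mapped IPv6 address (assumption)."""
    addr = ipaddress.IPv6Address(raw)
    return str(addr.ipv4_mapped or addr)


def parse_intrusion_event(buf):
    """Parse a block type 60 or 81 Intrusion Event block; rejects length mismatches."""
    fields = dict(zip(HEAD_NAMES, struct.unpack_from(HEAD_FMT, buf, 0)))
    off = struct.calcsize(HEAD_FMT)
    block_type, block_length = fields["block_type"], fields["block_length"]
    if block_length > len(buf):
        raise ValueError("block length exceeds the buffer")
    if block_type == 60:
        fields["blocked"] = fields.pop("inline_result")
    elif block_type == 81:
        fields["inline_result_reason"] = buf[off]
        off += 1
    else:
        raise ValueError(f"unexpected block type {block_type}")
    fields.update(zip(TAIL_NAMES, struct.unpack_from(TAIL_FMT, buf, off)))
    off += struct.calcsize(TAIL_FMT)
    if block_type == 81:
        fields["ingress_vrf_name"], off = read_string_block(buf, off)
        fields["egress_vrf_name"], off = read_string_block(buf, off)
        fields["snort_version"] = buf[off]
        off += 1
    if off != block_length:
        raise ValueError(f"consumed {off} bytes but block length is {block_length}")
    fields["src_ip"] = ip_from_16(fields["src_ip"])
    fields["dst_ip"] = ip_from_16(fields["dst_ip"])
    return fields


def string_block(text):
    data = text.encode()
    return struct.pack("!II", 0, 8 + len(data)) + data


def build_sample(block_type):
    """Constructed sample block (not captured from a device); the length field is patched last."""
    src = ipaddress.IPv6Address("::ffff:10.1.2.3").packed
    dst = ipaddress.IPv6Address("2001:db8::80").packed
    head = struct.pack(HEAD_FMT, block_type, 0, 7, 1001, 1700000000, 250000,
                       2100001, 1, 3, 29, 2, src, dst, 51514, 80, 6, 0x07, 2, 1)
    tail = struct.pack(TAIL_FMT, 0, 100, 0, bytes(16), 0, 0, 0, 0, 5, b"\x11" * 16,
                       bytes(16), bytes(16), bytes(16), bytes(16), 1700000000, 1, 42,
                       840, 276, 0, bytes(16), bytes(20), 1, 2, bytes(16), 404)
    if block_type == 81:
        rec = bytearray(head + bytes([2]) + tail + string_block("vrf-inside")
                        + string_block("vrf-outside") + bytes([3]))
    else:
        rec = bytearray(head + tail)
    struct.pack_into("!I", rec, 4, len(rec))
    return bytes(rec)
```

parse_intrusion_event() refuses a block whose declared length does not match the bytes it actually consumed, so a truncated or padded record is reported instead of being silently parsed; a real client should additionally check that the record header's Record Length agrees with the block length before handing the bytes to this function.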

Intrusion Impact Alert Data

The Intrusion Impact Alert event contains information about impact events. It is transmitted when an intrusion event is compared to the system network map data and the impact is determined. It uses the standard record header with a record type of 9, followed by an Intrusion Impact Alert data block with a data block type of 20 in the series 1 group of blocks. (The Impact Alert data block is a type of series 1 data block. For more information about series 1 data blocks, see Understanding Discovery (Series 1) Blocks.)

You can request that eStreamer only transmit intrusion impact events by setting bit 5 in the Flags field of the request message. See Event Stream Request Message Format for more information about request messages. Version 1 of these alerts only handles IPv4. Version 2, introduced in 5.3, handles IPv6 events in addition to IPv4.

 

Byte: 0 | 1 | 2 | 3
Bit: 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31

Header Version (1)

Message Type (4)

 

Message Length

 

Netmap ID

Record Type (9)

 

Record Length

 

Intrusion Impact Alert Block Type (20)

 

Intrusion Impact Alert Block Length

 

Event ID

 

Device ID

 

Event Second

 

Impact

 

Source IP Address

 

Destination IP Address

Impact Description

String Block Type (0)

String Block Length

Description...

The following table describes each data field in an impact event.

 

Table B-10 Impact Event Data Fields

Field
Data Type
Description

Intrusion Impact Alert Block Type

uint32

Indicates that an intrusion impact alert data block follows. This field will always have a value of 20. See Intrusion Event and Metadata Record Types.

Intrusion Impact Alert Block Length

uint32

Indicates the length of the intrusion impact alert data block, including all data that follows and 8 bytes for the intrusion impact alert block type and length.

Event ID

uint32

Indicates the event identification number.

Device ID

uint32

Indicates the managed device identification number.

Event Second

uint32

Indicates the second (from 01/01/1970) that the event was detected.

Impact

bits[8]

Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:

  • 0x01 (bit 0) — Source or destination host is in a network monitored by the system.
  • 0x02 (bit 1) — Source or destination host exists in the network map.
  • 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
  • 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event.
  • 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event.
  • 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Secure Firewall System web interface.
  • 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
  • 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event. (version 5.0+ only)

The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:

  • gray (0, unknown): 00X00000
  • red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX (version 5.0+ only)
  • orange (2, potentially vulnerable): 00X0011X
  • yellow (3, currently not vulnerable): 00X0001X
  • blue (4, unknown target): 00X00001

Source IP Address

uint8[4]

IP address of the host associated with the impact event, in IP address octets.

Destination IP Address

uint8[4]

Destination IP address associated with the impact event (if applicable), in IP address octets. This value is 0 if there is no destination IP address.

String Block Type

uint32

Initiates a string data block that contains the impact name. This value is always set to 0. For more information about string blocks, see String Data Block.

String Block Length

uint32

Number of bytes in the event description string block. This includes the four bytes for the string block type, the four bytes for the string block length, and the number of bytes in the description.

Description

string

Description of the impact event.
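The following Python code is an added example, not code from this documentation or the eStreamer SDK. It parses the version 1 (IPv4) Intrusion Impact Alert block of Table B-10 and maps the Impact Flags bit patterns, which appear identically in Tables B-8, B-9 and B-10, to the 1 to 5 Impact value used by the Intrusion Event records. It assumes the block is packed big-endian with no alignment padding after the single Impact byte, and treats the pattern 00X0010X, which none of the tables lists, as gray; the sample values and the build_sample_alert() helper are constructed for the example.

```python
import struct
import ipaddress

# Impact Flags bit positions, in the order the tables list them.
MONITORED, IN_NETMAP, SERVER_ON_PORT, OS_VULN, SERVER_VULN, DROPPED, RULE_RED, CLIENT_VULN = (
    1 << i for i in range(8)
)
IMPACT_NAMES = {1: "red", 2: "orange", 3: "yellow", 4: "blue", 5: "gray"}


def impact_level(flags):
    """Map the 8-bit Impact Flags to the 1..5 Impact value using the tables' bit patterns."""
    if flags & (OS_VULN | SERVER_VULN | RULE_RED | CLIENT_VULN):
        return 1                      # red: XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX
    low = flags & 0b111               # bit 5 (dropped) is X in every remaining pattern
    if low in (0b110, 0b111):
        return 2                      # orange: 00X0011X
    if low in (0b010, 0b011):
        return 3                      # yellow: 00X0001X
    if low == 0b001:
        return 4                      # blue: 00X00001
    return 5                          # gray: 00X00000 (00X0010X is unlisted; treated as gray, an assumption)


# Block type 20, version 1 (IPv4 only): packed big-endian, no alignment padding (assumption).
ALERT_FMT = "!IIIIIB4s4s"


def parse_impact_alert(buf):
    """Parse an Intrusion Impact Alert block and its trailing description String block."""
    (btype, blen, event_id, device_id, event_second,
     impact, src, dst) = struct.unpack_from(ALERT_FMT, buf, 0)
    if btype != 20 or blen > len(buf):
        raise ValueError(f"not an intrusion impact alert block (type {btype}, length {blen})")
    off = struct.calcsize(ALERT_FMT)
    stype, slen = struct.unpack_from("!II", buf, off)
    # The String block is the last thing in the block, so it must end exactly at Block Length.
    if stype != 0 or slen < 8 or off + slen != blen:
        raise ValueError("malformed description String block")
    description = buf[off + 8:off + slen].decode("utf-8", "replace")
    level = impact_level(impact)
    return {
        "event_id": event_id,
        "device_id": device_id,
        "event_second": event_second,
        "impact_flags": impact,
        "impact": level,
        "impact_name": IMPACT_NAMES[level],
        "src_ip": str(ipaddress.IPv4Address(src)),
        # The table says the destination is 0 when there is none.
        "dst_ip": None if dst == bytes(4) else str(ipaddress.IPv4Address(dst)),
        "description": description,
    }


def build_sample_alert(flags, description, dst="192.0.2.20"):
    """Constructed sample block (not captured from a device) for exercising the parser."""
    text = description.encode()
    body = struct.pack("!IIIB4s4s", 4242, 7, 1700000000, flags,
                       ipaddress.IPv4Address("192.0.2.10").packed,
                       ipaddress.IPv4Address(dst).packed)
    body += struct.pack("!II", 0, 8 + len(text)) + text
    return struct.pack("!II", 20, 8 + len(body)) + body
```

Because the red patterns are checked first, a host that is both dropped (bit 5) and vulnerable (bit 3 or 4) still comes out red, which matches the X in bit 5 of every pattern; bit 5 on its own never changes the level, only the blocked status shown in the web interface.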

Intrusion Event Extra Data Record

The eStreamer service transmits the event extra data associated with an intrusion event in the Intrusion Event Extra Data record. The record type is always 110.

This record is deprecated in version 7.1. While it can still be requested, no records will be generated.

The event extra data appears in an encapsulated Event Extra Data data block, which always has a data block type value of 4. (The Event Extra Data data block is a series 2 data block. For more information about series 2 data blocks, see Understanding Series 2 Data Blocks.)

The supported types of extra data include IPv6 source and destination addresses, as well as the originating IP addresses (v4 or v6) of clients connecting to a web server through an HTTP proxy or load balancer. The graphic below shows the format of the Intrusion Event Extra Data record.

If bit 27 is set in the Request Flags field of the request message, you receive the event extra data for each intrusion event. If you set bit 20, you also receive the event extra data metadata described in Intrusion Event Extra Data Metadata. If you enable bit 23, eStreamer will include the extended event header. See Request Flags for information on setting request flags.

 

Byte: 0 | 1 | 2 | 3
Bit: 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31

Header Version (1)

Message Type (4)

 

Message Length

 

Netmap ID

Record Type (110)

 

Record Length

 

eStreamer Server Timestamp (in events, only if bit 23 is set)

 

Reserved for Future Use (in events, only if bit 23 is set)

 

Event Extra Data Data Block Type (4)

 

Event Extra Data Data Block Length

 

Device ID

 

Event ID

 

Event Second

 

Type

 

BLOB Block Type (1)

 

BLOB Length

 

Event Extra Data

Note that the Event Extra Data block structure includes a BLOB block type, which is one of several variable length data structures introduced in Version 4.10 of the Secure Firewall System.

The following table describes the fields in the Intrusion Event Extra Data record.

 

Table B-11 Intrusion Event Extra Data Data Block Fields

Field
Data Type
Description

Event Extra Data Data Block Type

uint32

Initiates an Event Extra Data data block. This value is always 4. The block type is a series 2 block; for information see Understanding Series 2 Data Blocks.

Event Extra Data Data Block Length

uint32

Length of the data block. Includes the number of bytes of data plus the 8 bytes in the two data block header fields.

Device ID

uint32

The managed device identification number.

Event ID

uint32

The event identification number.

Event Second

uint32

UNIX timestamp of the event (seconds since 01/01/1970).

Type

uint32

Identifier for the type of extra data; for example:

  • 2 — XFF client (IPv6)
  • 9 — HTTP URI

BLOB Block Type

uint32

Initiates a BLOB data block containing extra data. This value is always 1. The block type is a series 2 block.

BLOB Length

uint32

Total number of bytes in the BLOB data block.

Event Extra Data

variable

The content of the extra data. The data type is indicated in the Type field.

Intrusion Event Extra Data Metadata

The eStreamer service transmits the event extra data metadata associated with intrusion event extra data records in the Intrusion Event Extra Data Metadata record. The record type is always 111.

This record is deprecated in version 7.1. While it can still be requested, no records will be generated.

The event extra data metadata appears in an encapsulated Event Extra Data Metadata data block, which always has a data block type value of 5. The Event Extra Data data block is a series 2 data block.

If bit 20 is set in the Request Flags field of a request message, you receive the event extra data metadata. If you want to receive both intrusion events and event extra data metadata, you must set bit 2 as well. See Request Flags. If you enable bit 23, an extended event header is included in the record.

 

Byte: 0 | 1 | 2 | 3
Bit: 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31

Header Version (1)

Message Type (4)

 

Message Length

 

Netmap ID

Record Type (111)

 

Record Length

 

eStreamer Server Timestamp (in events, only if bit 23 is set)

 

Reserved for Future Use (in events, only if bit 23 is set)

 

Event Extra Data Metadata Data Block Type (5)

 

Data Block Length

 

Type

 

String Block Type (0)

 

String Block Length

 

Name...

 

String Block Type (0)

 

String Block Length

 

Encoding

Note that the block structure includes encapsulated String block types, one of several series 2 variable length data structures introduced in Version 4.10 of the Secure Firewall System.

The following table describes the fields in the Event Extra Data Metadata record.

 

Table B-12 Event Extra Data Metadata Data Block Fields

Field
Data Type
Description

Event Extra Data Metadata Data Block Type

uint32

Initiates an Event Extra Data Metadata data block. This value is always 5. This block type is a series 2 block.

Event Extra Data Metadata Data Block Length

uint32

Length of the data block. Includes the number of bytes of data plus the 8 bytes in the two data block header fields.

Type

uint32

The type of extra data. Matches the Type field in the associated Event Extra Data record. This field is the unique key for this record.

String Block Type

uint32

Initiates a String data block containing the name of the extra data type. This value is always 0. This block type is a series 2 block.

String Block Length

uint32

Number of bytes in the Name String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the name string.

Name

string

Name of the type of event extra data, for example, XFF client (IPv6), and HTTP URI.

String Block Type

uint32

Initiates a string data block for the client application URL. This value is always 0. This block type is a series 2 block.

String Block Length

uint32

Number of bytes in the client application URL String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the URL string.

Encoding

string

Encoding used for the event extra data, for example, IPv4, IPv6, or string.
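The record described above, as an added example that is not part of the original page or of any Cisco eStreamer client: a Python parser for one Event Extra Data Metadata message, plus an encoder used only to construct offline test input. It walks the message header, the record header, the extended header (present only when the client set bit 23, which the record itself does not signal, so the parser must be told which flags were requested) and the type 5 block with its two String blocks, and it rejects any length that runs past the enclosing structure. Assumptions not stated on the page: integers are network byte order, and Message Length and Record Length count the bytes that follow their own 8-byte headers. The Type value 2 and the sample strings are made up for the example.

```python
import struct

EXTENDED_HEADER_FLAG = 1 << 23          # request flag bit 23: server timestamp + reserved word per record
RECORD_EVENT_EXTRA_DATA_METADATA = 111  # record type carrying the metadata block
BLOCK_EVENT_EXTRA_DATA_METADATA = 5     # series 2 data block type
STRING_BLOCK = 0                        # series 2 String block type


class MalformedRecord(ValueError):
    """A length or type field disagrees with the bytes actually received."""


def read_string_block(buf, off, end):
    """Decode one series 2 String block at buf[off:]; return (text, offset just past it).

    String Block Length counts its own 8-byte header, so it must be at least 8 and
    must not run past `end`, the boundary of the enclosing block.
    """
    if off + 8 > end:
        raise MalformedRecord("truncated String block header")
    btype, blen = struct.unpack_from(">II", buf, off)
    if btype != STRING_BLOCK:
        raise MalformedRecord(f"expected String block type 0, got {btype}")
    if blen < 8 or off + blen > end:
        raise MalformedRecord(f"String block length {blen} runs past the enclosing block")
    return bytes(buf[off + 8:off + blen]).decode("utf-8", "replace"), off + blen


def parse_extra_data_metadata(msg, request_flags):
    """Parse one record type 111 event data message into a dict.

    Assumptions not stated on the page: integers are network byte order, and Message
    Length and Record Length count the bytes that follow their own 8-byte headers.
    """
    if len(msg) < 16:
        raise MalformedRecord("message shorter than the message and record headers")
    header_version, message_type, message_length = struct.unpack_from(">HHI", msg, 0)
    if (header_version, message_type) != (1, 4):
        raise MalformedRecord(f"unexpected header version {header_version} / message type {message_type}")
    if message_length != len(msg) - 8:
        raise MalformedRecord(f"Message Length {message_length} != {len(msg) - 8} bytes present")
    netmap_id, record_type, record_length = struct.unpack_from(">HHI", msg, 8)
    if record_type != RECORD_EVENT_EXTRA_DATA_METADATA:
        raise MalformedRecord(f"not an Event Extra Data Metadata record: type {record_type}")
    if record_length != len(msg) - 16:
        raise MalformedRecord(f"Record Length {record_length} != {len(msg) - 16} bytes present")
    pos, out = 16, {"netmap_id": netmap_id}
    if request_flags & EXTENDED_HEADER_FLAG:
        # Present only because the client asked for it; nothing in the record itself says so.
        if pos + 8 > len(msg):
            raise MalformedRecord("truncated extended event header")
        out["server_timestamp"], out["reserved"] = struct.unpack_from(">II", msg, pos)
        pos += 8
    if pos + 12 > len(msg):
        raise MalformedRecord("truncated Event Extra Data Metadata block header")
    block_type, block_length, extra_type = struct.unpack_from(">III", msg, pos)
    if block_type != BLOCK_EVENT_EXTRA_DATA_METADATA:
        raise MalformedRecord(f"expected block type 5, got {block_type}")
    end = pos + block_length  # Data Block Length includes its own 8-byte header
    if block_length < 12 or end > len(msg):
        raise MalformedRecord(f"Data Block Length {block_length} exceeds the record")
    out["type"] = extra_type  # joins to the Type field of Event Extra Data records
    out["name"], pos = read_string_block(msg, pos + 12, end)
    out["encoding"], pos = read_string_block(msg, pos, end)
    if pos != end:
        raise MalformedRecord(f"{end - pos} unexpected trailing bytes in the block")
    return out


def build_extra_data_metadata(extra_type, name, encoding, request_flags, server_timestamp=0, netmap_id=0):
    """Encode a record type 111 message (constructed test input, the parser's inverse)."""
    def string_block(text):
        raw = text.encode("utf-8")
        return struct.pack(">II", STRING_BLOCK, 8 + len(raw)) + raw
    body = string_block(name) + string_block(encoding)
    block = struct.pack(">III", BLOCK_EVENT_EXTRA_DATA_METADATA, 12 + len(body), extra_type) + body
    if request_flags & EXTENDED_HEADER_FLAG:
        block = struct.pack(">II", server_timestamp, 0) + block
    record = struct.pack(">HHI", netmap_id, RECORD_EVENT_EXTRA_DATA_METADATA, len(block)) + block
    return struct.pack(">HHI", 1, 4, len(record)) + record


# Constructed sample: bits 20 and 23 set in the request; Type 2 and the strings are made up.
REQUEST_FLAGS = (1 << 20) | EXTENDED_HEADER_FLAG
SAMPLE = build_extra_data_metadata(2, "HTTP URI", "string", REQUEST_FLAGS, server_timestamp=1700000000)

if __name__ == "__main__":
    print(parse_extra_data_metadata(SAMPLE, REQUEST_FLAGS))
```

Feeding a record produced without bit 23 to a parser told that bit 23 was set misreads the block type and length fields as the timestamp and reserved word, and the parser then fails on the block type check; keep the flags you sent next to the parser rather than guessing from the bytes.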

Legacy Malware Event Data Structures

Malware Event Data Block 5.1

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 16 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 1 and an event code of 101.

The malware event data block has the following layout (one line per field; widths in bytes; "String block" is a series 2 String block: 4-byte String Block Type (0), 4-byte String Block Length, then the string bytes):

  Width         Field
  4             Malware Event Block Type (16)
  4             Malware Event Block Length
  16            Agent UUID
  16            Cloud UUID
  4             Timestamp
  4             Event Type ID
  1             Event Subtype ID
  4             Host IP Address
  1             Detector ID
  String block  Detection Name
  String block  User
  String block  File Name
  String block  File Path
  String block  File SHA Hash
  4             File Size
  1             File Type
  4             File Timestamp
  String block  Parent File Name
  String block  Parent File SHA Hash
  String block  Event Description

The following table describes the fields in the malware event data block.

 

Table B-13 Malware Event Data Block Fields

Field
Data Type
Description

Malware Event Block Type

uint32

Initiates a malware event data block. This value is always 16.

Malware Event Block Length

uint32

Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.

Agent UUID

uint8[16]

The internal unique ID of the AMP for Endpoints agent reporting the malware event.

Cloud UUID

uint8[16]

The internal unique ID of the malware awareness network from which the malware event originated.

Timestamp

uint32

The malware event generation timestamp.

Event Type ID

uint32

The internal ID of the malware event type.

Event Subtype ID

uint8

The internal ID of the action that led to malware detection.

Host IP Address

uint32

The host IP address associated with the malware event.

Detector ID

uint8

The internal ID of the detection technology that detected the malware.

String Block Type

uint32

Initiates a String data block containing the detection name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.

Detection Name

string

The name of the detected or quarantined malware.

String Block Type

uint32

Initiates a String data block containing the username. This value is always 0.

String Block Length

uint32

The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.

User

string

The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.

String Block Type

uint32

Initiates a String data block containing the file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.

File Name

string

The name of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file path. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.

File Path

string

The file path, not including the file name, of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.

File SHA Hash

string

The SHA-256 hash value of the detected or quarantined file.

File Size

uint32

The size in bytes of the detected or quarantined file.

File Type

uint8

The file type of the detected or quarantined file.

File Timestamp

uint32

The creation timestamp of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the parent file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.

Parent File Name

string

The name of the file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the parent file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.

Parent File SHA Hash

string

The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the event description. This value is always 0.

String Block Length

uint32

The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.

Event Description

string

The additional event information associated with the event type.

Malware Event Data Block 5.1.1.x

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 24 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 2 and an event code of 101.

The malware event data block for 5.1.1.x has the following layout (one line per field; widths in bytes; "String block" is a series 2 String block: 4-byte String Block Type (0), 4-byte String Block Length, then the string bytes):

  Width         Field
  4             Malware Event Block Type (24)
  4             Malware Event Block Length
  16            Agent UUID
  16            Cloud UUID
  4             Malware Event Timestamp
  4             Event Type ID
  1             Event Subtype ID
  4             Host IP Address
  1             Detector ID
  String block  Detection Name
  String block  User
  String block  File Name
  String block  File Path
  String block  File SHA Hash
  4             File Size
  1             File Type
  4             File Timestamp
  String block  Parent File Name
  String block  Parent File SHA Hash
  String block  Event Description
  4             Device ID
  2             Connection Instance
  2             Connection Counter
  4             Connection Event Timestamp
  1             Direction
  16            Source IP Address
  16            Destination IP Address
  4             Application ID
  4             User ID
  16            Access Control Policy UUID
  1             Disposition
  1             Retrospective Disposition
  String block  URI
  2             Source Port
  2             Destination Port

The following table describes the fields in the malware event data block.

 

Table B-14 Malware Event Data Block for 5.1.1.x Fields

Field
Data Type
Description

Malware Event Block Type

uint32

Initiates a malware event data block. This value is always 24.

Malware Event Block Length

uint32

Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.

Agent UUID

uint8[16]

The internal unique ID of the AMP for Endpoints agent reporting the malware event.

Cloud UUID

uint8[16]

The internal unique ID of the malware awareness network from which the malware event originated.

Malware Event Timestamp

uint32

The malware event generation timestamp.

Event Type ID

uint32

The internal ID of the malware event type.

Event Subtype ID

uint8

The internal ID of the action that led to malware detection.

Host IP Address

uint32

The host IP address associated with the malware event.

Detector ID

uint8

The internal ID of the detection technology that detected the malware.

String Block Type

uint32

Initiates a String data block containing the detection name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.

Detection Name

string

The name of the detected or quarantined malware.

String Block Type

uint32

Initiates a String data block containing the username. This value is always 0.

String Block Length

uint32

The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.

User

string

The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.

String Block Type

uint32

Initiates a String data block containing the file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.

File Name

string

The name of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file path. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.

File Path

string

The file path, not including the file name, of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.

File SHA Hash

string

The rendered string of the SHA-256 hash value of the detected or quarantined file.

File Size

uint32

The size in bytes of the detected or quarantined file.

File Type

uint8

The file type of the detected or quarantined file.

File Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the parent file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.

Parent File Name

string

The name of the file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the parent file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.

Parent File SHA Hash

string

The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the event description. This value is always 0.

String Block Length

uint32

The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.

Event Description

string

The additional event information associated with the event type.

Device ID

uint32

ID for the device that generated the event.

Connection Instance

uint16

Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Connection Event Timestamp

uint32

Timestamp of the connection event.

Direction

uint8

Indicates whether the file was uploaded or downloaded. Can have the following values:

  • 1 — Download
  • 2 — Upload

Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).

Source IP Address

uint8[16]

IPv4 or IPv6 address for the source of the connection.

Destination IP Address

uint8[16]

IPv4 or IPv6 address for the destination of the connection.

Application ID

uint32

ID number that maps to the application using the file transfer.

User ID

uint32

Identification number for the user logged into the destination host, as identified by the system.

Access Control Policy UUID

uint8[16]

Identification number that acts as a unique identifier for the access control policy that triggered the event.

Disposition

uint8

The malware status of the file. Possible values include:

  • 1 — CLEAN — The file is clean and does not contain malware.
  • 2 — UNKNOWN — It is unknown whether the file contains malware.
  • 3 — MALWARE — The file contains malware.
  • 4 — CACHE_MISS — The software was unable to send a request to the Cisco cloud for a disposition.
  • 5 — NO_CLOUD_RESP — The Cisco cloud services did not respond to the request.

Retrospective Disposition

uint8

Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.

String Block Type

uint32

Initiates a String data block containing the URI. This value is always 0.

String Block Length

uint32

The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.

URI

string

URI of the connection.

Source Port

uint16

Port number for the source of the connection.

Destination Port

uint16

Port number for the destination of the connection.

Malware Event Data Block 5.2.x

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 33 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 3 and an event code of 101.

The malware event data block for 5.2.x has the following layout (one line per field; widths in bytes; "String block" is a series 2 String block: 4-byte String Block Type (0), 4-byte String Block Length, then the string bytes). Note that the Host IP Address field of the 5.1 and 5.1.1.x blocks is no longer present:

  Width         Field
  4             Malware Event Block Type (33)
  4             Malware Event Block Length
  16            Agent UUID
  16            Cloud UUID
  4             Malware Event Timestamp
  4             Event Type ID
  1             Event Subtype ID
  1             Detector ID
  String block  Detection Name
  String block  User
  String block  File Name
  String block  File Path
  String block  File SHA Hash
  4             File Size
  1             File Type
  4             File Timestamp
  String block  Parent File Name
  String block  Parent File SHA Hash
  String block  Event Description
  4             Device ID
  2             Connection Instance
  2             Connection Counter
  4             Connection Event Timestamp
  1             Direction
  16            Source IP Address
  16            Destination IP Address
  4             Application ID
  4             User ID
  16            Access Control Policy UUID
  1             Disposition
  1             Retrospective Disposition
  String block  URI
  2             Source Port
  2             Destination Port
  2             Source Country
  2             Destination Country
  4             Web Application ID
  4             Client Application ID
  1             Action
  1             Protocol

The following table describes the fields in the malware event data block.

 

Table B-15 Malware Event Data Block for 5.2.x Fields

Field
Data Type
Description

Malware Event Block Type

uint32

Initiates a malware event data block. This value is always 33.

Malware Event Block Length

uint32

Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.

Agent UUID

uint8[16]

The internal unique ID of the AMP for Endpoints agent reporting the malware event.

Cloud UUID

uint8[16]

The internal unique ID of the malware awareness network from which the malware event originated.

Malware Event Timestamp

uint32

The malware event generation timestamp.

Event Type ID

uint32

The internal ID of the malware event type.

Event Subtype ID

uint8

The internal ID of the action that led to malware detection.

Detector ID

uint8

The internal ID of the detection technology that detected the malware.

String Block Type

uint32

Initiates a String data block containing the detection name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.

Detection Name

string

The name of the detected or quarantined malware.

String Block Type

uint32

Initiates a String data block containing the username. This value is always 0.

String Block Length

uint32

The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.

User

string

The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.

String Block Type

uint32

Initiates a String data block containing the file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.

File Name

string

The name of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file path. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.

File Path

string

The file path, not including the file name, of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.

File SHA Hash

string

The rendered string of the SHA-256 hash value of the detected or quarantined file.

File Size

uint32

The size in bytes of the detected or quarantined file.

File Type

uint8

The file type of the detected or quarantined file.

File Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the parent file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.

Parent File Name

string

The name of the file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the parent file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.

Parent File SHA Hash

string

The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the event description. This value is always 0.

String Block Length

uint32

The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.

Event Description

string

The additional event information associated with the event type.

Device ID

uint32

ID for the device that generated the event.

Connection Instance

uint16

Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Connection Event Timestamp

uint32

Timestamp of the connection event.

Direction

uint8

Indicates whether the file was uploaded or downloaded. Can have the following values:

  • 1 — Download
  • 2 — Upload

Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).

Source IP Address

uint8[16]

IPv4 or IPv6 address for the source of the connection.

Destination IP Address

uint8[16]

IPv4 or IPv6 address for the destination of the connection.

Application ID

uint32

ID number that maps to the application using the file transfer.

User ID

uint32

Identification number for the user logged into the destination host, as identified by the system.

Access Control Policy UUID

uint8[16]

Identification number that acts as a unique identifier for the access control policy that triggered the event.

Disposition

uint8

The malware status of the file. Possible values include:

  • 1 — CLEAN — The file is clean and does not contain malware.
  • 2 — NEUTRAL — It is unknown whether the file contains malware.
  • 3 — MALWARE — The file contains malware.
  • 4 — CACHE_MISS — The software was unable to send a request to the Cisco cloud for a disposition, or the Cisco cloud services did not respond to the request.

Retrospective Disposition

uint8

Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.

String Block Type

uint32

Initiates a String data block containing the URI. This value is always 0.

String Block Length

uint32

The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.

URI

string

URI of the connection.

Source Port

uint16

Port number for the source of the connection.

Destination Port

uint16

Port number for the destination of the connection.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

Web Application ID

uint32

The internal identification number of the detected web application, if applicable.

Client Application ID

uint32

The internal identification number of the detected client application, if applicable.

Action

uint8

The action taken on the file based on the file type. Can have the following values:

  • 1 — Detect
  • 2 — Block
  • 3 — Malware Cloud Lookup
  • 4 — Malware Block
  • 5 — Malware Allow List

Protocol

uint8

IANA IP protocol number of the connection that carried the file. For example:

  • 1 — ICMP
  • 4 — IP
  • 6 — TCP
  • 17 — UDP

Currently this is always 6 (TCP).
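The 5.1, 5.1.1.x and 5.2.x blocks above (types 16, 24 and 33; Tables B-13, B-14 and B-15) share the same file fields and differ only in what surrounds them, so a single schema-driven decoder covers all three. The following is an added example, not code from the original page or from any Cisco software: the schema lists encode the field order and widths from the three tables, the parser checks every server-supplied length against the enclosing block before using it as an index, and the encoder exists only to construct offline sample input. Assumptions: integers are network byte order, and an IPv4 address in a 16-byte Source or Destination IP Address field arrives as an IPv4-mapped IPv6 address (::ffff:a.b.c.d). The UUIDs, IDs and strings in SAMPLE_FIELDS are made up. The 5.3 block (type 35) described next widens Event Subtype ID to four bytes and appends further fields; it would be one more SCHEMAS entry.

```python
import ipaddress
import struct
import uuid

# Field kinds: fixed-width integers, 16-byte UUIDs, 4-byte IPv4, 16-byte IPv4-or-IPv6, and "str",
# a series 2 String block (4-byte type 0, 4-byte length including the header, then the bytes).
SIZES = {"u8": 1, "u16": 2, "u32": 4, "uuid": 16, "ipv4": 4, "ip16": 16}
FMT = {"u8": ">B", "u16": ">H", "u32": ">I"}
HEAD = [("agent_uuid", "uuid"), ("cloud_uuid", "uuid"), ("timestamp", "u32"),
        ("event_type_id", "u32"), ("event_subtype_id", "u8")]
FILE = [("detector_id", "u8"), ("detection_name", "str"), ("user", "str"), ("file_name", "str"),
        ("file_path", "str"), ("file_sha256", "str"), ("file_size", "u32"), ("file_type", "u8"),
        ("file_timestamp", "u32"), ("parent_file_name", "str"), ("parent_file_sha256", "str"),
        ("event_description", "str")]
CONNECTION = [("device_id", "u32"), ("connection_instance", "u16"), ("connection_counter", "u16"),
              ("connection_timestamp", "u32"), ("direction", "u8"), ("source_ip", "ip16"),
              ("destination_ip", "ip16"), ("application_id", "u32"), ("user_id", "u32"),
              ("access_control_policy_uuid", "uuid"), ("disposition", "u8"),
              ("retrospective_disposition", "u8"), ("uri", "str"), ("source_port", "u16"),
              ("destination_port", "u16")]
EXTRA_52 = [("source_country", "u16"), ("destination_country", "u16"), ("web_application_id", "u32"),
            ("client_application_id", "u32"), ("action", "u8"), ("protocol", "u8")]
# Block type -> ordered fields. Types 16 and 24 carry Host IP Address; type 33 drops it and
# appends the 5.2.x connection fields.
SCHEMAS = {16: HEAD + [("host_ip", "ipv4")] + FILE,
           24: HEAD + [("host_ip", "ipv4")] + FILE + CONNECTION,
           33: HEAD + FILE + CONNECTION + EXTRA_52}

class MalformedBlock(ValueError):
    """A length or type field disagrees with the bytes actually received."""

def parse_malware_event_block(buf, off=0):
    """Parse one malware event block (type 16, 24 or 33) at buf[off:], bounds-checking every length."""
    if off + 8 > len(buf):
        raise MalformedBlock("truncated block header")
    block_type, block_length = struct.unpack_from(">II", buf, off)
    if block_type not in SCHEMAS:
        raise MalformedBlock(f"unsupported malware event block type {block_type}")
    end = off + block_length  # Block Length includes its own 8-byte header
    if block_length < 8 or end > len(buf):
        raise MalformedBlock(f"block length {block_length} exceeds {len(buf) - off} available bytes")
    pos, out = off + 8, {"block_type": block_type}
    for name, kind in SCHEMAS[block_type]:
        if kind == "str":
            if pos + 8 > end:
                raise MalformedBlock(f"truncated String block header for {name}")
            stype, slen = struct.unpack_from(">II", buf, pos)
            # Server-supplied length: never let it index outside the enclosing block.
            if stype != 0 or slen < 8 or pos + slen > end:
                raise MalformedBlock(f"bad String block for {name}: type {stype}, length {slen}")
            out[name], pos = bytes(buf[pos + 8:pos + slen]).decode("utf-8", "replace"), pos + slen
            continue
        size = SIZES[kind]
        if pos + size > end:
            raise MalformedBlock(f"truncated {name}")
        raw = bytes(buf[pos:pos + size])
        if kind in FMT:
            out[name] = struct.unpack(FMT[kind], raw)[0]
        elif kind == "uuid":
            out[name] = str(uuid.UUID(bytes=raw))
        elif kind == "ipv4":
            out[name] = str(ipaddress.IPv4Address(raw))
        else:  # ip16; assumption: IPv4 arrives as an IPv4-mapped IPv6 address (::ffff:a.b.c.d)
            addr = ipaddress.IPv6Address(raw)
            out[name] = str(addr.ipv4_mapped or addr)
        pos += size
    if pos != end:
        raise MalformedBlock(f"{end - pos} trailing bytes in block type {block_type}")
    return out

def build_malware_event_block(block_type, fields):
    """Encode constructed test data for block_type (the parser's inverse); extra keys are ignored."""
    body = b""
    for name, kind in SCHEMAS[block_type]:
        value = fields[name]
        if kind == "str":
            raw = value.encode("utf-8")
            body += struct.pack(">II", 0, 8 + len(raw)) + raw
        elif kind in FMT:
            body += struct.pack(FMT[kind], value)
        elif kind == "uuid":
            body += uuid.UUID(value).bytes
        elif kind == "ipv4":
            body += ipaddress.IPv4Address(value).packed
        else:  # ip16: IPv4 values are written IPv4-mapped, matching the parser's assumption
            addr = ipaddress.ip_address(value)
            body += (addr if addr.version == 6 else ipaddress.IPv6Address(f"::ffff:{addr}")).packed
    return struct.pack(">II", block_type, 8 + len(body)) + body

# Constructed sample for a 5.1.1.x (type 24) block; every value here is made up for this example.
SAMPLE_FIELDS = {
    "agent_uuid": "11111111-2222-3333-4444-555555555555", "cloud_uuid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "timestamp": 1700000000, "event_type_id": 1, "event_subtype_id": 3, "host_ip": "10.0.0.25", "detector_id": 2,
    "detection_name": "Example.Constructed.Detection", "user": "alice", "file_name": "invoice.exe",
    "file_path": "C:\\Users\\alice\\Downloads", "file_sha256": "00" * 32, "file_size": 4096, "file_type": 1,
    "file_timestamp": 1699999000, "parent_file_name": "outlook.exe", "parent_file_sha256": "ff" * 32,
    "event_description": "constructed sample", "device_id": 7, "connection_instance": 1,
    "connection_counter": 42, "connection_timestamp": 1700000000, "direction": 1,
    "source_ip": "198.51.100.10", "destination_ip": "2001:db8::1", "application_id": 676, "user_id": 0,
    "access_control_policy_uuid": "12345678-1234-1234-1234-123456789abc", "disposition": 3,
    "retrospective_disposition": 3, "uri": "http://example.invalid/invoice.exe", "source_port": 80,
    "destination_port": 51515,
}
SAMPLE_24 = build_malware_event_block(24, SAMPLE_FIELDS)
```

With every string field empty, a type 16 block is exactly 127 bytes (8-byte block header, 55 bytes of fixed fields, and eight 8-byte empty String blocks); checking such a known size against the encoder is a quick way to catch a schema transcription error before a live feed does.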

Malware Event Data Block 5.3

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 35 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 4 and an event code of 101.

The malware event data block for 5.3 has the following layout (one line per field; widths in bytes; "String block" is a series 2 String block: 4-byte String Block Type (0), 4-byte String Block Length, then the string bytes). Note that Event Subtype ID is now four bytes wide, and that Threat Score and IOC Number are appended after Protocol:

  Width         Field
  4             Malware Event Block Type (35)
  4             Malware Event Block Length
  16            Agent UUID
  16            Cloud UUID
  4             Malware Event Timestamp
  4             Event Type ID
  4             Event Subtype ID
  1             Detector ID
  String block  Detection Name
  String block  User
  String block  File Name
  String block  File Path
  String block  File SHA Hash
  4             File Size
  1             File Type
  4             File Timestamp
  String block  Parent File Name
  String block  Parent File SHA Hash
  String block  Event Description
  4             Device ID
  2             Connection Instance
  2             Connection Counter
  4             Connection Event Timestamp
  1             Direction
  16            Source IP Address
  16            Destination IP Address
  4             Application ID
  4             User ID
  16            Access Control Policy UUID
  1             Disposition
  1             Retrospective Disposition
  String block  URI
  2             Source Port
  2             Destination Port
  2             Source Country
  2             Destination Country
  4             Web Application ID
  4             Client Application ID
  1             Action
  1             Protocol
  1             Threat Score
  2             IOC Number

The following table describes the fields in the malware event data block.

 

Table B-16 Malware Event Data Block for 5.3 Fields

Field
Data Type
Description

Malware Event Block Type

uint32

Initiates a malware event data block. This value is always 35.

Malware Event Block Length

uint32

Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.

Agent UUID

uint8[16]

The internal unique ID of the AMP for Endpoints agent reporting the malware event.

Cloud UUID

uint8[16]

The internal unique ID of the malware awareness network from which the malware event originated.

Malware Event Timestamp

uint32

The malware event generation timestamp.

Event Type ID

uint32

The internal ID of the malware event type.

Event Subtype ID

uint32

The internal ID of the action that led to malware detection.

Detector ID

uint8

The internal ID of the detection technology that detected the malware.

String Block Type

uint32

Initiates a String data block containing the detection name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.

Detection Name

string

The name of the detected or quarantined malware.

String Block Type

uint32

Initiates a String data block containing the username. This value is always 0.

String Block Length

uint32

The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.

User

string

The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.

String Block Type

uint32

Initiates a String data block containing the file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.

File Name

string

The name of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file path. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.

File Path

string

The file path, not including the file name, of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.

File SHA Hash

string

The rendered string of the SHA-256 hash value of the detected or quarantined file.

File Size

uint32

The size in bytes of the detected or quarantined file.

File Type

uint8

The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information.

File Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the parent file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.

Parent File Name

string

The name of the file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the parent file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.

Parent File SHA Hash

string

The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the event description. This value is always 0.

String Block Length

uint32

The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.

Event Description

string

The additional event information associated with the event type.

Device ID

uint32

ID for the device that generated the event.

Connection Instance

uint16

Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Connection Event Timestamp

uint32

Timestamp of the connection event.

Direction

uint8

Indicates whether the file was uploaded or downloaded. Can have the following values:

  • 1 — Download
  • 2 — Upload

Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).

Source IP Address

uint8[16]

IPv4 or IPv6 address for the source of the connection.

Destination IP Address

uint8[16]

IPv4 or IPv6 address for the destination of the connection.

Application ID

uint32

ID number that maps to the application using the file transfer.

User ID

uint32

Identification number for the user logged into the destination host, as identified by the system.

Access Control Policy UUID

uint8[16]

Identification number that acts as a unique identifier for the access control policy that triggered the event.

Disposition

uint8

The malware status of the file. Possible values include:

  • 1 — CLEAN The file is clean and does not contain malware.
  • 2 — UNKNOWN It is unknown whether the file contains malware.
  • 3 — MALWARE The file contains malware.
  • 4 — UNAVAILABLE The software was unable to send a request to the Cisco cloud for a disposition, or the Cisco cloud services did not respond to the request.
  • 5 — CUSTOM SIGNATURE The file matches a user-defined hash, and is treated in a fashion designated by the user.

Retrospective Disposition

uint8

Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.

String Block Type

uint32

Initiates a String data block containing the URI. This value is always 0.

String Block Length

uint32

The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.

URI

string

URI of the connection.

Source Port

uint16

Port number for the source of the connection.

Destination Port

uint16

Port number for the destination of the connection.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

Web Application ID

uint32

The internal identification number of the detected web application, if applicable.

Client Application ID

uint32

The internal identification number of the detected client application, if applicable.

Action

uint8

The action taken on the file based on the file type. Can have the following values:

  • 1 — Detect
  • 2 — Block
  • 3 — Malware Cloud Lookup
  • 4 — Malware Block
  • 5 — Malware Allow List

Protocol

uint8

IANA protocol number of the connection that carried the file. For example:

  • 1 — ICMP
  • 4 — IP
  • 6 — TCP
  • 17 — UDP

This is currently only TCP.

Threat Score

uint8

A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.

IOC Number

uint16

ID Number of the compromise associated with this event.

Malware Event Data Block 5.3.1

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 44 in the series 2 group of blocks. It supersedes block 35. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 5 and an event code of 101.

The following layout shows the structure of the malware event data block, one field per line with its width. String blocks are variable length, and fields are packed with no alignment padding, so a 1-byte field is followed immediately by the next field.

  Malware Event Block Type (44)        4 bytes
  Malware Event Block Length           4 bytes
  Agent UUID                           16 bytes
  Cloud UUID                           16 bytes
  Malware Event Timestamp              4 bytes
  Event Type ID                        4 bytes
  Event Subtype ID                     4 bytes
  Detector ID                          1 byte
  Detection Name                       String Block Type (0), 4 bytes; String Block Length, 4 bytes; Detection Name...
  User                                 String Block Type (0); String Block Length; User...
  File Name                            String Block Type (0); String Block Length; File Name...
  File Path                            String Block Type (0); String Block Length; File Path...
  File SHA Hash                        String Block Type (0); String Block Length; File SHA Hash...
  File Size                            4 bytes
  File Type                            1 byte
  File Timestamp                       4 bytes
  Parent File Name                     String Block Type (0); String Block Length; Parent File Name...
  Parent File SHA Hash                 String Block Type (0); String Block Length; Parent File SHA Hash...
  Event Description                    String Block Type (0); String Block Length; Event Description...
  Device ID                            4 bytes
  Connection Instance                  2 bytes
  Connection Counter                   2 bytes
  Connection Event Timestamp           4 bytes
  Direction                            1 byte
  Source IP Address                    16 bytes
  Destination IP Address               16 bytes
  Application ID                       4 bytes
  User ID                              4 bytes
  Access Control Policy UUID           16 bytes
  Disposition                          1 byte
  Retrospective Disposition            1 byte
  URI                                  String Block Type (0); String Block Length; URI...
  Source Port                          2 bytes
  Destination Port                     2 bytes
  Source Country                       2 bytes
  Destination Country                  2 bytes
  Web Application ID                   4 bytes
  Client Application ID                4 bytes
  Action                               1 byte
  Protocol                             1 byte
  Threat Score                         1 byte
  IOC Number                           2 bytes
  Security Context                     16 bytes

The following table describes the fields in the malware event data block.

 

Table B-17 Malware Event Data Block for 5.3.1 Fields

Field
Data Type
Description

Malware Event Block Type

uint32

Initiates a malware event data block. This value is always 44.

Malware Event Block Length

uint32

Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.

Agent UUID

uint8[16]

The internal unique ID of the AMP for Endpoints agent reporting the malware event.

Cloud UUID

uint8[16]

The internal unique ID of the Cisco Advanced Malware Protection cloud from which the malware event originated.

Malware Event Timestamp

uint32

The malware event generation timestamp.

Event Type ID

uint32

The internal ID of the malware event type.

Event Subtype ID

uint32

The internal ID of the action that led to malware detection.

Detector ID

uint8

The internal ID of the detection technology that detected the malware.

String Block Type

uint32

Initiates a String data block containing the detection name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.

Detection Name

string

The name of the detected or quarantined malware.

String Block Type

uint32

Initiates a String data block containing the username. This value is always 0.

String Block Length

uint32

The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.

User

string

The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.

String Block Type

uint32

Initiates a String data block containing the file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.

File Name

string

The name of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file path. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.

File Path

string

The file path, not including the file name, of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.

File SHA Hash

string

The rendered string of the SHA-256 hash value of the detected or quarantined file.

File Size

uint32

The size in bytes of the detected or quarantined file.

File Type

uint8

The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information.

File Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the parent file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.

Parent File Name

string

The name of the file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the parent file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.

Parent File SHA Hash

string

The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the event description. This value is always 0.

String Block Length

uint32

The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.

Event Description

string

The additional event information associated with the event type.

Device ID

uint32

ID for the device that generated the event.

Connection Instance

uint16

Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Connection Event Timestamp

uint32

Timestamp of the connection event.

Direction

uint8

Indicates whether the file was uploaded or downloaded. Can have the following values:

  • 1 — Download
  • 2 — Upload

Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).

Source IP Address

uint8[16]

IPv4 or IPv6 address for the source of the connection.

Destination IP Address

uint8[16]

IPv4 or IPv6 address for the destination of the connection.

Application ID

uint32

ID number that maps to the application using the file transfer.

User ID

uint32

Identification number for the user logged into the destination host, as identified by the system.

Access Control Policy UUID

uint8[16]

Identification number that acts as a unique identifier for the access control policy that triggered the event.

Disposition

uint8

The malware status of the file. Possible values include:

  • 1 — CLEAN The file is clean and does not contain malware.
  • 2 — UNKNOWN It is unknown whether the file contains malware.
  • 3 — MALWARE The file contains malware.
  • 4 — UNAVAILABLE The software was unable to send a request to the Cisco cloud for a disposition, or the Cisco cloud services did not respond to the request.
  • 5 — CUSTOM SIGNATURE The file matches a user-defined hash, and is treated in a fashion designated by the user.

Retrospective Disposition

uint8

Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.

String Block Type

uint32

Initiates a String data block containing the URI. This value is always 0.

String Block Length

uint32

The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.

URI

string

URI of the connection.

Source Port

uint16

Port number for the source of the connection.

Destination Port

uint16

Port number for the destination of the connection.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

Web Application ID

uint32

The internal identification number of the detected web application, if applicable.

Client Application ID

uint32

The internal identification number of the detected client application, if applicable.

Action

uint8

The action taken on the file based on the file type. Can have the following values:

  • 1 — Detect
  • 2 — Block
  • 3 — Malware Cloud Lookup
  • 4 — Malware Block
  • 5 — Malware Allow List

Protocol

uint8

IANA protocol number of the connection that carried the file. For example:

  • 1 — ICMP
  • 4 — IP
  • 6 — TCP
  • 17 — UDP

This is currently only TCP.

Threat Score

uint8

A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.

IOC Number

uint16

ID number of the compromise associated with this event.

Security Context

uint8[16]

ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.

Malware Event Data Block 5.4.x

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 47 in the series 2 group of blocks. It supersedes block 44 and is superseded by block 62. Fields for SSL and file archive support have been added.

You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 6 and an event code of 101.

The following layout shows the structure of the malware event data block, one field per line with its width. String blocks are variable length, and fields are packed with no alignment padding, so a 1-byte field is followed immediately by the next field.

  Malware Event Block Type (47)        4 bytes
  Malware Event Block Length           4 bytes
  Agent UUID                           16 bytes
  Cloud UUID                           16 bytes
  Malware Event Timestamp              4 bytes
  Event Type ID                        4 bytes
  Event Subtype ID                     4 bytes
  Detector ID                          1 byte
  Detection Name                       String Block Type (0), 4 bytes; String Block Length, 4 bytes; Detection Name...
  User                                 String Block Type (0); String Block Length; User...
  File Name                            String Block Type (0); String Block Length; File Name...
  File Path                            String Block Type (0); String Block Length; File Path...
  File SHA Hash                        String Block Type (0); String Block Length; File SHA Hash...
  File Size                            4 bytes
  File Type                            1 byte
  File Timestamp                       4 bytes
  Parent File Name                     String Block Type (0); String Block Length; Parent File Name...
  Parent File SHA Hash                 String Block Type (0); String Block Length; Parent File SHA Hash...
  Event Description                    String Block Type (0); String Block Length; Event Description...
  Device ID                            4 bytes
  Connection Instance                  2 bytes
  Connection Counter                   2 bytes
  Connection Event Timestamp           4 bytes
  Direction                            1 byte
  Source IP Address                    16 bytes
  Destination IP Address               16 bytes
  Application ID                       4 bytes
  User ID                              4 bytes
  Access Control Policy UUID           16 bytes
  Disposition                          1 byte
  Retrospective Disposition            1 byte
  URI                                  String Block Type (0); String Block Length; URI...
  Source Port                          2 bytes
  Destination Port                     2 bytes
  Source Country                       2 bytes
  Destination Country                  2 bytes
  Web Application ID                   4 bytes
  Client Application ID                4 bytes
  Action                               1 byte
  Protocol                             1 byte
  Threat Score                         1 byte
  IOC Number                           2 bytes
  Security Context                     16 bytes
  SSL Certificate Fingerprint          20 bytes
  SSL Actual Action                    2 bytes
  SSL Flow Status                      2 bytes
  Archive SHA                          String Block Type (0); String Block Length; Archive SHA...
  Archive Name                         String Block Type (0); String Block Length; Archive Name...
  Archive Depth                        1 byte

The following table describes the fields in the malware event data block.

 

Table B-18 Malware Event Data Block for 5.4.x Fields

Field
Data Type
Description

Malware Event Block Type

uint32

Initiates a malware event data block. This value is always 47.

Malware Event Block Length

uint32

Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.

Agent UUID

uint8[16]

The internal unique ID of the AMP for Endpoints agent reporting the malware event.

Cloud UUID

uint8[16]

The internal unique ID of the Cisco Advanced Malware Protection cloud from which the malware event originated.

Malware Event Timestamp

uint32

The malware event generation timestamp.

Event Type ID

uint32

The internal ID of the malware event type.

Event Subtype ID

uint32

The internal ID of the action that led to malware detection.

Detector ID

uint8

The internal ID of the detection technology that detected the malware.

String Block Type

uint32

Initiates a String data block containing the detection name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.

Detection Name

string

The name of the detected or quarantined malware.

String Block Type

uint32

Initiates a String data block containing the username. This value is always 0.

String Block Length

uint32

The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.

User

string

The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.

String Block Type

uint32

Initiates a String data block containing the file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.

File Name

string

The name of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file path. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.

File Path

string

The file path, not including the file name, of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.

File SHA Hash

string

The rendered string of the SHA-256 hash value of the detected or quarantined file.

File Size

uint32

The size in bytes of the detected or quarantined file.

File Type

uint8

The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information.

File Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the parent file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.

Parent File Name

string

The name of the file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the parent file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.

Parent File SHA Hash

string

The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the event description. This value is always 0.

String Block Length

uint32

The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.

Event Description

string

The additional event information associated with the event type.

Device ID

uint32

ID for the device that generated the event.

Connection Instance

uint16

Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Connection Event Timestamp

uint32

Timestamp of the connection event.

Direction

uint8

Indicates whether the file was uploaded or downloaded. Can have the following values:

  • 1 — Download
  • 2 — Upload

Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).

Source IP Address

uint8[16]

IPv4 or IPv6 address for the source of the connection.

Destination IP Address

uint8[16]

IPv4 or IPv6 address for the destination of the connection.

Application ID

uint32

ID number that maps to the application using the file transfer.

User ID

uint32

Identification number for the user logged into the destination host, as identified by the system.

Access Control Policy UUID

uint8[16]

Identification number that acts as a unique identifier for the access control policy that triggered the event.

Disposition

uint8

The malware status of the file. Possible values include:

  • 1 — CLEAN The file is clean and does not contain malware.
  • 2 — UNKNOWN It is unknown whether the file contains malware.
  • 3 — MALWARE The file contains malware.
  • 4 — UNAVAILABLE The software was unable to send a request to the Cisco cloud for a disposition, or the Cisco cloud services did not respond to the request.
  • 5 — CUSTOM SIGNATURE The file matches a user-defined hash, and is treated in a fashion designated by the user.

Retrospective Disposition

uint8

Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.

String Block Type

uint32

Initiates a String data block containing the URI. This value is always 0.

String Block Length

uint32

The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.

URI

string

URI of the connection.

Source Port

uint16

Port number for the source of the connection.

Destination Port

uint16

Port number for the destination of the connection.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

Web Application ID

uint32

The internal identification number of the detected web application, if applicable.

Client Application ID

uint32

The internal identification number of the detected client application, if applicable.

Action

uint8

The action taken on the file based on the file type. Can have the following values:

  • 1 — Detect
  • 2 — Block
  • 3 — Malware Cloud Lookup
  • 4 — Malware Block
  • 5 — Malware Allow List
  • 6 — Cloud Lookup Timeout
  • 7 — Custom Detection
  • 8 — Custom Detection Block
  • 9 — Archive Block (Depth Exceeded)
  • 10 — Archive Block (Encrypted)
  • 11 — Archive Block (Failed to Inspect)

Protocol

uint8

IANA protocol number of the connection that carried the file. For example:

  • 1 — ICMP
  • 4 — IP
  • 6 — TCP
  • 17 — UDP

This is currently only TCP.

Threat Score

uint8

A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.

IOC Number

uint16

ID number of the compromise associated with this event.

Security Context

uint8[16]

ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.

SSL Certificate Fingerprint

uint8[20]

SHA1 hash of the SSL Server certificate.

SSL Actual Action

uint16

The action performed on the connection based on the SSL rule. This may differ from the action the rule specifies, because that action may not have been possible; the SSL Flow Status field gives the reason. Possible values include:

  • 0 — 'Unknown'
  • 1 — 'Do Not Decrypt'
  • 2 — 'Block'
  • 3 — 'Block With Reset'
  • 4 — 'Decrypt (Known Key)'
  • 5 — 'Decrypt (Replace Key)'
  • 6 — 'Decrypt (Resign)'

SSL Flow Status

uint16

Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include:

  • 0 — 'Unknown'
  • 1 — 'No Match'
  • 2 — 'Success'
  • 3 — 'Uncached Session'
  • 4 — 'Unknown Cipher Suite'
  • 5 — 'Unsupported Cipher Suite'
  • 6 — 'Unsupported SSL Version'
  • 7 — 'SSL Compression Used'
  • 8 — 'Session Undecryptable in Passive Mode'
  • 9 — 'Handshake Error'
  • 10 — 'Decryption Error'
  • 11 — 'Pending Server Name Category Lookup'
  • 12 — 'Pending Common Name Category Lookup'
  • 13 — 'Internal Error'
  • 14 — 'Network Parameters Unavailable'
  • 15 — 'Invalid Server Certificate Handle'
  • 16 — 'Server Certificate Fingerprint Unavailable'
  • 17 — 'Cannot Cache Subject DN'
  • 18 — 'Cannot Cache Issuer DN'
  • 19 — 'Unknown SSL Version'
  • 20 — 'External Certificate List Unavailable'
  • 21 — 'External Certificate Fingerprint Unavailable'
  • 22 — 'Internal Certificate List Invalid'
  • 23 — 'Internal Certificate List Unavailable'
  • 24 — 'Internal Certificate Unavailable'
  • 25 — 'Internal Certificate Fingerprint Unavailable'
  • 26 — 'Server Certificate Validation Unavailable'
  • 27 — 'Server Certificate Validation Failure'
  • 28 — 'Invalid Action'

String Block Type

uint32

Initiates a String data block containing the Archive SHA. This value is always 0.

String Block Length

uint32

The number of bytes included in the Archive SHA String data block, including eight bytes for the block type and header fields plus the number of bytes in the Archive SHA field.

Archive SHA

string

SHA1 hash of the parent archive in which the file is contained.

String Block Type

uint32

Initiates a String data block containing the Archive Name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Archive Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Archive Name field.

Archive Name

string

Name of the parent archive.

Archive Depth

uint8

Number of layers in which the file is nested. For example, if a text file is in a zip archive, this has a value of 1.

Malware Event Data Block 6.x

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 62 in the series 2 group of blocks. It supersedes block 47. A field for HTTP response has been added. It is superseded by block 80.

You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 7 and an event code of 101.

The following graphic shows the structure of the malware event data block.

 

The fields of the malware event data block, in wire order (the bit-level diagram does not survive extraction; each String field is a nested String data block consisting of String Block Type (0), String Block Length and the string bytes):

  • Malware Event Block Type (62)
  • Malware Event Block Length
  • Agent UUID
  • Cloud UUID
  • Malware Event Timestamp
  • Event Type ID
  • Event Subtype ID
  • Detector ID
  • Detection Name (String data block)
  • User (String data block)
  • File Name (String data block)
  • File Path (String data block)
  • File SHA Hash (String data block)
  • File Size
  • File Type
  • File Timestamp
  • Parent File Name (String data block)
  • Parent File SHA Hash (String data block)
  • Event Description (String data block)
  • Device ID
  • Connection Instance
  • Connection Counter
  • Connection Event Timestamp
  • Direction
  • Source IP Address
  • Destination IP Address
  • Application ID
  • User ID
  • Access Control Policy UUID
  • Disposition
  • Retrospective Disposition
  • URI (String data block)
  • Source Port
  • Destination Port
  • Source Country
  • Destination Country
  • Web Application ID
  • Client Application ID
  • Action
  • Protocol
  • Threat Score
  • IOC Number
  • Security Context
  • SSL Certificate Fingerprint
  • SSL Actual Action
  • SSL Flow Status
  • Archive SHA (String data block)
  • Archive Name (String data block)
  • Archive Depth
  • HTTP Response

 

The following table describes the fields in the malware event data block.

 

Table B-19 Malware Event Data Block for 6.x Fields

Field
Data Type
Description

Malware Event Block Type

uint32

Initiates a malware event data block. This value is always 62.

Malware Event Block Length

uint32

Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.

Agent UUID

uint8[16]

The internal unique ID of the AMP for Endpoints agent reporting the malware event.

Cloud UUID

uint8[16]

The internal unique ID of the AMP cloud from which the malware event originated.

Malware Event Timestamp

uint32

The malware event generation timestamp.

Event Type ID

uint32

The internal ID of the malware event type.

Event Subtype ID

uint32

The internal ID of the action that led to malware detection.

Detector ID

uint8

The internal ID of the detection technology that detected the malware.

String Block Type

uint32

Initiates a String data block containing the detection name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.

Detection Name

string

The name of the detected or quarantined malware.

String Block Type

uint32

Initiates a String data block containing the username. This value is always 0.

String Block Length

uint32

The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.

User

string

The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.

String Block Type

uint32

Initiates a String data block containing the file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.

File Name

string

The name of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file path. This value is always 0.

String Block Length

uint32

The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.

File Path

string

The file path, not including the file name, of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.

File SHA Hash

string

The rendered string of the SHA-256 hash value of the detected or quarantined file.

File Size

uint32

The size in bytes of the detected or quarantined file.

File Type

uint32

The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information.

File Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.

String Block Type

uint32

Initiates a String data block containing the parent file name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.

Parent File Name

string

The name of the file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the parent file SHA hash. This value is always 0.

String Block Length

uint32

The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.

Parent File SHA Hash

string

The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.

String Block Type

uint32

Initiates a String data block containing the event description. This value is always 0.

String Block Length

uint32

The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.

Event Description

string

The additional event information associated with the event type.

Device ID

uint32

ID for the device that generated the event.

Connection Instance

uint16

Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Connection Event Timestamp

uint32

Timestamp of the connection event.

Direction

uint8

Indicates whether the file was uploaded or downloaded. Can have the following values:

  • 1 — Download
  • 2 — Upload

Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).

Source IP Address

uint8[16]

IPv4 or IPv6 address for the source of the connection.

Destination IP Address

uint8[16]

IPv4 or IPv6 address for the destination of the connection.

Application ID

uint32

ID number that maps to the application using the file transfer.

User ID

uint32

Identification number for the user logged into the destination host, as identified by the system.

Access Control Policy UUID

uint8[16]

Identification number that acts as a unique identifier for the access control policy that triggered the event.

Disposition

uint8

The malware status of the file. Possible values include:

  • 1 — CLEAN The file is clean and does not contain malware.
  • 2 — UNKNOWN It is unknown whether the file contains malware.
  • 3 — MALWARE The file contains malware.
  • 4 — UNAVAILABLE The software was unable to send a request to the AMP cloud for a disposition, or the AMP cloud services did not respond to the request.
  • 5 — CUSTOM SIGNATURE The file matches a user-defined hash, and is treated in a fashion designated by the user.

Retrospective Disposition

uint8

Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.

String Block Type

uint32

Initiates a String data block containing the URI. This value is always 0.

String Block Length

uint32

The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.

URI

string

URI of the connection.

Source Port

uint16

Port number for the source of the connection.

Destination Port

uint16

Port number for the destination of the connection.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

Web Application ID

uint32

The internal identification number of the detected web application, if applicable.

Client Application ID

uint32

The internal identification number of the detected client application, if applicable.

Action

uint8

The action taken on the file based on the file type. Can have the following values:

  • 1 — Detect
  • 2 — Block
  • 3 — Malware Cloud Lookup
  • 4 — Malware Block
  • 5 — Malware Allow List
  • 6 — Cloud Lookup Timeout
  • 7 — Custom Detection
  • 8 — Custom Detection Block
  • 9 — Archive Block (Depth Exceeded)
  • 10 — Archive Block (Encrypted)
  • 11 — Archive Block (Failed to Inspect)

Protocol

uint8

IANA protocol number specified by the user. For example:

  • 1 — ICMP
  • 4 — IP
  • 6 — TCP
  • 17 — UDP

This is currently only TCP.

Threat Score

uint8

A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.

IOC Number

uint16

ID number of the compromise associated with this event.

Security Context

uint8[16]

ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.

SSL Certificate Fingerprint

uint8[20]

SHA1 hash of the SSL Server certificate.

SSL Actual Action

uint16

The action performed on the connection based on the SSL rule. This may differ from the expected action, because the action specified in the rule may not be possible for that connection. Possible values include:

  • 0 — 'Unknown'
  • 1 — 'Do Not Decrypt'
  • 2 — 'Block'
  • 3 — 'Block With Reset'
  • 4 — 'Decrypt (Known Key)'
  • 5 — 'Decrypt (Replace Key)'
  • 6 — 'Decrypt (Resign)'

SSL Flow Status

uint16

Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include:

  • 0 — 'Unknown'
  • 1 — 'No Match'
  • 2 — 'Success'
  • 3 — 'Uncached Session'
  • 4 — 'Unknown Cipher Suite'
  • 5 — 'Unsupported Cipher Suite'
  • 6 — 'Unsupported SSL Version'
  • 7 — 'SSL Compression Used'
  • 8 — 'Session Undecryptable in Passive Mode'
  • 9 — 'Handshake Error'
  • 10 — 'Decryption Error'
  • 11 — 'Pending Server Name Category Lookup'
  • 12 — 'Pending Common Name Category Lookup'
  • 13 — 'Internal Error'
  • 14 — 'Network Parameters Unavailable'
  • 15 — 'Invalid Server Certificate Handle'
  • 16 — 'Server Certificate Fingerprint Unavailable'
  • 17 — 'Cannot Cache Subject DN'
  • 18 — 'Cannot Cache Issuer DN'
  • 19 — 'Unknown SSL Version'
  • 20 — 'External Certificate List Unavailable'
  • 21 — 'External Certificate Fingerprint Unavailable'
  • 22 — 'Internal Certificate List Invalid'
  • 23 — 'Internal Certificate List Unavailable'
  • 24 — 'Internal Certificate Unavailable'
  • 25 — 'Internal Certificate Fingerprint Unavailable'
  • 26 — 'Server Certificate Validation Unavailable'
  • 27 — 'Server Certificate Validation Failure'
  • 28 — 'Invalid Action'

String Block Type

uint32

Initiates a String data block containing the Archive SHA. This value is always 0.

String Block Length

uint32

The number of bytes included in the Archive SHA String data block, including eight bytes for the block type and header fields plus the number of bytes in the Archive SHA field.

Archive SHA

string

SHA1 hash of the parent archive in which the file is contained.

String Block Type

uint32

Initiates a String data block containing the Archive Name. This value is always 0.

String Block Length

uint32

The number of bytes included in the Archive Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Archive Name field.

Archive Name

string

Name of the parent archive.

Archive Depth

uint8

Number of layers in which the file is nested. For example, if a text file is in a zip archive, this has a value of 1.

HTTP Response

uint32

Response code of the HTTP Request.
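The following is an added example, not Cisco's code: a schema-driven decoder for block 62 that follows the field order of Table B-19 and refuses any block type or length that disagrees with the bytes actually present, rather than letting a sender-supplied length drive the read. It assumes network (big-endian) byte order and that String data blocks carry raw UTF-8 with no terminator; every sample value is constructed.

```python
"""Schema-driven parser for the eStreamer Malware Event Data Block 6.x (type 62).

Added example, not Cisco's code. Assumes network byte order and that String
data blocks carry undelimited UTF-8; all sample values are made up.
"""
import struct
from typing import Any, Dict, List, Tuple

MALWARE_EVENT_BLOCK_TYPE = 62
STRING_BLOCK_TYPE = 0

# Field order and types follow Table B-19. "str" marks a nested String data
# block: uint32 type (0), uint32 length (counting its own 8 header bytes), bytes.
FIELDS: List[Tuple[str, str]] = [
    ("agent_uuid", "16s"), ("cloud_uuid", "16s"), ("event_timestamp", "I"),
    ("event_type_id", "I"), ("event_subtype_id", "I"), ("detector_id", "B"),
    ("detection_name", "str"), ("user", "str"), ("file_name", "str"),
    ("file_path", "str"), ("file_sha", "str"), ("file_size", "I"),
    ("file_type", "I"), ("file_timestamp", "I"), ("parent_file_name", "str"),
    ("parent_file_sha", "str"), ("event_description", "str"), ("device_id", "I"),
    ("connection_instance", "H"), ("connection_counter", "H"),
    ("connection_event_timestamp", "I"), ("direction", "B"), ("source_ip", "16s"),
    ("destination_ip", "16s"), ("application_id", "I"), ("user_id", "I"),
    ("access_control_policy_uuid", "16s"), ("disposition", "B"),
    ("retrospective_disposition", "B"), ("uri", "str"), ("source_port", "H"),
    ("destination_port", "H"), ("source_country", "H"), ("destination_country", "H"),
    ("web_application_id", "I"), ("client_application_id", "I"), ("action", "B"),
    ("protocol", "B"), ("threat_score", "B"), ("ioc_number", "H"),
    ("security_context", "16s"), ("ssl_certificate_fingerprint", "20s"),
    ("ssl_actual_action", "H"), ("ssl_flow_status", "H"), ("archive_sha", "str"),
    ("archive_name", "str"), ("archive_depth", "B"), ("http_response", "I"),
]


class MalformedBlock(ValueError):
    """A type or length field disagrees with the bytes actually present."""


def parse_string_block(buf: bytes, off: int) -> Tuple[str, int]:
    """Parse one String data block at buf[off:]; return (text, offset after it)."""
    if off + 8 > len(buf):
        raise MalformedBlock("string block header runs past end of data")
    btype, blen = struct.unpack_from("!II", buf, off)
    if btype != STRING_BLOCK_TYPE:
        raise MalformedBlock(f"expected string block type 0, got {btype}")
    # The length includes the 8 header bytes, so anything under 8 is bogus, and a
    # length reaching past the enclosing block is rejected instead of trusted.
    if blen < 8 or off + blen > len(buf):
        raise MalformedBlock(f"string block length {blen} exceeds available data")
    return buf[off + 8:off + blen].decode("utf-8", errors="replace"), off + blen


def parse_malware_event(buf: bytes) -> Dict[str, Any]:
    """Decode one block 62 into a dict keyed by the names in FIELDS."""
    if len(buf) < 8:
        raise MalformedBlock("block too short for a type/length header")
    btype, blen = struct.unpack_from("!II", buf, 0)
    if btype != MALWARE_EVENT_BLOCK_TYPE:
        raise MalformedBlock(f"expected block type 62, got {btype}")
    if blen < 8 or blen > len(buf):
        raise MalformedBlock(f"block length {blen} exceeds available data {len(buf)}")
    body, off, out = buf[:blen], 8, {}
    for name, fmt in FIELDS:
        if fmt == "str":
            out[name], off = parse_string_block(body, off)
            continue
        size = struct.calcsize("!" + fmt)
        if off + size > len(body):
            raise MalformedBlock(f"field {name} runs past the declared block length")
        (out[name],) = struct.unpack_from("!" + fmt, body, off)
        off += size
    if off != blen:  # trailing bytes mean the schema and the sender disagree
        raise MalformedBlock(f"declared length {blen} but fields consumed {off} bytes")
    return out


def build_malware_event(values: Dict[str, Any]) -> bytes:
    """Encoder used only to construct test input; inverse of parse_malware_event."""
    body = b""
    for name, fmt in FIELDS:
        if fmt == "str":
            raw = values[name].encode("utf-8")
            body += struct.pack("!II", STRING_BLOCK_TYPE, 8 + len(raw)) + raw
        else:
            body += struct.pack("!" + fmt, values[name])
    return struct.pack("!II", MALWARE_EVENT_BLOCK_TYPE, 8 + len(body)) + body


def sample_values() -> Dict[str, Any]:
    """Constructed sample: a blocked malware download (every value is made up)."""
    v: Dict[str, Any] = {}
    for name, fmt in FIELDS:
        v[name] = "" if fmt == "str" else bytes(int(fmt[:-1])) if fmt.endswith("s") else 0
    v.update(file_name="invoice.pdf.exe", file_path="C:\\Users\\demo\\Downloads",
             file_sha="0" * 64, file_size=73216, direction=1, disposition=3,
             retrospective_disposition=3, action=4, protocol=6, threat_score=87,
             ssl_actual_action=1, ssl_flow_status=1, archive_depth=0,
             source_port=443, destination_port=51234, http_response=200)
    return v


if __name__ == "__main__":
    event = parse_malware_event(build_malware_event(sample_values()))
    print(event["file_name"], "disposition", event["disposition"], "action", event["action"])
```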

Legacy Discovery Data Structures

Legacy Discovery Event Header

Discovery Event Header 5.0 - 5.1.1.x

Discovery and connection event messages contain a discovery event header. It conveys the type and subtype of the event, the time the event occurred, the device on which the event occurred, and the structure of the event data in the message. This header is followed by the actual host discovery, user, or connection event data. The structures associated with the different event type/subtype values are described in Host Discovery Structures by Event Type.

The event type and event subtype fields of the discovery event header identify the structure of the transmitted event message. Once the structure of the event data block is determined, your program can parse the message appropriately.

The message layout is listed below in wire order; the fields after the standard message header make up the discovery event header.

Message header:

  • Header Version (1)
  • Message Type (4)
  • Message Length
  • Netmap ID
  • Record Type
  • Record Length
  • eStreamer Server Timestamp (in events, only if bit 23 is set)
  • Reserved for Future Use (in events, only if bit 23 is set)

Discovery event header:

  • Device ID
  • IP Address
  • MAC Address
  • Reserved for future use
  • Event Second
  • Event Microsecond
  • Reserved (Internal)
  • Event Type
  • Event Subtype
  • File Number (Internal Use Only)
  • File Position (Internal Use Only)

The following table describes the discovery event header.

 

Table B-20 Discovery Event Header Fields

Field
Data Type
Description

Device ID

uint32

ID number of the device that generated the discovery event. You can obtain the metadata for the device by requesting Version 3 and 4 metadata. See Managed Device Record Metadata for more information.

IP Address

uint32

IP address of the host involved in the event.

MAC Address

uint8[6]

MAC address of the host involved in the event.

Reserved for future use

byte[2]

Two bytes of padding with values set to 0.

Event Second

uint32

UNIX timestamp (seconds since 01/01/1970) that the system generated the event.

Event Microsecond

uint32

Microsecond (one millionth of a second) increment that the system generated the event.

Reserved (Internal)

byte

Internal data from Cisco and can be disregarded.

Event Type

uint32

Event type (1000 for new events, 1001 for change events, 1002 for user input events, 1050 for full host profile). See Host Discovery Structures by Event Type for a list of available event types.

Event Subtype

uint32

Event subtype. See Host Discovery Structures by Event Type for a list of available event subtypes.

File Number

byte[4]

Serial file number. This field is for Cisco internal use and can be disregarded.

File Position

byte[4]

Event’s position in the serial file. This field is for Cisco internal use and can be disregarded.

Legacy Server Data Blocks

Attribute Address Data Block for 5.0 - 5.1.1.x

The Attribute Address data block contains an attribute list item and is used within an Attribute Definition data block. It has a block type of 38.

The following diagram shows the basic structure of an Attribute Address data block:

 

The fields of the Attribute Address data block, in wire order:

  • Attribute Address Block Type (38)
  • Attribute Address Block Length
  • Attribute ID
  • IP Address
  • Bits

The following table describes the fields of the Attribute Address data block.

 

Table B-21 Attribute Address Data Block Fields

Field
Data Type
Description

Attribute Address Block Type

uint32

Initiates an Attribute Address data block. This value is always 38.

Attribute Address Block Length

uint32

Number of bytes in the Attribute Address data block, including eight bytes for the attribute address block type and length, plus the number of bytes in the attribute address data that follows.

Attribute ID

uint32

Identification number of the affected attribute, if applicable.

IP Address

uint8[4]

IP address of the host, if the address was automatically assigned, in IP address octets.

Bits

uint32

Contains the significant bits used to calculate the netmask if an IP address was automatically assigned.

Legacy Client Application Data Blocks

User Client Application Data Block for 5.0 - 5.1

The User Client Application data block contains information about the source of the client application data, the identification number for the user who added the data, and the lists of IP address range data blocks. The User Client Application data block has a block type of 59.

The following diagram shows the basic structure of a User Client Application data block:

 

The fields of the User Client Application data block, in wire order:

  • User Client Application Block Type (59)
  • User Client Application Block Length
  • IP Address Ranges: Generic List Block Type (31), Generic List Block Length, IP Range Specification Data Blocks*
  • Application Protocol ID
  • Client Application ID
  • Version: String Block Type (0), String Block Length, Version...

The following table describes the fields of the User Client Application data block.

 

Table B-22 User Client Application Data Block Fields

Field
Data Type
Description

User Client Application Block Type

uint32

Initiates a User Client Application data block. This value is always 59.

User Client Application Block Length

uint32

Total number of bytes in the User Client Application data block, including eight bytes for the user client application block type and length fields, plus the number of bytes of user client application data that follows.

Generic List Block Type

uint32

Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always 31.

Generic List Block Length

uint32

Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks.

IP Range Specification Data Blocks *

variable

IP Range Specification data blocks containing information about the IP address ranges for the user input. See User Server Data Block Fields for a description of this data block.

Application Protocol ID

uint32

The internal identification number for the application protocol, if applicable.

Client Application ID

uint32

The internal identification number of the detected client application, if applicable.

String Block Type

uint32

Initiates a String data block that contains the client application version. This value is always 0.

String Block Length

uint32

Number of bytes in the client application version String data block, including the string block type and length fields, plus the number of bytes in the version.

Version

string

Client application version.

Legacy Scan Result Data Blocks

Scan Result Data Block 5.0 - 5.1.1.x

The Scan Result data block describes a vulnerability and is used within Add Scan Result events (event type 1002, subtype 11). The Scan Result data block has a block type of 102.

The following diagram shows the format of a Scan Result data block:

 

The fields of the Scan Result data block, in wire order:

  • Scan Result Block Type (102)
  • Scan Result Block Length
  • User ID
  • Scan Type
  • IP Address
  • Port
  • Protocol
  • Flag
  • Scan Vulnerability List: List Block Type (11), List Block Length, followed by zero or more Scan Vulnerability data blocks, each consisting of Scan Vulnerability Block Type (109), Scan Vulnerability Block Length, Vulnerability Data...
  • Generic Scan Results List: List Block Type (11), List Block Length, followed by zero or more Generic Scan Results data blocks, each consisting of Generic Scan Results Block Type (108), Generic Scan Results Block Length, Generic Scan Results...
  • User Product List: Generic List Block Type (31), Generic List Block Length, User Product Data Blocks*

 

The following table describes the fields of the Scan Result data block.

 

Table B-23 Scan Result Data Block Fields

Field
Data Type
Description

Scan Result Block Type

uint32

Initiates a Scan Result data block. This value is always 102.

Scan Result Block Length

uint32

Number of bytes in the Scan Result data block, including eight bytes for the scan result block type and length fields, plus the number of bytes of scan result data that follows.

User ID

uint32

Contains the user identification number for the user who imported the scan result or ran the scan that produced the scan result.

Scan Type

uint32

Indicates how the results were added to the system.

IP Address

uint32

IP address of the host affected by the vulnerabilities in the result, in IP address octets.

Port

uint16

Port used by the sub-server affected by the vulnerabilities in the results.

Protocol

uint16

IANA protocol number. For example:

  • 1 — ICMP
  • 4 — IP
  • 6 — TCP
  • 17 — UDP

Flag

uint16

Reserved

List Block Type

uint32

Initiates a List data block comprising Scan Vulnerability data blocks conveying transport Scan Vulnerability data. This value is always 11.

List Block Length

uint32

Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Scan Vulnerability data blocks.

This field is followed by zero or more Scan Vulnerability data blocks.

Scan Vulnerability Block Type

uint32

Initiates a Scan Vulnerability data block describing a vulnerability detected during a scan. This value is always 109.

Scan Vulnerability Block Length

uint32

Number of bytes in the Scan Vulnerability data block, including eight bytes for the scan vulnerability block type and length fields, plus the number of bytes in the scan vulnerability data that follows.

Vulnerability Data

string

Information relating to each vulnerability.

List Block Type

uint32

Initiates a List data block comprising Generic Scan Results data blocks conveying server and operating system data detected during the scan. This value is always 11.

List Block Length

uint32

Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Generic Scan Results data blocks.

This field is followed by zero or more Generic Scan Results data blocks.

Generic Scan Results Block Type

uint32

Initiates a Generic Scan Results data block describing server and operating system data detected during a scan. This value is always 108.

Generic Scan Results Block Length

uint32

Number of bytes in the Generic Scan Results data block, including eight bytes for the generic scan results block type and length fields, plus the number of bytes in the scan result data that follows.

Generic Scan Results Data

string

Information relating to each scan result.

Generic List Block Type

uint32

Initiates a Generic List data block comprising User Product data blocks conveying host input data from a third party application. This value is always 31.

Generic List Block Length

uint32

Number of bytes in the Generic List data block, including the list header and all encapsulated User Product data blocks.

User Product Data Blocks *

variable

User Product data blocks containing host input data. See User Product Data Block 5.1+ for a description of this data block.
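The following is an added example, not Cisco's code, showing how a client walks the three nested list blocks of a Scan Result block (type 102): each list length counts its own 8-byte header, items are iterated until exactly the list length is consumed, and every item is bounded by the list it sits in rather than by the whole buffer. It assumes network byte order and keeps the Scan Vulnerability, Generic Scan Results and User Product payloads as opaque bytes because their inner layout is described elsewhere; the sample block is constructed.

```python
"""Walks the nested List data blocks inside an eStreamer Scan Result block (102).

Added example, not Cisco's code. Assumes network byte order; item payloads are
returned as opaque bytes. All sample values are made up.
"""
import struct
from typing import Any, Dict, List, Optional, Tuple

SCAN_RESULT_BLOCK = 102
LIST_BLOCK = 11
GENERIC_LIST_BLOCK = 31
SCAN_VULNERABILITY_BLOCK = 109
GENERIC_SCAN_RESULTS_BLOCK = 108
FIXED_FIELDS = "!IIIHHH"  # User ID, Scan Type, IP Address, Port, Protocol, Flag


class MalformedBlock(ValueError):
    """A type or length field disagrees with the bytes actually present."""


def read_header(buf: bytes, off: int, expected: Optional[int]) -> Tuple[int, int]:
    """Read a (type, length) header at off; return (length, payload offset).

    Every eStreamer length counts its own 8 header bytes, so a length below 8 or
    one reaching past buf is malformed and must not drive further reads.
    """
    if off + 8 > len(buf):
        raise MalformedBlock(f"block header at offset {off} runs past end of data")
    btype, blen = struct.unpack_from("!II", buf, off)
    if expected is not None and btype != expected:
        raise MalformedBlock(f"expected block type {expected}, got {btype}")
    if blen < 8 or off + blen > len(buf):
        raise MalformedBlock(f"block length {blen} at offset {off} exceeds data")
    return blen, off + 8


def read_list(buf: bytes, off: int, list_type: int,
              item_type: Optional[int]) -> Tuple[List[bytes], int]:
    """Return the payloads of the zero or more item blocks in one list block."""
    list_len, cur = read_header(buf, off, list_type)
    end = off + list_len
    items: List[bytes] = []
    while cur < end:
        # Bound each item by the list it sits in, not by the whole buffer.
        item_len, payload = read_header(buf[:end], cur, item_type)
        items.append(buf[payload:cur + item_len])
        cur += item_len  # item_len >= 8 guarantees forward progress
    return items, end


def parse_scan_result(buf: bytes) -> Dict[str, Any]:
    """Decode the fixed fields and the three nested lists of a Scan Result block."""
    blen, off = read_header(buf, 0, SCAN_RESULT_BLOCK)
    body = buf[:blen]
    if off + struct.calcsize(FIXED_FIELDS) > len(body):
        raise MalformedBlock("fixed fields run past the declared block length")
    user_id, scan_type, ip, port, proto, flag = struct.unpack_from(FIXED_FIELDS, body, off)
    off += struct.calcsize(FIXED_FIELDS)
    vulns, off = read_list(body, off, LIST_BLOCK, SCAN_VULNERABILITY_BLOCK)
    results, off = read_list(body, off, LIST_BLOCK, GENERIC_SCAN_RESULTS_BLOCK)
    # The User Product block type depends on version (65 or 118 on this page),
    # so the item type is not checked for this list.
    products, off = read_list(body, off, GENERIC_LIST_BLOCK, None)
    if off != blen:
        raise MalformedBlock(f"declared length {blen} but parsed {off} bytes")
    return {"user_id": user_id, "scan_type": scan_type, "ip": ip, "port": port,
            "protocol": proto, "flag": flag, "vulnerabilities": vulns,
            "generic_results": results, "user_products": products}


def _block(btype: int, payload: bytes) -> bytes:
    """Wrap a payload in a type/length header (length counts the header)."""
    return struct.pack("!II", btype, 8 + len(payload)) + payload


def build_sample_scan_result() -> bytes:
    """Constructed Scan Result: host 192.0.2.1 port 22/tcp, two vulnerability
    items, one generic result and an empty user product list (values made up)."""
    fixed = struct.pack(FIXED_FIELDS, 1, 2, 0xC0000201, 22, 6, 0)
    vulns = _block(LIST_BLOCK, _block(SCAN_VULNERABILITY_BLOCK, b"vuln-a")
                   + _block(SCAN_VULNERABILITY_BLOCK, b"vuln-b"))
    results = _block(LIST_BLOCK, _block(GENERIC_SCAN_RESULTS_BLOCK, b"ssh OpenSSH"))
    products = _block(GENERIC_LIST_BLOCK, b"")
    return _block(SCAN_RESULT_BLOCK, fixed + vulns + results + products)


if __name__ == "__main__":
    print(parse_scan_result(build_sample_scan_result()))
```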

 

User Product Data Block for 5.0.x

The User Product data block conveys host input data imported from a third party application, including third party application string mappings. This data block is used in Connection Statistics Data Block 6.0.x and User Server and Operating System Messages. The User Product data block has a block type of 65 for 4.10.x, and a block type of 118 for 5.0 - 5.0.x. The block types have the same structure.

Note: An asterisk (*) next to a data block name in the following diagram indicates that multiple instances of the data block may occur.


The following diagram shows the format of the User Product data block:

 

The fields of the User Product data block, in wire order (each String field is a nested String data block consisting of String Block Type (0), String Block Length and the string bytes):

  • User Product Data Block Type (65 | 118)
  • User Product Block Length
  • Source ID
  • Source Type
  • IP Address Ranges: Generic List Block Type (31), Generic List Block Length, IP Range Specification Data Blocks*
  • Port
  • Protocol
  • Drop User Product
  • Custom Vendor String (String data block)
  • Custom Product String (String data block)
  • Custom Version String (String data block)
  • Software ID
  • Server ID
  • Vendor ID
  • Product ID
  • Major Version String (String data block)
  • Minor Version String (String data block)
  • Revision String (String data block)
  • To Major Version String (String data block)
  • To Minor Version String (String data block)
  • To Revision String (String data block)
  • Build String (String data block)
  • Patch String (String data block)
  • Extension String (String data block)
  • OS UUID: Operating System UUID
  • List of Fixes: Generic List Block Type (31), Generic List Block Length, Fix List Data Blocks*

The following table describes the components of the User Product data block.

 

Table B-24 User Product Data Block Fields for 4.10.x, 5.0-5.0.x

Field
Data Type
Description

User Product Data Block Type

uint32

Initiates a User Product data block. This value is 65 for version 4.10.x and 118 for version 5.0 - 5.0.x.

User Product Block Length

uint32

Total number of bytes in the User Product data block, including eight bytes for the user product block type and length fields, plus the number of bytes in the user product data that follows.

Source ID

uint32

Identification number of the source that imported the data.

Source Type

uint32

The source type of the source that supplied the data.

Generic List Block Type

uint32

Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always 31.

Generic List Block Length

uint32

Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks.

IP Range Specification Data Blocks *

variable

IP Range Specification data blocks containing information about the IP address ranges for the user input. See IP Address Range Data Block for 5.2+ for a description of this data block.

Port

uint16

Port specified by the user.

Protocol

uint16

IANA protocol number specified by the user. For example:

  • 1 — ICMP
  • 4 — IP
  • 6 — TCP
  • 17 — UDP

Drop User Product

uint32

Indicates whether the user OS definition was deleted from the host:

  • 0 — No
  • 1 — Yes

String Block Type

uint32

Initiates a String data block containing the custom vendor name specified in the user input. This value is always 0.

String Block Length

uint32

Number of bytes in the custom vendor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the vendor name.

Custom Vendor Name

string

The custom vendor name specified in the user input.

String Block Type

uint32

Initiates a String data block containing the custom product name specified in the user input. This value is always 0.

String Block Length

uint32

Number of bytes in the custom product String data block, including eight bytes for the block type and length fields, plus the number of bytes in the product name.

Custom Product Name

string

The custom product name specified in the user input.

String Block Type

uint32

Initiates a String data block containing the custom version specified in the user input. This value is always 0.

String Block Length

uint32

Number of bytes in the custom version String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.

Custom Version

string

The custom version specified in the user input.

Software ID

uint32

The identifier for a specific revision of a server or operating system in the Cisco database.

Server ID

uint32

The Cisco application identifier for the application protocol on the host server specified in user input.

Vendor ID

uint32

The identifier for the vendor of a third party operating system specified when the third party operating system is mapped to a Cisco 3D operating system definition.

Product ID

uint32

The product identifier of a third party operating system string, specified when the third party operating system string is mapped to a Cisco 3D operating system definition.

String Block Type

uint32

Initiates a String data block containing the major version number of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to. This value is always 0.

String Block Length

uint32

Number of bytes in the major String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.

Major Version

string

Major version of the Cisco 3D operating system definition that a third party operating system string is mapped to.

String Block Type

uint32

Initiates a String data block containing the minor version number of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always 0.

String Block Length

uint32

Number of bytes in the minor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.

Minor Version

string

Minor version number of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to.

String Block Type

uint32

Initiates a String data block containing the revision number of the Cisco operating system definition that a third party operating system string in the user input is mapped to. This value is always 0.

String Block Length

uint32

Number of bytes in the revision String data block, including eight bytes for the block type and length fields, plus the number of bytes in the revision number.

Revision

string

Revision number of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to.

String Block Type

uint32

Initiates a String data block containing the last major version of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always 0.

String Block Length

uint32

Number of bytes in the To Major String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.

To Major

string

Last version number in a range of major version numbers of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to.

String Block Type

uint32

Initiates a String data block containing the last minor version of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always 0.

String Block Length

uint32

Number of bytes in the To Minor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.

To Minor

string

Last version number in a range of minor version numbers of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to.

String Block Type

uint32

Initiates a String data block containing the Last revision number of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always 0.

String Block Length

uint32

Number of bytes in the To Revision String data block, including eight bytes for the block type and length fields, plus the number of bytes in the revision number.

To Revision

string

Last revision number in a range of revision numbers of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to.

String Block Type

uint32

Initiates a String data block containing the build number of the Cisco 3D operating system that the third party operating system string is mapped to. This value is always 0.

String Block Length

uint32

Number of bytes in the build String data block, including eight bytes for the block type and length fields, plus the number of bytes in the build number.

Build

string

Build number of the Cisco 3D operating system that the third party operating system string in the user input is mapped to.

String Block Type

uint32

Initiates a String data block containing the patch number of the Cisco 3D operating system that the third party operating system string is mapped to. This value is always 0.

String Block Length

uint32

Number of bytes in the patch String data block, including eight bytes for the block type and length fields, plus the number of bytes in the patch number.

Patch

string

Patch number of the Cisco 3D operating system that the third party operating system string in the user input is mapped to.

String Block Type

uint32

Initiates a String data block containing the extension number of the Cisco 3D operating system that the third party operating system string is mapped to. This value is always 0.

String Block Length

uint32

Number of bytes in the extension String data block, including eight bytes for the block type and length fields, plus the number of bytes in the extension number.

Extension

string

Extension number of the Cisco 3D operating system that the third party operating system string in the user input is mapped to.

UUID

uint8 [x16]

Contains the unique identification number for the operating system.

Generic List Block Type

uint32

Initiates a Generic List data block comprising Fix List data blocks conveying user input data regarding what fixes have been applied to hosts in the specified IP address ranges. This value is always 31.

Generic List Block Length

uint32

Number of bytes in the Generic List data block, including the list header and all encapsulated Fix List data blocks.

Fix List Data Blocks *

variable

Fix List data blocks containing information about fixes applied to the hosts. See Fix List Data Block for a description of this data block.

Legacy User Login Data Blocks

See the following sections for more information:

User Login Information Data Block for 5.0 - 5.0.2

The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Information Update Message Block.

The User Login Information data block has a block type of 121 for version 5.0 - 5.0.2.

The graphic below shows the format of the User Login Information data block:

[Figure: User Login Information data block layout, version 5.0 - 5.0.2. Rows of 32-bit words (bytes 0-3, bits 0-31), in order: User Login Information Block Type (121); User Login Information Block Length; Timestamp; IP Address; User Name String block (String Block Type (0), String Block Length, User Name...); User ID; Application ID; Email String block (String Block Type (0), String Block Length, Email...).]

The following table describes the components of the User Login Information data block.

 

Table B-25 User Login Information Data Block Fields 5.0 - 5.0.2

Field
Data Type
Description

User Login Information Block Type

uint32

Initiates a User Login Information data block. This value is 121 for version 5.0 - 5.0.2.

User Login Information Block Length

uint32

Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows.

Timestamp

uint32

Timestamp of the event.

IP Address

uint8[4]

IP address from the host where the user was detected logging in, in IP address octets.

String Block Type

uint32

Initiates a String data block containing the username for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username.

Username

string

The user name for the user.

User ID

uint32

Identification number of the user.

Application ID

uint32

The application ID for the application protocol used in the connection that the login information was derived from.

String Block Type

uint32

Initiates a String data block containing the email address for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address.

Email

string

The email address for the user.

User Login Information Data Block 5.1-5.4.x

The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Account Update Message Data Block.

The User Login Information data block has a block type of 73 for version 4.7 - 4.10.x, a block type of 121 in the series 1 group of blocks for version 5.0 - 5.0.2, and a block type of 127 in the series 1 group of blocks for version 5.1-5.4.x.

The graphic below shows the format of the User Login Information data block:

[Figure: User Login Information data block layout, version 5.1-5.4.x. Rows of 32-bit words (bytes 0-3, bits 0-31), in order: User Login Information Block Type (127); User Login Information Block Length; Timestamp; IPv4 Address; User Name String block (String Block Type (0), String Block Length, User Name...); User ID; Application ID; Email String block (String Block Type (0), String Block Length, Email...); IPv6 Address (four words); Login Type (one byte); Reported By String block (String Block Type (0), String Block Length, Reported By...), starting in the same word as Login Type.]

The following table describes the components of the User Login Information data block.

 

Table B-26 User Login Information Data Block Fields

Field
Data Type
Description

User Login Information Block Type

uint32

Initiates a User Login Information data block. This value is 127 for version 5.1+.

User Login Information Block Length

uint32

Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows.

Timestamp

uint32

Timestamp of the event.

IPv4 Address

uint32

This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information.

String Block Type

uint32

Initiates a String data block containing the username for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username.

Username

string

The user name for the user.

User ID

uint32

Identification number of the user.

Application ID

uint32

The application ID for the application protocol used in the connection that the login information was derived from.

String Block Type

uint32

Initiates a String data block containing the email address for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address.

Email

string

The email address for the user.

IPv6 Address

uint8[16]

IPv6 address from the host where the user was detected logging in, in IP address octets.

Login Type

uint8

The type of user login detected.

String Block Type

uint32

Initiates a String data block containing the Reported By value. This value is always 0.

String Block Length

uint32

Number of bytes in the Reported By String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Reported By field.

Reported By

string

The name of the Active Directory server reporting a login.

User Login Information Data Block 6.0.x

The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Account Update Message Data Block.

The User Login Information data block has a block type of 159 for version 6.0.x. It has new fields for ISE integration (endpoint profile) and Security Intelligence.

The User Login Information data block has a block type of 73 for version 4.7 - 4.10.x, a block type of 121 in the series 1 group of blocks for version 5.0 - 5.0.2, and a block type of 127 in the series 1 group of blocks for version 5.1+. See User Login Information Data Block 5.1-5.4.x for more information.

The graphic below shows the format of the User Login Information data block:

[Figure: User Login Information data block layout, version 6.0.x. Rows of 32-bit words (bytes 0-3, bits 0-31), in order: User Login Information Block Type (159); User Login Information Block Length; Timestamp; IPv4 Address; User Name String block (String Block Type (0), String Block Length, User Name...); Domain String block (String Block Type (0), String Block Length, Domain...); User ID; Realm ID; Endpoint Profile ID; Security Group ID; Protocol; Email String block (String Block Type (0), String Block Length, Email...); IPv6 Address (four words); Location IPv6 Address (four words); Login Type (one byte); Auth. Type (one byte); Reported By String block (String Block Type (0), String Block Length, Reported By...), starting in the same word as Login Type and Auth. Type.]

The following table describes the components of the User Login Information data block.

 

Table B-27 User Login Information Data Block Fields

Field
Data Type
Description

User Login Information Block Type

uint32

Initiates a User Login Information data block. This value is 159 for version 6.0.x.

User Login Information Block Length

uint32

Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows.

Timestamp

uint32

Timestamp of the event.

IPv4 Address

uint32

This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information.

String Block Type

uint32

Initiates a String data block containing the username for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username.

Username

string

The user name for the user.

String Block Type

uint32

Initiates a String data block containing the domain. This value is always 0.

String Block Length

uint32

Number of bytes in the domain String data block, including eight bytes for the block type and length fields, plus the number of bytes in the domain.

Domain

string

Domain in which the user logged in.

User ID

uint32

Identification number of the user.

Realm ID

uint32

Integer ID which corresponds to an identity realm.

Endpoint Profile ID

uint32

ID number of the type of device used by the connection endpoint. This is unique for each DC and resolved in metadata.

Security Group ID

uint32

ID number of the network traffic group.

Protocol

uint32

Protocol used to detect or report the user. Possible values are:

  • 165 - FTP
  • 426 - SIP
  • 547 - AOL Instant Messenger
  • 683 - IMAP
  • 710 - LDAP
  • 767 - NTP
  • 773 - Oracle Database
  • 788 - POP3
  • 1755 - MDNS

String Block Type

uint32

Initiates a String data block containing the email address for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address.

Email

string

The email address for the user.

IPv6 Address

uint8[16]

IPv6 address from the host where the user was detected logging in, in IP address octets.

Location IPv6 Address

uint8[16]

Most recent IP address on which the user logged in. Can be either an IPv4 or IPv6 address.

Login Type

uint8

The type of user login detected.

Authentication Type

uint8

Type of authentication used by the user. Values may be:

  • 0 - no authorization required
  • 1 - passive authentication, AD agent, or ISE session
  • 2 - captive portal successful authentication
  • 3 - captive portal guest authentication
  • 4 - captive portal failed authentication

String Block Type

uint32

Initiates a String data block containing the Reported By value. This value is always 0.

String Block Length

uint32

Number of bytes in the Reported By String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Reported By field.

Reported By

string

The name of the Active Directory server reporting a login.

User Login Information Data Block 6.1.x

The User Login Information data block has a block type of 165 in the series 1 group of blocks for version 6.1+. It has new port and tunneling fields. It supersedes block type 159. See User Login Information Data Block 6.0.x for more information. It is superseded by block type 167.

The graphic below shows the format of the User Login Information data block:

[Figure: User Login Information data block layout, version 6.1.x. Rows of 32-bit words (bytes 0-3, bits 0-31), in order: User Login Information Block Type (165); User Login Information Block Length; Timestamp; IPv4 Address; User Name String block (String Block Type (0), String Block Length, User Name...); Domain String block (String Block Type (0), String Block Length, Domain...); User ID; Realm ID; Endpoint Profile ID; Security Group ID; Protocol; Port and Range Start (16 bits each, one word); Start Port and End Port (16 bits each, one word); Email String block (String Block Type (0), String Block Length, Email...); IPv6 Address (four words); Location IPv6 Address (four words); Login Type (one byte); Auth. Type (one byte); Reported By String block (String Block Type (0), String Block Length, Reported By...), starting in the same word as Login Type and Auth. Type.]

The following table describes the components of the User Login Information data block.

 

Table B-28 User Login Information Data Block Fields

Field
Data Type
Description

User Login Information Block Type

uint32

Initiates a User Login Information data block. This value is 165 for version 6.1+.

User Login Information Block Length

uint32

Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows.

Timestamp

uint32

Timestamp of the event.

IPv4 Address

uint32

This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information.

String Block Type

uint32

Initiates a String data block containing the username for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username.

Username

string

The user name for the user.

String Block Type

uint32

Initiates a String data block containing the domain. This value is always 0.

String Block Length

uint32

Number of bytes in the domain String data block, including eight bytes for the block type and length fields, plus the number of bytes in the domain.

Domain

string

Domain in which the user logged in.

User ID

uint32

Identification number of the user.

Realm ID

uint32

Integer ID which corresponds to an identity realm.

Endpoint Profile ID

uint32

ID number of the type of device used by the connection endpoint. This is unique for each DC and resolved in metadata.

Security Group ID

uint32

ID number of the network traffic group.

Protocol

uint32

Protocol used to detect or report the user. Possible values are:

  • 165 - FTP
  • 426 - SIP
  • 547 - AOL Instant Messenger
  • 683 - IMAP
  • 710 - LDAP
  • 767 - NTP
  • 773 - Oracle Database
  • 788 - POP3
  • 1755 - MDNS

Port

uint16

The port number on which the user was detected.

Range Start

uint16

The start port in the port range used by the TS Agent.

Start Port

uint16

The start port in the range the TS Agent assigned to the individual user.

End Port

uint16

The end port in the range the TS Agent assigned to the individual user.

String Block Type

uint32

Initiates a String data block containing the email address for the user. This value is always 0.

String Block Length

uint32

Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address.

Email

string

The email address for the user.

IPv6 Address

uint8[16]

IPv6 address from the host where the user was detected logging in, in IP address octets.

Location IPv6 Address

uint8[16]

Most recent IP address on which the user logged in. Can be either an IPv4 or IPv6 address.

Login Type

uint8

The type of user login detected.

Authentication Type

uint8

Type of authentication used by the user. Values may be:

  • 0 - no authorization required
  • 1 - passive authentication, AD agent, or ISE session
  • 2 - captive portal successful authentication
  • 3 - captive portal guest authentication
  • 4 - captive portal failed authentication

String Block Type

uint32

Initiates a String data block containing the Reported By value. This value is always 0.

String Block Length

uint32

Number of bytes in the Reported By String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Reported By field.

Reported By

string

The name of the Active Directory server reporting a login.
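A decoder for the three User Login Information layouts described above (Tables B-26, B-27 and B-28), added here as an example; it is not part of the eStreamer documentation or of Cisco's client code. It assumes network byte order for every integer field and that an IPv4 address carried in a 16-byte address field is IPv4-mapped (::ffff:a.b.c.d); the function names and the sample block are constructed for this example. The point for anything consuming the stream is that each block length and String block length is checked against the bytes actually available before it is used to slice, so a corrupt or truncated record raises an error instead of reading out of bounds or desynchronising the stream.

```python
import struct
from ipaddress import IPv6Address

STRING_BLOCK_TYPE = 0
# (block type, block length) header that starts every block; "!" = network byte order (assumed)
HDR = struct.Struct("!II")

def string_block(text):
    """Encode a String data block (type 0): type, total length, then the UTF-8 bytes."""
    raw = text.encode("utf-8")
    return HDR.pack(STRING_BLOCK_TYPE, HDR.size + len(raw)) + raw

def read_string_block(buf, off):
    """Decode a String data block at buf[off:]; return (text, offset after it)."""
    btype, blen = HDR.unpack_from(buf, off)
    # The declared length includes the 8 header bytes; reject any length that would
    # read past the buffer rather than trusting the field as received.
    if btype != STRING_BLOCK_TYPE or blen < HDR.size or off + blen > len(buf):
        raise ValueError("malformed String block at offset %d" % off)
    return buf[off + HDR.size:off + blen].decode("utf-8", "replace"), off + blen

def read_ip(buf, off):
    """Decode a 16-byte address; IPv4 is assumed to arrive IPv4-mapped (::ffff:a.b.c.d)."""
    addr = IPv6Address(bytes(buf[off:off + 16]))  # raises on a short slice
    mapped = addr.ipv4_mapped
    return str(mapped if mapped is not None else addr), off + 16

def parse_user_login_block(buf):
    """Decode a type 127 (5.1-5.4.x), 159 (6.0.x) or 165 (6.1.x) block into a dict."""
    if len(buf) < 16:
        raise ValueError("truncated block")
    btype, blen, ts, _ipv4_reserved = struct.unpack_from("!IIII", buf, 0)
    if btype not in (127, 159, 165):
        raise ValueError("unsupported block type %d" % btype)
    if blen < 16 or blen > len(buf):
        raise ValueError("block length %d exceeds %d available bytes" % (blen, len(buf)))
    buf = bytes(buf[:blen])  # never read beyond the declared block
    rec = {"block_type": btype, "timestamp": ts}
    try:
        rec["username"], off = read_string_block(buf, 16)
        if btype == 127:
            rec["user_id"], rec["application_id"] = struct.unpack_from("!II", buf, off)
            off += 8
        else:
            rec["domain"], off = read_string_block(buf, off)
            (rec["user_id"], rec["realm_id"], rec["endpoint_profile_id"],
             rec["security_group_id"], rec["protocol"]) = struct.unpack_from("!5I", buf, off)
            off += 20
            if btype == 165:  # port and TS Agent port-range fields are new in 6.1.x
                (rec["port"], rec["range_start"], rec["start_port"],
                 rec["end_port"]) = struct.unpack_from("!4H", buf, off)
                off += 8
        rec["email"], off = read_string_block(buf, off)
        rec["ip"], off = read_ip(buf, off)
        if btype != 127:
            rec["location_ip"], off = read_ip(buf, off)
        rec["login_type"], off = buf[off], off + 1
        if btype != 127:
            rec["auth_type"], off = buf[off], off + 1
        rec["reported_by"], off = read_string_block(buf, off)
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated block: %s" % exc)
    if off != blen:
        raise ValueError("block length %d does not match %d bytes parsed" % (blen, off))
    return rec

def sample_block_165():
    """Constructed sample, not captured from a device: one 6.1.x (type 165) block."""
    v4 = lambda s: IPv6Address("::ffff:" + s).packed
    body = (struct.pack("!II", 1700000000, 0)              # Timestamp, reserved IPv4 field
            + string_block("jdoe") + string_block("CORP")
            + struct.pack("!5I", 42, 1, 7, 3, 710)        # User, Realm, Endpoint, SG, Protocol
            + struct.pack("!4H", 3389, 49152, 49152, 49351)
            + string_block("jdoe@example.com")
            + v4("10.1.2.3") + v4("10.1.2.3")             # IPv6 Address, Location IPv6 Address
            + bytes([1, 1])                                # Login Type, Authentication Type
            + string_block("dc01.example.com"))
    return HDR.pack(165, HDR.size + len(body)) + body
```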

User Login Information Data Block 6.1.x

The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Information Update Message Block.

The User Login Information data block has a block type of 165 in the series 1 group of blocks for version 6.1.x. It has new port and tunneling fields. It supersedes block type 159. It is superseded by block type 167. See User Login Information Data Block 6.0.x for more information.

The graphic below shows the format of the User Login Information data block:

[Figure: User Login Information data block layout, version 6.1.x. Rows of 32-bit words (bytes 0-3, bits 0-31), in order: User Login Information Block Type (165); User Login Information Block Length; Timestamp; IPv4 Address; User Name String block (String Block Type (0), String Block Length, User Name...); Domain String block (String Block Type (0), String Block Length, Domain...); User ID;