Event Streamer Integration Guide version 6.6.0
Understanding Host Data Structures
This chapter describes the format of the Full Host Profile data block that conveys a set of data describing a single host. The eStreamer server generates and sends these blocks on request for host data. For information about the client request procedure, the message structure, and the delivery method, see Host Data and Multiple Host Data Message Format.
eStreamer uses the series 1 data block structure to package these Full Host profile blocks. For the general structure of series 1 blocks, see Series 1 Data Block Header. The Full Host Profile data block contains a number of encapsulated blocks which are individually described in the subsections where they are defined in Understanding Discovery & Connection Data Structures.
See the following sections for more information about current and legacy Full Host Profile data blocks:
- Full Host Profile Data Block 5.3+ describes the current Full Host Profile data block structure.
- Full Host Profile Data Block 5.0 - 5.0.2 describes the legacy Full Host Profile data block structure for versions 5.0 - 5.0.2.
Full Host Profile Data Block 5.3+
The Full Host Profile data block for version 5.3+ contains a full set of data describing one host. It has the format shown in the graphic below and explained in the following table. Note that, except for List data blocks, the graphic does not show the fields of the encapsulated data blocks. These encapsulated data blocks are described separately in Understanding Discovery & Connection Data Structures. The Full Host Profile data block has a block type value of 149. It supersedes the prior version, which has a block type of 140.
Note An asterisk (*) next to a block name in the following diagram indicates that multiple instances of the data block may occur.
The following diagram shows the format of the Full Host Profile data block for 5.3+:
[Diagram: Full Host Profile data block 5.3+. Only one block label is recoverable from the extracted image: "(Third Party Scan) Host Vulnerability Data Blocks with Original Vuln IDs (85)*".]
The following describes the components of the Full Host Profile for 5.3+ record, in the order in which they occur. Where the field name survived extraction it is given before the description.
- Initiates a List data block comprising IP address data blocks conveying TCP service data. This value is always
- Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated IP address data blocks.
- IP addresses of the host and when each IP address was last seen. See Host IP Address Data Block for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data derived from the existing fingerprints for the host. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint data blocks containing information about the operating system on a host derived from the existing fingerprints for the host. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a server fingerprint. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (Server Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host identified using a server fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a client fingerprint. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (Client Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host identified using a client fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a Cisco VDB fingerprint. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (VDB Native Fingerprint 1) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host identified using the fingerprints in the Cisco vulnerability database (VDB). See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a Cisco VDB fingerprint. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (VDB Native Fingerprint 2) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host identified using the fingerprints in the Cisco vulnerability database (VDB). See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by a user. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (User Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host added by a user. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by a vulnerability scanner. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (Scan Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host added by a vulnerability scanner. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by an application. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (Application Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host added by an application. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data selected through fingerprint conflict resolution. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (Conflict Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host selected through fingerprint conflict resolution. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying mobile device fingerprint data. This value is always 31.
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint data blocks containing information about the operating system on a mobile device host. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an IPv6 server fingerprint. This value is always 31.
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (IPv6 Server Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host identified using an IPv6 server fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an IPv6 client fingerprint. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint (IPv6 Client Fingerprint) Data Blocks *: Operating System Fingerprint data blocks containing information about the operating system on a host identified using an IPv6 client fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an IPv6 DHCP fingerprint. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint data blocks containing information about the operating system on a host identified using an IPv6 DHCP fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a user agent fingerprint. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
- Operating System Fingerprint data blocks containing information about the operating system on a host identified using a user agent fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
- Initiates a List data block comprising Full Server data blocks conveying TCP service data. This value is always
- Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Full Server data blocks.
- List of Full Server data blocks conveying data about the TCP services on the host. See Full Host Server Data Block 4.10.0+ for a description of this data block.
- Initiates a List data block comprising Full Server data blocks conveying UDP service data. This value is always
- Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Full Server data blocks.
- List of Full Server data blocks conveying data about the UDP sub-servers on the host. See Full Host Server Data Block 4.10.0+ for a description of this data block.
- Initiates a List data block comprising Protocol data blocks conveying network protocol data. This value is always
- Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Protocol data blocks.
- List of Protocol data blocks conveying data about the network protocols on the host. See Protocol Data Block for a description of this data block.
- Initiates a List data block comprising Protocol data blocks conveying transport protocol data. This value is always
- Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Protocol data blocks.
- List of Protocol data blocks conveying data about the transport protocols on the host. See Protocol Data Block for a description of this data block.
- Initiates a List data block containing Host MAC Address data blocks. This value is always
- Number of bytes in the list, including the list header and all encapsulated Host MAC Address data blocks.
- List of Host MAC Address data blocks. See Host MAC Address 4.9+ for a description of this data block.
- UNIX timestamp that represents the last time the system detected host activity.
- VLAN identification number that indicates which VLAN the host is a member of.
- Initiates a Generic List data block comprising Host Vulnerability data blocks conveying Client Application data. This value is always 31.
- Number of bytes in the Generic List data block, including the list header and all encapsulated Client Application data blocks.
- List of Client Application data blocks. See Full Host Client Application Data Block 5.0+ for a description of this data block.
- Initiates a String data block for the host NetBIOS name. This value is always
- Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name string.
- Initiates a String data block for host notes. This value is always
- Number of bytes in the notes String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the notes string.
- Contains the contents of the Notes host attribute for the host.
- Initiates a Generic List data block comprising Host Vulnerability data blocks conveying VDB vulnerability data. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
- List of Host Vulnerability data blocks for vulnerabilities identified in the Cisco vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
- Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third-party scan vulnerability data. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
- Host Vulnerability data blocks sourced from a third-party scanner and containing information about host vulnerabilities cataloged in the Cisco vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
- Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third-party scan vulnerability data. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
- Host Vulnerability data blocks sourced from a third-party scanner. Note that the host vulnerability IDs for these data blocks are the third-party scanner IDs, not Cisco-detected IDs. See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
- Initiates a List data block comprising Attribute Value data blocks conveying attribute data. This value is always
- Number of bytes in the List data block, including the list header and all encapsulated data blocks.
- List of Attribute Value data blocks. See Attribute Value Data Block for a description of the data blocks in this list.
- A true-false flag indicating whether the operating system is running on a mobile device.
- A true-false flag indicating whether the mobile device operating system is jailbroken.
- Initiates a Generic List data block comprising IOC State data blocks. This value is always
- Number of bytes in the Generic List data block, including the list header and all encapsulated IOC State data blocks.
- IOC State data blocks containing information about compromises on a host. See IOC State Data Block for 5.3+ for a description of this data block.
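As an added example (not code from the guide or from Cisco), the following Python walker shows the type/length framing the table relies on: every series 1 block starts with a 4-byte type and a 4-byte length that counts its own eight header bytes, and a Generic List block (type 31) encapsulates further blocks. A client that consumes Full Host Profile data should reject any length smaller than the header or larger than the enclosing block before trusting it. Big-endian field order, the nesting-depth limit, and block type 999 are assumptions or placeholders, not values from the guide.

```python
import struct

GENERIC_LIST = 31  # block type of a Generic List (table: "This value is always 31")
MAX_DEPTH = 16     # assumed limit; bounds recursion on malformed or hostile input


class BlockError(ValueError):
    """Raised when a block's length field is inconsistent with its container."""


def parse_blocks(buf, offset=0, end=None, depth=0):
    """Walk the series 1 blocks in buf[offset:end].

    Returns a list of (block_type, value) tuples. Generic List blocks are
    recursed into and their value is the list of child blocks; any other
    block's value is its raw payload bytes. Field order is assumed big-endian.
    """
    end = len(buf) if end is None else end
    if depth > MAX_DEPTH:
        raise BlockError("nesting too deep")
    blocks = []
    while offset < end:
        if end - offset < 8:
            raise BlockError(f"truncated block header at offset {offset}")
        btype, blen = struct.unpack_from(">II", buf, offset)
        if blen < 8:  # length must cover the eight header bytes it includes
            raise BlockError(f"length {blen} below header size at offset {offset}")
        if offset + blen > end:  # child may not extend past its parent
            raise BlockError(f"block at offset {offset} overruns its container")
        start, stop = offset + 8, offset + blen
        if btype == GENERIC_LIST:
            blocks.append((btype, parse_blocks(buf, start, stop, depth + 1)))
        else:
            blocks.append((btype, bytes(buf[start:stop])))
        offset = stop
    return blocks


def block(btype, payload):
    """Encode one series 1 block; the length field includes the 8-byte header."""
    return struct.pack(">II", btype, 8 + len(payload)) + payload


def is_malformed(buf):
    """True if the walker rejects buf; used to exercise the length checks."""
    try:
        parse_blocks(buf)
        return False
    except BlockError:
        return True


# Constructed sample: a Generic List wrapping two opaque placeholder blocks.
SAMPLE = block(GENERIC_LIST, block(999, b"AAAA") + block(999, b"BB"))
# Constructed malformed samples: a child whose length overruns its parent,
# and a header whose length is smaller than the header itself.
OVERRUN = block(GENERIC_LIST, struct.pack(">II", 999, 20) + b"ab")
TOO_SHORT = struct.pack(">II", GENERIC_LIST, 4)
```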