Data Structure Examples

This appendix contains data structure examples for selected intrusion, correlation, and discovery events. Each example is displayed in binary format to clearly display how each bit is set.

See the following sections for more information:

Intrusion Event Data Structure Examples

This section contains examples of data structures that may be transmitted by eStreamer for intrusion events. The following examples are provided:

Example of an Intrusion Event for the Management Center 5.4+

The following diagram shows an example event record:

 

Byte

0

1

2

3

Bit

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

2

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

1

0

0

1

1

0

3

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

0

1

0

0

0

0

4

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

1

0

1

1

0

5

0

1

0

1

0

0

1

1

1

0

1

1

0

1

0

0

0

0

1

0

1

1

1

1

0

0

1

0

1

1

1

1

6

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

7

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

1

0

1

8

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

1

0

1

1

0

9

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

10

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

1

0

1

1

0

0

11

0

1

0

1

0

0

1

1

1

0

1

1

0

1

0

0

0

0

1

0

1

1

1

1

0

0

1

0

1

1

1

1

12

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

1

0

1

0

1

1

1

0

0

1

1

1

0

13

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

14

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

0

1

1

1

15

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

16

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

17

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

18

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

 

0

0

0

0

1

0

1

0

0

0

0

0

0

1

0

1

0

0

1

1

1

1

0

1

1

1

0

1

1

1

0

0

19

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

 

0

0

0

0

1

0

1

0

0

0

0

0

0

1

0

1

0

0

1

1

1

0

0

0

1

0

0

0

0

1

0

1

20

1

0

0

0

0

0

0

0

1

1

1

1

1

0

1

0

0

0

0

1

1

1

1

1

1

0

0

1

0

0

0

0

21

0

0

0

0

0

1

1

0

0

0

0

0

0

1

1

1

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

22

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

23

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

24

1

0

1

0

1

0

0

0

0

0

0

1

1

0

0

1

1

1

0

1

0

0

1

1

0

1

1

1

1

1

1

0

 

0

0

0

0

0

0

0

1

1

1

1

1

0

1

0

1

0

0

0

1

0

0

0

1

1

1

1

0

0

1

0

0

 

1

0

1

0

0

1

0

0

1

0

0

0

0

1

0

1

1

1

0

1

0

0

0

0

0

1

1

1

0

0

0

1

 

1

0

0

0

1

1

1

1

0

0

0

0

1

1

1

0

1

0

0

0

1

0

0

1

1

0

1

0

0

0

1

0

25

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

26

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

1

0

0

1

1

1

1

27

0

1

1

1

0

1

1

1

0

0

1

1

0

1

0

1

1

0

0

1

0

1

1

0

1

0

1

0

0

1

0

0

28

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

0

1

0

0

1

0

0

29

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

30

1

1

0

0

0

0

0

1

0

1

0

0

0

1

0

0

0

0

1

0

1

1

1

0

0

1

0

0

1

1

1

0

 

0

0

0

0

0

0

0

1

1

1

1

1

0

1

0

1

0

0

0

1

0

0

0

1

1

1

1

0

0

1

0

0

 

1

0

1

0

0

1

0

1

1

1

1

1

0

1

1

0

1

0

1

1

0

0

1

1

0

0

0

0

1

0

0

1

 

0

1

0

0

0

0

0

1

1

0

0

1

0

1

1

1

1

0

0

1

1

1

1

1

0

0

0

1

0

1

0

0

31

0

1

1

0

1

0

0

1

0

0

0

1

0

1

0

1

1

0

1

0

1

0

0

1

0

0

0

1

1

0

1

0

 

1

1

1

1

1

1

1

0

0

0

1

1

1

0

0

1

0

0

0

1

0

0

0

1

1

1

1

0

0

0

1

1

 

1

0

1

1

0

1

0

0

0

1

0

1

0

0

1

0

0

0

0

1

0

1

0

0

1

1

0

0

1

1

0

1

 

1

0

1

0

1

0

1

1

0

0

0

1

0

1

0

0

1

1

0

0

1

1

1

1

1

0

0

1

1

1

0

0

32

0

1

1

0

1

0

0

1

0

0

0

1

0

1

0

1

1

0

1

0

1

0

0

1

0

0

0

1

1

0

1

0

 

1

1

1

1

1

1

1

0

0

0

1

1

1

0

0

1

0

0

0

1

0

0

0

1

1

1

1

0

0

0

1

1

 

1

0

1

1

0

1

0

0

0

1

0

1

0

0

1

0

0

0

0

1

0

1

0

0

1

1

0

0

1

1

0

1

 

1

0

1

0

1

0

1

1

0

0

0

1

0

1

0

0

1

1

0

0

1

1

1

1

1

0

0

1

1

1

0

0

33

0

0

1

0

1

1

0

1

1

1

1

0

0

1

1

0

1

1

1

1

0

0

1

1

0

0

1

1

0

0

0

0

 

1

1

1

1

1

1

1

0

0

0

0

1

0

0

0

1

0

0

0

1

0

0

0

1

1

1

1

0

0

0

1

1

 

1

0

1

0

0

0

1

0

1

1

1

0

0

1

0

0

1

1

0

0

1

0

1

0

0

1

0

0

0

0

0

1

 

1

0

0

1

1

1

1

1

0

1

1

1

1

1

1

0

0

1

0

0

0

1

1

0

1

0

0

1

0

0

1

1

34

0

0

1

0

1

1

0

1

1

1

1

0

0

1

1

0

1

1

1

1

0

0

1

1

0

0

1

1

0

0

0

0

 

1

1

1

1

1

1

1

0

0

0

0

1

0

0

0

1

0

0

0

1

0

0

0

1

1

1

1

0

0

0

1

1

 

1

0

1

0

0

0

1

0

1

1

1

0

0

1

0

0

1

1

0

0

1

0

1

0

0

1

0

0

0

0

0

1

 

1

0

0

1

1

1

1

1

0

1

1

1

1

1

1

0

0

1

0

0

0

1

1

0

1

0

0

1

0

0

1

1

35

0

1

0

1

0

0

1

1

1

0

1

1

0

1

0

0

0

0

1

0

1

1

1

1

0

0

1

0

1

1

1

1

36

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

1

0

1

1

0

0

0

0

1

1

0

37

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

38

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

39

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

40

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

41

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

42

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

43

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

44

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

In the preceding example, the following event information appears:

 

Number
Description

1

The first two bytes of this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (that is, message type four).

2

This line indicates that the message that follows is 294 bytes long.

3

The first bit of this is a flag indicating that the header is an extended header containing an archive timestamp. The next 15 bits are an optional field containing the Netmap ID for the domain on which the event was detected. The remainder of the line indicates a record type value of 400, which represents an intrusion event record.

4

This line indicates that the event record that follows is 278 bytes long.

5

This line is the timestamp when the event was saved. In this case, it was saved on Wednesday, July 2, 2014 at 16:11:27.

6

This line is reserved for future use and is populated with zeros.

7

This line indicates that the block type is 45, which is the block type for Intrusion Event records for version 5.4+.

8

This line indicates that the data block is 278 bytes long.

9

This line indicates that the event is collected from sensor number 5.

10

This line indicates that the event identification number is 65580.

11

This line indicates that the event occurred at second 1404317489.

12

This line indicates that the event occurred at microsecond 46542.

13

This line indicates that the rule ID number is 4.

14

This line indicates that the event was detected by generator ID number 119, the rules engine.

15

This line indicates that the rule revision number is 1.

16

This line indicates that the classification identification number is 1.

17

This line indicates that the priority identification number is 3.

18

This line indicates that the source IP address is 10.5.61.220. Note that this field can contain either IPv4 or IPv6 addresses.

19

This line indicates that the destination IP address is 10.5.56.133. Note that this field can contain either IPv4 or IPv6 addresses.

20

The first two bytes in this line indicate that the source port number is 33018, and the second two bytes indicate that the destination port number is 8080.

21

This first byte in this line indicates that TCP ( 6) is the protocol used in the event. The second byte is the impact flag, which indicates that the event is red (vulnerable) since the second bit is 1 ; that the source or destination host is in a network monitored by the system, the source or destination host exists in the network map, and that the source or destination host is running a server on the port in the event; because the second and third flags are one, this is an orange event which is potentially vulnerable. The third byte in this line is the impact, which is 2 indicating that the event is orange and potentially vulnerable. The last byte indicates that the event was not blocked.

22

This line contains the MPLS label, if present.

23

The first two bytes in this line indicate that the VLAN ID is 0. The last two bytes are reserved and set to 0.

24

This line contains the unique ID number for the intrusion policy.

25

This line contains the internal identification number for the user. Since there is no applicable user, it is all zeros.

26

This line contains the internal identification number for the web application, which is 847.

27

This line contains the internal identification number for the client application, which is 2000000676.

28

This line contains the internal identification number for the application protocol, which is 676.

29

This line contains the unique identifier for the access control rule, which is 1.

30

This line contains the unique identifier for the access control policy.

31

This line contains the unique identifier for the ingress interface.

32

This line contains unique identifier for the egress interface. Since this event was blocked.

33

This line contains the unique identifier for the ingress security zone.

34

This line contains the unique identifier for the egress security zone.

35

This line contains the Unix timestamp of the connection event associated with the intrusion event.

36

The first two bytes in this line indicate the numerical ID of the Snort instance on the managed device that generated the connection event. The remaining two bytes indicate the value used to distinguish between connection events that happen during the same second.

37

The first two bytes in this line indicate the code for the country of the source host. The remaining two bytes indicate the code for the country of the destination host.

38

The first two bytes of this line contain the ID number of the compromise associated with this event. The remaining two bytes contain the beginning of the ID number for the security context (virtual firewall) that the traffic passed through.

39

This line contains the rest of the ID number for the security context (virtual firewall) that the traffic passed through.

40

The first two bytes of this line contain the last two bytes of the security context (virtual firewall) that the traffic passed through. The second two bytes contain the beginning of the SHA1 Hash of the SSL Server certificate if SSL was used.

41

This line contains the rest of the SHA1 Hash of the SSL Server certificate if SSL was used.

42

The first two bytes of this line contain the last two bytes of the SHA1 Hash of the SSL Server certificate. The second two bytes contain the SSL Action which was actually taken. Since SSL was not used in this connection, this is 0.

43

The first two bytes of this line contain the SSL Flow Status. Since SSL was not used in this connection, this is 0. The second two bytes contain the first two bytes of the UUID of the Network Analysis Policy associated with this event.

44

This line contains the rest of the UUID of the Network Analysis Policy associated with this event.

Example of an Intrusion Impact Alert

The following diagram shows an example intrusion impact alert record:

 

Byte

0

1

2

3

Bit

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

2

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

1

1

0

3

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

1

4

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

0

1

0

5

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

0

0

6

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

0

1

0

7

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

0

0

1

0

0

1

0

0

0

1

0

1

0

0

0

8

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

9

0

1

0

0

0

0

0

0

1

1

0

0

1

1

0

1

1

0

1

1

0

1

1

1

1

0

0

1

0

1

0

0

10

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

11

1

0

1

0

1

1

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

1

0

1

1

0

12

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

13

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

14

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

1

0

15

0

1

0

1

0

1

1

0

0

1

1

1

0

1

0

1

0

1

1

0

1

1

0

0

0

1

1

0

1

1

1

0

 

0

1

1

0

0

1

0

1

0

1

1

1

0

0

1

0

0

1

1

0

0

0

0

1

0

1

1

0

0

0

1

0

 

0

1

1

0

1

1

0

0

0

1

1

0

0

1

0

1

 

In the preceding example, the following information appears:

 

Number
Description

1

The first two bytes of this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (message type four).

2

This line indicates that the message that follows is 58 bytes long.

3

The first bit of this is a flag indicating that the header is not an extended header containing an archive timestamp. The next 15 bits are an optional field containing the Netmap ID for the domain on which the event was detected. The remainder of the line indicates a record type value of 9, which represents an intrusion impact alert record.

4

This line indicates that the data that follows is 50 bytes long.

5

This line contains a value of 20, indicating that an intrusion impact alert data block follows.

6

This line indicates that the length of the impact alert block, including the impact alert block header, is 50 bytes.

7

This line indicates that the event identification number is 201256.

8

This line indicates that the event is collected from device number 2.

9

This line indicates that the event occurred at second 1087223700.

10

This line indicates that 1 (red, vulnerable) is the impact level associated with the event.

11

This line indicates that the IP address associated with the violation event is 172.16.1.22.

12

This line indicates that there is no destination IP address associated with the violation (values are set to 0).

13

This line indicates that a string block follows, containing a string block length and a text string which, in this case, contains the impact name. For more information about string blocks, see String Data Block.

14

This line indicates that the total length of the string block, including the string block indicator and length is 18 bytes. This includes 10 bytes for the impact description and 8 bytes for the string header.

15

This line indicates that the description of the impact is “Vulnerable.”

Example of a Packet Record

The following diagram shows an example packet record:

 

Byte

0

1

2

3

Bit

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

2

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

1

0

1

1

1

0

1

3

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

4

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

1

0

1

0

1

0

1

5

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

6

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

1

1

1

1

0

1

1

0

1

1

0

0

1

1

0

7

0

0

1

1

1

1

1

1

0

0

0

0

0

1

0

0

0

1

1

1

1

1

1

1

0

1

1

1

0

0

1

0

8

0

0

1

1

1

1

1

1

0

0

0

0

0

1

0

0

0

1

1

1

1

1

1

1

0

1

1

1

0

1

0

0

9

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

1

1

0

0

0

0

1

1

0

0

1

1

1

0

1

10

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

11

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

0

1

1

1

0

0

1

12

0

0

1

1

0

0

0

0

0

1

1

1

1

0

0

0

0

0

1

1

0

0

0

0

0

0

1

1

0

0

0

0

 

0

0

1

1

0

0

0

0

0

0

1

1

0

0

0

0

0

0

1

1

1

0

1

0

0

0

1

0

0

0

0

0

In the preceding example, the following packet information appears:

 

Number
Description

1

The first two bytes of this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (message type four).

2

This line indicates that the message that follows is 989 bytes long.

3

The first bit of this is a flag indicating that the header is not an extended header containing an archive timestamp. The next 15 bits are an optional field containing the Netmap ID for the domain on which the event was detected. The remainder of the line indicates a record type value of 2, which represents a packet record.

4

This line indicates that the packet record that follows is 981 bytes long.

5

This line indicates that the event is collected from device number 3.

6

This line indicates that the event identification number is 195430.

7

This line indicates that the event occurred at second 10572378.

8

This line indicates that the packet was collected at second 10572380.

9

This line indicates that the packet was collected at microsecond 254365.

10

This line indicates that the link type is 1 (Ethernet layer).

11

This line indicates that the packet data that follows is 953 bytes long.

12

This line and the following line show the actual payload data. Note that the actual data is 953 bytes and has been truncated for the sake of this example.

Example of a Classification Record

The following diagram shows an example classification record:

 

Byte

0

1

2

3

Bit

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

2

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

1

1

0

0

3

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

1

1

4

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

0

1

0

0

5

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

6

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

0

1

1

1

0

1

0

0

0

1

1

1

0

0

1

0

 

0

1

1

0

1

1

1

1

0

1

1

0

1

0

1

0

0

1

1

0

0

0

0

1

0

1

1

0

1

1

1

0

 

0

0

1

0

1

1

0

1

0

1

1

0

0

0

0

1

0

1

1

0

0

0

1

1

0

1

1

1

0

1

0

0

 

0

1

1

0

1

0

0

1

0

1

1

1

0

1

1

0

0

1

1

0

1

0

0

1

0

1

1

1

0

1

0

0

7

0

1

1

1

1

0

0

1

0

0

0

0

0

0

0

0

0

0

0

1

1

1

0

1

0

1

0

0

0

0

0

1

 

0

0

1

0

0

0

0

0

0

1

0

0

1

1

1

0

0

1

1

0

0

1

0

1

0

1

1

1

0

1

0

0

 

0

1

1

1

0

1

1

1

0

1

1

0

1

1

1

1

0

1

1

1

0

0

1

0

0

1

1

0

1

0

1

1

 

0

0

1

0

0

0

0

0

0

1

0

1

0

1

0

0

0

1

1

1

0

0

1

0

0

1

1

0

1

1

1

1

 

0

1

1

0

1

0

1

0

0

1

1

0

0

0

0

1

0

1

1

0

1

1

1

0

0

0

1

0

0

0

0

0

 

0

1

1

1

0

1

1

1

0

1

1

0

0

0

0

1

0

1

1

1

0

0

1

1

0

0

1

0

0

0

0

0

 

0

1

0

0

0

1

0

0

0

1

1

0

0

1

0

1

0

1

1

1

0

1

0

0

0

1

1

0

0

1

0

1

 

0

1

1

0

0

0

1

1

0

1

1

1

0

1

0

0

0

1

1

0

0

1

0

1

0

1

1

0

0

1

0

0

8

1

0

0

1

1

1

0

1

1

1

0

0

0

1

1

0

0

0

0

0

0

1

0

1

1

1

1

0

1

0

0

0

 

1

1

0

0

1

0

1

1

1

0

1

0

0

0

1

0

0

0

0

1

0

0

0

1

1

1

0

1

1

0

0

1

 

1

0

0

0

1

0

0

1

1

1

0

0

1

1

0

0

0

0

0

0

0

0

0

0

0

1

0

1

0

0

0

0

 

0

1

0

1

0

1

1

0

0

0

0

0

0

1

0

0

0

0

0

0

0

1

0

1

0

0

0

0

0

0

0

1

9

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

In the preceding example, the following event information appears:

 

Number
Description

1

The first two bytes of the line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (message type four).

2

This line indicates that the message that follows is 92 bytes long.

3

The first bit of this is a flag indicating that the header is not an extended header containing an archive timestamp. The next 15 bits are an optional field containing the Netmap ID for the domain on which the event was detected. The remainder of the line indicates a record type value of 67, which represents a classification record.

4

This line indicates that the classification record that follows is 84 bytes long.

5

This line indicates that the Classification ID is 35.

6

The first two bytes of this line indicate that the classification name that follows it is 15 bytes long. The second two bytes begin the classification name itself, which, in this case, is “trojan-activity”.

7

The first byte in this line is a continuation of the classification name described in line 6. The next two bytes in this line indicate that the classification description that follows it is 29 bytes long. The remaining byte begins the classification description, which, in this case, is “A Network Trojan was Detected.”

8

This line indicates the classification ID number that acts as a unique identifier for the classification.

9

This line indicates the classification revision ID number that acts as a unique identifier for the classification revision, which is null because there are no revisions to the classification.

Example of a Priority Record

The following example shows a sample priority record:

 

Byte

0

1

2

3

Bit

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

2

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

3

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

4

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

5

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

6

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

1

1

0

1

0

0

0

0

1

1

0

1

0

0

1

 

0

1

1

0

0

1

1

1

0

1

1

0

1

0

0

0

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

In the preceding example, the following event information appears:

 

Number
Description

1

The first two bytes in this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (message type four).

2

This line indicates that the message that follows is 16 bytes.

3

This line indicates a record type value of 4, which represents a priority record.

4

This line indicates that the priority record that follows is 8 bytes long.

5

This line indicates that the priority ID is one.

6

The first two bytes of this line indicate that there are four bytes included in the priority name. The second two bytes plus the two bytes on the following line show the priority name itself (“high”).

Example of a Rule Message Record

The following example shows a sample rule record:

 

Byte

0

1

2

3

Bit

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

2

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

1

3

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

1

0

4

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

1

0

0

1

5

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

6

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

1

1

0

1

1

0

1

0

0

1

0

1

7

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

8

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

1

1

0

1

1

0

1

0

0

1

0

1

9

0

0

0

0

0

0

0

0

0

1

0

0

0

1

1

1

1

0

1

1

0

1

1

0

0

0

1

1

0

1

1

1

 

0

0

1

0

0

1

1

1

0

0

1

1

1

0

0

1

0

0

1

0

0

1

1

0

0

0

0

1

1

1

1

1

 

0

0

0

1

0

0

0

1

1

1

1

0

0

0

1

1

1

0

1

1

0

0

0

0

0

0

0

0

1

0

0

1

 

1

0

0

0

0

1

0

0

1

0

0

0

1

1

1

1

0

1

1

0

1

0

0

1

1

1

1

0

0

0

1

1

10

0

1

1

0

1

1

0

1

1

1

0

1

0

0

1

0

1

0

1

1

0

1

1

0

0

0

1

1

0

1

1

1

 

0

0

1

0

1

0

1

0

1

0

1

0

0

1

0

1

0

0

1

0

0

1

1

0

0

0

0

1

1

1

1

1

 

0

0

0

1

0

0

0

1

1

1

1

0

0

0

1

1

1

0

1

1

0

0

0

0

0

0

0

0

1

0

0

1

 

1

0

0

0

0

1

0

0

1

0

0

0

1

1

1

1

0

1

1

0

1

0

0

1

1

1

1

0

0

0

1

1

11

0

1

1

0

1

1

0

1

1

1

0

1

0

0

1

0

0

1

0

0

0

0

0

1

0

1

0

1

0

0

0

0

 

0

1

0

1

0

0

0

0

0

0

1

0

1

1

0

1

0

1

0

0

0

1

0

0

0

1

0

0

0

1

0

1

 

0

1

0

1

0

1

0

0

0

1

0

0

0

1

0

1

0

1

0

0

0

0

1

1

0

1

0

1

0

1

0

0

 

0

0

1

0

0

0

0

0

0

1

0

0

0

1

0

0

0

1

0

0

1

1

1

0

0

1

0

1

0

0

1

1

 

0

0

1

0

0

0

0

0

0

1

1

1

0

0

1

0

0

1

1

0

0

1

0

1

0

1

1

1

0

0

0

1

 

0

1

1

1

0

1

0

1

0

1

1

0

0

1

0

1

0

1

1

1

0

0

1

1

0

1

1

1

0

1

0

0

 

0

0

1

0

0

0

0

0

0

1

1

0

0

1

1

0

0

1

1

0

1

1

1

1

0

1

1

1

0

0

1

0

 

0

0

1

0

0

0

0

0

0

1

1

1

0

0

0

0

0

1

1

0

1

1

1

1

0

1

1

1

0

1

0

0

 

0

1

1

0

0

1

0

1

0

1

1

0

1

1

1

0

0

1

1

1

0

1

0

0

0

1

1

0

1

0

0

1

 

0

1

1

0

0

0

0

0

1

0

1

1

0

1

1

0

0

0

0

1

0

0

0

0

0

1

1

0

1

1

0

1

 

0

1

1

0

0

0

0

1

0

1

1

0

1

1

0

0

0

1

1

1

0

1

1

1

0

1

1

0

0

0

0

1

 

0

1

1

1

0

0

1

0

0

1

1

0

0

1

0

1

0

0

1

0

0

0

0

0

0

1

0

1

0

0

1

1

 

0

1

1

0

0

0

0

1

0

1

1

0

0

1

1

0

0

1

1

0

0

1

0

1

0

1

0

0

0

1

1

1

 

0

1

1

1

0

1

0

1

0

1

1

0

0

0

0

1

0

1

1

1

0

0

1

0

0

1

1

0

0

1

0

0

 

0

0

1

0

0

0

0

0

0

1

1

1

0

1

0

0

0

1

1

0

0

1

1

1

0

0

1

0

0

0

0

0

 

0

1

1

0

0

1

0

0

0

1

1

0

1

1

1

1

0

1

1

0

1

1

0

1

0

1

1

0

0

0

0

1

 

0

1

1

0

1

0

0

1

0

1

1

0

1

1

1

0

0

0

1

0

0

0

0

0

0

0

1

1

0

0

1

1

 

0

0

1

1

0

1

1

0

0

0

1

1

0

0

0

0

0

0

1

0

1

1

1

0

0

1

1

0

0

0

1

1

 

0

1

1

0

1

1

1

0

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

In the preceding example, the following event information appears:

 

Number
Description

1

The first two bytes of this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (that is, message type four).

2

This line indicates that the message that follows is 129 bytes.

3

The first bit of this is a flag indicating that the header is not an extended header containing an archive timestamp. The next 15 bits are an optional field containing the Netmap ID for the domain on which the event was detected. The remainder of the line indicates a record type value of 66, which represents a rule message record.

4

This line indicates that the rule message record that follows is 121 bytes long.

5

This line indicates that the generator identification number is 1, the rules engine.

6

This line indicates that the rule identification number is 28069.

7

This line indicates that the rule revision number is 1.

8

This line indicates that the rule identification number rendered to the Secure Firewall System is 28069.

9

The first two bytes of this line indicate that there are 71 bytes included in the rule text name. The second two bytes begin the unique identifier number for the rule.

10

The first two bytes of this line finish the unique identifier number of the rule. The next two bytes begin the unique identifier number for the revision of the rule.

11

The first two bytes of this line finish the unique identifier number for the revision of the rule. The second two bytes begin the text of the rule message itself. The full text of the transmitted rule message is: APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn.

Example of a Connection Statistics Data Block for 6.1.x

The following diagram shows an example connection statistics record:

Byte

0

1

2

3

Bit

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

2

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

1

0

0

1

1

0

0

3

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

1

1

1

4

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

0

1

1

1

1

0

0

5

0

1

0

1

0

1

1

1

1

1

1

1

1

0

1

1

1

0

0

0

1

1

1

0

0

0

1

1

0

1

0

0

6

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

7

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

8

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

9

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

10

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

11

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

12

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

13

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

1

1

0

1

0

1

1

14

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

15

1

1

0

1

0

0

0

1

1

0

0

0

0

1

0

0

1

1

1

1

1

0

1

1

0

1

0

1

0

1

1

1

16

0

0

0

0

1

0

0

0

1

0

1

1

1

0

1

0

0

0

0

0

1

1

0

0

0

0

0

0

0

0

0

0

17

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

18

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

0

0

0

1

1

19

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

0

0

0

0

1

0

0

20

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

21

0

1

0

1

1

0

0

1

1

1

1

0

0

1

0

0

0

1

0

1

0

0

0

0

0

1

0

1

1

1

0

0

 

0

1

0

0

0

1

0

0

1

0

0

1

0

0

1

1

0

0

0

1

0

0

0

1

1

1

1

0

0

1

1

0

 

1

0

1

0

0

1

1

0

0

0

1

0

1

1

0

1

1

1

1

1

0

0

0

1

1

1

0

1

1

1

0

1

 

1

1

1

1

0

1

1

1

0

0

1

1

0

0

0

1

1

0

1

0

1

0

0

0

0

1

0

1

1

1

1

0

22

0

1

1

0

0

0

0

0

1

1

0

1

0

1

0

1

0

0

0

0

1

1

0

0

1

0

0

0

0

0

0

0

 

0

1

0

0

0

1

0

0

1

0

0

1

0

0

1

1

0

0

0

1

0

0

0

1

1

1

1

0

0

1

1

0

 

1

0

0

1

1

0

0

0

0

1

0

0

0

0

1

1

1

0

0

0

0

1

0

0

1

1

0

1

1

0

0

0

 

1

1

0

1

0

1

1

0

1

0

1

0

0

0

1

1

1

1

1

0

0

0

0

0

0

0

0

0

1

0

0

0

23

0

1

0

1

1

0

0

1

1

0

0

1

0

0

0

1

0

0

1

0

0

1

1

0

1

1

0

1

1

1

1

0

 

0

1

0

0

0

1

0

0

1

0

0

1

0

0

1

1

0

0

0

1

0

0

0

1

1

1

1

0

0

1

1

0

 

1

0

1

0

0

1

1

0

0

0

1

0

1

1

0

1

1

1

1

1

0

0

0

1

1

1

0

1

1

1

1

1

 

1

1

1

1

0

1

1

1

0

0

1

1

0

0

0

1

1

0

1

0

1

0

0

0

0

1

0

1

1

1

1

0

24

0

1

1

0

0

0

0

0

1

0

0

0

1

1

0

1

0

1

1

0

1

1

0

0

1

1

1

1

0

1

0

0

 

0

1

0

0

0

1

0

0

1

0

0

1

0

0

1

1

0

0

0

1

0

0

0

1

1

1

1

0

0

1

1

0

 

1

0

0

1

1

0

0

0

0

1

0

0

0

0

1

1

1

0

0

0

0

1

0

0

1

1

0

1

1

0

0

0

 

1

1

0

1

0

1

1

0

1

0

1

0

0

0

1

1

1

1

1

0

0

0

0

0

0

0

0

0

1

0

0

0

25

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

 

1

0

1

0

1

1

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

1

1

0

0

0

0

0

1

0

1

26

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

 

0

1

0

0

1

0

0

0

0

0

1

1

0

0

0

0

1

0

0

1

0

1

0

1

1

1

1

1

0

1

0

0

27

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

28

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

1

0

1

0

1

1

1

1

1

1

0

1

0

0

1

1

1

0

0

0

0

1

1

1

0

0

1

1

1

0

1

29

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

1

1

0

0

1

1

30

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

31

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

32

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

1

0

1

0

1

0

1

1

0

0

0

0

1

0

1

0

33

0

0

0

0

0

0

0

1

1

0

1

1

1

0

1

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

34

0

0

0

0

0

1

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

35

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

1

0

0

1

1

1

0

0

36

0

1

1

1

0

0

1

1

0

1

0

1

0

1

1

1

1

1

1

1

1

0

1

1

1

0

0

0

1

1

1

0

37

0

0

1

1

0

0

1

1

0

1

0

1

0

1

1

1

1

1

1

1

1

0

1

1

1

0

0

0

1

1

1

0

38

0

0

1

1

0

0

1

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

39

0

0

0

0

1

1

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

40

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

41

1

1

0

0

1

1

1

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

42

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

43

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

44

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

45

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

46

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

47

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

48

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

49

0

1

0

1

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

50

0

1

1

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

51

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

52

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

53

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

54

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

55

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

56

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

57

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

58

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

59

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

60

0

0

0

0

1

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

61

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

62

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

63

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

64

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

65

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

66

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

67

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

68

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

69

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

1

0

0

1

0

0

0

0

0

0

0

0

0

0

0

70

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

71

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

72

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

73

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

74

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

75

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

76

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

77

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

78

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

79

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

80

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

81

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

82

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

83

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

84

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

85

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

86

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

87

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

88

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

89

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

90

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

91

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

92

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

93

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

94

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

95

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

96

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

1

0

0

1

1

1

0

0

1

1

1

1

0

0

0

1

1

0

0

1

0

1

1

0

1

1

1

0

0

0

0

 

0

1

1

1

1

0

0

0

0

1

0

0

0

0

1

0

0

0

0

1

0

0

0

1

1

1

1

0

0

1

1

0

 

1

0

1

0

1

0

0

1

1

0

0

1

1

0

1

1

1

1

0

0

1

1

0

1

1

0

1

1

0

0

0

1

97

1

0

0

1

1

1

0

0

1

0

1

1

0

1

0

1

0

1

0

1

0

0

1

1

1

1

1

1

1

1

0

1

98

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

99

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

100

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

101

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

102

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

103

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

104

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

105

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

106

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

107

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

 

 

 

 

 

 

 

In the preceding example, the following event information appears:

Number
Description

1

The first two bytes of this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (that is, message type four).

2

This line indicates that the message that follows is 716 bytes long.

3

The first bit of this is a flag indicating that the header is an extended header containing an archive timestamp. The next 15 bits are an optional field containing the Netmap ID for the domain on which the event was detected. The remainder of the line indicates a record type value of 71, which represents a connection statistics record.

4

This line indicates that the event record that follows is 700 bytes long.

5

This line is the timestamp when the event was saved. In this case, it was saved on Monday October 10, 2016 08:48:52 (am).

6

This line is reserved for future use and is populated with zeros.

7

This line gives the ID number of the device that generated the discovery event. The device ID is 1.

8

This line is for the legacy (IPv4) IP address. It contains all zeros as it is not populated and the IPv4 address is stored in the IPv6 field.

9

This line contains the MAC address of the host involved in the event. The MAC address is 00:00:00:00:00:00.

10

The first 16 bits of this line contain the remainder of the MAC address. The next 8 bits are a flag which indicates whether the host has an IPv6 address. The last 8 bits are empty and reserved for future use.

11

This line contains the Unix timestamp for when the event occurred.

12

This line contains the event microsecond. In this case, that is 0.

13

This line contains the event type. The type here is 1003.

14

This line contains the event subtype. In this case the event subtype is 1, which in concert with the event type 1003 means it is a Connection Statistics event.

15

This line is used for the File Number. It is for internal use only.

16

This line is used for the File Position. It is for internal use only.

17

This line contains the IPv6 address. This field is present and used if the Has IPv6 flag is set. In this case it contains the IPv6 address 0:3eb:0:1:d184:fb57:8ba:c00.

18

This line contains the block type. The value is 163, indicating a Connection Statistics Data Block type.

19

This line contains the length of the data block, indicating that it contains 644 bytes of data.

20

This line gives the ID number of the device that generated the discovery event. The device ID is 1.

21

This contains the ingress security zone. The zone is 59e4505c-4493-11e6-a62d-f1dff731a85.

22

This contains the egress security zone. The zone is 60d50c80-4493-11e6-9843-84d8d6a3e008.

23

This contains the ingress interface. The interface is 599126de-4493-11e6-a62d-f1dff731a85e.

24

This contains the egress interface. The interface is 608d6cf4-4493-11e6-9843-84d8d6a3e008.

25

This line contains the IP address of the host that initiated the session described in the connection event. This IP address is 172.16.3.5.

26

This line contains the IP address of the host that responded to the initiating host. This IP address is 72.48.149.244.

27

The IP address of the host behind the proxy that originated the request. This is blank in this example.

28

This line contains the revision number of the rule associated with the triggered correlation event. The revision number is 00000000-0000-0000-0000-000057e9c39d.

29

This contains the internal identifier of the rule that triggered the event. This rule is 268439603.

30

This line contains the internal identifier for the tunnel rule that triggered the event. As this event was not triggered by a tunnel rule, the value is 0.

31

The first two bytes of this line contain the action specified by the rule. In this case the value is 4, indicating that the action was Block. The last two bytes contain the rule reason, in this case 64 which means Intrusion Block.

32

The first two bytes contain the rest of the rule reason. The second two bytes contain the port used by the initiator host, 43786.

33

The first two bytes of this line contain the responder port, 443. The remaining two bytes contain the TCP flags.

34

The first byte of this line contains the protocol, 6, which indicates this event occured over TCP. The remaining 24 bites contain the first part of the IP address of the Netflow source, which is 00000000-0000-0000-0000-000000000000

35

The first byte of this line contains the last 8 bits of the Netflow source. The next two bytes contain the identifier of the Snort instance which generated the event, 7. The remaining byte contains the connection counter.

36

The first byte of this line contains the remaining portion of the connection counter. The last 24 bits contain the beginning of the Unix timestamp of the first packet exchanged in the session. This timestamp is 1476103731, indicating a time of Monday, October 10, 2016 8:48:51 AM.

37

The first byte contain the rest of the First Packet Timestamp. The remaining three bytes contain the timestamp of the last packet to be exchanged in the session, which also gives a time of Monday, October 10, 2016 8:48:51 AM, showing that the session lasted less than one second.

38

The first byte of this line contains the last 8 bits of the last packet timestamp. The remaining 24 bits contains the number of packets transmitted by the initiating host, 13 in this case.

39

The first byte in this line is the remainder of the initiator transmitted packets. The next 24 bits contain the number of packets transmitted by the responder, 0.

40

The first byte in this line is the remainder of the responder transmitted packets. The next 24 bits contain the number of bytes transmitted by the initiator, 1743.

41

The first byte is the last of Initiator Transmission bytes, the remaining 24 bits begins Responder Transmission bytes, which is 0.

42

The first byte is the last of Responder Transmission bytes, the remaining 24 bits begins Initiator Packets Dropped, which is 0.

43

The first byte is the last of Initiator Packets Dropped, the remaining 24 bits begins Responder Packets Dropped, which is 0.

44

The first byte is the last of Responder Packets Dropped, the remaining 24 bits begins Initiator Bytes Dropped, which is 0.

45

The first byte is the last of Initiator Bytes Dropped, the remaining 24 bits begins Responder Bytes Dropped, which is 0.

46

The first byte is the last of Responder Bytes Dropped, the remaining 24 bits begins the name of the interface on which rate limiting is applied, which is 00000000-0000-0000-0000-000000000000.

47

The first byte of this line is the remainder of the QOS Applied Interface. The rest is the QOS Rule applied to the connection; as there is not QOS rule applied to this interface, the ID is 0.

48

The first byte of this line is the remainder of the QOS Rule ID. The rest is the ID number, 16466, of the last user to log in to the host that generated the traffic.

49

The first byte of this line is the remainder of the User ID. The rest is the ID of the application protocol used in the connection, 1122 which indicates it is an HTTPS connection.

50

The first byte of this line is the remainder of the Application Protocol ID. The rest is the URL Category.

51

The first byte of this line is the remainder of the URL Category. The rest is the URL Reputation, which is 0 meaning “ Risk Unknown ”.

52

The first byte of this line is the remainder of the URL Reputation. The rest is the Client Application ID, which is 1296, meaning “ SSL Client ”.

53

The first byte of this line is the remainder of the Client Application ID. The rest is the Web Application ID, which is 0 meaning “ Unknown ”.

54

The first byte of this line is the remainder of the Web Application ID. The rest of the line begins the block type 0, which indicates the beginning of a string block type.

55

The first byte of this line is the remainder of the String Block Type. The rest is the block length, which shows that the Client Application URL contains 8 bytes including the header and length, meaning that there is no data in the Client Application URL.

56

The first byte of this line is the remainder of the string block length. As there is no data in the Client Application URL, the rest of this line begins block type 0, indicating the beginning of a string block type for the NetBIOS name.

57

The first byte of this line is the remainder of the String Block Type. The rest is the block length, which shows that the NetBIOS name contains 8 bytes including the header and length, meaning that there is no data in the NetBIOS name.

58

The first byte of this line is the remainder of the string block length. As there is no data in the NetBIOS name, the rest of this line begins block type 0, indicating the beginning of a string block type for the Client Application Version.

59

The first byte of this line is the remainder of the String Block Type. The rest is the block length, which shows that the Client Application Version contains 8 bytes including the header and length, meaning that there is no data in the Client Application Version.

60

This line contains the remaining byte of the Client Application Version Block Length. The last three bytes are the ID of the first monitor rule associated with the connection event, 268439553.

61

This line contains the last byte of the ID of the first monitor rule. The remaining three bytes are the ID of the second monitor rule, which is 0.

62

This line contains the last byte of the ID of the second monitor rule. The remaining three bytes are the ID of the third monitor rule, which is 0.

63

This line contains the last byte of the ID of the third monitor rule. The remaining three bytes are the ID of the fourth monitor rule, which is 0.

64

This line contains the last byte of the ID of the fourth monitor rule. The remaining three bytes are the ID of the fifth monitor rule, which is 0.

65

This line contains the last byte of the ID of the sixth monitor rule. The remaining three bytes are the ID of the seventh monitor rule, which is 0.

66

This line contains the last byte of the ID of the seventh monitor rule. The remaining three bytes are the ID of the eighth monitor rule, which is 0.

67

This line contains the last byte of the ID of the eighth monitor rule. The second byte in this line indicates whether the source or destination IP address matched the IP block list. The third byte in this line is the IP layer that matched the IP block list. The final byte begins the file event count, which is 0.

68

The first byte of this line is the remaining file event count. The next two bytes contain the intrusion event count. The last byte contains the initiator country, in this case 0 for “ unknown ”.

69

The first byte of this line is the second byte of the initiator country. The next two bytes are the responder country, 840. The last byte begins the original client country, in this case 0 for “ unknown ”.

70

The first byte of this line is the end of the original client country. The Next two bytes are the IOC number, 0. The last byte is the first byte of the Source Autonomous System, which is 0.

71

The first three bytes of this line are the Source Autonomous System. The last byte is the first byte of the Destination Autonomous System, which is 0.

72

The first three bytes of this line are the Destination Autonomous System. The last byte is the SNMP Index of the input interface, which is 0.

73

The first byte of this line is the SNMP Index of the input interface. The next two bytes are the SNMP index of the output interface, which is 0. The last byte in this line is the Type of Service setting for the incoming interface, 0.

74

The first byte of this line is the Type of Service setting for the outgoing interface, 0. The second byte is the source mask, 0. The third byte is the destination mask, 0. The last byte is the beginning of the ID number for the security context which the traffic passed through. In this case the Security Context is 00000000-0000-0000-0000-000000000000.

75

The first three bytes of this line are the remainder of the security context. The last byte is the VLAN ID, which is 0.

76

The first byte is the VLAN ID. The last three bytes start a string block with a value of 0. This string block contains the name of the referenced host.

77

The first byte is the remainder of the string block type. The last three bytes give the total length of the string block, including the bock type and length, which is 8 bytes meaning that there is no data in the string block as there is no referenced host.

78

The first byte is the rest of the string block length. The last three bytes start a string block with a value of 0. This string block contains the user agent.

79

The first byte is the remainder of the string block type. The last three bytes give the total length of the string block, including the block type and length, which is 8 bytes meaning that there is no data in the string block as there is no user agent.

80

The first byte is the rest of the string block length. The last three bytes start a string block with a value of 0. This string block contains the HTTP referrer.

81

The first byte is the remainder of the string block type. The last three bytes give the total length of the string block, including the bock type and length, which is 8 bytes meaning that there is no data in the string block as there is no HTTP referrer.

82

The first byte of this line contains the last of the string block length. The last three bytes contain the SSL Certificate fingerprint, which is 00000000000000000000.

83

The first byte if this line contains the last of the SSL Certificate Fingerprint ID. The rest of this line contains the SSL Policy ID, which is 00000000-0000-0000-0000-000000000000.

84

The first byte of this line is the end of the SSL Policy ID. The remaining three bytes are the SSL Rule ID, which is 0.

85

The first byte of this line is the rest of the SSL Rule ID. The next two bytes are the SSL Cipher Suite, which is 0, meaning TLS_NULL_WITH_NUL_NULL. The last byte is the SSL Version, which is 0.

86

This line contains the SSL Server Certificate Status, which is 0, meaning Not Checked.

87

The first two bytes of this line are the SSL Actual Action, which is 0 meaning Unknown. The next two bytes are the SSL Expected Action, which is 0 meaning Unknown.

88

The first two bytes of this line are the SSL Flow Status, which is 0 meaning Unknown. The next two bytes are the SSL Flow Error, which is 0 meaning Unknown.

89

The first two bytes of this line are the rest of the SSL Flow Error. The next two bytes are the SSL Flow Messages which are 0.

90

The first two bytes of this line are the SSL Flow Messages. The next two bytes are the SSL Flow Flags, which are 0.

91

The first two bytes of this line are the rest of the SSL Flow Flags. The next two bytes begin a string block, type 0, for the SSL Server name.

92

The first two bytes of this line finish the string block type, the next two bytes contain the string block length. The block length is 8 including the block type and length, meaning the string block contains no data.

93

The first two bytes contain the rest of the string block length. The next two bytes contain the SSL URL Category, which is 0 meaning Unknown.

94

The first two bytes of this line contain the rest of the SSL URL Category. The next two bytes begin the SSL Session ID, which is 00000000000000000000000000000000.

95

The first byte of this line contain the end of the SSL Session ID. The next byte contains the length of the SSL Session ID, which is 0. The next two bytes begin the SSL Ticket ID, which is 00000000000000000000.

96

The first two bytes of this line contain the end of the SSL Ticket ID. The third byte contains the SSL Ticket ID length which is 0. The last byte begins the Network Analysis Policy Revision, which is 4e78cb70-7842-11e6-a99b-cdb19cb553fd.

97

The first three bytes of this line contain the end of the Network Analysis Policy Revision. The last byte begins the Endpoint Profile ID, which is 0.

98

The first three bytes of this line are the Endpoint Profile ID. The remaining byte begins the Security Group ID, which is 0.

99

The first three bytes of this line are the Security Group ID. The remaining byte begins the Location IPv6, the IP Address of the interface communication with ISE, which is empty.

100

The first three bytes of this line end the Location IPv6. The remaining byte begins the HTTP Response, which is 0 meaning there was not HTTP Response.

101

The first three bytes of this line end the HTTP Response. The remaining byte begins a string block, which is type 0, for the DNS Query.

102

The first three bytes complete the string block type. The remaining byte contains the string block length which is 8 bytes including the block type and length, meaning there is no data in the DNS Query.

103

The first three bytes end the string block length. The remaining byte in this line begins the DNS Record Type, which is 71.

104

The first byte in this line ends the DNS Record type. The next two bytes are the DNS Response Type which is 0. The last byte begins the DNS TTL.

105

The first three bytes in this line are the DNS TTL. The last byte begins the Sinkhole UUID, which is 00000000-0000-0000-0000-000000000000.

106

The first three bytes of this line end the Sinkhole UUID. The last byte begins the first Security Intelligence List, which is 0.

107

The first three bytes in this line end the first Security Intelligence List. The last byte begins the second Security Intelligence List, which is 0.

Example of a Version 5.1+ User Event

The following diagram shows an example user event record:

 

Byte

0

1

2

3

Bit

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

2

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

1

1

0

0

1

3

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

1

1

1

1

4

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

1

0

0

1

5

0

1

0

1

0

0

1

1

0

0

1

1

0

0

0

0

0

1

1

1

1

1

0

0

0

0

1

0

1

0

0

1

6

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

7

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

8

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

9

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

10

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

11

0

1

0

1

0

0

1

0

1

1

1

0

1

1

1

1

1

1

1

1

0

0

0

1

0

1

1

1

0

0

1

1

12

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

0

0

0

1

1

0

0

1

0

0

1

1

1

1

13

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

1

1

0

1

1

0

0

14

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

15

0

1

1

1

0

0

1

1

1

1

1

1

0

0

0

1

1

1

1

0

1

1

1

1

0

1

0

1

0

0

1

0

16

0

0

0

1

0

0

0

1

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

17

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

 

0

0

0

0

1

0

1

0

0

0

0

0

0

1

0

0

0

0

0

0

1

1

1

1

0

1

1

1

1

0

0

0

18

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

1

1

1

1

19

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

0

0

0

1

20

0

1

0

1

0

0

1

0

1

1

1

0

1

1

1

1

1

1

1

1

0

0

0

1

0

1

1

1

0

0

1

1

21

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

22

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

23

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

24

0

0

1

0

0

0

0

0

0

0

1

1

0

0

1

1

0

0

1

1

0

0

0

0

0

0

1

1

0

0

0

1

 

0

1

0

0

0

0

0

0

0

0

1

1

0

0

0

1

0

0

1

1

0

0

0

0

0

0

1

0

1

1

1

0

 

0

0

1

1

0

1

0

0

0

0

1

0

1

1

1

0

0

0

1

1

0

0

0

1

0

0

1

1

0

0

0

1

 

0

0

1

0

1

1

1

0

0

0

1

1

0

0

0

1

0

0

1

1

0

1

1

1

0

0

1

1

0

1

0

1

25

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

1

26

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

1

0

1

0

1

0

27

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

28

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

29

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

 

0

0

0

0

1

0

1

0

0

0

0

0

0

1

0

0

0

0

0

0

1

1

1

1

0

1

1

1

1

0

0

0

30

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

31

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

In the preceding example, the following information appears:

 

Number
Description

1

The first two bytes of this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (that is, message type four).

2

This line indicates that the message that follows is 153 bytes long.

3

The first bit of this is a flag indicating that the header is an extended header containing an archive timestamp. The next 15 bits are an optional field containing the Netmap ID for the domain on which the event was detected. The remainder of the line indicates a record type value of 95, which represents a user information update message block.

4

This line indicates that the data that follows is 137 bytes long.

5

This line contains the archive timestamp. It is included since bit 23 was set. The timestamp is a Unix timestamp, stored as seconds since 1/1/1970. This time stamp is 1,391,789,354, which is Mon Feb  3 19:43:49 2014.

6

This line contains zeros and is reserved for future use.

7

This line indicates that the detection engine ID is 3.

8

This line is for the legacy (IPv4) IP address. It contains all zeros as it is not populated and the IPv4 address is stored in the IPv6 field.

9

This line contains the MAC address associated with the event. As there is no MAC address, it contains zeros.

10

The first half of this line is the remainder of the MAC address, which is zeros. The next byte indicates the presence of an IPv6 address. The last byte in this line is reserved for future use and contains zeros.

11

This line contains the UNIX timestamp (seconds since 01/01/1970)

that the system generated the event.

12

This line contains the microsecond (one millionth of a second) increment that the system generated the event.

13

This line contains the event type. This has a value of 1004, which indicates a user modification message.

14

This line contains the event subtype. This has a value of 2, which indicates a user login event.

15

This line contains the serial file number. This field is for internal use and can be disregarded.

16

This line contains the event’s position in the serial file. This field is for internal use and can be disregarded.

17

This line contains the IPv6 address. This field is present and used if the Has IPv6 flag is set. In this case, however, it contains the IPv4 address 10.4.15.120.

18

This line initiates a User Login Information data block, indicated by block type 127.

19

This line indicates that the block that follows is 81 bytes long.

20

This line indicates that the user login timestamp is 1,391,456,7, which means it was generated at Mon, 03 Oct 2014 19:43:47 GMT.

21

This line is for the legacy (IPv4) IP address. It contains all zeros as it is not populated and the IPv4 address is stored in the IPv6 field.

22

This line indicates that a string block follows, containing a string block length and a text string which, in this case, contains the user name. For more information about string blocks, see String Data Block.

23

This line indicates that the length of the data in the string block is 16 bytes.

24

This line indicates that the name of the user is “ 301@10.4.11.175.”

25

The line indicates the ID number of the user.

26

This line indicates the application ID for the application protocol used in the connection that the login information was derived from.

27

This line indicates that a string block follows, containing a string block length and a text string which, in this case, contains the email address. For more information about string blocks, see String Data Block.

28

This line indicates that the length of the data in the string block is 0 bytes. This is because there is no email address associated with this user.

29

This line contains IP address from the host where the user was detected logging in.

30

The first bye contains the login type. The remainder of this line indicates that a string block follows, containing a string block length and a text string which, in this case, contains the name of the Active Directory server reporting a login. For more information about string blocks, see String Data Block.

31

The first byte of this line completes the initiation of the string data block.This remainder of this line indicates that the length of the data in the string block is 0 bytes. This is because there is no Active Directory server associated with this login.

Discovery Data Structure Examples

This section contains examples of data structures that may be transmitted by eStreamer for discovery events. The following examples are provided:

Example of a New Network Protocol Message

The following diagram illustrates a sample new network protocol message for 3.0+:

Byte

0

1

2

3

 

Bit

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

 

Header Version 1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

Start Standard Message Header with Event Msg (4)

 

Message Length (49B)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

0

0

1

 

New NW Protocol Msg (13)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

1

 

Msg Length 41B)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

1

0

1

0

0

0

 

Detection Engine ID (2)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

 

IP (192.168.1.10)

1

1

0

0

0

0

0

0

1

0

1

0

1

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

1

0

1

0

 

MAC Address (none)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

Reserved Bytes (0)

Unix Sec (1047242787)

0

0

1

1

1

1

1

0

0

1

1

0

1

0

1

1

1

0

1

0

1

0

0

0

0

0

1

0

0

0

1

1

 

Unix MSec (973208)

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

0

1

1

0

1

1

0

0

1

1

0

0

1

1

0

0

0

 

Reserved Bytes (0)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

1

1

0

1

0

0

0

Event Type 1000—New

EventSub 4-New Trans Prot

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

 

File Number

0

1

0

0

0

0

0

0

0

1

0

0

0

1

1

1

1

0

0

0

1

0

0

1

1

1

0

1

0

0

0

1

 

File Position

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

0

0

0

0

0

End Standard Message Header

Protocol (6—TCP)

0

0

0

0

0

1

1

0

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Example of a New TCP Server Message

The following diagram illustrates a sample new TCP server message for 3.0:

 

Byte

0

1

2

3

 

Bit

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

 

Header Version 1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

Start Standard Message Header with Event Msg (4)

Message Length (256B)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

 

New TCP Svc Msg (11)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

1

 

Msg Length (248B)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

1

1

0

0

0

 

Detection Engine ID (2)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

 

IP (192.168.1.10)

1

1

0

0

0

0

0

0

1

0

1

0

1

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

1

0

1

0

 

MAC Address (none)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

Reserved Bytes (0)

Unix Sec (1047242787)

0

0

1

1

1

1

1

0

0

1

1

0

1

0

1

1

1

0

1

0

1

0

0

0

0

0

1

0

0

0

1

1

 

Unix MSec (973208)

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

0

1

1

0

1

1

0

0

1

1

0

0

1

1

0

0

0

 

Reserved Bytes (0)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

1

1

0

1

0

0

0

Event Type 1000—New

Event Subtype 2 -New Host

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

 

File Number

0

1

0

0

0

0

0

0

0

1

0

0

0

1

1

1

1

0

0

0

1

0

0

1

1

1

0

1

0

0

0

1

 

File Position

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

0

0

0

0

0

End Standard Message Header

Server Block Header (12)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

0

Start Server Data Block

Server Length (208B)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

1

0

0

0

0

 

Server Port (80)

0

0

0

0

0

0

0

0

0

1

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

Hits

Hits (1)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

String Block Header

String Block Header (0)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

String Block Length

String Block Length (13B)

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

1

0

1

1

0

1

0

0

0

0

1

1

1

0

1

0

0

 

Server Name ( https)

0

1

1

1

0

1

0

0

0

1

1

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

String Block Header

String Block Header (0)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

String Block Length

String Block Length (15B)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

1

0

1

0

0

0

0

0

1

 

Server Vendor ( Apache + null byte)

0

1

1

1

0

0

0

0

0

1

1

0

0

0

0

1

0

1

1

0

0

0

1

1

0

1

1

0

1

0

0

0

 

0

1

1

0

0

1

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

String Block Header

String Block Header (0)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

String Block Length

String Length (8-no product)

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

String Block Header

String Block Header (0)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

String Block Length

String Block Length (22B)

0

0

0

0

0

0

0

0

0

0

0

1

0

1

1

0

0

0

1

1

0

0

0

1

0

0

1

0

1

1

1

0

 

 

Version - 1.3.26 (Unix)

 

0

0

1

1

0

0

1

1

0

0

1

0

1

1

1

0

0

0

1

1

0

0

1

0

0

0

1

1

0

1

1

0

 

0

0

1

0

0

0

0

0

0

0

1

0

1

0

0

0

0

1

0

1

0

1

0

1

0

1

1

0

1

1

1

0

 

0

1

1

0

1

0

0

1

0

1

1

1

1

0

0

0

0

0

1

0

1

0

0

1

0

0

0

0

0

0

0

0

 

List Block Header (11)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

1

Start Sub-server List

List Block Size (94B)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

1

1

1

0

 

Sub-server Hdr (1)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

Start Sub-server Block

Sub-server Len (46B)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

1

1

0

 

String Block Header (0)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

String Length (16B)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

 

Sub-server Name - mod_ssl

0

1

1

0

1

1

0

1

0

1

1

0

1

1

1

1

0

1

1

0

0

1

0

0

0

1

0

1

1

1

1

1

 

0

1

1

1

0

0

1

1

0

1

1

1

0

0

1

1

0

1

1

0

1

1

0

0

0

0

0

0

0

0

0

0

 

String Block Header (0)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

String Block Len (8B)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

(No subtype vendor)

String Block Header (0)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

 

String Block Length (14B)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

1

0

 

Sub-server Version - 2.8.9 + null character

0

0

1

1

0

0

1

0

0

0

1

0

1

1

1

0

0

0

1

1

1

0

0

0

0

0

1

0

1

1

1

0

End Sub-server Block

0

0

1

1

1

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

Start Sub-server Block

Sub-server Hdr (1)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

Sub-server Length

Sub-server Length (48B)

0

0

0

0

0

0

0

0

0

0

1

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

String Block Header

String Block Header (0)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

String Block Size

String Block Size (16B)

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

1

0

0

1

1

1

1

0

1

1

1

0

0

0

0

 

Sub-server Name - OpenSSL

0

1

1

0

0

1

0

1

0

1

1

0

1

1

1

0

0

1

0

1

0

0

1

1

0

1

0

1

0

0

1

1

 

0

1

0

0

1

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

String Block Header

String Block Header (0)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

String Data Length

String Length (8-no vendor)

0

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

String Block Header

String Block Hdr (0)

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

String Block Length

String Block Len (16B)

0

0

0

0

0

0

0

0

0

0

0

1

0

0

0

0

0

0

1

1

0

0

0

0

0

0

1

0

1

1

1

0

 

Sub-server Version - 0.9.6.d + null byte

0

0

1

1

1

0

0

1

0

0

1

0

1

1

1

0

0

0

1

1

0

1

1

0

0

0

1

0

1

1

1

0

End Sub-server Block

0

1

1

0

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

Confidence %

Confidence % (100)

0

0

0

0

0

0

0

0

0

1

1

0

0

1

0

0

0

0

1

1

1

1

1

0

0

1

1

0

1

0

1

1

Last used

Last Used (1047242787)

1

0

1

0

1

0

0

0

0

0

1

0

0

0

1

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

Blob Data Block

Blob Data Block (10)

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

Blob Data Length

Blob Data Length (22B)

0

0

0

0

0

0

0

0

0

0

0

1

0

1

1

0

0

1

0

0

1

0

0

0

0

1

0

1

0

1

0

0

 

 

 

 

Server Banner (HTTP/1.1 414 Reque) -Server banner shortened for example, typically 256B.

0

1

0

1

0

1

0

0

0

1

0

1

0

0

0

0

0

0

1

0

1

1

1

1

0

0

1

1

0

0

0

1

 

0

0

1

0

1

1

1

0

0

0

1

1

0

0

0

1

0

0

1

0

0

0

0

0

0

0

1

1

0

1

0

0

 

0

0

1

1

0

0

0

1

0

0

1

1

0

1

0

0

0

0

1

0

0

0

0

0

0

1

0

1

0

0

1

0

 

0

1

1

0

0

1

0

1

0

1

1

1

0

0

0

1

0

1

1

1

0

1

0

1

0

1

1

0

0

1

0

1

End Server Data Block