Data Structure Examples
This appendix contains data structure examples for selected intrusion, correlation, and discovery events. Each example is displayed in binary format to clearly display how each bit is set.
Intrusion Event Data Structure Examples
This section contains examples of data structures that may be transmitted by eStreamer for intrusion events. The following examples are provided:
- Example of an Intrusion Event for the Defense Center 5.3+
- Example of an Intrusion Impact Alert
- Example of a Packet Record
- Example of a Classification Record
- Example of a Priority Record
- Example of a Rule Message Record
- Example of a Version 5.1+ User Event
Example of an Intrusion Event for the Defense Center 5.3+
The following diagram shows an example event record:
In the preceding example, the following event information appears:
Example of an Intrusion Impact Alert
The following diagram shows an example intrusion impact alert record:
In the preceding example, the following information appears:
| | |
|---|---|
| | The first two bytes of this line indicate the standard header value of |
| | This line indicates that the message that follows is |
| | This line indicates a record type value of |
| | This line indicates that the data that follows is |
| | This line contains a value of |
| | This line indicates that the length of the impact alert block, including the impact alert block header, is |
| | This line indicates that the event identification number is |
| | This line indicates that the event is collected from device number |
| | This line indicates that the event occurred at second |
| | This line indicates that |
| | This line indicates that the IP address associated with the violation event is |
| | This line indicates that there is no destination IP address associated with the violation (values are set to |
| | This line indicates that a string block follows, containing a string block length and a text string which, in this case, contains the impact name. For more information about string blocks, see String Data Block. |
| | This line indicates that the total length of the string block, including the string block indicator and length, is |
| | This line indicates that the description of the impact is “Vulnerable.” |
Example of a Packet Record
The following diagram shows an example packet record:
In the preceding example, the following packet information appears:
Example of a Classification Record
The following diagram shows an example classification record:
In the preceding example, the following event information appears:
Example of a Priority Record
The following example shows a sample priority record:
In the preceding example, the following event information appears:
Example of a Rule Message Record
The following example shows a sample rule record:
In the preceding example, the following event information appears:
Example of a Version 5.1+ User Event
The following diagram shows an example user event record:
In the preceding example, the following information appears:
| | |
|---|---|
| | The first two bytes of this line indicate the standard header value of |
| | This line indicates that the message that follows is |
| | This line indicates a record type value of |
| | This line indicates that the data that follows is |
| | This line contains the archive timestamp. It is included because bit 23 was set. The timestamp is a Unix timestamp, stored as seconds since 1/1/1970. This timestamp is |
| | This line is for the legacy (IPv4) IP address. It contains all zeros because it is not populated; the IPv4 address is stored in the IPv6 field. |
| | This line contains the MAC address associated with the event. As there is no MAC address, it contains zeros. |
| | The first half of this line is the remainder of the MAC address, which is zeros. The next byte indicates the presence of an IPv6 address. The last byte in this line is reserved for future use and contains zeros. |
| | This line contains the UNIX timestamp (seconds since 01/01/1970) |
| | This line contains the microsecond (one millionth of a second) increment at which the system generated the event. |
| | This line contains the event type. This has a value of |
| | This line contains the event subtype. This has a value of |
| | This line contains the serial file number. This field is for internal use and can be disregarded. |
| | This line contains the event’s position in the serial file. This field is for internal use and can be disregarded. |
| | This line contains the IPv6 address. This field is present and used if the Has IPv6 flag is set. In this case, however, it contains the IPv4 address |
| | This line initiates a User Login Information data block, indicated by block type |
| | This line indicates that the block that follows is |
| | This line indicates that the user login timestamp is |
| | This line is for the legacy (IPv4) IP address. It contains all zeros because it is not populated; the IPv4 address is stored in the IPv6 field. |
| | This line indicates that a string block follows, containing a string block length and a text string which, in this case, contains the user name. For more information about string blocks, see String Data Block. |
| | This line indicates that the length of the data in the string block is |
| | This line indicates that the name of the user is “ |
| | This line indicates the application ID for the application protocol used in the connection from which the login information was derived. |
| | This line indicates that a string block follows, containing a string block length and a text string which, in this case, contains the email address. For more information about string blocks, see String Data Block. |
| | This line indicates that the length of the data in the string block is |
| | This line contains the IP address of the host on which the user was detected logging in. |
| | The first byte contains the login type. The remainder of this line indicates that a string block follows, containing a string block length and a text string which, in this case, contains the name of the Active Directory server reporting a login. For more information about string blocks, see String Data Block. |
| | The first byte of this line completes the initiation of the string data block. The remainder of this line indicates that the length of the data in the string block is |
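Both walkthroughs above (the impact alert and the user event) end in String Data Blocks whose length field counts its own 8-byte header, and the user event carries an IPv4 address inside the IPv6 field. The parser below is an added example written for this page; it is not code from the eStreamer guide or from Cisco. It assumes the layouts stated in its comments (an 8-byte message header of version, type and length; an 8-byte record header of type and length; block type 0 for a string block; the IPv4 address in the IPv6 field carried in `::ffff:a.b.c.d` mapped form; header version 1, message type 4 and record type 9 as constants), and its sample message is constructed, with a hypothetical 4-byte fixed field in front of the string block. The point for anyone consuming this feed: every length field is checked against the bytes actually present before it is used, because a block length below 8 would stall a loop over blocks on the same bytes, and an oversized one would read past the record.

```python
import struct
import ipaddress

# Assumed layouts, all big-endian (eStreamer spec as I recall it; verify them
# against the version of the guide you implement):
MESSAGE_HEADER = struct.Struct("!HHI")  # header version, message type, message length
RECORD_HEADER = struct.Struct("!II")    # record type, record length
BLOCK_HEADER = struct.Struct("!II")     # block type, block length (counts these 8 bytes)
STRING_BLOCK_TYPE = 0                   # assumption: block type of a String Data Block
HEADER_VERSION = 1                      # assumption: the "standard header value"
MSG_TYPE_EVENT_DATA = 4                 # assumption: message type of event data
REC_TYPE_IMPACT_ALERT = 9               # assumption: record type of an impact alert


class EStreamerParseError(ValueError):
    """A length field disagrees with the bytes actually present."""


def parse_message(buf: bytes) -> dict:
    """Split one message into header fields and raw record data, checking every
    length before it is used to slice (no over-read, no hidden trailing bytes)."""
    if len(buf) < MESSAGE_HEADER.size:
        raise EStreamerParseError("short message header")
    version, msg_type, msg_len = MESSAGE_HEADER.unpack_from(buf, 0)
    if len(buf) - MESSAGE_HEADER.size < msg_len:
        raise EStreamerParseError("message truncated")
    body = buf[MESSAGE_HEADER.size:MESSAGE_HEADER.size + msg_len]
    if len(body) < RECORD_HEADER.size:
        raise EStreamerParseError("short record header")
    rec_type, rec_len = RECORD_HEADER.unpack_from(body, 0)
    # Assumption: the message body is exactly the record header plus record data.
    if rec_len != len(body) - RECORD_HEADER.size:
        raise EStreamerParseError(f"record length {rec_len} disagrees with body")
    return {"version": version, "message_type": msg_type,
            "record_type": rec_type, "record": body[RECORD_HEADER.size:]}


def parse_string_block(data: bytes, offset: int) -> tuple[str, int]:
    """Parse the String Data Block at `offset`; return (text, offset after it)."""
    if offset < 0 or len(data) - offset < BLOCK_HEADER.size:
        raise EStreamerParseError("short block header")
    block_type, block_len = BLOCK_HEADER.unpack_from(data, offset)
    if block_type != STRING_BLOCK_TYPE:
        raise EStreamerParseError(f"expected a string block, got type {block_type}")
    # The length counts its own header, so a smaller value is malformed; left
    # unchecked, a length of 0 would stall a loop over blocks on the same bytes.
    if block_len < BLOCK_HEADER.size:
        raise EStreamerParseError(f"string block length {block_len} below header size")
    end = offset + block_len
    if end > len(data):
        raise EStreamerParseError("string block runs past the end of the record")
    try:
        text = data[offset + BLOCK_HEADER.size:end].decode("utf-8")
    except UnicodeDecodeError as exc:
        raise EStreamerParseError("string block is not valid UTF-8") from exc
    return text.rstrip("\x00"), end  # strip NUL padding only, nothing else


def decode_address_field(raw16: bytes) -> str:
    """Render a 16-byte address field; an IPv4-mapped value (assumed ::ffff:a.b.c.d
    form, as when the user event stores IPv4 in the IPv6 field) becomes a dotted quad."""
    if len(raw16) != 16:
        raise EStreamerParseError("address field must be 16 bytes")
    addr = ipaddress.IPv6Address(raw16)
    return str(addr.ipv4_mapped) if addr.ipv4_mapped is not None else str(addr)


def extract_trailing_string(buf: bytes, fixed_prefix_len: int) -> str:
    """String of a record whose last field is a String Data Block after `fixed_prefix_len` bytes."""
    msg = parse_message(buf)
    text, end = parse_string_block(msg["record"], fixed_prefix_len)
    if end != len(msg["record"]):
        raise EStreamerParseError("unexpected bytes after the string block")
    return text


def is_rejected(buf: bytes, fixed_prefix_len: int) -> bool:
    """True if the parser refuses `buf`; used to exercise the length checks."""
    try:
        extract_trailing_string(buf, fixed_prefix_len)
    except EStreamerParseError:
        return True
    return False


def build_sample_message(text: str = "Vulnerable", fixed_field: int = 0) -> bytes:
    """Constructed sample, not a capture: one hypothetical 4-byte fixed field followed
    by a String Data Block, the shape the impact alert example ends with."""
    encoded = text.encode("utf-8")
    block = BLOCK_HEADER.pack(STRING_BLOCK_TYPE, BLOCK_HEADER.size + len(encoded)) + encoded
    record = struct.pack("!I", fixed_field) + block
    body = RECORD_HEADER.pack(REC_TYPE_IMPACT_ALERT, len(record)) + record
    return MESSAGE_HEADER.pack(HEADER_VERSION, MSG_TYPE_EVENT_DATA, len(body)) + body


def corrupt_block_length(buf: bytes, fixed_prefix_len: int, new_len: int) -> bytes:
    """Overwrite the sample's string block length field with `new_len`."""
    pos = MESSAGE_HEADER.size + RECORD_HEADER.size + fixed_prefix_len + 4
    return buf[:pos] + struct.pack("!I", new_len) + buf[pos + 4:]
```

`extract_trailing_string(build_sample_message(), 4)` returns `"Vulnerable"`, and `is_rejected(corrupt_block_length(build_sample_message(), 4, 0xFFFF), 4)` returns `True`; the same check also refuses a length of 0 or 3, a message truncated by one byte, and a block that does not end exactly where the record ends. The checks are written against the declared length, never the other way round, so a feed that lies about a length fails closed instead of being parsed out of alignment.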
Discovery Data Structure Examples
This section contains examples of data structures that can be transmitted by eStreamer for discovery events. The following examples are provided:
Example of a New Network Protocol Message
The following diagram illustrates a sample new network protocol message for 3.0+:
Example of a New TCP Server Message
The following diagram illustrates a sample new TCP server message for 3.0: