- Discovery and Connection Event Data Messages
- Metadata for Discovery Events
- Fingerprint Record
- Client Application Record
- Vulnerability Record
- Criticality Record
- Network Protocol Record
- Attribute Record
- Scan Type Record
- Server Record
- Source Type Record
- Source Application Record
- Source Detector Record
- Third Party Scanner Vulnerability Record
- User Record
- Web Application Record
- Intrusion Policy Name Record
- Access Control Rule Action Record Metadata
- URL Category Record Metadata
- URL Reputation Record Metadata
- Access Control Rule Reason Metadata
- IOC State Data Block for 5.3+
- IOC Name Data Block for 5.3+
- Security Intelligence Category Metadata
- Security Intelligence Source/Destination Record
- Discovery Event Header 5.2+
- Discovery and Connection Event Types and Subtypes
- Host Discovery Structures by Event Type
- New Host and Host Last Seen Messages
- Server Messages
- New Network Protocol Message
- New Transport Protocol Message
- Client Application Messages
- IP Address Change Message
- Operating System Update Messages
- IP Address Reused and Host Timeout/Deleted Messages
- Vulnerability Change Message
- Hops Change Message
- TCP and UDP Port Closed/Timeout Messages
- MAC Address Messages
- Host Identified as a Bridge/Router Message
- VLAN Tag Information Update Messages
- Change NetBIOS Name Message
- Update Banner Message
- Policy Control Message
- Connection Statistics Data Message
- Connection Chunk Message
- User Set Vulnerabilities Messages for Version 4.6.1+
- User Add and Delete Host Messages
- User Delete Server Message
- User Set Host Criticality Messages
- Attribute Messages
- Attribute Value Messages
- User Server and Operating System Messages
- User Protocol Messages
- User Client Application Messages
- Add Scan Result Messages
- New Operating System Messages
- Identity Conflict and Identity Timeout System Messages
- Host IOC Set Messages
- User Data Structures by Event Type
- String Data Block
- BLOB Data Block
- List Data Block
- Generic List Block
- Sub-Server Data Block
- Protocol Data Block
- Integer (INT32) Data Block
- Vulnerability Reference Data Block
- VLAN Data Block
- Server Banner Data Block
- String Information Data Block
- Attribute Address Data Block 5.2+
- Attribute List Item Data Block
- Attribute Value Data Block
- Full Sub-Server Data Block
- Operating System Data Block 3.5+
- Policy Engine Control Message Data Block
- Attribute Definition Data Block for 4.7+
- User Protocol Data Block
- User Client Application Data Block for 5.1.1+
- User Client Application List Data Block
- IP Address Range Data Block for 5.2+
- Attribute Specification Data Block
- Host IP Address Data Block
- MAC Address Specification Data Block
- Address Specification Data Block
- Connection Chunk Data Block for 5.1.1+
- Fix List Data Block
- User Server Data Block
- User Server List Data Block
- User Hosts Data Block 4.7+
- User Vulnerability Change Data Block 4.7+
- User Criticality Change Data Block 4.7+
- User Attribute Value Data Block 4.7+
- User Protocol List Data Block 4.7+
- Host Vulnerability Data Block 4.9.0+
- Identity Data Block
- Host MAC Address 4.9+
- Secondary Host Update
- Web Application Data Block for 5.0+
- Connection Statistics Data Block 5.3.1+
- Scan Result Data Block 5.2+
- Host Server Data Block 4.10.0+
- Full Host Server Data Block 4.10.0+
- Server Information Data Block for 4.10.x, 5.0 - 5.0.2
- Full Server Information Data Block
- Generic Scan Results Data Block for 4.10.0+
- Scan Vulnerability Data Block for 4.10.0+
- Full Host Client Application Data Block 5.0+
- Host Client Application Data Block for 5.0+
- User Vulnerability Data Block 5.0+
- Operating System Fingerprint Data Block 5.1+
- Mobile Device Information Data Block for 5.1+
- Host Profile Data Block for 5.2+
- User Product Data Block 5.1+
Understanding Discovery &
Connection Data Structures
This chapter provides details about the data structures used in eStreamer messages for discovery and connection events, as well as the metadata for those events. Discovery and connection event messages use the same general message format and series of data blocks; the differences are in the contents of data blocks themselves.
Discovery events include two sub-categories of events:
- Host discovery events, which identify new and changed hosts on your managed network, including the applications running on the hosts detected from the contents of the packets, and the host vulnerabilities.
- User events, which report the detection of new users and user activity, such as logins.
Connection events report information about the session traffic between your monitored hosts and all other hosts. Connection information includes the first and last packet of the transaction, source and destination IP address, source and destination port, and the number of packets and bytes sent and received. If applicable, connection events also report the client application and URL involved in the session.
For information about requesting discovery or connection events from the eStreamer server, see Request Flags.
For information about the general structure of eStreamer event data messages, see Understanding the Organization of Event Data Messages.
See the following sections in this chapter for more information about discovery and connection event data structures:
- Discovery and Connection Event Data Messages provides a high-level view of the structure that eStreamer uses for host discovery, user, and connection messages.
- Discovery and Connection Event Record Types describes the record types for discovery and connection events.
- Metadata for Discovery Events describes the metadata records that you can request for context information to convert numeric and coded data to text; for example, convert the user ID in an event to a user name.
- Discovery Event Header 5.2+ describes the structure of the standard event header used in all discovery and connection messages, and the values that can occur in the event type and event subtype fields. The event type and subtype fields further define the structure of the data record carried in the message.
- Host Discovery Structures by Event Type describes the structure of the data record that eStreamer uses for the various host discovery event types.
- User Data Structures by Event Type describes the structure of the data record that eStreamer uses for the various user event types.
- Understanding Discovery (Series 1) Blocks describes the series of data block structures that are used to convey complex records in discovery and connection event messages. Series 1 data blocks also appear in correlation events.
- User Vulnerability Data Block 5.0+ describes other series 1 block structures that are used to convey complex user event records.
Tip
See “Data Structure Examples” section for examples that illustrate sample discovery events.
Discovery and Connection Event Data Messages
eStreamer packages the data for discovery and connection events in the same message structure, which contains:
- a record header that defines the record type
- a discovery event header that identifies and characterizes the event, and specifically identifies the event type and subtype. For information, see Discovery Event Header 5.2+.
- a data record consisting of a block header and a data block. Discovery and connection event data messages use series 1 data blocks. For information, see Host Discovery and Connection Data Blocks or User Vulnerability Data Block 5.0+.
Discovery and Connection Event Record Types
The following table lists the event record types for host discovery and connection events, and provides links to the event message structure for each record type. The list includes metadata record types as well. Some records contain a single data block which stores a specific piece of data. These data blocks are broken up into series 1 blocks that contain most types of data, and series 2 blocks that specifically contain discovery data. The table also indicates the status of each version (current or legacy). A current record is the latest version. A legacy record has been superseded by a later version but can still be requested from eStreamer.
|
|
|
|
|
|
|
|---|---|---|---|---|---|
Metadata for Discovery Events
You request metadata by metadata version number. For the metadata version that corresponds to your version of the FireSIGHT System, see Understanding Metadata. For important information on how eStreamer streams metadata records, see Metadata Transmission.
For information on the structures of the various metadata records types for host discovery and user event records, see:
- Fingerprint Record
- Client Application Record
- Vulnerability Record
- Criticality Record
- Network Protocol Record
- Attribute Record
- Scan Type Record
- Server Record
- Source Type Record
- Source Application Record
- Source Detector Record
- Third Party Scanner Vulnerability Record
- User Record
- Web Application Record
- Intrusion Policy Name Record
- Access Control Rule Action Record Metadata
- URL Category Record Metadata
- URL Reputation Record Metadata
- Access Control Rule Reason Metadata
- IOC State Data Block for 5.3+
- Security Intelligence Source/Destination Record
For metadata records for intrusion and correlation events, see Intrusion Event and Metadata Record Types.
Fingerprint Record
The eStreamer service transmits the fingerprint metadata for an event within a Fingerprint record, the format of which is shown below. (Fingerprint metadata is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 54, indicating a Fingerprint record.
The following table describes the fields in the Fingerprint record.
Client Application Record
The eStreamer service transmits the client application metadata for an event within a Client Application record, the format of which is shown below. (Client application metadata is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 55, indicating a Client Application record.
The following table describes the fields in the Client Application record.
|
|
|
|
|---|---|---|
Vulnerability Record
The eStreamer service transmits metadata containing vulnerability information for an event within a Vulnerability record, the format of which is shown below. (Vulnerability information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 57, indicating a Vulnerability record.
The following table describes the fields in the Vulnerability record.
Criticality Record
The eStreamer service transmits metadata containing host criticality information for an event within a Criticality record, the format of which is shown below. (Criticality information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 58, indicating a Criticality record.
The following table describes the fields in the Criticality record.
|
|
|
|
|---|---|---|
Network Protocol Record
The eStreamer service transmits metadata containing network protocol information for an event within a Network Protocol record, the format of which is shown below. (Network protocol information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 59, indicating a Network Protocol record.
The following table describes the fields in the Network Protocol record.
|
|
|
|
|---|---|---|
Attribute Record
The eStreamer service transmits metadata containing attribute information for an event within an Attribute record, the format of which is shown below. (Attribute information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 60, indicating an Attribute record.
The following table describes the fields in the Attribute record.
|
|
|
|
|---|---|---|
Scan Type Record
The eStreamer service transmits metadata containing scan type information for an event within a Scan Type record, the format of which is shown below. (Scan type information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 61, indicating a Scan Type record.
The following table describes the fields in the Scan Type record.
|
|
|
|
|---|---|---|
Server Record
The eStreamer service transmits metadata containing server information for an event within a Server record, the format of which is shown below. The application ID of the server’s application protocol provides the cross-reference to the metadata. (Server information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 63, indicating a Server record.
The following table describes the fields in the Server record.
|
|
|
|
|---|---|---|
The name of the application protocol. For application ID 65535, the name is |
Source Type Record
The eStreamer service transmits metadata containing information about the source application for an event within a Source Type record, the format of which is shown below. (Source type information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 90, indicating a Source Type record.
The following table describes the fields in the Source Type record.
|
|
|
|
|---|---|---|
Source Application Record
The eStreamer service transmits metadata containing information about the source application for a host discovery event within a Source Application record, the format of which is shown below. (Source application information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 91, indicating a Source Application record.
The following table describes the fields in the Source Application record.
|
|
|
|
|---|---|---|
The number of bytes included in the source application name. |
||
Source Detector Record
The eStreamer service transmits metadata containing information about the source application for a host discovery event within a Source Type record, the format of which is shown below. (Source type information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 96, indicating a Source Detector record.
The following table describes the fields in the Source Detector record.
|
|
|
|
|---|---|---|
Third Party Scanner Vulnerability Record
The eStreamer service transmits metadata containing third-party vulnerability information for an event within a Third Party Scanner Vulnerability record, the format of which is shown below. (Vulnerability information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 106, indicating a Third Party Scanner Vulnerability record.
The following table describes the fields in the Vulnerability record.
|
|
|
|
|---|---|---|
The Common Vulnerabilities and Exposures (CVE) ID number for the vulnerability. |
||
User Record
The eStreamer service transmits metadata containing information about users detected by the system within a User record, the format of which is shown below. (User information is sent when the Version 4 metadata and the policy event request flag—bits 20 and 22, respectively, in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 98, indicating a User record.
The following table describes the fields in the User record.
|
|
|
|
|---|---|---|
Web Application Record
The system detects the content of HTTP traffic from websites, if available. Web application metadata for a host discovery event may include the specific type of content (for example, WMV or QuickTime).
The eStreamer service transmits the web application metadata for an event within a Web Application record, the format of which is shown below. (Web application metadata is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 109, indicating a Web Application record.
The following table describes the fields in the Web Application record.
|
|
|
|
|---|---|---|
Intrusion Policy Name Record
The eStreamer service transmits metadata containing intrusion policy name information for a connection event within an Intrusion Policy Name record, the format of which is shown below. (Intrusion policy name information is sent when one of the metadata flags—version 4 metadata bit 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Intrusion Policy Name record field, which appears after the Message Length field, has a value of 118, indicating an Intrusion Policy Name record. It contains a UUID String data block, block type 14 in the series 2 set of data blocks.
The following table describes the fields in the Intrusion Policy Name data block.
Access Control Rule Action Record Metadata
The eStreamer service transmits metadata containing the action associated with a triggered access control rule within an Access Control Rule Action record, the format of which is shown below. (Access Control Rule Action information is sent when the version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Access Control Rule Action record field, which appears after the Message Length field, has a value of 120, indicating an Access Control Rule Action record.
The following table describes the fields in the Access Control Rule Action record.
|
|
|
|
|---|---|---|
URL Category Record Metadata
The eStreamer service transmits metadata containing the category name associated with a URL in a connection log within a URL Category record, the format of which is shown below. (URL category information is sent when the version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the record field, which appears after the Message Length field, has a value of 121, indicating a URL Category record.
The following table describes the fields in the URL Category record.
|
|
|
|
|---|---|---|
URL Reputation Record Metadata
The eStreamer service transmits metadata containing the reputation (that is, risk level) associated with a URL in a connection log within a URL Reputation record, the format of which is shown below. (URL reputation information is sent when the version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the URL Reputation metadata record field, which appears after the Message Length field, has a value of 122, indicating a URL Reputation metadata record.
The following table describes the fields in the URL Reputation record.
|
|
|
|
|---|---|---|
Access Control Rule Reason Metadata
The eStreamer service transmits metadata containing information about the reason an access control rule triggered an intrusion event or connection event within an Access Control Rule Reason record, the format of which is shown below. Access control rule reason metadata is sent when the Version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags. Note that the Record Type field, which appears after the Message Length field, has a value of 124, indicating an Access Control Rule Reason record. It contains an Access Control Rule Reason Block (as documented in Access Control Rule Reason Data Block 5.1+). The Access Control Rule Reason data block is block type 21 in series 2.
The following table describes the fields in the Access Control Rule ID data block.
IOC State Data Block for 5.3+
The IOC State data block provides information about an Indication of Compromise (IOC). It is block type of 150 in series 1. It is used by the host tracker to store information about a compromise on a host. The following diagram shows the structure of an IOC State data block:
The following table describes the components of the IOC State data block.
IOC Name Data Block for 5.3+
This is a data block that provides the category and event type for an Indication of Compromise (IOC). The record type is 161, with a block type of 39 in series 2. It is exposed as metadata for any event that has IOC information. These include malware events, file events, and intrusion events.
The following diagram shows the structure of an IOC Name data block:
The following table describes the fields in the IOC Name data block.
Security Intelligence Category Metadata
The eStreamer service transmits metadata containing information about the Security Intelligence category within a Security Intelligence Category record, the format of which is shown below. Access control rule reason metadata is sent when the Version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags. Note that the Record Type field, which appears after the Message Length field, has a value of 280, indicating a Security Intelligence Category record. It contains a Security Intelligence Category data block (as documented in Security Intelligence Category Data Block 5.1+). The Security Intelligence data block is block type 22 in series 2.
The following table describes the fields in the Security Intelligence Category record.
Security Intelligence Source/Destination Record
The eStreamer service transmits metadata containing whether a Security Intelligence-detected IP address is a source IP address or destination IP address within a Security Intelligence Source/Destination record, the format of which is shown below. (The source/destination IP information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 281, indicating a Security Intelligence Source/Destination record.
The following table describes the fields in the Security Intelligence Source/Destination record.
Discovery Event Header 5.2+
Discovery and connection event messages contain a discovery event header. It conveys the type and subtype of the event, the time the event occurred, the device on which the event occurred, and the structure of the event data in the message. This header is followed by the actual host discovery, user, or connection event data. The structures associated with the different event type/subtype values are described in Host Discovery Structures by Event Type. This header has IPv6 support, and deprecates Discovery Event Header 5.0 - 5.1.1.x.
The event type and event subtype fields of the discovery event header identify the structure of the transmitted event message. After the structure of the event data block is determined, your program can parse the message appropriately.
The shaded rows in the following diagram illustrate the format of the discovery event header.
| eStreamer Server Timestamp (in events, only if bit 23 is set) |
||||||||||||||||||||||||||||||||
The following table describes the discovery event header.
|
|
|
|
|---|---|---|
ID number of the device that generated the discovery event. You can obtain the metadata for the device by requesting Version 3 and 4 metadata. See Managed Device Record Metadata for more information. |
||
This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information. |
||
UNIX timestamp (seconds since 01/01/1970) that the system generated the event. |
||
Microsecond (one millionth of a second) increment that the system generated the event. |
||
Event type ( |
||
Event subtype. See Host Discovery Structures by Event Type for a list of available event subtypes. |
||
Serial file number. This field is for Cisco internal use and can be disregarded. |
||
Event’s position in the serial file. This field is for Cisco internal use and can be disregarded. |
||
IPv6 address. This field is present and used if the Has IPv6 flag is set. |
Discovery and Connection Event Types and Subtypes
The values in the Event Type and Event Subtype fields identify and classify the event contained in a host discovery or user data message. They also identify the structure of the data in the message.
The following table lists the event types and event subtypes for discovery and connection events.
|
|
|
|
|---|---|---|
Tip For information about the data structure used for each event type/subtype, see Host Discovery Structures by Event Type.
Host Discovery Structures by Event Type
eStreamer builds host discovery event messages based on the event type indicated in the discovery event header. The following sub-sections describe the high-level structure for each event type:
- New Host and Host Last Seen Messages
- Server Messages
- New Network Protocol Message
- New Transport Protocol Message
- Client Application Messages
- IP Address Change Message
- Operating System Update Messages
- IP Address Reused and Host Timeout/Deleted Messages
- Vulnerability Change Message
- Hops Change Message
- TCP and UDP Port Closed/Timeout Messages
- MAC Address Messages
- Host Identified as a Bridge/Router Message
- VLAN Tag Information Update Messages
- Change NetBIOS Name Message
- Update Banner Message
- Policy Control Message
- Connection Statistics Data Message
- Connection Chunk Message
- User Set Vulnerabilities Messages for Version 4.6.1+
- User Add and Delete Host Messages
- User Delete Server Message
- User Set Host Criticality Messages
- Attribute Messages
- Attribute Value Messages
- User Server and Operating System Messages
- User Protocol Messages
- User Client Application Messages
- Add Scan Result Messages
- New Operating System Messages
- Identity Conflict and Identity Timeout System Messages
The data block diagrams in the following sections depict the different record data blocks returned in host discovery event messages.
New Host and Host Last Seen Messages
New Host and Host Last Seen event messages have a standard discovery event header and a Host Profile data block (as documented in Host Profile Data Block for 5.2+). The Host Profile data block is block type 139 in series 1.
Note that the Host Last Seen message includes server information only for servers on the host that have changed within the Update Interval set in the discovery detection policy. In other words, only servers that have changed since the system last reported information will be included in the Host Last Seen message.
Note The Host Profile data block differs depending on which system version created the message. For information on legacy versions of the Host Profile data block, see Legacy Host Data Structures.
Server Messages
The following TCP and UDP server event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Server data block (as documented in Host Server Data Block 4.10.0+, block type 103 in series 1):
- New TCP Server
- New UDP Server
- TCP Server Information Update
- UDP Server Information Update
- TCP Server Confidence Update
- UDP Server Confidence Update
Note The Server data block differs depending on which system version created the message. For information on the legacy versions of the Server data block, see Understanding Legacy Data Structures.
Each of these events uses the following format:
New Network Protocol Message
A New Network Protocol event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a two-byte field for the network protocol (using protocol values described in following table).
New Transport Protocol Message
A New Transport Protocol event message has a standard discovery event header (as documented in Discovery Event Header 5.2+, block type 4 in series 1) and a one-byte field for the transport protocol number (using values described in following table).
Client Application Messages
New Client Application, Client Application Update, and Client Application Timeout events have the same format and contain a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Client Application data block (see Host Client Application Data Block for 5.0+, block type 122 in series 1). The discovery event header has a different record type, event type, and event subtype, depending on the event transmitted.
Note The Client Application data block differs depending on the system version that created the message. For information on the legacy version of the Client Application data block, see Understanding Legacy Data Structures.
IP Address Change Message
The following host discovery messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) and two different forms, structures, one with four bytes for the IP address and one with 16 bytes for the IP address.
Four bytes are used for the IP address (in IP address octets) in the following case:
16 bytes are used for the IP address in the following cases:
Operating System Update Messages
The OS Information Update event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by an Operating System data block (as documented in Operating System Data Block 3.5+, block type 53 in series 1).
IP Address Reused and Host Timeout/Deleted Messages
The following host event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) with no other data:
- Host IP Address Reused
- Host Timeout
- Host Deleted: Host Limit Reached
- Host Dropped: Host Limit Reached
Vulnerability Change Message
A Vulnerability Change event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Vulnerability Reference data block (as documented in Vulnerability Reference Data Block, block type 8 in series 1).
Hops Change Message
A Hops Change event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a one-byte field for the hops count.
TCP and UDP Port Closed/Timeout Messages
TCP and UDP Port Closed and Port Timeout event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a two-byte field for the port number.
MAC Address Messages
MAC Information Change and Additional MAC Detected for Host messages have a standard discovery event header (as documented in Discovery Event Header 5.2+), 1 byte for the TTL value, 6 bytes for the MAC address, and 1 byte to indicate whether the MAC address was detected via ARP/DHCP traffic as the actual MAC address.
Note If you receive MAC address messages from a system running version 4.9.x, you must check for the length of the MAC address data block and decode accordingly. If the data block is 8 bytes in length (16 bytes with the header), see MAC Address Messages. If the data block is 12 bytes in length (20 bytes with the header), see Host MAC Address 4.9+.
Note that the MAC address data block header is not used within MAC Information Change and Additional MAC Detected for Host messages.
Host Identified as a Bridge/Router Message
A Host Identified as a Bridge/Router event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a four-byte field for the value that matches the host type:
VLAN Tag Information Update Messages
The VLAN Tag Information Update event has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by VLAN data block (as documented in VLAN Data Block). The VLAN Data block is block type 14 in the series 1 group of blocks.
Change NetBIOS Name Message
A Change NetBIOS Name event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a String Information data block (as documented in String Information Data Block). The String Information data block is block type 35 in series 1.
Note The Change NetBIOS Domain event is not currently generated by the FireSIGHT System.
Update Banner Message
An Update Banner event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Server Banner data block (as documented in Server Banner Data Block). The server banner data block is block type 37 in series 1.
Policy Control Message
The Policy Control Message event has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Policy Control Message data block. The format of the Policy Control Message data block differs depending on the system version. For information on policy control message data block format for the current version, see Policy Engine Control Message Data Block.
Connection Statistics Data Message
The Connection Statistics event has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Connection Statistics data block. The documentation of each version of the Connection Statistics data block includes the system versions that use it. For information on the connection statistics data block format for version 5.3.1+, see Connection Statistics Data Block 5.3.1+.
Note The Connection Statistics data block differs depending on which system version created the message. For information on legacy versions, see the Connection Statistics data block in Understanding Legacy Data Structures.
Connection Chunk Message
The Connection Chunk event has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Connection Chunk data block. The format differs depending on the system version. For information on connection chunk data block format for the current version, see Connection Chunk Data Block for 5.1.1+. The Connection Chunk data block is block type 136 in series 1.
User Set Vulnerabilities Messages for Version 4.6.1+
User Set Valid Vulnerabilities, User Set Invalid Vulnerabilities, and User Vulnerability Qualification messages use the same data format: the standard discovery event header (see Discovery Event Header 5.2+) followed by a User Vulnerability change data block (see User Vulnerability Change Data Block 4.7+, block type 80 in series 1). They are differentiated by record type, event type, and event subtype.
User Add and Delete Host Messages
The following host input event messages have the standard discovery event header (see Discovery Event Header 5.2+) followed by a User Hosts data block (see User Hosts Data Block 4.7+, block type 78 in series 1):
User Delete Server Message
User Delete Server messages have the standard discovery event header (see Discovery Event Header 5.2+) followed by a User Server List data block (see User Server List Data Block). The User Server List data block is block type 77 in series 1.
User Set Host Criticality Messages
User Set Host Criticality messages have the standard discovery event header (see Discovery Event Header 5.2+) followed by a User Criticality Change data block (see User Criticality Change Data Block 4.7+). The User Criticality Change data block is block type 81 in series 1.
Attribute Messages
The following event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by an Attribute Definition data block (as documented in Attribute Definition Data Block for 4.7+, block type 55 in series 1):
Each of these events use the following format:
Attribute Value Messages
The following event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a User Attribute Value data block (as documented in User Attribute Value Data Block 4.7+, block type 82 in series 1):
Each of these events use the following format:
User Server and Operating System Messages
The following event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a User Product data block (as documented in User Product Data Block 5.1+, block type 60 in series 1):
Each of these events use the following format:
User Protocol Messages
The following event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a User Protocol List data block (as documented in User Protocol List Data Block 4.7+, block type 83 in series 1):
Each of these events use the following format:
User Client Application Messages
The following event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a User Client Application List data block (as documented in User Client Application List Data Block, block type 60 in series 1):
Each of these events use the following format:
Add Scan Result Messages
The Add Scan Result event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Scan Results data block (as documented in Scan Result Data Block 5.2+). The Scan Result data block is block type 142 in series 1.
This event uses the following format:
New Operating System Messages
The New OS event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by an Operating System Fingerprint data block (as documented in Operating System Fingerprint Data Block 5.1+).
This event uses the following format:
Identity Conflict and Identity Timeout System Messages
The Identity Conflict and Identity Timeout event messages each have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by an Identity data block (as documented in Identity Data Block). The Identity data block is block type 94 in series 1. These messages are generated when there are conflicts or timeouts in a fingerprint source identity.
This event uses the following format:
Host IOC Set Messages
The Host IOC Set message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by an integer data block (as documented in Integer (INT32) Data Block). This integer data block contains the ID number of the IOC set for the host.
This event uses the following format:
User Data Structures by Event Type
eStreamer builds user event messages based on the event type indicated in the discovery event header. The following sub-sections describe the high-level structure for each event type:
User Modification Messages
When any of the following events occurs through system detection, a user modification message is sent:
- a new user is detected (a New User Identity event—event type 1004, subtype 1),
- a user is removed (a Delete User Identity event—event type 1004, subtype 3)
- a user is dropped (a User Identity Dropped: User Limit Reached event—event type 1004, subtype 4)
User Modification event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) and a User Information data block (as documented in User Information Data Block). The User Information data block is block type 120 in series 1.
User Information Update Message Block
When the login changes for a user (a User Login event—event type 1004, subtype 2) detected by the system, a user information update message is sent.
User Information Update event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) and a User Login Information data block (as documented in User Login Information Data Block 5.1+). The User Login Information data block is block type 121 in series 1.
Understanding Discovery (Series 1) Blocks
Most discovery and connection events incorporate one or more data blocks from the series 1 group of data structures. Each series 1 data block type conveys a particular type of information. The block type number appears in the data block header which precedes the data in the block. For information on block header format, see Data Block Header.
Series 1 Data Block Header
The series 1 data block header, like the series 2 block header, has two 32-bit integer fields that contain the block’s type number and the block length.
Note The data block length field contains the number of bytes in the entire data block, including the eight bytes of the two data block header fields.
For some block series 1 types, the block header is followed immediately by raw data. In more complex block types, the header may be followed by standard fixed length fields or by the header of a series 1 primitive block that encapsulates another series 1 data block or list of blocks.
Series 1 Primitive Data Blocks
Both series 1 and series 2 blocks include a set of primitives that encapsulate lists of variable-length blocks as well as variable-length strings and BLOBs within messages. These primitive blocks have the standard series 1 block header discussed above. These primitives appear only within other series 1 data blocks. Any number can be included in a given block type. For details on the structure of the primitive blocks, see the following:
Host Discovery and Connection Data Blocks
For the list of block types in host discovery and connection events, see Table 4-27. The block types in user events are described in Table 4-83. These are all Series 1 data blocks.
Each entry in the table below contains a link to the subsection where the data block is defined. For each block type, the status (current or legacy) is indicated. A current data block is the latest version. A legacy data block is one that is used for an older version of the product, and the message format can still be requested from eStreamer.
|
|
|
|
|
|---|---|---|---|
Contains string data. See String Data Block for more information. |
|||
Contains information about a sub-server detected on a server. See Sub-Server Data Block for more information. |
|||
Contains protocol data. See Protocol Data Block for more information. |
|||
Contains integer (numeric) data. See Integer (INT32) Data Block for more information. |
|||
Contains vulnerability data. See Vulnerability Reference Data Block for more information. |
|||
Contains a raw block of binary data and is used specifically for banners. See BLOB Data Block for more information. |
|||
Contains a list of other data blocks. See List Data Block for more information. |
|||
Contains VLAN information. See VLAN Data Block for more information. |
|||
Contains intrusion impact alert information. Intrusion impact alert events have slightly different headers than other data blocks. See Intrusion Impact Alert Data 5.3+ for more information. |
|||
Contains generic list information, for example, to encapsulate lists of blocks, such as Client Application blocks, in the Host Profile block. See Generic List Block for more information. |
|||
Contains string information. For example, when used in the Scan Vulnerability data block, the String Information data block contains the CVE identification number data. See String Information Data Block. |
|||
Contains server banner data. See Server Banner Data Block for more information. |
|||
Contains the host attribute address (as documented in earlier versions of the product). The successor block is 146. |
|||
Contains a host attribute list item value. See Attribute List Item Data Block for more information. |
|||
Contains client application information for New Client Application events (as documented for earlier versions of the product). |
|||
Contains complete host profile information (as documented in earlier versions of the product). |
|||
Contains attribute identification numbers and values for host attributes. See Attribute Value Data Block for more information. |
|||
Contains information about a sub-server detected on a server. Referenced in Full Server information blocks and in full host profiles. Includes vulnerability information for each sub-server. See Full Sub-Server Data Block for more information. |
|||
Contains operating system information for Version 3.5+. See Operating System Data Block 3.5+ for more information. |
|||
Contains information on user policy control changes. See Policy Engine Control Message Data Block for more information. |
|||
Contains information on attribute definitions. See Attribute Definition Data Block for 4.7+ for more information. |
|||
Contains information for connection statistics events in 4.7 - 4.9.0 (as documented in earlier versions of the product). |
|||
Contains protocol information from user input. See User Protocol Data Block for more information. |
|||
Contains client application data from user input. See User Client Application Data Block for 5.0 - 5.1 for more information. Superseded by block 138. |
|||
Contains lists of user client application data blocks. See User Client Application List Data Block for more information. |
|||
Contains IP address range specifications. See IP Range Specification Data Block for 5.0 - 5.1.1.x for more information. Superseded by block 141. |
|||
Contains an attribute name and value. See Attribute Specification Data Block for more information. |
|||
Contains MAC address range specifications. See MAC Address Specification Data Block for more information. |
|||
Contains lists of IP and MAC address specification blocks. See Address Specification Data Block for more information. |
|||
Contains host input data imported from a third-party application, including third-party application string mappings. See User Product Data Block for 5.0.x for more information. The successor block type 118 introduced for 5.0 has an identical structure as block type 65. |
|||
Contains connection chunk information. See Connection Chunk Data Block for 5.0 - 5.1 for more information. The successor block type 119 introduced for 5.0 has an identical structure as block type 66. |
|||
Contains a fix that applies to a host. See Fix List Data Block for more information. |
|||
Contains results from an Nmap scan (as documented in earlier versions of the product). |
|||
Contains results from a third-party scan (as documented in earlier versions of the product). |
|||
Contains server information from a user input event. See User Server Data Block for more information. |
|||
Contains lists of user server blocks. See User Server List Data Block for more information. |
|||
Contains information about host ranges from a user host input event. See User Hosts Data Block 4.7+ for more information. |
|||
Contains information about a vulnerability for a host or hosts (as documented in earlier versions of the product). The successor block introduced for version 5.0 has block type 124. |
|||
Contains lists of deactivated or activated vulnerabilities. See User Vulnerability Change Data Block 4.7+ for more information. |
|||
Contains information on criticality changes for a host or host. See User Criticality Change Data Block 4.7+ for more information. |
|||
Contains attribute value changes for a host or hosts. See User Attribute Value Data Block 4.7+ for more information. |
|||
Contains lists of protocols for a host or hosts. See User Protocol List Data Block 4.7+ for more information. |
|||
Contains vulnerabilities that apply to a host. See Host Vulnerability Data Block 4.9.0+ for more information. |
|||
Contains information on vulnerabilities detected by a scan (as documented in earlier versions of the product). |
|||
Contains lists of operating system fingerprints. See Operating System Fingerprint Data Block for 5.0 - 5.0.2 for more information. The successor block introduced for version 5.1 has block type 130. |
|||
Contains server information used in server fingerprints (as documented in earlier versions of the product). |
|||
Contains server information for a host (as documented in earlier versions of the product). |
|||
Contains server information for a host (as documented in earlier versions of the product). |
|||
Contains profile information for a host. See Host Profile Data Block for 5.2+ for more information. The successor block introduced for version 5.1 has block type 132. |
|||
Contains complete host profile information (as documented in earlier versions of the product). Supersedes data block 47. |
|||
Contains identity data for a host. See Identity Data Block for more information. |
|||
Contains MAC address information for a host. See Host MAC Address 4.9+ for more information. |
|||
Contains lists of MAC address information reported by a secondary Secondary Host Update. |
|||
Contains lists of web application data (as documented in earlier versions of the product). The successor block introduced for version 5.0 has block type 123. |
|||
Contains server information for a host (as documented in earlier versions of the product). |
|||
Contains server information for a host (as documented in earlier versions of the product). |
|||
Contains client application information for New Client Application events (as documented in earlier versions of the product). The successor block type 122 introduced for version 5.0 has the same structure as block type 100. |
|||
Contains information for connection statistics events in 4.9.1+ (as documented in earlier versions of the product). |
|||
Contains information about a vulnerability and is used within Add Scan Result events. See Scan Result Data Block 5.0 - 5.1.1.x. |
|||
Contains server information for a host. See Host Server Data Block 4.10.0+ for more information. |
|||
Contains server information for a host. See Full Host Server Data Block 4.10.0+ for more information. |
|||
Contains server information used in server fingerprints. See Server Information Data Block for 4.10.x, 5.0 - 5.0.2 for more information. The successor block type 117 introduced for 5.0 has an identical structure as block type 105. |
|||
Contains information about a server detected on a host. See Full Server Information Data Block for more information. |
|||
Contains results from an Nmap scan. See Generic Scan Results Data Block for 4.10.0+ for more information. |
|||
Contains information on vulnerabilities detected by a third-party scan. See Scan Vulnerability Data Block for 4.10.0+. |
|||
Contains complete host profile information. See Full Host Profile Data Block 5.0 - 5.0.2 for more information. Supersedes data block 92. |
|||
Contains client application information for New Client Application events and includes a list of vulnerabilities. See Full Host Client Application Data Block 5.0+ for more information. |
|||
Contains information for connection statistics events in 5.0 - 5.0.2. See Connection Statistics Data Block 5.0 - 5.0.2 for more information. The successor block introduced for version 5.1 has block type 126. |
|||
Contains server information used in server fingerprints. See Server Information Data Block for 4.10.x, 5.0 - 5.0.2 for more information. |
|||
Contains host input data imported from a third-party application, including third-party application string mappings. See User Product Data Block for 5.0.x for more information. The predecessor block type 65, superseded in 5.0, has the same structure as this block type. The successor block introduced for version 5.1 has block type 132. |
|||
Contains connection chunk information for versions 4.10.1 - 5.1. See Connection Chunk Data Block for 5.0 - 5.1 for more information. The successor block is 136. |
|||
Contains client application information for New Client Application events for version 5.0+. See Host Client Application Data Block for 5.0+ for more information. It supersedes block type 100. |
|||
Contains web application data for version 5.0+. See Web Application Data Block for 5.0+ for more information. It supersedes block type 97. |
|||
Contains information about a vulnerability for a host or hosts. See User Vulnerability Data Block 5.0+. It supersedes block type 79. |
|||
Contains information for connection statistics events in 4.10.2 (as documented in earlier versions of the product). The successor block introduced for version 5.1 has block type 115. |
|||
Contains information for connection statistics events in 5.1. See Connection Statistics Data Block 5.1 for more information. It supersedes block type 115. This block type is superseded by block type 137. |
|||
Contains lists of operating system fingerprints. See Operating System Fingerprint Data Block 5.1+ for more information. It supersedes block type 87. |
|||
Contains information about a detected mobile device’s hardware. See Mobile Device Information Data Block for 5.1+ for more information. |
|||
Contains profile information for a host. See Full Host Profile Data Block 5.2.x for more information. It supersedes block type 91. Superseded by block 139. |
|||
Contains host input data imported from a third-party application, including third-party application string mappings. See User Product Data Block 5.1+ for more information. This supersedes the predecessor block type 118. |
|||
Contains complete host profile information. See Full Host Profile Data Block 5.1.1 for more information. Supersedes data block 111. |
|||
Contains connection chunk information. See Connection Chunk Data Block for 5.1.1+ for more information. Supersedes block 119. |
|||
Contains information for connection events in 5.1.1. See Connection Chunk Data Block for 5.0 - 5.1 for more information. It supersedes block type 126. It is superseded by block type 144. |
|||
Contains client application data from user input. See User Client Application Data Block for 5.1.1+ for more information. It supersedes block type 59. |
|||
Contains profile information for a host. See Host Profile Data Block for 5.2+ for more information. It supersedes block type 132. |
|||
Contains complete host profile information. See Full Host Profile Data Block 5.3+ for more information. Supersedes data block 135. |
|||
Contains IP address range specifications. See IP Address Range Data Block for 5.2+ for more information. It supersedes block 61. |
|||
Contains information about a vulnerability and is used within Add Scan Result events. See Scan Result Data Block 5.2+. It supersedes block 102. |
|||
Contains a host’s IP address and last seen information. See Host IP Address Data Block for more information. |
|||
Contains information for connection events in 5.2.x. See Connection Statistics Data Block 5.2.x for more information. It supersedes block type 137. |
|||
Contains the host attribute address for 5.2+. See Attribute Address Data Block 5.2+ for more information. It supersedes block type 38. |
|||
Contains complete host profile information. See Full Host Profile Data Block 5.3+ for more information. Supersedes data block 135. |
|||
Contains information for connection events in 5.3+. See Connection Statistics Data Block 5.3 for more information. It supersedes block type 144. |
|||
Contains information for connection events in 5.3+. See Connection Statistics Data Block 5.3.1+ for more information. It supersedes block type 152. |
String Data Block
The String data block is used for sending string data in series 1 blocks. It commonly appears within other series 1 data blocks to describe, for example, operating system or server names.
Empty string data blocks (string data blocks containing no string data) have a block length value of 8 and are followed by zero bytes of string data. An empty string data block is returned when there is no content for the string value, as might happen, for example, in the OS vendor string field in an Operating System data block when the vendor of the operating system is unknown.
The String data block has a block type of 0 in the series 1 group of blocks.
Note Strings returned in this data block are not always null-terminated (that is, they are not always terminated with a 0).
The following diagram shows the format of the String data block:
The following table describes the fields of the String data block.
|
|
|
|
|---|---|---|
Combined length of the string data block header and string data. |
||
Contains the string data and may contain a terminating character (null byte) at the end of the string. |
BLOB Data Block
The BLOB data block can be used to convey binary data. For example, it is used to hold the server banner captured by the system. The BLOB data block has a block type of 10 in the series 1 group of blocks.
The following diagram shows the format of the BLOB data block:
The following table describes the fields of the BLOB data block.
|
|
|
|
|---|---|---|
Number of bytes in the BLOB data block, including eight bytes for the BLOB block type and length fields, plus the length of the binary data that follows. |
||
List Data Block
The List data block is used to encapsulate a list of series 1 data blocks. For example, if a list of TCP servers is being transmitted, the Server data blocks containing the data are encapsulated in a List data block. The List data block has a block type of 11 in the series 1 group of blocks.
The following diagram shows the basic format of a List data block:
The following table describes the fields of the List data block.
Generic List Block
The Generic List data block is used to encapsulate a list of series 1 data blocks. For example, when client application information is transmitted within a Host Profile data block, a list of Client Application data blocks are encapsulated by the Generic List data block. The Generic List data block has a block type of 31 in the series 1 group of blocks.
The following diagram shows the basic structure of a Generic List data block:
The following table describes the fields of the Generic List data block.
Sub-Server Data Block
The Sub-Server data block conveys information about an individual sub-server, which is a server called by another server on the same host and has associated vulnerabilities. The Sub-Server data block has a block type of 1 in the series 1 group of blocks.
The following diagram shows the format of the Sub-Server data block:
The following table describes the fields of the Sub-Server data block.
Protocol Data Block
The Protocol data block defines protocols. It is a very simple data block, with only the block type, block length, and the IANA protocol number identifying the protocol. The Protocol data block has a block type of 4 in the series 1 group of blocks.
The following graphic shows the format of the Protocol data block:
The following table describes the fields of the Protocol data block.
Integer (INT32) Data Block
The Integer (INT32) data block is used in List data blocks to convey 32-bit integer data, for example, in the Vulnerability Reference data block where it is used to transmit a list of vulnerability identification numbers.
The Integer data block has a block type of 7 in the series 1 group of blocks.
The following diagram shows the format of the integer data block:
The following table describes the fields of the Integer data block:
|
|
|
|
|---|---|---|
Number of bytes in the Integer data block. This value is always |
||
Vulnerability Reference Data Block
The Vulnerability Reference data block describes the list of vulnerabilities to which a host is subject, including the affected port, protocol, server, and list of related vulnerabilities. The Vulnerability Reference data block has a block type of 8 in the series 1 group of blocks.
Note An asterisk (*) next to a series 1 data block name in the following diagram indicates the message may contain zero or more instances of the block.
The following diagram shows the format of the Vulnerability Reference data block:
The following table describes the fields of the Vulnerability Reference data block:
|
|
|
|
|---|---|---|
Initiates a Vulnerability Reference data block. This value is always |
||
Number of bytes in the Vulnerability Reference data block, including eight bytes for the vulnerability reference block type and length fields, plus the number of bytes of vulnerability reference data that follows. |
||
Port used by the sub-server affected by the listed vulnerabilities. |
||
Initiates a String data block for the protocol affected by the listed vulnerabilities. This value is set to |
||
Number of bytes in the String data block for the protocol name, including eight bytes for the string block type and length fields, plus the number of bytes in the protocol name. |
||
Contains the name of the protocol used by the sub-server affected by the listed vulnerabilities. |
||
Initiates a String data block for the sub-server affected by the vulnerability. |
||
Number of bytes in the String data block containing the sub-server name, including eight bytes for the String block type and length fields, plus the number of bytes in the sub-server name. |
||
Contains the name of the sub-server affected by the listed vulnerabilities. |
||
Initiates a list that contains zero or more VDB vulnerability ID numbers encapsulated in Integer data blocks. |
||
Number of bytes in the vulnerability ID list, including eight bytes for the list block type and length fields, plus the number of bytes in the encapsulated Integer data blocks. |
||
Contains zero or more Integer data blocks containing vulnerability identification numbers. See Integer (INT32) Data Block for the data fields that appear in an Integer data block. |
VLAN Data Block
The VLAN data block contains VLAN tag information for a host. The VLAN data block has a block type of 14 in the series 1 group of blocks.The following diagram shows the format of the VLAN data block:
The following table describes the fields of the VLAN data block.
|
|
|
|
|---|---|---|
Number of bytes in the VLAN data block. This value is always |
||
Contains the VLAN identification number that indicates which VLAN the host is a member of. |
||
Server Banner Data Block
The Server Banner data block provides information about the banner for a server running on a host. It contains the server port, protocol, and the banner data. The Server Banner data block has a block type of 37 in the series 1 group of blocks.
The following diagram shows the format of the Server Banner data block.
Note An asterisk(*) next to a block type field in the following diagram indicates the message may contain zero or more instances of the series 1 data block.
The following table describes the fields of the Server Banner data block.
String Information Data Block
The String Information data block contains string data. For example, the String Information data block is used to convey the Common Vulnerabilities and Exposures (CVE) identification string within a Scan Vulnerability data block. The String Information data block has a block type of 35 in the series 1 group of blocks.
The following diagram shows the format of the String Information data block:
The following table describes the fields of the String Information data block.
Attribute Address Data Block 5.2+
The Attribute Address data block contains an attribute list item and is used within an Attribute Definition data block. It has a block type of 146 in the series 1 group of blocks.
The following diagram shows the basic structure of an Attribute Address data block:
The following table describes the fields of the Attribute Address data block.
Attribute List Item Data Block
The Attribute List Item data block contains an attribute list item and is used within an Attribute Definition data block. It has a block type of 39 in the series 1 group of blocks.
The following diagram shows the basic structure of an Attribute List Item data block:
The following table describes the fields of the Attribute List Item data block.
Attribute Value Data Block
The Attribute Value data block conveys attribute identification numbers and values for host attributes. An Attribute Value data block for each attribute applied to the host in the event is included in a list in the Full Host Profile data block. The Attribute Value data block has a block type of 48 in the series 1 group of blocks.
The following diagram shows the format of the Attribute Value data block:
The following table describes the components of the Attribute Value data block.
Full Sub-Server Data Block
The Full Sub-Server data block conveys information about a sub-server associated with a server detected on a host, and includes information about the sub-server such as its vendor and version and any related VDB and third-party vulnerabilities for the sub-server on the host. A sub-server is a loadable module of a server that has its own associated vulnerabilities. A Full Host Server data block includes a Full Sub-Server data block for each sub-server detected on the host. The Full Sub-Server data block has a block type of 51 in the series 1 group of blocks.
Note An asterisk (*) next to a series 1 data block name in the following diagram indicates that multiple instances of the data block may occur.
The following diagram shows the format of the Full Sub-Server data block:
The following table describes the components of the Full Sub-Server data block.
|
|
|
|
|---|---|---|
Initiates a Full Sub-Server data block. This value is always |
||
Total number of bytes in the Full Sub-Server data block, including eight bytes for the Full Sub-Server block type and length fields, plus the number of bytes in the full sub-server data that follows. |
||
Initiates a String data block containing the sub-server name. This value is always |
||
Number of bytes in the sub-server name String data block, including eight bytes for the block type and length fields, plus the number of bytes in the sub-server name. |
||
Initiates a String data block containing the sub-server vendor’s name. This value is always |
||
Number of bytes in the vendor name String data block, including eight bytes for the block type and length fields, plus the number of bytes in the sub-server vendor name. |
||
Initiates a String data block that contains the sub-server version. This value is always |
||
Number of bytes in the sub-server version String data block, including eight bytes for the block type and length fields, plus the number of bytes in the sub-server version. |
||
Initiates a Generic List data block comprising Host Vulnerability data blocks conveying VDB Vulnerability data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Host Vulnerability data blocks. |
||
Host Vulnerability data blocks containing information about host vulnerabilities identified by Cisco. See Host Vulnerability Data Block 4.9.0+ for a description of this data block. |
||
Initiates a Generic List data block comprising Host Vulnerability data blocks conveying Third-Party Scan Vulnerability data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Host Vulnerability data blocks. |
||
Host Vulnerability data blocks containing information about host vulnerabilities identified by a third-party vulnerability scanner. See Host Vulnerability Data Block 4.9.0+ for a description of this data block. |
Operating System Data Block 3.5+
The operating system data block for Version 3.5+ has a block type of 53 in the series 1 group of blocks. The block includes a fingerprint Universally Unique Identifier (UUID). The following diagram shows the format of an operating system data block in 3.5+.
The following table describes the fields of the v3.5 operating system data block.
Policy Engine Control Message Data Block
The Policy Engine Control Message data block conveys the control message content for policy types. The Policy Engine Control Message data block has a block type of 54 in the series 1 group of blocks.
The following diagram shows the format of the Policy Engine Control Message data block:
The following table describes the components of the Policy Engine Control Message data block.
Attribute Definition Data Block for 4.7+
The Attribute Definition data block contains the attribute definition in an attribute creation, change, or deletion event and is used within Host Attribute Add events (event type 1002, subtype 6), Host Attribute Update events (event type 1002, subtype 7), and Host Attribute Delete events (event type 1002, subtype 8). It has a block type of 55 in the series 1 group of blocks.
For more information on those events, see Attribute Messages.
The following diagram shows the basic structure of an Attribute Definition data block:
The following table describes the fields of the Attribute Definition data block.
|
|
|
|
|---|---|---|
Initiates an Attribute Definition data block. This value is always |
||
Number of bytes in the Attribute Definition data block, including eight bytes for the attribute definition block type and length, plus the number of bytes in the attribute definition data that follows. |
||
Identification number that maps to the source of the attribute data. Depending on the source type, this may map to RNA, a user, a scanner, or a third-party application. |
||
An ID number that acts as a unique identifier for the affected attribute. |
||
Identification number of the affected attribute, if applicable. |
||
Initiates a String data block for the attribute definition name. This value is always |
||
Number of bytes in the String data block for the attribute definition name, including eight bytes for the string block type and length, plus the number of bytes in the attribute definition name. |
||
Type of attribute. Possible values are:
|
||
First integer in the integer range for the defined attribute. |
||
Last integer in the integer range for the defined attribute. |
||
Flag indicating if an IP address is auto-assigned based on the attribute. |
||
Initiates a List data block comprising Attribute List Item data blocks conveying attribute list items. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Attribute List Item data blocks. This field is followed by zero or more Attribute List Item data blocks. |
||
Initiates the first Attribute List Item data block. This data block can be followed by other Attribute List Item data blocks up to the limit defined in the list block length field. |
||
Number of bytes in the Attribute List Item String data block, including eight bytes for the block type and header fields, plus the number of bytes in the attribute list item. |
||
Attribute List Item data as documented in Attribute List Item Data Block. |
||
Initiates a List data block comprising Attribute Address data blocks conveying IP addresses for hosts with the attribute. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Attribute Address data blocks. This field is followed by zero or more Attribute Address data blocks. |
||
Initiates the first Attribute Address data block. This data block can be followed by other Attribute Address data blocks up to the limit defined in the list block length field. |
||
Number of bytes in the Attribute Address data block, including eight bytes for the block type and header fields, plus the number of bytes in the attribute address. |
||
Attribute Address data as documented in Attribute Address Data Block 5.2+. |
User Protocol Data Block
The User Protocol data block is used to contain information about added protocols, the type of the protocol, and lists of IP address and MAC address ranges for the hosts with the protocol. The User Protocol data block has a block type of 57 in the series 1 group of blocks.
The following diagram shows the basic structure of a User Protocol data block:
The following table describes the fields of the User Protocol data block.
|
|
|
|
|---|---|---|
Initiates a User Protocol data block. This value is always |
||
Total number of bytes in the User Protocol data block, including eight bytes for the user protocol block type and length fields, plus the number of bytes of user protocol data that follows. |
||
Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks. |
||
IP Range Specification data blocks containing information about the IP address ranges for the user input. See IP Address Range Data Block for 5.2+ for a description of this data block. |
||
Initiates a Generic List data block comprising MAC Range Specification data blocks conveying MAC address range data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated MAC Range Specification data blocks. |
||
MAC Range Specification data blocks containing information about the MAC address ranges for the user input. See MAC Address Specification Data Block for a description of this data block. |
||
Indicates the type of the protocol. The protocol can be either |
||
Indicates the protocol for the data contained in the data block. |
User Client Application Data Block for 5.1.1+
The User Client Application data block contains information about the source of the client application data, the identification number for the user who added the data, and the lists of IP address range data blocks. The payload ID, which was added in Version 5.3.1, specifies the application instance associated with the record. The User Client Application data block has a block type of 138 in the series 1 group of blocks. It replaces block type 59.
The following diagram shows the basic structure of a User Client Application data block:
The following table describes the fields of the User Client Application data block.
|
|
|
|
|---|---|---|
Initiates a User Client Application data block. This value is always |
||
Total number of bytes in the User Client Application data block, including eight bytes for the user client application block type and length fields, plus the number of bytes of user client application data that follows. |
||
Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks. |
||
IP Range Specification data blocks containing information about the IP address ranges for the user input. See IP Address Range Data Block for 5.2+ for a description of this data block. |
||
The internal identification number for the application protocol, if applicable. |
||
The internal identification number of the detected client application, if applicable. |
||
Initiates a String data block that contains the client application version. This value is always |
||
Number of bytes in the client application version String data block, including the string block type and length fields, plus the number of bytes in the version. |
||
This field is included for backwards compatibility. It is always |
||
The internal identification number for the web application, if applicable. |
User Client Application List Data Block
The User Client Application List data block contains information about the source of the client application data, the identification number for the user who added the data, and the lists of client application blocks. The User Client Application List data block has a block type of 60 in the series 1 group of blocks.
The following diagram shows the basic structure of a User Client Application List data block:
The following table describes the fields of the User Client Application List data block.
|
|
|
|
|---|---|---|
Initiates a User Client Application List data block. This value is always |
||
Total number of bytes in the User Client Application List data block, including eight bytes for the user client application list block type and length fields, plus the number of bytes of user client application list data that follows. |
||
Identification number that maps to the source that added the affected client application. Depending on the source type, this may map to RNA, a user, a scanner, or a third-party application. |
||
Initiates a Generic List data block. This value is always |
||
Number of bytes in the Generic List block and encapsulated data blocks. This number includes the eight bytes of the generic list block header fields, plus the number of bytes in all of the encapsulated data blocks. |
||
Encapsulated User Client Application data blocks up to the maximum number of bytes in the list block length. For more information on the User Client Application data block, see User Client Application Data Block for 5.1.1+. |
IP Address Range Data Block for 5.2+
The IP Address Range data block for 5.2+ conveys a range of IP addresses. IP Address Range data blocks are used in User Protocol, User Client Application, Address Specification, User Product, User Server, User Hosts, User Vulnerability, User Criticality, and User Attribute Value data blocks. The IP Address Range data block has a block type of 141 in the series 1 group of blocks.
The following diagram shows the format of the IP Address Range data block:
The following table describes the components of the IP Address Range Specification data block.
Attribute Specification Data Block
The Attribute Specification data block conveys the attribute name and value. The Attribute Specification data block has a block type of 62 in the series 1 group of blocks.
The following diagram shows the format of the Attribute Specification data block:
The following table describes the components of the Attribute Specification data block.
Host IP Address Data Block
The Host IP Address data block conveys an individual IP address. The IP address may be either an IPv4 or IPv6 address. Host IP Address data blocks are used in User Protocol, Address Specification, and User Host data blocks. The Host IP data block has a block type of 143 in the series 1 group of blocks.
The following diagram shows the format of the Host IP Address data block:
The following table describes the components of the Host IP Address data block.
MAC Address Specification Data Block
The MAC Address Specification data block conveys an individual MAC address. MAC Address Specification data blocks are used in User Protocol, Address Specification, and User Hosts data blocks. The MAC Address Specification data block has a block type of 63 in the series 1 group of blocks.
The following diagram shows the format of the MAC Address Specification data block:
The following table describes the components of the MAC Address Specification data block.
Address Specification Data Block
The Address Specification data block is used to contain lists of IP address range specifications and MAC address specifications. The Address Specification data block has a block type of 64 in the series 1 group of blocks.
The following diagram shows the basic structure of an Address Specification data block:
The following table describes the fields of the Address Specification data block.
|
|
|
|
|---|---|---|
Initiates an Address Specification data block. This value is always |
||
Total number of bytes in the Address Specification data block, including eight bytes for the address specification block type and length fields, plus the number of bytes of address specification data that follows. |
||
Initiates a Generic List data block. This value is always |
||
Number of bytes in the Generic List block and encapsulated data blocks. This number includes the eight bytes of the generic list block header fields, plus the number of bytes in all of the encapsulated data blocks. |
||
Encapsulated IP Address Range Specification data blocks up to the maximum number of bytes in the list block length. For more information, see IP Address Range Data Block for 5.2+. |
||
Initiates a Generic List data block. This value is always |
||
Number of bytes in the Generic List block and encapsulated data blocks. This number includes the eight bytes of the generic list block header fields, plus the number of bytes in all of the encapsulated data blocks. |
||
Encapsulated MAC Address Specification data blocks up to the maximum number of bytes in the list block length. For more information, see MAC Address Specification Data Block. |
Connection Chunk Data Block for 5.1.1+
The Connection Chunk data block conveys connection data. It stores connection log data that aggregates over a five-minute period. The Connection Chunk data block has a block type of 136 in the series 1 group of blocks. It supersedes block type 119. The following diagram shows the format of the Connection Chunk data block:
The following table describes the components of the Connection Chunk data block.
Fix List Data Block
The Fix List data block conveys a fix that applies to a host. A Fix List data block for each fix applied to the affected host is included in a User Product data block. The Fix List data block has a block type of 67 in the series 1 group of blocks.
The following diagram shows the format of the Fix List data block:
The following table describes the components of the Fix List data block.
User Server Data Block
The User Server data block contains server details from a user input event. The User Server data block has a block type of 76 in the series 1 group of blocks.
The following diagram shows the basic structure of a User Server data block:
The following table describes the fields of the User Server data block.
User Server List Data Block
The User Server List data block contains a list of server data blocks from a user input event. The User Server List data block has a block type of 77 in the series 1 group of blocks. The following diagram shows the basic structure of a User Server List data block:
The following table describes the fields of the User Server List data block.
User Hosts Data Block 4.7+
The User Hosts data block is used in User Add and Delete Host Messages to contain information about host ranges and user and source identity from a user host input event. The User Hosts data block has a block type of 78 in the series 1 group of blocks.
The following diagram shows the basic structure of a User Hosts data block:
The following table describes the fields of the User Hosts data block.
|
|
|
|
|---|---|---|
Total number of bytes in the User Hosts data block, including eight bytes for the user hosts block type and length fields, plus the number of bytes of user hosts data that follows. |
||
Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks. |
||
IP Range Specification data blocks containing information about the IP address ranges for the user input. See IP Address Range Data Block for 5.2+ for a description of this data block. |
||
Initiates a Generic List data block comprising MAC Range Specification data blocks conveying MAC address range data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated MAC Range Specification data blocks. |
||
MAC Range Specification data blocks containing information about the MAC address ranges for the user input. See MAC Address Specification Data Block for a description of this data block. |
||
Identification number that maps to the source that added or updated the hostdata. Depending on the source type, this may map to RNA, a user, a scanner, or a third-party application. |
||
User Vulnerability Change Data Block 4.7+
The User Vulnerability Change data block contains a list of deactivated vulnerabilities for the host, the identification number for the user who deactivated the vulnerabilities, information about the source that supplied the vulnerability changes, and the criticality value. The User Vulnerability Change data block has a block type of 80 in the series 1 group of blocks. Changes from the previous User Vulnerability Change data block include a new source type field and the use of the Generic list data block instead of the List data block to store vulnerability deactivations. This data block is used in user vulnerability change messages as documented in User Set Vulnerabilities Messages for Version 4.6.1+.
The following diagram shows the basic structure of a User Vulnerability Change data block:
The following table describes the fields of the Generic List data block.
|
|
|
|
|---|---|---|
Initiates a User Vulnerability Change data block. This value is always |
||
Total number of bytes in the User Vulnerability Change data block, including eight bytes for the host vulnerability block type and length fields, plus the number of bytes of host vulnerability data that follows. |
||
Identification number that maps to the source that updated or added the host vulnerability change value. Depending on the source type, this may map to RNA, a user, a scanner, or a third-party application. |
||
Initiates a Generic List data block. This value is always |
||
Number of bytes in the Generic List block and encapsulated data blocks. This number includes the eight bytes of the generic list block header fields, plus the number of bytes in all of the encapsulated data blocks. |
||
Encapsulated User Vulnerability data blocks up to the maximum number of bytes in the list block length. For more information, see User Vulnerability Data Block 5.0+. |
User Criticality Change Data Block 4.7+
The User Criticality data block is used to contain a list of IP address range specifications for hosts where the host criticality changed, the identification number for the user who updated the criticality value, information about the source that supplied the criticality value, and the criticality value. The User Criticality data block has a block type of 81 in the series 1 group of blocks. Changes from the previous User Criticality data block include a new source type field and the use of the Generic list data block instead of the List data block to store IP addresses.
The User Criticality data block is used in user set host criticality messages as documented in User Set Host Criticality Messages.
The following diagram shows the basic structure of a User Criticality data block:
The following table describes the fields of the User Criticality data block.
User Attribute Value Data Block 4.7+
The User Attribute Value data block contains a list of IP address ranges that indicate the hosts where the attribute value has changed, together with the identification number for the user who added the attribute value, information about the source that supplied the attribute value, and the BLOB data block containing the attribute value. The User Attribute Value data block has a block type of 82 in the series 1 group of blocks. Changes from the previous User Attribute Value data block include a new source type field and the use of the Generic list data block instead of the List data block to store IP addresses.
The following diagram shows the structure of a User Attribute Value data block:
The following table describes the fields of the User Attribute Value data block.
User Protocol List Data Block 4.7+
The User Protocol List data block is used to contain information about the source of the protocol data, the identification number for the user who added the data, and the lists of user protocol data blocks. The User Protocol List data block has a block type of 83 in the series 1 group of blocks. For more information on User Protocol data blocks, see User Protocol Data Block.
The User Protocol List data block is used in user protocol messages, as documented in User Protocol Messages.
The following diagram shows the basic structure of a User Protocol List data block:
The following table describes the fields of the Generic List data block.
Host Vulnerability Data Block 4.9.0+
The Host Vulnerability data block conveys vulnerabilities that apply to a host. Each Host Vulnerability data block describes one vulnerability for a host in an event. Host Vulnerability data blocks appear in the Full Host Profile, Full Host Server, and Full Sub-Server data blocks. The Host Vulnerability data block has a block type of 85 in the series 1 group of blocks.
The following diagram shows the format of the Host Vulnerability data block:
The following table describes the components of the Host Vulnerability data block.
Identity Data Block
The identity data block has a block type of 94 in the series 1 group of blocks. Identity data blocks are used in identity conflict and identity timeout messages, which indicate when the identities of an operating system or server fingerprint source conflict or time out. The data block describes reported identities that have been identified as being in conflict with active source identities (user, scanner, or application). For more information, see Identity Conflict and Identity Timeout System Messages.
The following diagram shows the format of an identity data block for 4.9+.
The following table describes the fields of the Cisco identity data block.
Host MAC Address 4.9+
The host MAC address data block has a block type of 95 in the series 1 group of blocks. The block includes the time-to-live value for the host data, as well as the MAC address, the primary subnet of the host, and the last seen value for the host.
The following diagram shows the format of a host MAC address data block in 4.9+.
The following table describes the fields of the Host MAC Address data block.
Secondary Host Update
The Secondary Host Update data block contains information for a host sent as a secondary host update from a device monitoring a subnet other than that where the host resides. It is used within Change Secondary Update events (event type 1001, subtype 31). The Secondary Host Update data block has a block type of 96 in the series 1 group of blocks.
The following diagram shows the format of a Secondary Host Update data block:
The following table describes the fields of the Secondary Host Update data block.
Web Application Data Block for 5.0+
The Web Application data block for 5.0+ has a block type of 123 in the series 1 group of blocks. The data block describes the web application from detected HTTP client requests.
The following diagram shows the format of a Web Application data block in 5.0+.
The following table describes the fields of the Web Application data block.
Connection Statistics Data Block 5.3.1+
The connection statistics data block is used in connection data messages. The only changes to the connection data block between versions 5.3 and 5.3.1 is the addition of a security context field. The connection statistics data block for version 5.3.1+ has a block type of 154 in the series 1 group of blocks. It deprecates block type 152, Connection Statistics Data Block 5.3.
You request connection event records by setting the extended event flag—bit 30 in the Request Flags field—in the request message with an event version of 11 and an event code of 71. See Request Flags. If you enable bit 23, an extended event header is included in the record.For more information on the Connection Statistics Data message, see Connection Statistics Data Message.
The following diagram shows the format of a Connection Statistics data block for 5.3.1+:
The following table describes the fields of the Connection Statistics data block for 5.3.1+.
Scan Result Data Block 5.2+
The Scan Result data block describes a vulnerability and is used within Add Scan Result events (event type 1002, subtype 11). The Scan Result data block has a block type of 142 in the series 1 group of blocks. It supersedes block type 102. The IP address field was increased to 16 bytes for version 5.2.
The following diagram shows the format of a Scan Result data block:
The following table describes the fields of the Scan Result data block.
|
|
|
|
|---|---|---|
Initiates a Scan Result data block. This value is always |
||
Number of bytes in the Scan Vulnerability data block, including eight bytes for the scan vulnerability block type and length fields, plus the number of bytes of scan vulnerability data that follows. |
||
Contains the user identification number for the user who imported the scan result or ran the scan that produced the scan result. |
||
IP address of the host affected by the vulnerabilities in the result, in IP address octets. |
||
Port used by the sub-server affected by the vulnerabilities in the results. |
||
IANA protocol number or Ethertype. This is handled differently for Transport and Network layer protocols. Transport layer protocols are identified by the IANA protocol number. For example: Network layer protocols are identified by the decimal form of the IEEE Registration Authority Ethertype. For example: |
||
Initiates a List data block comprising Scan Vulnerability data blocks conveying transport Scan Vulnerability data. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Scan Vulnerability data blocks. This field is followed by zero or more Scan Vulnerability data blocks. |
||
Initiates a Scan Vulnerability data block describing a vulnerability detected during a scan. This value is always |
||
Number of bytes in the Scan Vulnerability data block, including eight bytes for the scan vulnerability block type and length fields, plus the number of bytes in the scan vulnerability data that follows. |
||
Initiates a List data block comprising Scan Vulnerability data blocks conveying transport Scan Vulnerability data. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Scan Vulnerability data blocks. This field is followed by zero or more Scan Vulnerability data blocks. |
||
Initiates a Generic Scan Results data block describing server and operating system data detected during a scan. This value is always |
||
Number of bytes in the Generic Scan Results data block, including eight bytes for the generic scan results block type and length fields, plus the number of bytes in the scan result data that follows. |
||
Initiates a Generic List data block comprising User Product data blocks conveying host input data from a third-party application. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated User Product data blocks. |
||
User Product data blocks containing host input data. See User Product Data Block 5.1+ for a description of this data block. |
Host Server Data Block 4.10.0+
The Host Server data block conveys information about the detected servers on a host. It contains a block for each detected server, and also includes a list of web application data blocks for the web applications the server is running. Host Server data blocks are contained in messages for new and changed TCP and UDP servers. For more information, see Server Messages. The Host Server data block has a block type of 103 in the series 1 group of blocks.
Note An asterisk(*) next to a data block name in the following diagram indicates that multiple instances of the data block may occur.
The following diagram shows the format of the Host Server data block:
The following table describes the fields of the Host Server data block.
|
|
|
|
|---|---|---|
Initiates a Host Server data block. This value is always |
||
Total number of bytes in the Host Server data block, including the eight bytes in the Host Server block type and length fields, plus the number of bytes of data that follows. |
||
UNIX timestamp that represents the last time the system detected the server in use. |
||
Initiates a Generic List data block. This value is always |
||
Number of bytes in the Generic List block and encapsulated sub-server information data blocks. This number includes the eight bytes of the generic list block header fields, plus the number of bytes in all of the encapsulated data blocks. |
||
Server information data blocks up to the maximum number of bytes in the list block length. For details, see Server Information Data Block for 4.10.x, 5.0 - 5.0.2. |
||
Number of bytes in the Generic block and encapsulated web application data blocks. This number includes the eight bytes of the generic list block header fields, plus the number of bytes in all of the encapsulated web application data blocks. |
||
Encapsulated web application data blocks up to the maximum number of bytes in the list block length. For details, see Web Application Data Block for 5.0+. |
Full Host Server Data Block 4.10.0+
The Full Host Server data block conveys information about a server, including the server port, the frequency of use and most recent update, confidence of data accuracy, and Cisco and third-party vulnerabilities related to that server for the host. The Full Host Server data block contains a Full Sub-Server Information data block for each sub-server on the server. Each Full Host Profile data block contains a Full Host Server data block for each TCP and UDP server on the host. The Full Host Server data block has a block type of 104 in the series 1 group of blocks.
Note An asterisk(*) next to a series 1 data block name in the following diagram indicates that multiple instances of the data block may occur.
The following diagram shows the format of the Full Server data block:
The following table describes the components of the Full Server data block.
|
|
|
|
|---|---|---|
Initiates a Full Server data block. This value is always |
||
Total number of bytes in the Full Server data block, including eight bytes for the full server block type and length fields, plus the number of bytes of full server data that follows. |
||
Initiates a Generic List data block comprising data blocks of detected sub-server data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated sub-server information data blocks. |
||
Full Server Information data blocks containing information about sub-servers for a host server detected by Cisco. See Full Server Information Data Block for a description of this data block. |
||
Initiates a Generic List data block comprising sub-server information data blocks conveying sub-server data added by a user. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated server information data blocks. |
||
Full Server Information data blocks containing information about sub-servers on a host added by a user. See Full Server Information Data Block for a description of this data block. |
||
Initiates a Generic List data block comprising sub-server information data blocks conveying sub-server data added by a scanner. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated sub-server information data blocks. |
||
Full Server Information data blocks containing information about sub-servers on a host added by a scanner. See Full Server Information Data Block for a description of this data block. |
||
Initiates a Generic List data block comprising sub-server information data blocks conveying sub-server data added by an application. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated sub-server information data blocks. |
||
Full Server Information data blocks containing information about sub-servers on a host added by an application. See Full Server Information Data Block for a description of this data block. |
||
Percentage of confidence of Cisco in correct identification of the full server data. |
||
Initiates a BLOB data block, which contains banner data. This value is always |
||
Total number of bytes in the BLOB data block, including eight bytes for the block type and length fields, plus the number of bytes in the banner. |
||
First n bytes of the packet involved in the server event, where n is equal to or less than 256. |
||
Initiates a Generic List data block comprising Host Vulnerability data blocks conveying Cisco vulnerability data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Host Vulnerability data blocks. |
||
Host Vulnerability data blocks containing information about host vulnerabilities in the vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block. |
||
Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third-party host vulnerability data sourced from a third-party scanner and containing vulnerability information already cataloged in the VDB. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Host Vulnerability data blocks. |
||
Host Vulnerability data blocks sourced from a third-party scanner and containing information about host vulnerabilities cataloged in the vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block. |
||
Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third-party host vulnerability data generated by a third-party scanner. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Host Vulnerability data blocks. |
||
Host Vulnerability data blocks containing third-party vulnerability data for vulnerabilities identified by a third-party scanner but not cataloged in the VDB. See Host Vulnerability Data Block 4.9.0+ for a description of this data block. |
||
Initiates a Generic List data block. This value is always |
||
Number of bytes in the Generic List block and encapsulated Web Application data blocks. This number includes the eight bytes of the generic list block header fields, plus the number of bytes in all of the encapsulated data blocks. |
||
Encapsulated Web Application data blocks up to the maximum number of bytes in the list block length. |
Server Information Data Block for 4.10.x, 5.0 - 5.0.2
The Server Information data block conveys information about a server, including the server ID, server vendor and version, and source information. The Server Information data block has a block type of 105 in the series 1 group of blocks for 4.10.x and a block type of 117 in the series 1 group of blocks for 5.0 - 5.0.2. Server information data blocks are conveyed in lists within Host Server blocks and Full Host server data blocks. For more information see Host Server Data Block 4.10.0+ and Full Host Server Data Block 4.10.0+.
The following diagram shows the format of the Server Information data block:
The following table describes the components of the Server Information data block.
|
|
|
|
|---|---|---|
Initiates a Server Information data block. The block type is |
||
Total number of bytes in the Server Information data block, including eight bytes for the Server Information block type and length fields, four bytes for the server ID, eight bytes for the vendor name block type and length, another four for the vendor name, eight bytes for the version string block type and length, another four for the version string, and four bytes each for the last used, source type, and source ID fields. |
||
The application ID for the application protocol running on the detected server. |
||
Initiates a String data block containing the server vendor’s name. This value is always |
||
Number of bytes in the vendor name String data block, including eight bytes for the block type and length fields, plus the number of bytes in the server vendor name. |
||
Initiates a String data block that contains the server version. This value is always |
||
Number of bytes in the server version String data block, including eight bytes for the block type and length fields, plus the number of bytes in the server version. |
||
Indicates when the server information was last used in traffic. |
||
Identification number that maps to the source of the server data. Depending on the source type, this may map to RNA, a user, a scanner, or a third-party application. |
||
Initiates a list of Sub-Server data blocks. This value is always |
||
Number of bytes in the List data block, including eight bytes for the list block type and length fields, plus the number of bytes in the encapsulated Sub-Server data blocks that follow. |
||
Initiates the first Sub-Server data block. This data block can be followed by other Sub-Server data blocks up to the limit defined in the list block length field. |
||
Total number of bytes in each Sub-Server data block, including the eight bytes in the Sub-Server block type and length fields, plus the number of bytes of data that follows. |
||
Sub-server data as documented in Sub-Server Data Block. |
Full Server Information Data Block
The Full Server Information data block conveys information about a server detected on a host, including the server’s application protocol, vendor, and version, and the list of its associated sub-servers. For each sub-server, information is included by a Full Sub-Server data block (see Full Sub-Server Data Block). The Full Server Information data block has a block type of 106 in the series 1 group of blocks.
Note An asterisk(*) next to a series 1 data block name in the following diagram indicates that multiple instances of the data block may occur.
The following diagram shows the format of the Full Server Information data block:
The following table describes the components of the Full Server Information data block.
|
|
|
|
|---|---|---|
Initiates a Full Server Information data block. This value is always |
||
Total number of bytes in the Full Server Information data block, including eight bytes for the full server block type and length fields, plus the number of bytes in the full server data that follows. |
||
The application ID of the application protocol running on the server. |
||
Initiates a String data block containing the application protocol vendor’s name. This value is always |
||
Number of bytes in the vendor name String data block, including eight bytes for the block type and length fields, plus the number of bytes in the vendor name. |
||
Initiates a String data block that contains the application protocol version. This value is always |
||
Number of bytes in the String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
||
UNIX timestamp that represents the last time the system detected the server in use. |
||
Identification number that maps to the source of the server data. Depending on the source type, this may map to RNA, a user, a scanner, or a third-party application. |
||
Initiates a List data block comprising Full Server Information data blocks conveying sub-server data. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Full Sub-Server data blocks. This field is followed by zero or more Full Sub-Server data blocks. |
||
Initiates the first Full Sub-Server data block. This data block can be followed by other Full Sub-Server data blocks up to the limit defined in the list block length field. |
||
Total number of bytes in each Full Sub-Server data block, including the eight bytes in the Full Sub-Server block type and length fields, plus the number of bytes of data that follows. |
||
Full Sub-Server data blocks containing sub-servers for the server. See Full Sub-Server Data Block for a description of this data block. |
Generic Scan Results Data Block for 4.10.0+
The Generic Scan Results data block contains scan results and is used in the Scan Result Data Block 5.2+. The Generic Scan Results data block has a block type of 108 in the series 1 group of blocks.
The following diagram shows the basic structure of a Generic Scan Results data block:
The following table describes the fields of the Generic Scan Results data block.
Scan Vulnerability Data Block for 4.10.0+
The Scan Vulnerability data block describes a vulnerability and is used within Scan Result data blocks, which in turn are used in Add Scan Result events (event type 1002, subtype 11). For more information, see Scan Result Data Block 5.2+ and Add Scan Result Messages. The Scan Vulnerability data block has a block type of 109 in the series 1 group of blocks.
The following diagram shows the format of a Scan Vulnerability data block:
The following table describes the fields of the Scan Vulnerability data block.
|
|
|
|
|---|---|---|
Initiates a Scan Vulnerability data block. This value is always |
||
Number of bytes in the Scan Vulnerability data block, including eight bytes for the scan vulnerability block type and length fields, plus the number of bytes of scan vulnerability data that follows. |
||
IANA protocol number or Ethertype. This is handled differently for Transport and Network layer protocols. Transport layer protocols are identified by the IANA protocol number. For example: Network layer protocols are identified by the decimal form of the IEEE Registration Authority Ethertype. For example: |
||
Number of bytes in the String data block for the ID, including eight bytes for the string block type and length, plus the number of bytes in the ID. |
||
The ID for the reported vulnerability as specified by the scan utility that detected it. For a vulnerability detected by a Qualys scan, for example, this field indicates the Qualys ID. |
||
Number of bytes in the String data block for the vulnerability name, including eight bytes for the string block type and length, plus the number of bytes in the vulnerability name. |
||
Initiates a String data block for the vulnerability description. |
||
Number of bytes in the String data block for the vulnerability description, including eight bytes for the string block type and length, plus the number of bytes in the vulnerability description. |
||
Number of bytes in the String data block for the vulnerability name, including eight bytes for the string block type and length, plus the number of bytes in the vulnerability name. |
||
Initiates a String data block for the vulnerability description. |
||
Number of bytes in the String data block for the vulnerability description, including eight bytes for the string block type and length, plus the number of bytes in the vulnerability description. |
||
Initiates a List data block for the list of Bugtraq identification numbers. |
||
Number of bytes in the List data block for the list of Bugtraq identification numbers, including eight bytes for the string block type and length, plus the number of bytes in the Integer data blocks containing the Bugtraq IDs. |
||
Contains zero or more Integer (INT32) data blocks that form a list of Bugtraq identification numbers. For more information on these data blocks, see Integer (INT32) Data Block. |
||
Initiates a List data block for the list of Common Vulnerability Exposure (CVE) identification numbers. |
||
Number of bytes in the List data block for the CVE identification number, including eight bytes for the string block type and length, plus the number of bytes in the CVE identification number. |
||
Contains zero or more String Information data blocks that form a list of CVE identification numbers. For more information on these data blocks, see String Information Data Block. |
Full Host Client Application Data Block 5.0+
The Full Host Client Application data block for version 5.0+ describes a client application, plus an appended list of associated web applications and vulnerabilities. The Full Host Client Application data block is used within the Full Host Profile data block (type 111). It has a block type of 112 in the series 1 group of blocks.
The following diagram shows the basic structure of a Full Host Client Application data block for 5.0+:
The following table describes the fields of the Full Host Client Application data block.
Host Client Application Data Block for 5.0+
The Host Client Application data block for 5.0+ describes a client application and is used within New Client Application events (event type 1000, subtype 7), Client Application Timeout events (event type 1001, subtype 20), and Client Application Update events (event type 1001, subtype 32). The Host Client Application data block for 4.10.2+ has a block type of 122 in the series 1 group of blocks.
The following diagram shows the basic structure of a Host Client Application data block for 5.0+:
The following table describes the fields of the Host Client Application data block.
|
|
|
|
|---|---|---|
Initiates a Host Client Application data block. This value is always |
||
Number of bytes in the Client Application data block, including eight bytes for the client application block type and length, plus the number of bytes in the client application data that follows. |
||
Number of times the system has detected the client application in use. |
||
UNIX timestamp that represents the last time the system detected the client in use. |
||
Identification number of the detected client application, if applicable. |
||
The internal identification number for the application protocol, if applicable. |
||
Initiates a String data block for the client application version. This value is always |
||
Number of bytes in the String data block for the client application version, including eight bytes for the string block type and length, plus the number of bytes in the client application version. |
||
Initiates a Generic List data block. This value is always |
||
Number of bytes in the Generic List block and encapsulated Web Application data blocks. This number includes the eight bytes of the generic list block header fields, plus the number of bytes in all of the encapsulated data blocks. |
||
Encapsulated Web Application data blocks up to the maximum number of bytes in the list block length. See Web Application Data Block for 5.0+ for information on the encapsulated data blocks (block type 123). |
User Vulnerability Data Block 5.0+
The User Vulnerability data block describes a vulnerability and is used within User Vulnerability Change data blocks. These in turn are used in User Set Valid Vulnerabilities events and User Set Invalid Vulnerabilities events. The User Vulnerability data block for 5.0+ has a block type of 124 in the series 1 group of blocks. It supersedes block type 79. For more information on User Vulnerability Change data blocks, see User Vulnerability Change Data Block 4.7+.
The following diagram shows the format of a User Vulnerability data block:
The following table describes the fields of the User Vulnerability data block.
|
|
|
|
|---|---|---|
Initiates a User Vulnerability data block. This value is always |
||
Number of bytes in the User Vulnerability data block, including eight bytes for the user vulnerability block type and length fields, plus the number of bytes of user vulnerability data that follows. |
||
Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks. |
||
IP address ranges from user input. See IP Address Range Data Block for 5.2+ for a description of this data block. |
||
Port used by the server affected by the vulnerability. For client application vulnerabilities, the value is |
||
IANA protocol number or Ethertype for the protocol used by the server affected by the vulnerability. This is handled differently for Transport and Network layer protocols. Transport layer protocols are identified by the IANA protocol number. For example: Network layer protocols are identified by the decimal form of the IEEE Registration Authority Ethertype. For example: |
||
A unique ID number for the third-party vulnerability, if one exists. Otherwise, the value is |
||
Initiates a String data block for the vulnerability name. The value is always |
||
The number of bytes in the String data block for the vulnerability name, including eight bytes for the string block type and length, plus the number of bytes in the vulnerability name. |
||
The application ID of the client application. For server vulnerabilities, the value is |
||
The application ID of the application protocol used by client application. For server vulnerabilities, the value is |
||
Initiates a String data block for the version string. The value is always |
||
The number of bytes in the String data block for the version, including eight bytes for the string block type and length, plus the number of bytes in the client application version string. |
||
The client application version. For server vulnerabilities, the value is |
Operating System Fingerprint Data Block 5.1+
The Operating System Fingerprint data block has a block type of 130 in the series 1 group of blocks. The block includes a fingerprint Universally Unique Identifier (UUID), as well as the fingerprint type, the fingerprint source type, and the fingerprint source ID.
The following diagram shows the format of an Operating System Fingerprint data block in 5.1+.
The following table describes the fields of the operating system fingerprint data block.
|
|
|
|
|---|---|---|
Initiates the operating system data block. This value is always |
||
Number of bytes in the Operating System Fingerprint data block, including eight bytes for the Operating System Fingerprint Data Block block type and length, plus the number of bytes in the Operating System Fingerprint data that follows. |
||
Fingerprint identification number, in octets, that acts as a unique identifier for the operating system. The fingerprint UUID maps to the operating system name, vendor, and version in the vulnerability database (VDB). |
||
Indicates the type (i.e., user or scanner) of the source that supplied the operating system fingerprint. |
||
Identification number that maps to the login name of the user that supplied the operating system fingerprint. |
||
Indicates the difference between the TTL value in the fingerprint and the TTL value seen in the packet used to fingerprint the host. |
||
Initiates a Generic List data block. This value is always |
||
Number of bytes in the Generic List block and encapsulated data blocks. This number includes the eight bytes of the generic list block header fields, plus the number of bytes in all of the encapsulated data blocks. |
||
Encapsulated Mobile Device Information data blocks up to the maximum number of bytes in the list block length. See Mobile Device Information Data Block for 5.1+ for a description of this data block. |
Mobile Device Information Data Block for 5.1+
The following diagram shows the format of a Mobile Device Information data block. The data block contains the last time the host was detected, mobile device information, and whether the mobile device is jailbroken. The Mobile Device Information data block has a block type of 131 in the series 1 group of blocks.
The describes the fields of the Mobile Device Information data block returned by 5.1+.
Host Profile Data Block for 5.2+
The following diagram shows the format of a Host Profile data block. The data block also does not include a host criticality value, but does include a VLAN presence indicator. In addition, a data block can convey a NetBIOS name for the host. The Host Profile data block has a block type of 139 in the series 1 group of blocks. The data block now supports IPv6 addresses, and client application data blocks have been added.
Note An asterisk(*) next to a block type field in the following diagram indicates the message may contain zero or more instances of the series 1 data block.
The following table describes the fields of the host profile data block returned by 5.2+.
|
|
|
|
|---|---|---|
Initiates the Host Profile data block for 5.2+. This value is always |
||
Number of bytes in the Host Profile data block, including eight bytes for the host profile block type and length fields, plus the number of bytes included in the host profile data that follows. |
||
Indicates whether the host is in the primary or secondary network of the device that detected it: |
||
Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a server fingerprint. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
||
Operating System Fingerprint (Server Fingerprint) Data Blocks * |
Operating System Fingerprint data blocks containing information about the operating system on a host identified using a server fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
|
Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a client fingerprint. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
||
Operating System Fingerprint (Client Fingerprint) Data Blocks * |
Operating System Fingerprint data blocks containing information about the operating system on a host identified using a client fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
|
Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an SMB fingerprint. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
||
Operating System Fingerprint (SMB Fingerprint) Data Blocks * |
Operating System Fingerprint data blocks containing information about the operating system on a host identified using an SMB fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
|
Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a DHCP fingerprint. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
||
Operating System Fingerprint (DHCP Fingerprint) Data Blocks * |
Operating System Fingerprint data blocks containing information about the operating system on a host identified using a DHCP fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
|
Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a mobile device fingerprint. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
||
Operating System Fingerprint data blocks containing information about the operating system on a host identified using a mobile device fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
||
Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an IPv6 server fingerprint. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
||
Operating System Fingerprint data blocks containing information about the operating system on a host identified using an IPv6 server fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
||
Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an IPv6 client fingerprint. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
||
Operating System Fingerprint data blocks containing information about the operating system on a host identified using an IPv6 client fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
||
Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an IPv6 DHCP fingerprint. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
||
Operating System Fingerprint (IPv6 DHCP Fingerprint) Data Blocks * |
Operating System Fingerprint data blocks containing information about the operating system on a host identified using an IPv6 DHCP fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
|
Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a user agent fingerprint. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
||
Operating System Fingerprint (User Agent Fingerprint) Data Blocks * |
Operating System Fingerprint data blocks containing information about the operating system on a host identified using a user agent fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block. |
|
Initiates a List data block comprising Server data blocks conveying TCP server data. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Server data blocks. |
||
Host server data blocks describing a TCP server. See Host Server Data Block 4.10.0+ for a description of this data block. |
||
Initiates a List data block comprising Server data blocks conveying UDP server data. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Server data blocks. |
||
Host server data blocks describing a UDP server. See Host Server Data Block 4.10.0+ for a description of this data block. |
||
Initiates a List data block comprising Protocol data blocks conveying network protocol data. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Protocol data blocks. This field is followed by zero or more Protocol data blocks. |
||
Protocol data blocks describing a network protocol. See Protocol Data Block for a description of this data block. |
||
Initiates a List data block comprising Protocol data blocks conveying transport protocol data. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Protocol data blocks. This field is followed by zero or more transport protocol data blocks. |
||
Protocol data blocks describing a transport protocol. See Protocol Data Block for a description of this data block. |
||
Initiates a List data block comprising MAC Address data blocks. This value is always |
||
Number of bytes in the list, including the list header and all encapsulated MAC Address data blocks. |
||
Host MAC Address data blocks describing a host MAC address. See Host MAC Address 4.9+ for a description of this data block. |
||
UNIX timestamp that represents the last time the system detected host activity. |
||
True-false flag indicating whether the host is a mobile device. |
||
True-false flag indicating whether the host is a mobile device that is also jailbroken. |
||
VLAN identification number that indicates which VLAN the host is a member of. |
||
Initiates a String data block for the host client application data. This value is always |
||
Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the host client application data. |
||
List of Client Application data blocks. See Full Host Client Application Data Block 5.0+ for a description of this data block. |
||
Initiates a String data block for the host NetBIOS name. This value is always |
||
Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name string. |
||
User Product Data Block 5.1+
The User Product data block conveys host input data imported from a third-party application, including third-party application string mappings. This data block is used in Scan Result Data Block 5.2+ and User Server and Operating System Messages. The User Product data block has a block type of 65 in the series 1 group of blocks for versions up to 4.7-4.10.1, a block type of 118 for 4.10.2-5.0.x, and a block type of 134 in the series 1 group of blocks for 5.1+. Block types 65 and 118 have the same structure.
Note An asterisk(*) next to a data block name in the following diagram indicates that multiple instances of the data block may occur.
The following diagram shows the format of the User Product data block:
The following table describes the components of the User Product data block.
|
|
|
|
|---|---|---|
Initiates a User Product data block. This value is |
||
Total number of bytes in the User Product data block, including eight bytes for the user product block type and length fields, plus the number of bytes in the user product data that follows. |
||
Identification number that maps to the source that imported the data. Depending on the source type, this may map to RNA, a user, a scanner, or a third-party application. |
||
Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks. |
||
IP Range Specification data blocks containing information about the IP address ranges for the user input. See IP Address Range Data Block for 5.2+ for a description of this data block. |
||
IANA protocol number or Ethertype. This is handled differently for Transport and Network layer protocols. Transport layer protocols are identified by the IANA protocol number. For example: Network layer protocols are identified by the decimal form of the IEEE Registration Authority Ethertype. For example: |
||
Indicates whether the user OS definition was deleted from the host: |
||
Initiates a String data block containing the custom vendor name specified in the user input. This value is always |
||
Number of bytes in the custom vendor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the vendor name. |
||
Initiates a String data block containing the custom product name specified in the user input. This value is always |
||
Number of bytes in the custom product String data block, including eight bytes for the block type and length fields, plus the number of bytes in the product name. |
||
Initiates a String data block containing the custom version specified in the user input. This value is always |
||
Number of bytes in the custom version String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
||
The identifier for a specific revision of a server or operating system in the database. |
||
The FireSIGHT System application identifier for the application protocol on the host server specified in user input. |
||
The identifier for the vendor of a third-party operating system specified when the third-party operating system is mapped to a FireSIGHT System OS definition. |
||
The product identification string of a third-party operating system string specified when the third-party operating system string is mapped to a FireSIGHT System OS definition. |
||
Initiates a String data block containing the major version number of the FireSIGHT System operating system definition that a third-party operating system string in the user input is mapped to. This value is always |
||
Number of bytes in the major String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
||
Major version of the FireSIGHT System operating system definition that a third-party OS string is mapped to. |
||
Initiates a String data block containing the minor version number of the FireSIGHT System operating system definition that a third-party OS string is mapped to. This value is always |
||
Number of bytes in the minor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
||
Minor version number of the FireSIGHT System operating system definition that a third-party OS string in the user input is mapped to. |
||
Initiates a String data block containing the revision number of the FireSIGHT System operating system definition that a third-party operating system string in the user input is mapped to. This value is always |
||
Number of bytes in the revision String data block, including eight bytes for the block type and length fields, plus the number of bytes in the revision number. |
||
Revision number of the FireSIGHT System operating system definition that a third-party OS string in the user input is mapped to. |
||
Initiates a String data block containing the last major version of the FireSIGHT System operating system definition that a third-party operating system string is mapped to. This value is always |
||
Number of bytes in the To Major String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
||
Last version number in a range of major version numbers of the FireSIGHT System operating system definition that a third-party OS string in the user input is mapped to. |
||
Initiates a String data block containing the last minor version of the FireSIGHT System operating system definition that a third-party operating system string is mapped to. This value is always |
||
Number of bytes in the To Minor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
||
Last version number in a range of minor version numbers of the FireSIGHT System operating system definition that a third-party OS string in the user input is mapped to. |
||
Initiates a String data block containing the Last revision number of the FireSIGHT System operating system definition that a third-party OS string is mapped to. This value is always |
||
Number of bytes in the To Revision String data block, including eight bytes for the block type and length fields, plus the number of bytes in the revision number. |
||
Last revision number in a range of revision numbers of the FireSIGHT System operating system definitions that a third-party OS string in the user input is mapped to. |
||
Initiates a String data block containing the build number of the FireSIGHT System operating system that the third-party OS string is mapped. This value is always |
||
Number of bytes in the build String data block, including eight bytes for the block type and length fields, plus the number of bytes in the build number. |
||
Build number of the FireSIGHT System operating system that the third-party OS string in the user input is mapped to. |
||
Initiates a String data block containing the patch number of the FireSIGHT System operating system that the third-party OS string is mapped to. This value is always |
||
Number of bytes in the patch String data block, including eight bytes for the block type and length fields, plus the number of bytes in the patch number. |
||
Patch number of the FireSIGHT System operating system that the third-party OS string in the user input is mapped to. |
||
Initiates a String data block containing the extension number of the FireSIGHT System OS that the third-party operating system string is mapped. This value is always |
||
Number of bytes in the extension String data block, including eight bytes for the block type and length fields, plus the number of bytes in the extension number. |
||
Extension number of the FireSIGHT System operating system that the third-party OS string in the user input is mapped to. |
||
Contains the unique identification number for the operating system. |
||
Initiates a String data block containing the device hardware information in the user input. This value is always |
||
Number of bytes in the build String data block, including eight bytes for the block type and length fields, plus the number of bytes in the build number. |
||
A true-false flag indicating whether the operating system is running on a mobile device. |
||
A true-false flag indicating whether the mobile device operating system is jailbroken. |
||
Initiates a Generic List data block comprising Fix List data blocks conveying user input data regarding what fixes have been applied to hosts in the specified IP address ranges. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Fix List data blocks. |
||
Fix List data blocks containing information about fixes applied to the hosts. See Fix List Data Block for a description of this data block. |
User Data Blocks
User data blocks appear in user event messages. They are a subset of the series 1 data blocks. For information on the general format of series 1 data blocks, see Understanding Discovery (Series 1) Blocks.
Note The data block length field of the user data block header contains the number of bytes in the data block, including the eight bytes of the two data block header fields.
The following table lists the user data blocks that can appear in user event messages. Data blocks are listed by data block type. Current data blocks are the latest versions. Legacy blocks are supported but not produced by the current version of the FireSIGHT System.
|
|
|
|
|
|---|---|---|---|
Contains changes in login information for users detected by the system. See User Login Information Data Block 5.1+ for more information. The successor block type introduced for version 5.0 has the same structure as block type 73 but with different data in the fields. |
|||
Contains changes in user account information. See User Account Update Message Data Block for more information. |
|||
Contains changes in information for users detected by the system. See User Information Data Block for more information. The successor block type 120 introduced for version 5.0 has the same structure as block type 75. |
|||
Contains changes in information for users detected by the system. See User Information Data Block for more information. Supersedes block type 75. |
|||
Contains changes in login information for users detected by the system. See User Login Information Data Block for 5.0 - 5.0.2 for more information. Differs from block 73 in the content of the Protocol field, which stores the Version 5.0+ application ID for the application protocol ID detected in the event. The successor block introduced for version 5.1 has block type 127. |
|||
Contains changes in login information for users detected by the system. See User Login Information Data Block 5.1+ for more information. It supersedes block type 121. |
|||
Contains information about compromises. See for more information. |
User Account Update Message Data Block
The User Account Update Message data block conveys information about updates to a user’s account information.
The User Account Update Message data block has a block type of 74 in the series 1 group of blocks.
The following diagram shows the format of the User Account Update Message data block:
The following table describes the components of the User Account Update Message data block.
User Information Data Block
The User Information data block is used in User Modification messages and conveys information for a user detected, removed, or dropped. For more information, see User Modification Messages
The User Information data block has a block type of 75 in the series 1 group of blocks for version 4.7 - 4.10.x and a block type of 120 in the series 1 group of blocks for 5.0+. The structures are the same for block types 75 and 120.
The following diagram shows the format of the User Information data block:
The following table describes the components of the User Information data block.
User Login Information Data Block 5.1+
The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Information Update Message Block.
The User Login Information data block has a block type of 73 for version 4.7 - 4.10.x, a block type of 121 in the series 1 group of blocks for version 5.0 - 5.0.2, and a block type of 127 in the series 1 group of blocks for version 5.1+.
The graphic below shows the format of the User Login Information data block:
The following table describes the components of the User Login Information data block.
|
|
|
|
|---|---|---|
Initiates a User Login Information data block. This value is |
||
Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows. |
||
This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information. |
||
Initiates a String data block containing the username for the user. This value is always |
||
Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username. |
||
The application ID for the application protocol used in the connection that the login information was derived from. |
||
Initiates a String data block containing the email address for the user. This value is always |
||
Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address. |
||
IPv6 address from the host where the user was detected logging in, in IP address octets. |
||
Initiates a String data block containing the Reported By value. This value is always |
||
Number of bytes in the Reported By String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Reported By field. |
||
Discovery and Connection Event Series 2 Data Blocks
In the following table, the Data Block Status field indicates whether the block is current (the latest version) or legacy (used in an older version and can still be requested through eStreamer).
|
|
|
|
|
|---|---|---|---|
Used by access control rule metadata messages to map policy UUID and rule ID values to a descriptive string. See Access Control Rule Data Block. |
|||
Used by access control rule metadata messages to map access control rule reasons to a descriptive string. See Access Control Rule Reason Data Block 5.1+. |
|||
Used to store Security Intelligence information. See Security Intelligence Category Data Block 5.1+. |
Access Control Rule Data Block
The eStreamer service uses the Access Control Rule data block in access control rule metadata messages to map policy UUID and rule ID combinations to a descriptive string. The Access Control Rule data block has a block type of 15 in the series 2 group of blocks.
The following graphic shows the structure of the Access Control Rule data block.
The following table describes the fields in the Access Control Rule data block.
Access Control Rule Reason Data Block 5.1+
The eStreamer service uses the Access Control Rule Reason data block in Access Control Rule Reason metadata messages to map Access Control reasons to a descriptive string. The Access Control Rule Reason data block has a block type of 21 in the series 2 group of blocks.
The following graphic shows the structure of the Access Control Rule Reason data block.:
The following table describes the fields in the Access Control Rule Reason data block.
Security Intelligence Category Data Block 5.1+
The eStreamer service uses the Security Intelligence Category data block in access control rule metadata messages to stream Security Intelligence information. The Security Intelligence Category data block has a block type of 22 in the series 2 group of blocks.
The following graphic shows the structure of the Security Intelligence Category data block:
The following table describes the fields in the Security Intelligence Category data block.
Feedback