Data Structure Examples
This appendix contains data structure examples for selected intrusion, correlation, and discovery events. Each example is displayed in binary format to clearly display how each bit is set.
See the following sections for more information:
■
HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppAExamples.html#62939">Intrusion Event Data Structure Examples
■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppAExamples.html#66190">Discovery Data Structure Examples
Intrusion Event Data Structure Examples
This section contains examples of data structures that may be transmitted by eStreamer for intrusion events. The following examples are provided:
■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppAExamples.html#54389">Example of an Intrusion Event for the Defense Center 5.3 +
■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppAExamples.html#37784">Example of an Intrusion Impact Alert
■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppAExamples.html#49094">Example of a Packet Record
■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppAExamples.html#28253">Example of a Classification Record for 4.6.1+
■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppAExamples.html#86915">Example of a Priority Record
■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppAExamples.html#34810">Example of a Rule Message Record for 4.6.1+
■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppAExamples.html#76939">Example of a Version 4.0 Correlation Policy Violation Event
■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppAExamples.html#16570">Example of a Version 4.5 - 4.6.1 Correlation Event
■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppAExamples.html#29634">Example of a Version 4.10 Correlation Event
■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppAExamples.html#96719">Example of a Version 5.1+ User Event
Example of an Intrusion Event for the Defense Center 5.3 +
The following diagram shows an example event record:
A |
||||||||||||||||||||||||||||||||
B |
||||||||||||||||||||||||||||||||
C |
||||||||||||||||||||||||||||||||
D |
||||||||||||||||||||||||||||||||
E |
||||||||||||||||||||||||||||||||
F |
||||||||||||||||||||||||||||||||
G |
||||||||||||||||||||||||||||||||
H |
||||||||||||||||||||||||||||||||
I |
||||||||||||||||||||||||||||||||
J |
||||||||||||||||||||||||||||||||
K |
||||||||||||||||||||||||||||||||
L |
||||||||||||||||||||||||||||||||
M |
||||||||||||||||||||||||||||||||
N |
||||||||||||||||||||||||||||||||
O |
||||||||||||||||||||||||||||||||
P |
||||||||||||||||||||||||||||||||
Q |
||||||||||||||||||||||||||||||||
R |
||||||||||||||||||||||||||||||||
S |
||||||||||||||||||||||||||||||||
T |
||||||||||||||||||||||||||||||||
U |
||||||||||||||||||||||||||||||||
V |
||||||||||||||||||||||||||||||||
W |
||||||||||||||||||||||||||||||||
X |
||||||||||||||||||||||||||||||||
Y |
||||||||||||||||||||||||||||||||
Z |
||||||||||||||||||||||||||||||||
AA |
||||||||||||||||||||||||||||||||
AB |
||||||||||||||||||||||||||||||||
AC |
||||||||||||||||||||||||||||||||
AD |
||||||||||||||||||||||||||||||||
AE |
||||||||||||||||||||||||||||||||
AF |
||||||||||||||||||||||||||||||||
AG |
||||||||||||||||||||||||||||||||
AH |
||||||||||||||||||||||||||||||||
AI |
||||||||||||||||||||||||||||||||
AJ |
||||||||||||||||||||||||||||||||
AK |
||||||||||||||||||||||||||||||||
AL |
||||||||||||||||||||||||||||||||
In the preceding example, the following event information appears:
- The first two bytes of this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (message type four).
- This line indicates that the message that follows is 238 bytes long.
- This line indicates a record type value of 400, which represents an intrusion event record.
- This line indicates that the event record that follows is 222 bytes long.
- This line is the timestamp when the event was saved. In this case, it was saved on Wednesday, February 5, 2014 at 19:31:40.
- This line is reserved for future use and is populated with zeros.
- This line indicates that the block type is 41, which is the block type for Intrusion Event records.
- This line indicates that the data block is 222 bytes long.
- This line indicates that the event is collected from sensor number 2.
- This line indicates that the event identification number is 11761.
- This line indicates that the event occurred at second 1391628571.
- This line indicates that the event occurred at microsecond 950840.
- This line indicates that the rule ID number is 28069.
- This line indicates that the event was detected by generator ID number 1, the rules engine.
- This line indicates that the rule revision number is 1.
- This line indicates that the classification identification number is 35.
- This line indicates that the priority identification number is 1.
- This line indicates that the source IP address is 10.22.8.11. Note that this field can contain either IPv4 or IPv6 addresses.
- This line indicates that the destination IP address is 61.55.184.10. Note that this field can contain either IPv4 or IPv6 addresses.
- The first two bytes in this line indicate that the source port number is 65268, and the second two bytes indicate that the destination port number is 53.
- This first byte in this line indicates that UDP (17) is the protocol used in the event. The second byte is the impact flag, which indicates that the event is red (vulnerable) since the second bit is 1; that the event caused the managed event to drop the session, that the source destination host is potentially compromised, and that there is a vulnerability mapped to the client. The third byte in this line indicates that either the source or destination host is monitored by the system and is in the network map, indicating a priority 1 event (red). The last byte indicates that the event was blocked.
- This line contains the MPLS label, if present.
- The first two bytes in this line indicate that the VLAN ID is 2. The last two bytes are reserved and set to 0.
- This line contains the unique ID number for the intrusion policy.
- This line contains the internal identification number for the user. Since there is no applicable user, it is all zeros.
- This line contains the internal identification number for the web application. Since there is no web application, it is all zeros.
- This line contains the internal identification number for the client application, which is 2000000617.
- This line contains the internal identification number for the application protocol, which is 617.
- This line contains the unique identifier for the access control rule, which is 1.
- This line contains the unique identifier for the access control policy.
- This line contains the unique identifier for the ingress interface.
- This line contains unique identifier for the egress interface. Since this event was blocked, there is no egress interface and the field is populated with zeros.
- This line contains the unique identifier for the ingress security zone.
- This line contains the unique identifier for the egress security zone. Since this event was blocked, there is no egress interface and the field is populated with zeros.
- This line contains the Unix timestamp of the connection event associated with the intrusion event.
- The first two bytes in this line indicate the numerical ID of the Snort instance on the managed device that generated the connection event. The remaining two bytes indicate the value used to distinguish between connection events that happen during the same second.
- The first two bytes in this line indicate the code for the country of the source host. The remaining two bytes indicate the code for the country of the destination host.
- This line indicates the ID number of the compromise associated with this event, if any.
Example of an Intrusion Impact Alert
The following diagram shows an example intrusion impact alert record:
A |
||||||||||||||||||||||||||||||||
B |
||||||||||||||||||||||||||||||||
C |
||||||||||||||||||||||||||||||||
D |
||||||||||||||||||||||||||||||||
E |
||||||||||||||||||||||||||||||||
F |
||||||||||||||||||||||||||||||||
G |
||||||||||||||||||||||||||||||||
H |
||||||||||||||||||||||||||||||||
I |
||||||||||||||||||||||||||||||||
J |
||||||||||||||||||||||||||||||||
K |
||||||||||||||||||||||||||||||||
L |
||||||||||||||||||||||||||||||||
M |
||||||||||||||||||||||||||||||||
N |
||||||||||||||||||||||||||||||||
O |
||||||||||||||||||||||||||||||||
In the preceding example, the following information appears:
- The first two bytes of this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (message type four).
- This line indicates that the message that follows is 58 bytes long.
- This line indicates a record type value of 9, which represents an intrusion impact alert record.
- This line indicates that the data that follows is 50 bytes long.
- This line contains a value of 20, indicating that an intrusion impact alert data block follows.
- This line indicates that the length of the impact alert block, including the impact alert block header, is 50 bytes.
- This line indicates that the event identification number is 201256.
- This line indicates that the event is collected from device number 2.
- This line indicates that the event occurred at second 1087223700.
- This line indicates that 1 (red, vulnerable) is the impact level associated with the event.
- This line indicates that the IP address associated with the violation event is 172.16.1.22.
- This line indicates that there is no destination IP address associated with the violation (values are set to 0).
- This line indicates that a string block follows, containing a string block length and a text string which, in this case, contains the impact name. For more information about string blocks, see String Data Block.
- This line indicates that the total length of the string block, including the string block indicator and length is 18 bytes. This includes 10 bytes for the impact description and 8 bytes for the string header.
- This line indicates that the description of the impact is “Vulnerable.”
Example of a Packet Record
The following diagram shows an example packet record:
A |
||||||||||||||||||||||||||||||||
B |
||||||||||||||||||||||||||||||||
C |
||||||||||||||||||||||||||||||||
D |
||||||||||||||||||||||||||||||||
E |
||||||||||||||||||||||||||||||||
F |
||||||||||||||||||||||||||||||||
G |
||||||||||||||||||||||||||||||||
H |
||||||||||||||||||||||||||||||||
I |
||||||||||||||||||||||||||||||||
J |
||||||||||||||||||||||||||||||||
K |
||||||||||||||||||||||||||||||||
L |
||||||||||||||||||||||||||||||||
In the preceding example, the following packet information appears:
- The first two bytes of this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (message type four).
- This line indicates that the message that follows is 989 bytes long.
- This line indicates a record type value of 2, which represents a packet record.
- This line indicates that the packet record that follows is 981 bytes long.
- This line indicates that the event is collected from device number 3.
- This line indicates that the event identification number is 195430.
- This line indicates that the event occurred at second 1057259378.
- This line indicates that the packet was collected at second 1057259380.
- This line indicates that the packet was collected at microsecond 254365.
- This line indicates that the link type is 1 (Ethernet layer).
- This line indicates that the packet data that follows is 953 bytes long.
- This line and the following line show the actual payload data. Note that the actual data is 953 bytes and has been truncated for the sake of this example.
Example of a Classification Record for 4.6.1+
The following diagram shows an example classification record:
A |
||||||||||||||||||||||||||||||||
B |
||||||||||||||||||||||||||||||||
C |
||||||||||||||||||||||||||||||||
D |
||||||||||||||||||||||||||||||||
E |
||||||||||||||||||||||||||||||||
F |
||||||||||||||||||||||||||||||||
G |
||||||||||||||||||||||||||||||||
I |
||||||||||||||||||||||||||||||||
In the preceding example, the following event information appears:
- The first two bytes of the line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (message type four).
- This line indicates that the message that follows is 92 bytes long.
- This line indicates a record type value of 67, which represents a classification record.
- This line indicates that the classification record that follows is 84 bytes long.
- This line indicates that the Classification ID is 35.
- The first two bytes of this line indicate that the classification name that follows it is 15 bytes long. The second two bytes begin the classification name itself, which, in this case, is “trojan-activity”.
- The first byte in this line is a continuation of the classification name described in F. The next two bytes in this line indicate that the classification description that follows it is 29 bytes long. The remaining bye begin the classification description, which, in this case, is “A Network Trojan was Detected.”
- This line indicates the classification ID number that acts as a unique identifier for the classification.
- This line indicates the classification revision ID number that acts as a unique identifier for the classification revision, which is null because there are no revisions to the classification.
Example of a Priority Record
The following example shows a sample priority record:
A |
||||||||||||||||||||||||||||||||
B |
||||||||||||||||||||||||||||||||
C |
||||||||||||||||||||||||||||||||
D |
||||||||||||||||||||||||||||||||
E |
||||||||||||||||||||||||||||||||
F |
||||||||||||||||||||||||||||||||
In the preceding example, the following event information appears:
- The first two bytes in this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (message type four).
- This line indicates that the message that follows is 16 bytes.
- This line indicates a record type value of 4, which represents a priority record.
- This line indicates that the priority record that follows is 8 bytes long.
- This line indicates that the priority ID is one.
- The first two bytes of this line indicate that there are four bytes included in the priority name. The second two bytes plus the two bytes on the following line show the priority name itself (“high”).
Example of a Rule Message Record for 4.6.1+
The following example shows a sample rule record:
A |
||||||||||||||||||||||||||||||||
B |
||||||||||||||||||||||||||||||||
C |
||||||||||||||||||||||||||||||||
D |
||||||||||||||||||||||||||||||||
E |
||||||||||||||||||||||||||||||||
F |
||||||||||||||||||||||||||||||||
G |
||||||||||||||||||||||||||||||||
H |
||||||||||||||||||||||||||||||||
J |
||||||||||||||||||||||||||||||||
K |
||||||||||||||||||||||||||||||||
In the preceding example, the following event information appears:
- The first two bytes of this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (message type four).
- This line indicates that the message that follows is 129 bytes.
- This line indicates a record type value of 66, which represents a rule message record.
- This line indicates that the rule message record that follows is 121 bytes long.
- This line indicates that the generator identification number is 1, the rules engine.
- This line indicates that the rule identification number is 28069.
- This line indicates that the rule revision number is 1.
- This line indicates that the rule identification number rendered to the Sourcefire 3D System is 28069.
- The first two bytes of this line indicate that there are 71 bytes included in the rule text name. The second two bytes begin the unique identifier number for the rule.
- The first two bytes of this line finish the unique identifier number of the rule. The next two bytes begin the unique identifier number for the revision of the rule.
- The first two bytes of this line finish the unique identifier number for the revision of the rule. The second two bytes begin the text of the rule message itself. The full text of the transmitted rule message is: “APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn”.
Example of a Version 4.0 Correlation Policy Violation Event
The following diagram shows an example correlation policy violation record in Defense Center 4.0 format:
A |
||||||||||||||||||||||||||||||||
B |
||||||||||||||||||||||||||||||||
C |
||||||||||||||||||||||||||||||||
D |
||||||||||||||||||||||||||||||||
E |
||||||||||||||||||||||||||||||||
F |
||||||||||||||||||||||||||||||||
G |
||||||||||||||||||||||||||||||||
H |
||||||||||||||||||||||||||||||||
I |
||||||||||||||||||||||||||||||||
J |
||||||||||||||||||||||||||||||||
K |
||||||||||||||||||||||||||||||||
L |
||||||||||||||||||||||||||||||||
M |
||||||||||||||||||||||||||||||||
N |
||||||||||||||||||||||||||||||||
O |
||||||||||||||||||||||||||||||||
P |
||||||||||||||||||||||||||||||||
Q |
||||||||||||||||||||||||||||||||
R |
||||||||||||||||||||||||||||||||
S |
||||||||||||||||||||||||||||||||
T |
||||||||||||||||||||||||||||||||
U |
||||||||||||||||||||||||||||||||
V |
||||||||||||||||||||||||||||||||
W |
||||||||||||||||||||||||||||||||
X |
||||||||||||||||||||||||||||||||
Y |
||||||||||||||||||||||||||||||||
Z |
||||||||||||||||||||||||||||||||
AA |
||||||||||||||||||||||||||||||||
AB |
||||||||||||||||||||||||||||||||
AC |
||||||||||||||||||||||||||||||||
AD |
||||||||||||||||||||||||||||||||
AE |
||||||||||||||||||||||||||||||||
AF |
||||||||||||||||||||||||||||||||
AG |
||||||||||||||||||||||||||||||||
AH |
||||||||||||||||||||||||||||||||
AI |
||||||||||||||||||||||||||||||||
In the preceding example, the following information appears:
- The first two bytes of this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (message type four).
- This line indicates that the message that follows is 137 bytes long.
- This line indicates a record type value of 36, which represents a correlation policy violation record for Sourcefire 3D System 4.0.
- This line indicates that the data that follows is 129 bytes long.
- This line contains a value of 33, indicating that a correlation policy violation data block follows.
- This line indicates that the length of the policy violation block, including the policy violation block header, is 129 bytes.
- The first byte line indicates that the detection engine ID is 0, indicating that the correlation event was generated on the Defense Center. The last three bytes of this line and the first byte of the next line contains the policy event timestamp, 1,098,911,301, which is Wed, 27 Oct 2004 21:08:21 GMT.
- The last three bytes of this line and first byte of the next line indicate that the policy event ID number is 10.
- The last three bytes of this line and first byte of the next line indicate a policy ID of 4, which, in this case, maps to a custom correlation policy on the Defense Center.
- The last three bytes of this line and first byte of the next line indicate rule ID of 29, which, in this case, maps to a custom correlation policy rule on the Defense Center.
- The last three bytes of this line and first byte of the next line indicate a policy priority of 1.
- The last three bytes of this line and first byte of the next line contain a value of 0, which indicates the beginning of a string block for the policy violation event description.
- The last three bytes of this line and first byte of the next line indicate the length of the description. In this example, the length is 21 bytes, including the string block header and the 13 bytes in the event description. In an actual event, the length is typically much longer.
- The first byte of this line is a continuation of the string block length, followed by 13 bytes that contain the event description. The event description has been truncated for the sake of this example. In this example, the description is “ [1:2008:4] MI.” In the actual policy violation event that this example is based on, however, the description is much longer: “[ 1:2008:4] MISC CVS invalid user authentication response [Impact: Potentially Vulnerable] From sensor "is.sourcefire.com" at Thu Oct 28 17:07:19 2004 UTC [Classification: Misc Attack] [Priority: 2] {tcp} 10.1.1.24:2401-> 10.1.1.25:34174.”
- The third byte in this line has a value of one, which indicates that the type of event that caused the correlation policy violation is an intrusion event. The fourth byte in this line indicates the identification number of the device that generated the intrusion event, in this case, this is sensor 1.
- This line indicates that the signature ID for the rule triggered in the event is 2008.
- This line indicates that the generator ID for the rule that triggered in the event is 1, the intrusion Detection Engine.
- This line indicates that the intrusion event timestamp is 1,098,911,243, which means it was generated at Wed, 27 Oct 2004 21:07:23 GMT.
- This line indicates the microsecond the intrusion event was generated, 179,035.
- This line indicates that the ID assigned to the intrusion event is 17,828.
- This line indicates which of the fields that follow it are valid. Based on how the bits are set, impact flags, IP protocol, source IP, source port, destination IP, and destination port fields will have values.
- This line indicates the impact value assigned to the event. Based on how the bits are set, the impact is Orange—Potentially Vulnerable.
- The first byte in this line indicates that the IP protocol is 6 (TCP). The second two bytes show the network protocol, which is null. The last byte of this line and first three bytes of the next line begins the source IP string, which is 10.1.1.24.
- The first three bytes in this line finish the source IP started in line W and the last byte shows the host type, which is null.
- The first two bytes in this line indicate the VLAN ID, which is null. The second two bytes begin a four-byte fingerprint ID, which is also null.
- The first two bytes in this line complete the fingerprint ID, the second two bytes contain the source host criticality, which is null.
- The first two bytes of this line indicate the source port, 2401. The second two bytes begin the string block for the source host server, which has a value of 0.
- The first two bytes end the string block header and the second two bytes begin the string block length. The value of the string block length is 8, indicating that only the header appears and no server description string follows.
- The first two bytes complete the string block length. The second two bytes begin the destination IP address, which is 10.1.1.25.
- The first two bytes in this line complete the destination IP address. The third byte indicates the destination host type, which is null. The fourth byte begins the two byte destination VLAN ID, which is also null.
- The first byte in this line completes the VLAN ID, and the second three bytes begin the four-byte destination fingerprint ID, which is null.
- The first byte completes the destination fingerprint ID, the second two bytes contain the destination host criticality (which is null), and the last byte begins the two byte destination port (34174).
- The first byte completes the destination port, and the last three bytes begin a four byte string block, which has a value of 0.
- The first byte contains the last byte of the string header, and the last three bytes begin a four byte string length. The value here is 8, because no destination server is included in the event.
Example of a Version 4.5 - 4.6.1 Correlation Event
The following diagram shows an example correlation event record in Defense Center 4.5 - 4.6.1format:
A |
||||||||||||||||||||||||||||||||
B |
||||||||||||||||||||||||||||||||
C |
||||||||||||||||||||||||||||||||
D |
||||||||||||||||||||||||||||||||
E |
||||||||||||||||||||||||||||||||
F |
||||||||||||||||||||||||||||||||
G |
||||||||||||||||||||||||||||||||
H |
||||||||||||||||||||||||||||||||
I |
||||||||||||||||||||||||||||||||
J |
||||||||||||||||||||||||||||||||
K |
||||||||||||||||||||||||||||||||
L |
||||||||||||||||||||||||||||||||
M |
||||||||||||||||||||||||||||||||
N |
||||||||||||||||||||||||||||||||
O |
||||||||||||||||||||||||||||||||
P |
||||||||||||||||||||||||||||||||
Q |
||||||||||||||||||||||||||||||||
R |
||||||||||||||||||||||||||||||||
S |
||||||||||||||||||||||||||||||||
T |
||||||||||||||||||||||||||||||||
U |
||||||||||||||||||||||||||||||||
V |
||||||||||||||||||||||||||||||||
W |
||||||||||||||||||||||||||||||||
X |
||||||||||||||||||||||||||||||||
Y |
||||||||||||||||||||||||||||||||
Z |
||||||||||||||||||||||||||||||||
AA |
||||||||||||||||||||||||||||||||
AB |
||||||||||||||||||||||||||||||||
AC |
||||||||||||||||||||||||||||||||
AD |
||||||||||||||||||||||||||||||||
AE |
||||||||||||||||||||||||||||||||
AF |
||||||||||||||||||||||||||||||||
AG |
||||||||||||||||||||||||||||||||
In the preceding example, the following information appears:
- The first two bytes of this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (message type four).
- This line indicates that the message that follows is 153 bytes long.
- This line indicates a record type value of 65, which represents a correlation event record for Sourcefire 3D System 4.5.
- This line indicates that the data that follows is 145 bytes long.
- This line contains a value of 52, indicating that a correlation event data block follows.
- This line indicates that the length of the correlation event block, including the correlation event block header, is 145 bytes.
- This line indicates that the detection engine ID is 0, indicating that the correlation event was generated on the Defense Center.
- This line contains the event timestamp, 1,098,911,301, which is Wed, 27 Oct 2004 21:08:21 GMT.
- This line indicates that the event ID number is 10.
- This line indicates a policy ID of 4, which, in this case, maps to a custom correlation policy on the Defense Center.
- This line indicates a rule ID of 29, which, in this case, maps to a custom correlation policy rule on the Defense Center.
- This line indicates a policy priority of 1.
- This line contains a value of 0, which indicates the beginning of a string block for the policy violation event description.
- This line indicates the length of the description. In this example, the length is 19 bytes, including the string block header and the 11 bytes in the event description. In an actual event, the length is typically much longer.
- These three lines contain the 11-byte event description, followed by the event type. The event description has been truncated for the sake of this example. In this example, the description is “ [1:2008:4] .” In the actual policy violation event that this example is based on, however, the description is much longer: “ [1:2008:4] MISC CVS invalid user authentication response [Impact: Potentially Vulnerable] From sensor "is.sourcefire.com" at Thu Oct 28 17:07:19 2004 UTC [Classification: Misc Attack] [Priority: 2] {tcp} 10.1.1.24:2401-> 10.1.1.25:34174.” The fourth byte in the third line has a value of one, which indicates that the type of event that caused the policy violation is an intrusion event.
- This line indicates the identification number of the device that generated the intrusion event, in this case, this is sensor 1.
- This line indicates that the signature ID for the rule triggered in the event is 2008.
- This line indicates that the generator ID for the rule that triggered in the event is 1, the intrusion detection engine.
- This line indicates that the intrusion event timestamp is 1,098,911,243, which means it was generated at Wed, 27 Oct 2004 21:07:23 GMT.
- This line indicates the microsecond the intrusion event was generated, 179,035.
- This line indicates that the ID assigned to the intrusion event is 17,828.
- This line indicates which of the fields that follow it are valid. Based on how the bits are set, impact flags, IP protocol, source IP, source port, destination IP, and destination port fields will have values.
- This line indicates the impact value assigned to the event. Based on how the bits are set, the impact is Orange—Potentially Vulnerable.
- The first byte in this line indicates that the IP protocol is 6 (TCP). The second two bytes show the network protocol, which is null. The last byte of this line and first three bytes of the next line begins the source IP string, which is 10.1.1.24.
- The first three bytes in this line finish the source IP started in line W and the last byte shows the host type, which is null.
- The first two bytes in this line indicate the VLAN ID, which is null. The second two bytes and the next three lines contain the first 14 bytes of a 16-byte fingerprint UUID, which is also null.
- The first two bytes in this line complete the fingerprint UUID, the second two bytes contain the source host criticality, which is null.
- The first two bytes of this line indicate the source port, 2401. The second two bytes indicate the server ID for the source host server, which has a value of 0.
- This line contains the destination IP address, which is 10.1.1.25.
- The first byte in this line indicates the destination host type, which is null. The second and third bytes indicate the two byte destination VLAN ID, which is also null. The fourth byte and the next three lines contain the first 13 bytes of a 16-byte fingerprint UUID, which is also null.
- The first three bytes in this line complete the 16-byte destination fingerprint ID, which is null. The fourth byte begins the destination host criticality (which is null).
- The first byte in this line completes the destination host criticality (which is null). The next two bytes contain the two byte destination port (34174). The last byte begins the destination server ID, which is null.
- The first byte in this line completes the destination server ID, which is null.
Example of a Version 4.10 Correlation Event
The following diagram shows an example correlation event record in Defense Center 4.10 format:
A |
||||||||||||||||||||||||||||||||
B |
||||||||||||||||||||||||||||||||
C |
||||||||||||||||||||||||||||||||
D |
||||||||||||||||||||||||||||||||
E |
||||||||||||||||||||||||||||||||
F |
||||||||||||||||||||||||||||||||
G |
||||||||||||||||||||||||||||||||
H |
||||||||||||||||||||||||||||||||
I |
||||||||||||||||||||||||||||||||
J |
||||||||||||||||||||||||||||||||
K |
||||||||||||||||||||||||||||||||
L |
||||||||||||||||||||||||||||||||
M |
||||||||||||||||||||||||||||||||
N |
||||||||||||||||||||||||||||||||
O |
||||||||||||||||||||||||||||||||
P |
||||||||||||||||||||||||||||||||
Q |
||||||||||||||||||||||||||||||||
R |
||||||||||||||||||||||||||||||||
S |
||||||||||||||||||||||||||||||||
T |
||||||||||||||||||||||||||||||||
U |
||||||||||||||||||||||||||||||||
V |
||||||||||||||||||||||||||||||||
W |
||||||||||||||||||||||||||||||||
X |
||||||||||||||||||||||||||||||||
Y |
||||||||||||||||||||||||||||||||
Z |
||||||||||||||||||||||||||||||||
AA |
||||||||||||||||||||||||||||||||
AB |
||||||||||||||||||||||||||||||||
AC |
||||||||||||||||||||||||||||||||
AD |
||||||||||||||||||||||||||||||||
AE |
||||||||||||||||||||||||||||||||
AF |
||||||||||||||||||||||||||||||||
AG |
||||||||||||||||||||||||||||||||
AH |
||||||||||||||||||||||||||||||||
AI |
||||||||||||||||||||||||||||||||
In the preceding example, the following information appears:
- The first two bytes of this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (message type four).
- This line indicates that the message that follows is 153 bytes long.
- This line indicates a record type value of 112, which represents a correlation event record for Sourcefire 3D System 4.10.
- This line indicates that the data that follows is 145 bytes long.
Note that bit 23 was not set in the request, so Timestamp data is not included in the example.
- This line contains a value of 107, indicating that a correlation event data block follows.
- This line indicates that the length of the correlation event block, including the correlation event block header, is 145 bytes.
- This line indicates that the detection engine ID is 0, indicating that the correlation event was generated on the Defense Center.
- This line contains the correlation event timestamp, 1,098,911,301, which is Wed, 27 Oct 2004 21:08:21 GMT.
- This line indicates that the correlation event ID number is 10.
- This line indicates a policy ID of 4, which, in this case, maps to a custom correlation policy on the Defense Center.
- This line indicates a rule ID of 29, which, in this case, maps to a custom correlation policy rule on the Defense Center.
- This line indicates a policy priority of 1.
- This line contains a value of 0, which indicates the beginning of a string block for the event description.
- This line indicates the length of the description. In this example, the length is 19 bytes, including the string block header and the 11 bytes in the event description. In an actual event, the length is typically much longer.
- These three lines contain the 11-byte event description, followed by the event type. The event description has been truncated for the sake of this example. In this example, the description is “ [1:2008:4] .” In the actual policy violation event that this example is based on, however, the description is much longer: “[ 1:2008:4] MISC CVS invalid user authentication response [Impact: Potentially Vulnerable] From sensor "is.sourcefire.com" at Thu Oct 28 17:07:19 2004 UTC [Classification: Misc Attack] [Priority: 2] {tcp} 10.1.1.24:2401-> 10.1.1.25:34174.” The fourth byte in the third line has a value of one, which indicates that the type of event that caused the policy violation is an intrusion event.
- This line indicates the identification number of the detection engine that generated the intrusion event, in this case, this is detection engine 1.
- This line indicates that the signature ID for the rule triggered in the event is 2008.
- This line indicates that the generator ID for the rule that triggered in the event is 1, the intrusion detection engine.
- This line indicates that the intrusion event timestamp is 1,098,911,243, which means it was generated at Wed, 27 Oct 2004 21:07:23 GMT.
- This line indicates the microsecond the intrusion event was generated, 179,035.
- This line indicates that the ID assigned to the intrusion event is 17,828.
- This line indicates which of the fields that follow it are valid. Based on how the bits are set, impact flags, IP protocol, source IP, source port, destination IP, and destination port fields will have values.
- The first byte in this line indicates the impact value assigned to the event. Based on how the bits are set, the impact is Orange—Potentially Vulnerable. The second byte in this line indicates that the IP protocol is 6 (TCP). The last two bytes show the network protocol, which is null.
- The line indicates the source IP string, which is 10.1.1.24.
- The first byte in this line indicates the host type, which is null. The second and third bytes in this line indicate the VLAN ID, which is null. The last byte and the next three lines contain the first 13 bytes of a 16-byte fingerprint UUID, which is also null.
- The first three bytes in this line complete the fingerprint UUID. The last byte begins the source host criticality, which is null.
- The first byte of this line completes the source host criticality. The last three bytes begin the source user ID, which has a value of 9.
- The first byte of this line completes the source user ID. The second and third bytes indicate the source port, 2401. The last byte begins the server ID for the source host server, which has a value of 0.
- This line completes the server ID. The last byte in this line begins the destination IP address, which is 10.1.1.25.
- The first three bytes in this line complete the destination IP address. The last byte indicates the destination host type, which is null.
- The first two bytes in this line indicate the two byte destination VLAN ID, which is also null. The third and fourth byte and the next three lines contain the first 14 bytes of a 16-byte fingerprint UUID, which is also null.
- The first two bytes in this line complete the 16-byte destination fingerprint ID, which is null. The third and fourth byte indicates the destination host criticality (which is null).
- This line indicates the destination user ID, which has a value of 20.
- The first two bytes of this line contain the two byte destination port (34174). The last two bytes contain the destination server ID, which is null.
- The first two bytes in this line indicate the destination server ID, which is null. The third byte indicates whether the packet was blocked.
Example of a Version 5.1+ User Event
The following diagram shows an example user event record in Defense Center 5.1+ format:
A |
||||||||||||||||||||||||||||||||
B |
||||||||||||||||||||||||||||||||
C |
||||||||||||||||||||||||||||||||
D |
||||||||||||||||||||||||||||||||
E |
||||||||||||||||||||||||||||||||
F |
||||||||||||||||||||||||||||||||
G |
||||||||||||||||||||||||||||||||
H |
||||||||||||||||||||||||||||||||
I |
||||||||||||||||||||||||||||||||
J |
||||||||||||||||||||||||||||||||
K |
||||||||||||||||||||||||||||||||
L |
||||||||||||||||||||||||||||||||
M |
||||||||||||||||||||||||||||||||
N |
||||||||||||||||||||||||||||||||
O |
||||||||||||||||||||||||||||||||
P |
||||||||||||||||||||||||||||||||
Q |
||||||||||||||||||||||||||||||||
R |
||||||||||||||||||||||||||||||||
S |
||||||||||||||||||||||||||||||||
T |
||||||||||||||||||||||||||||||||
U |
||||||||||||||||||||||||||||||||
V |
||||||||||||||||||||||||||||||||
W |
||||||||||||||||||||||||||||||||
X |
||||||||||||||||||||||||||||||||
Y |
||||||||||||||||||||||||||||||||
Z |
||||||||||||||||||||||||||||||||
AA |
||||||||||||||||||||||||||||||||
AB |
||||||||||||||||||||||||||||||||
AC |
||||||||||||||||||||||||||||||||
In the preceding example, the following information appears:
- The first two bytes of this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (message type four).
- This line indicates that the message that follows is 153 bytes long.
- This line indicates a record type value of 95, which represents a user information update message block.
- This line indicates that the data that follows is 137 bytes long.
- This line contains the archive timestamp. It is included since bit 23 was set. The timestamp is a Unix timestamp, stored as seconds since 1/1/1970. This time stamp is 1,391,789,354, which is Mon Feb 3 19:43:49 2014.
- This line contains zeros and is reserved for future use.
- This line indicates that the length of the correlation event block, including the correlation event block header, is 145 bytes.
- This line indicates that the detection engine ID is 0, indicating that the correlation event was generated on the Defense Center.
- This line contains the correlation event timestamp, 1,098,911,301, which is Wed, 27 Oct 2004 21:08:21 GMT.
- This line indicates that the correlation event ID number is 10.
- This line indicates a policy ID of 4, which, in this case, maps to a custom correlation policy on the Defense Center.
- This line indicates a rule ID of 29, which, in this case, maps to a custom correlation policy rule on the Defense Center.
- This line indicates a policy priority of 1.
- This line contains a value of 0, which indicates the beginning of a string block for the event description.
- This line indicates the length of the description. In this example, the length is 19 bytes, including the string block header and the 11 bytes in the event description. In an actual event, the length is typically much longer.
- These three lines contain the 11-byte event description, followed by the event type. The event description has been truncated for the sake of this example. In this example, the description is “ [1:2008:4] .” In the actual policy violation event that this example is based on, however, the description is much longer: “[ 1:2008:4] MISC CVS invalid user authentication response [Impact: Potentially Vulnerable] From sensor "is.sourcefire.com" at Thu Oct 28 17:07:19 2004 UTC [Classification: Misc Attack] [Priority: 2] {tcp} 10.1.1.24:2401-> 10.1.1.25:34174.” The fourth byte in the third line has a value of one, which indicates that the type of event that caused the policy violation is an intrusion event.
- This line indicates the identification number of the detection engine that generated the intrusion event, in this case, this is detection engine 1.
- This line indicates that the signature ID for the rule triggered in the event is 2008.
- This line indicates that the generator ID for the rule that triggered in the event is 1, the intrusion detection engine.
- This line indicates that the intrusion event timestamp is 1,098,911,243, which means it was generated at Wed, 27 Oct 2004 21:07:23 GMT.
- This line indicates the microsecond the intrusion event was generated, 179,035.
- This line indicates that the ID assigned to the intrusion event is 17,828.
- This line indicates which of the fields that follow it are valid. Based on how the bits are set, impact flags, IP protocol, source IP, source port, destination IP, and destination port fields will have values.
- The first byte in this line indicates the impact value assigned to the event. Based on how the bits are set, the impact is Orange—Potentially Vulnerable. The second byte in this line indicates that the IP protocol is 6 (TCP). The last two bytes show the network protocol, which is null.
- The line indicates the source IP string, which is 10.1.1.24.
- The first byte in this line indicates the host type, which is null. The second and third bytes in this line indicate the VLAN ID, which is null. The last byte and the next three lines contain the first 13 bytes of a 16-byte fingerprint UUID, which is also null.
- The first three bytes in this line complete the fingerprint UUID. The last byte begins the source host criticality, which is null.
- The first byte of this line completes the source host criticality. The last three bytes begin the source user ID, which has a value of 9.
- The first byte of this line completes the source user ID. The second and third bytes indicate the source port, 2401. The last byte begins the server ID for the source host server, which has a value of 0.
- This line completes the server ID. The last byte in this line begins the destination IP address, which is 10.1.1.25.
- The first three bytes in this line complete the destination IP address. The last byte indicates the destination host type, which is null.
- The first two bytes in this line indicate the two byte destination VLAN ID, which is also null. The third and fourth byte and the next three lines contain the first 14 bytes of a 16-byte fingerprint UUID, which is also null.
- The first two bytes in this line complete the 16-byte destination fingerprint ID, which is null. The third and fourth byte indicates the destination host criticality (which is null).
Discovery Data Structure Examples
This section contains examples of data structures that may be transmitted by eStreamer for discovery events. The following examples are provided:
Example of a New Network Protocol Message
■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppAExamples.html#92055">Example of a New TCP Server Message
Example of a New Network Protocol Message
The following diagram illustrates a sample new network protocol message for 3.0+:
Standard Message Header |
||||||||||||||||||||||||||||||||||||
Example of a New TCP Server Message
The following diagram illustrates a sample new TCP server message for 3.0:
| Server Banner (HTTP/1.1 414 Reque) -Server banner shortened for example, typically 256B. |
||||||||||||||||||||||||||||||||||||
Feedback