Understanding Legacy Data Structures

Legacy Intrusion Data Structures
Legacy Malware Event Data Structures
Legacy Discovery Data Structures
Legacy Connection Data Structures
Legacy File Event Data Structures
Legacy Correlation Event Data Structures
Legacy Host Data Structures
Legacy Metadata Structures
- Detection Engine Record for 4.6.1 4.10.x

This appendix contains information about data structures supported by eStreamer at previous versions of Sourcefire 3D System products.

If your client uses event stream requests with bits set to request data in older version formats, you can use the information in this appendix to identify the data structures of the data messages you receive.

Note that prior to version 5.0, separate detection engines were assigned IDs. For version 5.0+, devices are assigned IDs. Based on the version, data structures reflect this.

This appendix describes only data structures from version 4.9 or later of the Sourcefire 3D System. If you require documentation for structures from earlier data structure versions, contact Sourcefire Customer Support.

See the following sections for more information:

Legacy Intrusion Data Structures

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#73394">Legacy Malware Event Data Structures

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#91178">Legacy Discovery Data Structures

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#52333">Legacy Connection Data Structures

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#69534">Legacy File Event Data Structures

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#82774">Legacy Correlation Event Data Structures

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#67057">Legacy Host Data Structures

Legacy Intrusion Data Structures

Intrusion Event (IPv4) Record for 4.9 - 4.10.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#67457">Intrusion Event (IPv6) Record for 4.10.2.3

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#54997">Intrusion Event (IPv4) Record 5.0.x - 5.1

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#97688">Intrusion Event (IPv6) Record 5.0.x - 5.1

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#12231">Intrusion Event Record 5.2.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#29338">Intrusion Event Record 5.1.1.x

Intrusion Event (IPv4) Record for 4.9 - 4.10.x

The fields in the intrusion event (IPv4) record are shaded in the following graphic. The record type is 104 for version 4.9+, where VLAN IDs are included. The table following the graphic includes details on the fields.

You request intrusion event records by setting the intrusion event flag—bit 6 in the Request Flags field—in the request message. If you enable bit 23, an extended event header is included in the record.

Events are uniquely identified by event ID, detection device ID, and event second.

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Header Version (1)																Message Type (4)
	Message Length
	Record Type (104)
	Record Length
	eStreamer Server Timestamp (in events, only if bit 23 is set)
	Reserved for Future Use (in events, only if bit 23 is set)
	Detection Engine ID
	Event ID
	Event Second
	Event Microsecond
	Rule ID (Signature ID)
	Generator ID
	Rule Revision
	Classification ID
	Priority ID
	Source IPv4 Address
	Destination IPv4 Address
	Source Port/ICMP Type																Destination Port/ICMP Code
	IP Protocol ID								Impact Flags								Impact								Blocked
	Reserved
	VLAN ID																Pad

The Intrusion Event (IPv4) Record 4.9 - 4.10.x Fields describes each intrusion event record data field.

Intrusion Event (IPv4) Record 4.9 - 4.10.x Fields
Field	Data Type	Description
Detection Engine ID	unit32	Contains the detection engine identification number.
Event ID	uint32	Event identification number.
Event Second	uint32	UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
Event Microsecond	uint32	Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.
Rule ID (Signature ID)	uint32	Rule identification number that corresponds with the event.
Generator ID	uint32	Identification number of the Sourcefire 3D System preprocessor that generated the event.
Rule Revision	uint32	Rule revision number.
Classification ID	uint32	Identification number of the event classification message.
Priority ID	uint32	Identification number of the priority associated with the event.
Source IPv4 Address	uint8[4]	Source IPv4 address used in the event, in address octets.
Destination IPv4 Address	uint8[4]	Destination IPv4 address used in the event, in address octets.
Source Port/ICMP Type	uint16	If the event protocol type is TCP or UDP, this indicates the source port number. If the protocol type is ICMP, this indicates the ICMP type.
Destination Port/ICMP Code	uint16	If the event protocol type is TCP or UDP, this indicates the destination port number. If the protocol type is ICMP, this indicates the ICMP code.
IP Protocol Number	uint8	IANA-specified protocol number. For example: 0 — IP 1 — ICMP 6 — TCP 17 — UDP and so on.
Impact Flags	bits[8]	Impact flag value of the event. The low-order seven bits are used to indicate the impact level. Values are: 0x01 — Source or destination host is in a network monitored by the system (bit 0). 0x02 — Source or destination host exists in the network map (bit 1). 0x04 — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol (bit 2). 0x08 — There is a vulnerability mapped to the operating system of the source or destination host in the event (bit 3). 0x10 — There is a vulnerability mapped to the server detected in the event (bit 4). 0x20 — The event caused the sensor to drop the session (used only when the sensor is running in inline mode) (bit 5). Corresponds to blocked status in Inline Result column in the Sourcefire 3D System web interface. 0x40 — The rule that generated this event contains rule metadata setting the impact flag to red (bit 6). The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software. The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1: gray (0, unknown): 0X00000 red (1, vulnerable): XXX1XXX , XX1XXXX , 1XXXXXX orange (2, potentially vulnerable): 0X00111 yellow (3, currently not vulnerable): 0X00011 blue (4, unknown target): 0X00001
Impact	uint8	Impact flag value of the event. Values are: 1 — Red (vulnerable) 2 — Orange (potentially vulnerable) 3 — Yellow (currently not vulnerable) 4 — Blue (unknown target) 5 — Gray (unknown impact)
Blocked	uint8	Value indicating whether the event was blocked. 0 — not blocked 1 — blocked 2 — would be blocked (but not permitted by configuration)
Reserved	uint32	Reserved. The display value is MPLS Label:0.
VLAN ID	uint16	Indicates the ID of the VLAN where the packet originated. (Applies to 4.9+ events only.)
Pad	uint16	Reserved for future use.

Intrusion Event (IPv6) Record for 4.10.2.3

The fields in the intrusion event (IPv6) record are shaded in the following graphic. The record type is 105 for version 4.10.2.3, where VLAN IDs are included. The table following the graphic includes details on the fields.

Events are uniquely identified by event ID, detection device ID, and event second.

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Header Version (1)																Message Type (4)
	Message Length
	Record Type (105)
	Record Length
	eStreamer Server Timestamp (in events, only if bit 23 is set)
	Reserved for Future Use (in events, only if bit 23 is set)
	Detection Engine ID
	Event ID
	Event Second
	Event Microsecond
	Rule ID (Signature ID)
	Generator ID
	Rule Revision
	Classification ID
	Priority ID
	Source IPv6 Address
	Source IPv6 Address, continued
	Source IPv6 Address, continued
	Source IPv6 Address, continued
	Destination IPv6 Address
	Destination IPv6 Address, continued
	Destination IPv6 Address, continued
	Destination IPv6 Address, continued
	Source Port/ICMP Type																Destination Port/ICMP Code
	IP Protocol ID								Impact Flags								Impact								Blocked
	Reserved
	VLAN ID																Pad

The Intrusion Event (IPv6) Record 4.10.2.3+ Fields describes each intrusion event record data field.

Intrusion Event (IPv6) Record 4.10.2.3+ Fields
Field	Data Type	Description
Detection Engine ID	unit32	Contains the detection engine identification number.
Event ID	uint32	Event identification number.
Event Second	uint32	UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
Event Microsecond	uint32	Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.
Rule ID (Signature ID)	uint32	Rule identification number that corresponds with the event.
Generator ID	uint32	Identification number of the Sourcefire 3D System preprocessor that generated the event.
Rule Revision	uint32	Rule revision number.
Classification ID	uint32	Identification number of the event classification message.
Priority ID	uint32	Identification number of the priority associated with the event.
Source IPv6 Address	uint16[8]	Source IPv6 address used in the event, in address octets.
Destination IPv6 Address	uint16[8]	Destination IPv6 address used in the event, in address octets.
Source Port/ICMP Type	uint16	If the event protocol type is TCP or UDP, this indicates the source port number. If the protocol type is ICMP, this indicates the ICMP type.
Destination Port/ICMP Code	uint16	If the event protocol type is TCP or UDP, this indicates the destination port number. If the protocol type is ICMP, this indicates the ICMP code.
IP Protocol Number	uint8	IANA-specified protocol number. For example: 0 — IP 1 — ICMP 6 — TCP 17 — UDP and so on.
Impact Flags	bits[8]	Impact flag value of the event. The low-order seven bits are used to indicate the impact level. Values are: 0x01 — Source or destination host is in a network monitored by the system (bit 0). 0x02 — Source or destination host exists in the network map (bit 1). 0x04 — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol (bit 2). 0x08 — There is a vulnerability mapped to the operating system of the source or destination host in the event (bit 3). 0x10 — There is a vulnerability mapped to the server detected in the event (bit 4). 0x20 — The event caused the sensor to drop the session (used only when the sensor is running in inline mode) (bit 5). Corresponds to blocked status in Inline Result column in the Sourcefire 3D System web interface. 0x40 — The rule that generated this event contains rule metadata setting the impact flag to red (bit 6). If the rule is provided by the Sourcefire Vulnerability Research Team (VRT), the source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software. The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1: gray (0, unknown): 0X00000 red (1, vulnerable): XXX1XXX , XX1XXXX , 1XXXXXX orange (2, potentially vulnerable): 0X00111 yellow (3, currently not vulnerable): 0X00011 blue (4, unknown target): 0X00001
Impact	uint8	Impact flag value of the event. Values are: 1 — Red (vulnerable) 2 — Orange (potentially vulnerable) 3 — Yellow (currently not vulnerable) 4 — Blue (unknown target) 5 — Gray (unknown impact)
Blocked	uint8	Value indicating whether the event was blocked. 0 — not blocked 1 — blocked 2 — would be blocked (but not permitted by configuration)
Reserved	uint32	Reserved. The display value is MPLS Label:0.
VLAN ID	uint16	Indicates the ID of the VLAN where the packet originated. (Applies to 4.9+ events only.)
Pad	uint16	Reserved for future use.

Intrusion Event (IPv4) Record 5.0.x - 5.1

The fields in the intrusion event (IPv4) record are shaded in the following graphic. The record type is 207.

You request intrusion event records by setting the intrusion event flag or the extended requests flag in the request message. See Request Flags and Submitting Extended Requests.

For version 5.0.x - 5.1 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier.

Byte

Bit

Header Version (1)

Message Type (4)

Message Length

Record Type (207)

Record Length

eStreamer Server Timestamp (in events, only if bit 23 is set)

Reserved for Future Use (in events, only if bit 23 is set)

Device ID

Event ID

Event Second

Event Microsecond

Rule ID (Signature ID)

Generator ID

Rule Revision

Classification ID

Priority ID

Source IPv4 Address

Destination IPv4 Address

Source Port

Destination Port

IP Protocol ID

Impact Flags

Impact

Blocked

MPLS Label

VLAN ID

Pad

Policy UUID

Policy UUID, continued

User ID

Web Application ID

Client Application ID

Application Protocol ID

Access Control Rule ID

Access Control Policy UUID

Access Control Policy UUID, continued

Interface Ingress UUID

Interface Ingress UUID, continued

Interface Egress UUID

Interface Egress UUID, continued

Security Zone Ingress UUID

Security Zone Ingress UUID, continued

Security Zone Egress UUID

Security Zone Egress UUID, continued

The Intrusion Event (IPv4) Record Fields describes each intrusion event record data field.

Intrusion Event (IPv4) Record Fields
Field	Data Type	Description
Device ID	unit32	Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.
Event ID	uint32	Event identification number.
Event Second	uint32	UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
Event Microsecond	uint32	Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.
Rule ID (Signature ID)	uint32	Rule identification number that corresponds with the event.
Generator ID	uint32	Identification number of the Sourcefire 3D System preprocessor that generated the event.
Rule Revision	uint32	Rule revision number.
Classification ID	uint32	Identification number of the event classification message.
Priority ID	uint32	Identification number of the priority associated with the event.
Source IPv4 Address	uint8[4]	Source IPv4 address used in the event, in address octets.
Destination IPv4 Address	uint8[4]	Destination IPv4 address used in the event, in address octets.
Source Port	uint16	The source port number if the event protocol type is TCP or UDP.
Destination Port	uint16	The destination port number if the event protocol type is TCP or UDP.
IP Protocol Number	uint8	IANA-specified protocol number. For example: 0 — IP 1 — ICMP 6 — TCP 17 — UDP and so on.
Impact Flags	bits[8]	Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: 0x01 (bit 0) — Source or destination host is in a network monitored by the system. 0x02 (bit 1) — Source or destination host exists in the network map. 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol. 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event. 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event. 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Sourcefire 3D System web interface. 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software. 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event. The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1: gray (0, unknown): 00X00000 red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX orange (2, potentially vulnerable): 00X00111 yellow (3, currently not vulnerable): 00X00011 blue (4, unknown target): 00X00001
Impact	uint8	Impact flag value of the event. Values are: 1 — Red (vulnerable) 2 — Orange (potentially vulnerable) 3 — Yellow (currently not vulnerable) 4 — Blue (unknown target) 5 — Gray (unknown impact)
Blocked	uint8	Value indicating whether the event was blocked. 0 — not blocked 1 — blocked 2 — would be blocked (but not permitted by configuration)
MPLS Label	uint32	MPLS label.
VLAN ID	uint16	Indicates the ID of the VLAN where the packet originated.
Pad	uint16	Reserved for future use.
Policy UUID	uint8[16]	A policy ID number that acts as a unique identifier for the intrusion policy.
User ID	uint32	The internal identification number for the user, if applicable.
Web Application ID	uint32	The internal identification number for the web application, if applicable.
Client Application ID	uint32	The internal identification number for the client application, if applicable.
Application Protocol ID	uint32	The internal identification number for the application protocol, if applicable.
Access Control Rule ID	uint32	A rule ID number that acts as a unique identifier for the access control rule.
Access Control Policy UUID	uint8[16]	A policy ID number that acts as a unique identifier for the access control policy.
Ingress Interface UUID	uint8[16]	An interface ID number that acts as a unique identifier for the ingress interface.
Egress Interface UUID	uint8[16]	An interface ID number that acts as a unique identifier for the egress interface.
Ingress Security Zone UUID	uint8[16]	A zone ID number that acts as a unique identifier for the ingress security zone.
Egress Security Zone UUID	uint8[16]	A zone ID number that acts as a unique identifier for the egress security zone.

Intrusion Event (IPv6) Record 5.0.x - 5.1

The fields in the intrusion event (IPv6) record are shaded in the following graphic. The record type is 208.

You request intrusion event records by setting the intrusion event flag or the extended requests flag in the request message. See Request Flags and Submitting Extended Requests.

For version 5.0.x - 5.1 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier.

Byte

Bit

Header Version (1)

Message Type (4)

Message Length

Record Type (208)

Record Length

eStreamer Server Timestamp (in events, only if bit 23 is set)

Reserved for Future Use (in events, only if bit 23 is set)

Device ID

Event ID

Event Second

Event Microsecond

Rule ID (Signature ID)

Generator ID

Rule Revision

Classification ID

Priority ID

Source IPv6 Address

Source IPv6 Address, continued

Destination IPv6 Address

Destination IPv6 Address, continued

Source Port/ICMP Type

Destination Port/ICMP Code

IP Protocol ID

Impact Flags

Impact

Blocked

MPLS Label

VLAN ID

Pad

Policy UUID

Policy UUID, continued

User ID

Web Application ID

Client Application ID

Application Protocol ID

Access Control Rule ID

Access Control Policy UUID

Access Control Policy UUID, continued

Interface Ingress UUID

Interface Ingress UUID, continued

Interface Egress UUID

Interface Egress UUID, continued

Security Zone Ingress UUID

Security Zone Ingress UUID, continued

Security Zone Egress UUID

Security Zone Egress UUID, continued

The Intrusion Event (IPv6) Record Fields describes each intrusion event record data field.

Intrusion Event (IPv6) Record Fields
Field	Data Type	Description
Device ID	unit32	Contains the identification number of the detecting device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.
Event ID	uint32	Event identification number.
Event Second	uint32	UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
Event Microsecond	uint32	Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.
Rule ID (Signature ID)	uint32	Rule identification number that corresponds with the event.
Generator ID	uint32	Identification number of the Sourcefire 3D System preprocessor that generated the event.
Rule Revision	uint32	Rule revision number.
Classification ID	uint32	Identification number of the event classification message.
Priority ID	uint32	Identification number of the priority associated with the event.
Source IPv6 Address	uint8[16]	Source IPv6 address used in the event, in address octets.
Destination IPv6 Address	uint8[16]	Destination IPv6 address used in the event, in address octets.
Source Port/ICMP Type	uint16	The source port number if the event protocol type is TCP or UDP. If the protocol type is ICMP, this indicates the ICMP type.
Destination Port/ICMP Code	uint16	The destination port number if the event protocol type is TCP or UDP. If the protocol type is ICMP, this indicates the ICMP code.
IP Protocol Number	uint8	IANA-specified protocol number. For example: 0 — IP 1 — ICMP 6 — TCP 17 — UDP and so on.
Impact Flags	bits[8]	Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: 0x01 (bit 0) — Source or destination host is in a network monitored by the system. 0x02 (bit 1) — Source or destination host exists in the network map. 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol. 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event. 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event. 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Sourcefire 3D System web interface. 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software. 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event. The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1: gray (0, unknown): 00X00000 red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX orange (2, potentially vulnerable): 00X00111 yellow (3, currently not vulnerable): 00X00011 blue (4, unknown target): 00X00001
Impact	uint8	Impact flag value of the event. Values are: 1 — Red (vulnerable) 2 — Orange (potentially vulnerable) 3 — Yellow (currently not vulnerable) 4 — Blue (unknown target) 5 — Gray (unknown impact)
Blocked	uint8	Value indicating whether the event was blocked. 0 — not blocked 1 — blocked 2 — would be blocked (but not permitted by configuration)
MPLS Label	uint32	MPLS label. (Applies to 4.9+ events only.)
VLAN ID	uint16	Indicates the ID of the VLAN where the packet originated. (Applies to 4.9+ events only.)
Pad	uint16	Reserved for future use.
Policy UUID	uint8[16]	A policy ID number that acts as a unique identifier for the intrusion policy.
User ID	uint32	The internal identification number for the user, if applicable.
Web Application ID	uint32	The internal identification number for the web application, if applicable.
Client Application ID	uint32	The internal identification number for the client application, if applicable.
Application Protocol ID	uint32	The internal identification number for the application protocol, if applicable.
Access Control Rule ID	uint32	A rule ID number that acts as a unique identifier for the access control rule.
Access Control Policy UUID	uint8[16]	A policy ID number that acts as a unique identifier for the access control policy.
Ingress Interface UUID	uint8[16]	An interface ID number that acts as a unique identifier for the ingress interface.
Egress Interface UUID	uint8[16]	An interface ID number that acts as a unique identifier for the egress interface.
Ingress Security Zone UUID	uint8[16]	A zone ID number that acts as a unique identifier for the ingress security zone.
Egress Security Zone UUID	uint8[16]	A zone ID number that acts as a unique identifier for the egress security zone.

Intrusion Event Record 5.2.x

The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 34.

You can request 5.2.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 5 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).

For version 5.2.x intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.

Byte

Bit

Header Version (1)

Message Type (4)

Message Length

Record Type (400)

Record Length

eStreamer Server Timestamp (in events, only if bit 23 is set)

Reserved for Future Use (in events, only if bit 23 is set)

Block Type (34)

Block Length

Device ID

Event ID

Event Second

Event Microsecond

Rule ID (Signature ID)

Generator ID

Rule Revision

Classification ID

Priority ID

Source IP Address

Source IP Address, continued

Destination IP Address

Destination IP Address, continued

Source Port or ICMP Type

Destination Port or ICMP Code

IP Protocol ID

Impact Flags

Impact

Blocked

MPLS Label

VLAN ID

Pad

Policy UUID

Policy UUID, continued

User ID

Web Application ID

Client Application ID

Application Protocol ID

Access Control Rule ID

Access Control Policy UUID

Access Control Policy UUID, continued

Interface Ingress UUID

Interface Ingress UUID, continued

Interface Egress UUID

Interface Egress UUID, continued

Security Zone Ingress UUID

Security Zone Ingress UUID, continued

Security Zone Egress UUID

Security Zone Egress UUID, continued

Connection Timestamp

Connection Instance ID

Connection Counter

Source Country

Destination Country

The Malware Event Data Block for 5.2.x Fields describes each intrusion event record data field.

Intrusion Event Record 5.2.x Fields
Field	Data Type	Description
Block Type	unint32	Initiates an Intrusion Event data block. This value is always 34.
Block Length	unint32	Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.
Device ID	unit32	Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.
Event ID	uint32	Event identification number.
Event Second	uint32	UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
Event Microsecond	uint32	Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.
Rule ID (Signature ID)	uint32	Rule identification number that corresponds with the event.
Generator ID	uint32	Identification number of the Sourcefire 3D System preprocessor that generated the event.
Rule Revision	uint32	Rule revision number.
Classification ID	uint32	Identification number of the event classification message.
Priority ID	uint32	Identification number of the priority associated with the event.
Source IP Address	uint8[16]	Source IPv4 or IPv6 address used in the event.
Destination IP Address	uint8[16]	Destination IPv4 or IPv6 address used in the event.
Source Port or ICMP Type	uint16	The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.
Destination Port or ICMP Code	uint16	The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.
IP Protocol Number	uint8	IANA-specified protocol number. For example: 0 — IP 1 — ICMP 6 — TCP 17 — UDP and so on.
Impact Flags	bits[8]	Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: 0x01 (bit 0) — Source or destination host is in a network monitored by the system. 0x02 (bit 1) — Source or destination host exists in the network map. 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol. 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event. 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event. 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Sourcefire 3D System web interface. 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software. 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event. (version 5.0+ only) The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1: gray (0, unknown): 00X00000 red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX (version 5.0+ only) orange (2, potentially vulnerable): 00X0011X yellow (3, currently not vulnerable): 00X0001X blue (4, unknown target): 00X00001
Impact	uint8	Impact flag value of the event. Values are: 1 — Red (vulnerable) 2 — Orange (potentially vulnerable) 3 — Yellow (currently not vulnerable) 4 — Blue (unknown target) 5 — Gray (unknown impact)
Blocked	uint8	Value indicating whether the event was blocked. 0 — not blocked 1 — blocked 2 — would be blocked (but not permitted by configuration)
MPLS Label	uint32	MPLS label.
VLAN ID	uint16	Indicates the ID of the VLAN where the packet originated.
Pad	uint16	Reserved for future use.
Policy UUID	uint8[16]	A policy ID number that acts as a unique identifier for the intrusion policy.
User ID	uint32	The internal identification number for the user, if applicable.
Web Application ID	uint32	The internal identification number for the web application, if applicable.
Client Application ID	uint32	The internal identification number for the client application, if applicable.
Application Protocol ID	uint32	The internal identification number for the application protocol, if applicable.
Access Control Rule ID	uint32	A rule ID number that acts as a unique identifier for the access control rule.
Access Control Policy UUID	uint8[16]	A policy ID number that acts as a unique identifier for the access control policy.
Ingress Interface UUID	uint8[16]	An interface ID number that acts as a unique identifier for the ingress interface.
Egress Interface UUID	uint8[16]	An interface ID number that acts as a unique identifier for the egress interface.
Ingress Security Zone UUID	uint8[16]	A zone ID number that acts as a unique identifier for the ingress security zone.
Egress Security Zone UUID	uint8[16]	A zone ID number that acts as a unique identifier for the egress security zone.
Connection Timestamp	uint32	UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.
Connection Instance ID	uint16	Numerical ID of the Snort instance on the managed device that generated the connection event.
Connection Counter	uint16	Value used to distinguish between connection events that happen during the same second.
Source Country	uint16	Code for the country of the source host.
Destination Country	uint 16	Code for the country of the destination host.

Intrusion Event Record 5.1.1.x

The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 25.

You can request 5.1.1.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 4 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).

For version 5.1.1.x intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.

Byte

Bit

Header Version (1)

Message Type (4)

Message Length

Record Type (400)

Record Length

eStreamer Server Timestamp (in events, only if bit 23 is set)

Reserved for Future Use (in events, only if bit 23 is set)

Block Type (25)

Block Length

Device ID

Event ID

Event Second

Event Microsecond

Rule ID (Signature ID)

Generator ID

Rule Revision

Classification ID

Priority ID

Source IP Address

Source IP Address, continued

Destination IP Address

Destination IP Address, continued

Source Port/ICMP Type

Destination Port/ICMP Code

IP Protocol ID

Impact Flags

Impact

Blocked

MPLS Label

VLAN ID

Pad

Policy UUID

Policy UUID, continued

User ID

Web Application ID

Client Application ID

Application Protocol ID

Access Control Rule ID

Access Control Policy UUID

Access Control Policy UUID, continued

Interface Ingress UUID

Interface Ingress UUID, continued

Interface Egress UUID

Interface Egress UUID, continued

Security Zone Ingress UUID

Security Zone Ingress UUID, continued

Security Zone Egress UUID

Security Zone Egress UUID, continued

Connection Timestamp

Connection Instance ID

Connection Counter

The Intrusion Event Record 5.1.1 Fields describes each intrusion event record data field.

Intrusion Event Record 5.1.1 Fields
Field	Data Type	Description
Block Type	unint32	Initiates an Intrusion Event data block. This value is always 25.
Block Length	unint32	Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.
Device ID	unit32	Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.
Event ID	uint32	Event identification number.
Event Second	uint32	UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
Event Microsecond	uint32	Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.
Rule ID (Signature ID)	uint32	Rule identification number that corresponds with the event.
Generator ID	uint32	Identification number of the Sourcefire 3D System preprocessor that generated the event.
Rule Revision	uint32	Rule revision number.
Classification ID	uint32	Identification number of the event classification message.
Priority ID	uint32	Identification number of the priority associated with the event.
Source IP Address	uint8[16]	Source IPv4 or IPv6 address used in the event.
Destination IP Address	uint8[16]	Destination IPv4 or IPv6 address used in the event.
Source Port/ICMP Type	uint16	The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.
Destination Port/ICMP Code	uint16	The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.
IP Protocol Number	uint8	IANA-specified protocol number. For example: 0 — IP 1 — ICMP 6 — TCP 17 — UDP and so on.
Impact Flags	bits[8]	Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: 0x01 (bit 0) — Source or destination host is in a network monitored by the system. 0x02 (bit 1) — Source or destination host exists in the network map. 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol. 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event. 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event. 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Sourcefire 3D System web interface. 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software. 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event. The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1: gray (0, unknown): 00X00000 red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX orange (2, potentially vulnerable): 00X00111 yellow (3, currently not vulnerable): 00X00011 blue (4, unknown target): 00X00001
Impact	uint8	Impact flag value of the event. Values are: 1 — Red (vulnerable) 2 — Orange (potentially vulnerable) 3 — Yellow (currently not vulnerable) 4 — Blue (unknown target) 5 — Gray (unknown impact)
Blocked	uint8	Value indicating whether the event was blocked. 0 — not blocked 1 — blocked 2 — would be blocked (but not permitted by configuration)
MPLS Label	uint32	MPLS label.
VLAN ID	uint16	Indicates the ID of the VLAN where the packet originated.
Pad	uint16	Reserved for future use.
Policy UUID	uint8[16]	A policy ID number that acts as a unique identifier for the intrusion policy.
User ID	uint32	The internal identification number for the user, if applicable.
Web Application ID	uint32	The internal identification number for the web application, if applicable.
Client Application ID	uint32	The internal identification number for the client application, if applicable.
Application Protocol ID	uint32	The internal identification number for the application protocol, if applicable.
Access Control Rule ID	uint32	A rule ID number that acts as a unique identifier for the access control rule.
Access Control Policy UUID	uint8[16]	A policy ID number that acts as a unique identifier for the access control policy.
Ingress Interface UUID	uint8[16]	An interface ID number that acts as a unique identifier for the ingress interface.
Egress Interface UUID	uint8[16]	An interface ID number that acts as a unique identifier for the egress interface.
Ingress Security Zone UUID	uint8[16]	A zone ID number that acts as a unique identifier for the ingress security zone.
Egress Security Zone UUID	uint8[16]	A zone ID number that acts as a unique identifier for the egress security zone.
Connection Timestamp	uint32	UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.
Connection Instance ID	uint16	Numerical ID of the Snort instance on the managed device that generated the connection event.
Connection Counter	uint16	Value used to distinguish between connection events that happen during the same second.

Legacy Malware Event Data Structures

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#66120">Malware Event Data Block 5.1

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#94677">Malware Event Data Block 5.1.1.x

Malware Event Data Block 5.2.x

Malware Event Data Block 5.1

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 16 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 1 and an event code of 101.

The following graphic shows the structure of the malware event data block:

Byte

Bit

Malware Event Block Type (16)

Malware Event Block Length

Agent UUID

Agent UUID, continued

Cloud UUID

Cloud UUID, continued

Timestamp

Event Type ID

Event Subtype ID

Host IP Address

Detection Name

Host IP Address, cont.

Detector ID

String Block Type (0)

String Block Type (0), cont.

String Block Length

String Block Length, cont.

Detection Name...

User

String Block Type (0)

String Block Length

User...

File Name

String Block Type (0)

String Block Length

File Name...

File Path

String Block Type (0)

String Block Length

File Path...

File SHA

Hash

String Block Type (0)

String Block Length

File SHA Hash...

File Size

File Type

File Timestamp

Parent File

Name

File Timestamp, cont.

String Block Type (0)

String Block Type (0), cont.

String Block Length

String Block Length, cont.

Parent File Name...

Parent File

SHA Hash

String Block Type (0)

String Block Length

Parent File SHA Hash...

Event

Description

String Block Type (0)

String Block Length

Event Description...

The Malware Event Data Block Fields describes the fields in the malware event data block.

Malware Event Data Block Fields
Field	Data Type	Description
Malware Event Block Type	uint32	Initiates a malware event data block. This value is always 16.
Malware Event Block Length	uint32	Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.
Agent UUID	uint8[16]	The internal unique ID of the FireAMP agent reporting the malware event.
Cloud UUID	uint8[16]	The internal unique ID of the malware awareness network from which the malware event originated.
Timestamp	uint32	The malware event generation timestamp.
Event Type ID	uint32	The internal ID of the malware event type.
Event Subtype ID	uint8	The internal ID of the action that led to malware detection.
Host IP Address	uint32	The host IP address associated with the malware event.
Detector ID	uint8	The internal ID of the detection technology that detected the malware.
String Block Type	uint32	Initiates a String data block containing the detection name. This value is always 0.
String Block Length	uint32	The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.
Detection Name	string	The name of the detected or quarantined malware.
String Block Type	uint32	Initiates a String data block containing the username. This value is always 0.
String Block Length	uint32	The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.
User	string	The user of the computer where the Sourcefire Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.
String Block Type	uint32	Initiates a String data block containing the file name. This value is always 0.
String Block Length	uint32	The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.
File Name	string	The name of the detected or quarantined file.
String Block Type	uint32	Initiates a String data block containing the file path. This value is always 0.
String Block Length	uint32	The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.
File Path	string	The file path, not including the file name, of the detected or quarantined file.
String Block Type	uint32	Initiates a String data block containing the file SHA hash. This value is always 0.
String Block Length	uint32	The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.
File SHA Hash	string	The SHA-256 hash value of the detected or quarantined file.
File Size	uint32	The size in bytes of the detected or quarantined file.
File Type	uint8	The file type of the detected or quarantined file.
File Timestamp	uint32	The creation timestamp of the detected or quarantined file.
String Block Type	uint32	Initiates a String data block containing the parent file name. This value is always 0.
String Block Length	uint32	The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.
Parent File Name	string	The name of the file accessing the detected or quarantined file when detection occurred.
String Block Type	uint32	Initiates a String data block containing the parent file SHA hash. This value is always 0.
String Block Length	uint32	The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.
Parent File SHA Hash	string	The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.
String Block Type	uint32	Initiates a String data block containing the event description. This value is always 0.
String Block Length	uint32	The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.
Event Description	string	The additional event information associated with the event type.

Malware Event Data Block 5.1.1.x

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 24 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 2 and an event code of 101.

The following graphic shows the structure of the malware event data block:

Byte

Bit

Malware Event Block Type (24)

Malware Event Block Length

Agent UUID

Agent UUID, continued

Cloud UUID

Cloud UUID, continued

Malware Event Timestamp

Event Type ID

Event Subtype ID

Host IP Address

Detection Name

Host IP Address, cont.

Detector ID

String Block Type (0)

String Block Type (0), cont.

String Block Length

String Block Length, cont.

Detection Name...

User

String Block Type (0)

String Block Length

User...

File Name

String Block Type (0)

String Block Length

File Name...

File Path

String Block Type (0)

String Block Length

File Path...

File SHA

Hash

String Block Type (0)

String Block Length

File SHA Hash...

File Size

File Type

File Timestamp

Parent File

Name

File Timestamp, cont.

String Block Type (0)

String Block Type (0), cont.

String Block Length

String Block Length, cont.

Parent File Name...

Parent File

SHA Hash

String Block Type (0)

String Block Length

Parent File SHA Hash...

Event

Description

String Block Type (0)

String Block Length

Event Description...

Device ID

Connection Instance

Connection Counter

Connection Event Timestamp

Direction

Source IP Address

Source IP Address, continued

Source IP Address, continued

Source IP Address, continued

Source IP, cont.

Destination IP Address

Destination IP Address, continued

Destination IP Address, continued

Destination IP Address, continued

Destination IP, cont

Application ID

App. ID, cont.

User ID

User ID, cont.

Access Control Policy UUID

Access Control Policy UUID, continued

Access Control Policy UUID, continued

Access Control Policy UUID, continued

URI

AC Pol UUID, cont.

Disposition

Retro. Disposition

Str. Block Type (0)

String Block Type (0), continued

String Block Length

String Block Length, continued

URI...

Source Port

Destination Port

The Malware Event Data Block for 5.1.1.x Fields describes the fields in the malware event data block.

Malware Event Data Block for 5.1.1.x Fields
Field	Data Type	Description
Malware Event Block Type	uint32	Initiates a malware event data block. This value is always 24.
Malware Event Block Length	uint32	Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.
Agent UUID	uint8[16]	The internal unique ID of the FireAMP agent reporting the malware event.
Cloud UUID	uint8[16]	The internal unique ID of the malware awareness network from which the malware event originated.
Malware Event Timestamp	uint32	The malware event generation timestamp.
Event Type ID	uint32	The internal ID of the malware event type.
Event Subtype ID	uint8	The internal ID of the action that led to malware detection.
Host IP Address	uint32	The host IP address associated with the malware event.
Detector ID	uint8	The internal ID of the detection technology that detected the malware.
String Block Type	uint32	Initiates a String data block containing the detection name. This value is always 0.
String Block Length	uint32	The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.
Detection Name	string	The name of the detected or quarantined malware.
String Block Type	uint32	Initiates a String data block containing the username. This value is always 0.
String Block Length	uint32	The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.
User	string	The user of the computer where the Sourcefire Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.
String Block Type	uint32	Initiates a String data block containing the file name. This value is always 0.
String Block Length	uint32	The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.
File Name	string	The name of the detected or quarantined file.
String Block Type	uint32	Initiates a String data block containing the file path. This value is always 0.
String Block Length	uint32	The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.
File Path	string	The file path, not including the file name, of the detected or quarantined file.
String Block Type	uint32	Initiates a String data block containing the file SHA hash. This value is always 0.
String Block Length	uint32	The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.
File SHA Hash	string	The rendered string of the SHA-256 hash value of the detected or quarantined file.
File Size	uint32	The size in bytes of the detected or quarantined file.
File Type	uint8	The file type of the detected or quarantined file.
File Timestamp	uint32	UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.
String Block Type	uint32	Initiates a String data block containing the parent file name. This value is always 0.
String Block Length	uint32	The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.
Parent File Name	string	The name of the file accessing the detected or quarantined file when detection occurred.
String Block Type	uint32	Initiates a String data block containing the parent file SHA hash. This value is always 0.
String Block Length	uint32	The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.
Parent File SHA Hash	string	The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.
String Block Type	uint32	Initiates a String data block containing the event description. This value is always 0.
String Block Length	uint32	The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.
Event Description	string	The additional event information associated with the event type.
Device ID	uint32	ID for the device that generated the event.
Connection Instance	uint16	Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.
Connection Counter	uint16	Value used to distinguish between connection events that happen during the same second.
Connection Event Timestamp	uint32	Timestamp of the connection event.
Direction	uint8	Indicates whether the file was uploaded or downloaded. Can have the following values: 1 — Download 2 — Upload Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).
Source IP Address	uint8[16]	IPv4 or IPv6 address for the source of the connection.
Destination IP Address	uint8[16]	IPv4 or IPv6 address for the destination of the connection.
Application ID	uint32	ID number that maps to the application using the file transfer.
User ID	uint32	Identification number for the user logged into the destination host, as identified by the system.
Access Control Policy UUID	uint8[16]	Identification number that acts as a unique identifier for the access control policy that triggered the event.
Disposition	uint8	The malware status of the file. Possible values include: 1 — CLEAN — The file is clean and does not contain malware. 2 — UNKNOWN — It is unknown whether the file contains malware. 3 — MALWARE — The file contains malware. 4 — CACHE_MISS — The software was unable to send a request to the Sourcefire cloud for a disposition. 5 — NO_CLOUD_RESP — The Sourcefire cloud services did not respond to the request.
Retrospective Disposition	uint8	Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.
String Block Type	uint32	Initiates a String data block containing the URI. This value is always 0.
String Block Length	uint32	The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.
URI	string	URI of the connection.
Source Port	uint16	Port number for the source of the connection.
Destination Port	uint16	Port number for the destination of the connection.

Malware Event Data Block 5.2.x

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 33 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 3 and an event code of 101.

The following graphic shows the structure of the malware event data block:

Byte

Bit

Malware Event Block Type (33)

Malware Event Block Length

Agent UUID

Agent UUID, continued

Cloud UUID

Cloud UUID, continued

Malware Event Timestamp

Event Type ID

Detection Name

Event Subtype ID

Detector ID

String Block Type (0)

String Block Type (0), cont.

String Block Length

String Block Length, cont.

Detection Name...

User

String Block Type (0)

String Block Length

User...

File Name

String Block Type (0)

String Block Length

File Name...

File Path

String Block Type (0)

String Block Length

File Path...

File SHA

Hash

String Block Type (0)

String Block Length

File SHA Hash...

File Size

File Type

File Timestamp

Parent File

Name

String Block Type (0)

String Block Length

Parent File Name...

Parent File

SHA Hash

String Block Type (0)

String Block Length

Parent File SHA Hash...

Event

Description

String Block Type (0)

String Block Length

Event Description...

Device ID

Connection Instance

Connection Counter

Connection Event Timestamp

Direction

Source IP Address

Source IP Address, continued

Source IP Address, continued

Source IP Address, continued

Source IP, cont.

Destination IP Address

Destination IP Address, continued

Destination IP Address, continued

Destination IP Address, continued

Destination IP, cont

Application ID

App. ID, cont.

User ID

User ID, cont.

Access Control Policy UUID

Access Control Policy UUID, continued

Access Control Policy UUID, continued

Access Control Policy UUID, continued

URI

AC Pol UUID, cont.

Disposition

Retro. Disposition

Str. Block Type (0)

String Block Type (0), continued

String Block Length

String Block Length, continued

URI...

Source Port

Destination Port

Source Country

Destination Country

Web Application ID

Client Application ID

Action

Protocol

The Malware Event Data Block for 5.2.x Fields describes the fields in the malware event data block.

Malware Event Data Block for 5.2.x Fields
Field	Data Type	Description
Malware Event Block Type	uint32	Initiates a malware event data block. This value is always 33.
Malware Event Block Length	uint32	Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.
Agent UUID	uint8[16]	The internal unique ID of the FireAMP agent reporting the malware event.
Cloud UUID	uint8[16]	The internal unique ID of the malware awareness network from which the malware event originated.
Malware Event Timestamp	uint32	The malware event generation timestamp.
Event Type ID	uint32	The internal ID of the malware event type.
Event Subtype ID	uint8	The internal ID of the action that led to malware detection.
Detector ID	uint8	The internal ID of the detection technology that detected the malware.
String Block Type	uint32	Initiates a String data block containing the detection name. This value is always 0.
String Block Length	uint32	The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.
Detection Name	string	The name of the detected or quarantined malware.
String Block Type	uint32	Initiates a String data block containing the username. This value is always 0.
String Block Length	uint32	The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.
User	string	The user of the computer where the Sourcefire Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.
String Block Type	uint32	Initiates a String data block containing the file name. This value is always 0.
String Block Length	uint32	The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.
File Name	string	The name of the detected or quarantined file.
String Block Type	uint32	Initiates a String data block containing the file path. This value is always 0.
String Block Length	uint32	The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.
File Path	string	The file path, not including the file name, of the detected or quarantined file.
String Block Type	uint32	Initiates a String data block containing the file SHA hash. This value is always 0.
String Block Length	uint32	The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.
File SHA Hash	string	The rendered string of the SHA-256 hash value of the detected or quarantined file.
File Size	uint32	The size in bytes of the detected or quarantined file.
File Type	uint32	The file type of the detected or quarantined file.
File Timestamp	uint32	UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file.
String Block Type	uint32	Initiates a String data block containing the parent file name. This value is always 0.
String Block Length	uint32	The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.
Parent File Name	string	The name of the file accessing the detected or quarantined file when detection occurred.
String Block Type	uint32	Initiates a String data block containing the parent file SHA hash. This value is always 0.
String Block Length	uint32	The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.
Parent File SHA Hash	string	The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.
String Block Type	uint32	Initiates a String data block containing the event description. This value is always 0.
String Block Length	uint32	The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field.
Event Description	string	The additional event information associated with the event type.
Device ID	uint32	ID for the device that generated the event.
Connection Instance	uint16	Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.
Connection Counter	uint16	Value used to distinguish between connection events that happen during the same second.
Connection Event Timestamp	uint32	Timestamp of the connection event.
Direction	uint8	Indicates whether the file was uploaded or downloaded. Can have the following values: 1 — Download 2 — Upload Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).
Source IP Address	uint8[16]	IPv4 or IPv6 address for the source of the connection.
Destination IP Address	uint8[16]	IPv4 or IPv6 address for the destination of the connection.
Application ID	uint32	ID number that maps to the application using the file transfer.
User ID	uint32	Identification number for the user logged into the destination host, as identified by the system.
Access Control Policy UUID	uint8[16]	Identification number that acts as a unique identifier for the access control policy that triggered the event.
Disposition	uint8	The malware status of the file. Possible values include: 1 — CLEAN — The file is clean and does not contain malware. 2 — NEUTRAL — It is unknown whether the file contains malware. 3 — MALWARE — The file contains malware. 4 — CACHE_MISS — The software was unable to send a request to the Sourcefire cloud for a disposition, or the Sourcefire cloud services did not respond to the request.
Retrospective Disposition	uint8	Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.
String Block Type	uint32	Initiates a String data block containing the URI. This value is always 0.
String Block Length	uint32	The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.
URI	string	URI of the connection.
Source Port	uint16	Port number for the source of the connection.
Destination Port	uint16	Port number for the destination of the connection.
Source Country	uint16	Code for the country of the source host.
Destination Country	uint 16	Code for the country of the destination host.
Web Application ID	uint32	The internal identification number of the detected web application, if applicable.
Client Application ID	uint32	The internal identification number of the detected client application, if applicable.
Action	uint8	The action taken on the file based on the file type. Can have the following values: 1 — Detect 2 — Block 3 — Malware Cloud Lookup 4 — Malware Block 5 — Malware Whitelist
Protocol	uint8	IANA protocol number specified by the user. For example: 1 — ICMP 4 — IP 6 — TCP 17 — UDP This is currently only TCP.

Legacy Discovery Data Structures

Legacy Discovery Event Header

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#32203">Legacy Server Data Blocks

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#85326">Legacy Client Application Data Blocks

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#63275">Legacy Scan Result Data Blocks

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#92108">Legacy Vulnerability Blocks

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#61295">Legacy Host Profile Data Blocks

Legacy OS Fingerprint Data Blocks

Legacy Discovery Event Header

Discovery Event Header 4.8.0.2-5.1.1.x

Discovery and connection event messages contain a discovery event header. It conveys the type and subtype of the event, the time the event occurred, the device on which the event occurred, and the structure of the event data in the message. This header is followed by the actual host discovery, user, or connection event data. The structures associated with the different event type/subtype values are described in Host Discovery Structures by Event Type.

The event type and event subtype fields of the discovery event header identify the structure of the transmitted event message. Once the structure of the event data block is determined, your program can parse the message appropriately.

The shaded rows in the following diagram illustrate the format of the discovery event header.

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Header Version (1)																Message Type (4)
	Message Length
	Record Type
	Record Length
	eStreamer Server Timestamp (in events, only if bit 23 is set)
	Reserved for Future Use (in events, only if bit 23 is set)
Discovery Event Header	Device ID
	IP Address
	MAC Address
	MAC Address, continued																Reserved for future use
	Event Second
	Event Microsecond
	Reserved (Internal)								Event Type
	Event Subtype
	File Number (Internal Use Only)
	File Position (Internal Use Only)

The Discovery Event Header Fields describes the discovery event header.

Discovery Event Header Fields
Field	Data Types	Description
Device ID	uint32	ID number of the device that generated the discovery event. You can obtain the metadata for the device by requesting Version 3 and 4 metadata. See Managed Device Record Metadata for more information.
IP Address	uint32	IP address of the host involved in the event.
MAC Address	uint8[6]	MAC address of the host involved in the event.
Reserved for future use	byte[2]	Two bytes of padding with values set to 0.
Event Second	uint32	UNIX timestamp (seconds since 01/01/1970) that the system generated the event.
Event Microsecond	uint32	Microsecond (one millionth of a second) increment that the system generated the event.
Reserved (Internal)	byte	Internal data from Sourcefire and can be disregarded.
Event Type	uint32	Event type (1000 for new events, 1001 for change events, 1002 for user input events, 1050 for full host profile). See Host Discovery Structures by Event Type for a list of available event types.
Event Subtype	uint32	Event subtype. See Host Discovery Structures by Event Type for a list of available event subtypes.
File Number	byte[4]	Serial file number. This field is for Sourcefire internal use and can be disregarded.
File Position	byte[4]	Event’s position in the serial file. This field is for Sourcefire internal use and can be disregarded.

Legacy Server Data Blocks

For more information, see the following sections:

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#63182">Host Server Data Block for Version 4.9.0.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#99496">Web Application Data Block for 4.9.1 - 4.10.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#98018">Host Server Data Block for 4.9.1.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#67253">Full Server Data Block for 4.9.0.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#63363">Full Server Data Block for 4.9.1.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#27596">Server Information Data Block for 4.9.1 and Earlier

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#81706">Attribute Address Data Block for 4.5.x - 5.1.1.x

Host Server Data Block for Version 4.9.0.x

Server data for this data block for 4.9.0.x is encapsulated in lists of server information blocks rather than through individual fields, allowing for multiple servers.

The Host Server data block has a block type of 89.

An asterisk(*) next to a data block name in the following diagram indicates that multiple instances of the data block may occur.

The following diagram shows the format of the Host Server data block:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Server Block Type (89)
	Server Block Length
	Port																Hits
	Hits, continued																Last Used
Server Information Blocks	Last Used, cont.																Generic List Block Type (31)
	Generic List Block Type (31)																Generic List Block Length
	Generic List Block Length																Server Information Data Blocks...
	Server Information Data Blocks...
	List Block Type (11)
	List Block Length
Svc Subtype	Sub-Server Block Type (1) *
	Sub-Serve Block Length
	Sub-Serve Data...
	Confidence

The Host Server Data 4.9.0.x Fields describes the fields of the Host Server data block:

Host Server Data 4.9.0.x Fields
Field	Data Type	Description
Host Server Block Type	uint32	Initiates a Host Server data block. This value is always 89.
Host Server Block Length	uint32	Total number of bytes in the Host Server data block, including the eight bytes in the Host Server block type and length fields plus the number of bytes of data that follows.
Port	uint16	Port number on which the server runs.
Hits	uint32	Number of hits the server has received.
Last Used	uint32	UNIX timestamp that represents the last time the system detected the server in use.
Generic List Block Type	uint32	Initiates a Generic List data block. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List block and encapsulated data blocks. This number includes the eight bytes of the generic list block header fields plus the number of bytes in all of the encapsulated data blocks.
Server Information Data Blocks	variable	Encapsulated Server Information data blocks up to the maximum number of bytes in the list block length.
List Block Type	uint32	Initiates a list of Sub-Server data blocks. This value is always 11.
List Block Length	uint32	Number of bytes in the List data block, including eight bytes for the list block type and length fields plus the number of bytes in the encapsulated Sub-Server data blocks that follow.
Sub-Server Block Type	uint32	Initiates the first Sub-Server data block. This data block can be followed by other Sub-Server data blocks up to the limit defined in the list block length field.
Sub-Server Block Length	uint32	Total number of bytes in each Sub-Server data block, including the eight bytes in the Sub-Server block type and length fields plus the number of bytes of data that follows.
Sub-Server Data	variable	Sub-server data as documented in Sub-Server Data Block.
Confidence	uint32	System confidence percentage.

Web Application Data Block for 4.9.1 - 4.10.x

The web application data block has a block type of 97. Identity data blocks are used in Host Server, Full Server, Host Client Application, and Connection Statistics data blocks. The data block describes the web application type and application ID from HTTP client requests detected by the system.

For more information on the data blocks that incorporate this data block, see the following sections:

Host Server Data Block for Version 4.9.0.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#67253">Full Server Data Block for 4.9.0.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#49325">Host Client Application Data Block for 3.5 - 4.9.0.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#66412">Connection Statistics Data Block for 4.7 - 4.9.0.x

The following diagram shows the format of a Web Application data block 4.9.1+.

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Web Application Data Block Type (97)
	Web Application Data Block Length
	Web Application Data Type
	Web Application Data ID

The Web Application Data Block Fields describes the fields of the Web Application data block:

Web Application Data Block Fields
Field	Data Type	Description
Web Application Data Block Type	uint32	Initiates the Web Application data block. This value is always 97.
Web Application Data Block Length	uint32	Number of bytes in the Web Application data block. This value should always be sixteen bytes for the data block type and length fields and the source type and ID fields.
Web Application ID	uint32	Indicates the ID of the web application.

Host Server Data Block for 4.9.1.x

The Host Server data block conveys information about servers identified by the system, including the server port, the frequency of use, last use, and confidence, as well as lists of server information blocks and Sub-Server blocks for the host for the event. Host Server data blocks are contained in messages for new TCP and UDP servers and changes to TCP and UDP servers. For more information, see Server Messages. Starting in 4.9.1, the data block includes a list of Web Application data blocks. Note that the Host Server data block has a block type of 98.

An asterisk(*) next to a data block name in the following diagram indicates that multiple instances of the data block may occur.

The following diagram shows the format of the Host Server data block:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Server Block Type (98)
	Server Block Length
	Port																Hits
	Hits, continued																Last Used
Server Information Blocks	Last Used, cont.																Generic List Block Type (31)
	Generic List Block Type (31)																Generic List Block Length
	Generic List Block Length																Server Information Data Blocks...
	Server Information Data Blocks...
	List Block Type (11)																																Scan Subtype List
	List Block Length
Svc Subtype	Sub-Server Block Type (1) *
	Sub-Server Block Length
	Sub-Server Data...
	Confidence
Web App’s	Generic List Block Type (31)
	Generic List Block Length
	Web Application Data...

The Host Server Data 4.9.0.x Fields describes the fields of the Host Server data block:

Host Server Data Fields 4.9.1.x
Field	Data Type	Description
Host Server Block Type	uint32	Initiates a Host Server data block. This value is always 98.
Host Server Block Length	uint32	Total number of bytes in the Host Server data block, including the eight bytes in the Host Server block type and length fields, plus the number of bytes of data that follows.
Port	uint16	Port number where the server runs.
Hits	uint32	Number of hits the server has received.
Last Used	uint32	UNIX timestamp that represents the last time the system detected the server in use.
Generic List Block Type	uint32	Initiates a Generic List data block. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List block and encapsulated data blocks. This number includes the eight bytes of the generic list block header fields, plus the number of bytes in all of the encapsulated data blocks.
Server Information Data Blocks	variable	Encapsulated Server Information data blocks up to the maximum number of bytes in the list block length.
List Block Type	uint32	Initiates a list of Sub-Server data blocks. This value is always 11.
List Block Length	uint32	Number of bytes in the List data block, including eight bytes for the list block type and length fields, plus the number of bytes in the encapsulated Sub-Server data blocks that follow.
Sub-Server Block Type	uint32	Initiates the first Sub-Server data block. This data block can be followed by other Sub-Server data blocks up to the limit defined in the list block length field.
Sub-Server Block Length	uint32	Total number of bytes in each Sub-Server data block, including the eight bytes in the Sub-Server block type and length fields, plus the number of bytes of data that follows.
Sub-Server Data	variable	Sub-server data as documented in Sub-Server Data Block.
Confidence	uint32	System confidence percentage.
Generic List Block Type	uint32	Initiates a Generic List data block. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List block and encapsulated Web Application data blocks. This number includes the eight bytes of the generic list block header fields, plus the number of bytes in all of the encapsulated Web Application data blocks.
Web Application Data Blocks	variable	Encapsulated Web Application data blocks up to the maximum number of bytes in the list block length.

Full Server Data Block for 4.9.0.x

The Full Server data block conveys information about a server, including the server port, the frequency of use and most recent update, server ID, vendor, product, and version, confidence of data accuracy, Sourcefire and third-party vulnerabilities related to that server for the host for the event, and source type and source identification. A Full Server data block for each TCP and UDP server on the host in the event is included in a list in the Full Host Profile data block. Changes for the 4.9.0.x data block include new source type and source ID fields and a 32-bit server ID field. The Full Server data block has a block type of 90.

An asterisk(*) next to a data block name in the following diagram indicates that multiple instances of the data block may occur.

The following diagram shows the format of the Full Server data block:

:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Full Server Block Type (90)
	Full Server Block Length
	Port																Hits
Servers - Sourcefire	Hits, continued																Generic List Block Type (31)
	Generic List Block Type, continued																Generic List Block Length
	Generic List Block Length, continued																Server Information Data Blocks*
Servers - User	Generic List Block Type (31)
	Generic List Block Length
	Server Information Data Blocks*
Servers - Scanner	Generic List Block Type (31)
	Generic List Block Length
	Server Information Data Blocks*
Servers - Application	Generic List Block Type (31)
	Generic List Block Length
	Server Information Data Blocks*
	Server Confidence
	BLOB Block Type (10)
	BLOB Block Length
	Server Banner Data...
VDB Vuln	Generic List Block Type (31)
	Generic List Block Length
	(VDB) Host Vulnerability Data Blocks*...
VDB 3rd Party Vuln	Generic List Block Type (31)
	Generic List Block Length
	(FireSIGHT for Third Party) Host Vulnerability Data Blocks*...
3rd Party Vuln	Generic List Block Type (31)
	Generic List Block Length
	(Third Party Scan) Host Vulnerability Data Blocks*...
	List Block Type (11)
	List Block Length
Full Svc Subtype	Full Sub-Server Block Type (1) *
	Sub-Server Block Length
	Sub-Server Data...

The Full Server Data Block 4.9.0.x Fields describes the components of the Full Server data block.

Full Server Data Block 4.9.0.x Fields
Field	Data Type	Description
Full Server Block Type	uint32	Initiates a Full Server data block. This value is always 90.
Full Server Block Length	uint32	Total number of bytes in the Full Server data block, including eight bytes for the full server block type and length fields plus the number of bytes of full server data that follows.
Port	uint16	Server port number.
Hits	uint32	Number of hits the server has received.
Generic List Block Type	uint32	Initiates a Generic List data block comprising server information data blocks conveying server data added by the system. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated server information data blocks.
Server Information Data Blocks *	variable	Server information data blocks containing information about servers on a host identified by the system. See Server Information Data Block for 4.9.1 and Earlier for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising server information data blocks conveying server data added by a user. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated server information data blocks.
Server Information Data Blocks *	variable	Server information data blocks containing information about servers on a host added by a user. See Server Information Data Block for 4.9.1 and Earlier for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising server information data blocks conveying server data added by a scanner. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated server information data blocks.
Server Information Data Blocks *	variable	Server information data blocks containing information about servers on a host added by a scanner. See Server Information Data Block for 4.9.1 and Earlier for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising server information data blocks conveying server data added by an application. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated server information data blocks.
Server Information Data Blocks *	variable	Server information data blocks containing information about servers on a host added by an application. See Server Information Data Block for 4.9.1 and Earlier for a description of this data block.
Server Confidence	uint32	Percentage of confidence of the system in its correct identification of the server.
BLOB Block Type	uint32	Initiates the BLOB data block, that contains banner data. This value is always 10.
BLOB Block Length	uint32	Total number of bytes in the BLOB data block, including eight bytes for the block type and length fields plus the number of bytes in the banner.
Server Banner Data	byte[ N ]	First N bytes of the packet involved in the server event, where N is equal to or less than 256.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying VDB host vulnerability data for vulnerabilities identified by a third party scanner. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Host Vulnerability data blocks.
(VDB) Host Vulnerability Data Blocks *	variable	Host Vulnerability data blocks containing information about host vulnerabilities identified by Sourcefire. See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying host vulnerability data generated by a third party scanner. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Host Vulnerability data blocks.
Third Party Scan (VDB) Host Vulnerability Data Blocks *	variable	Host Vulnerability data blocks containing information about VDB vulnerability data for vulnerabilities identified by a third party scanner. See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third party host vulnerability data generated by a third party scanner. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Host Vulnerability data blocks.
Third Party Scan Host Vulnerability Data Blocks *	variable	Host Vulnerability data blocks containing the original third party vulnerability data for vulnerabilities identified by a third party scanner. See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Full Sub-Server data blocks conveying server subtype data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields plus all encapsulated Server data blocks. This field is followed by zero or more Full Sub-Server data blocks.
Full Sub-Server Block Type	uint32	Initiates the first Full Sub-Server data block. This data block can be followed by other Full Sub-Server data blocks up to the limit defined in the list block length field.
Full Sub-Server Block Length	uint32	Total number of bytes in each Full Sub-Server data block, including the eight bytes in the Full Sub-Server block type and length fields plus the number of bytes of data that follows.
Full Sub-Server Data Blocks *	uint32	Full Sub-Server data blocks containing sub-server information for the server. See Full Server Data Block for 4.9.1.x for a description of this data block.

Full Server Data Block for 4.9.1.x

The Full Server data block conveys information about a server, including the server port, the frequency of use and most recent update, server ID, vendor, product, and version, confidence of data accuracy, Sourcefire and third-party vulnerabilities related to that server for the host for the event, and source type and source identification. A Full Server data block for each TCP and UDP server on the host in the event is included in a list in the Full Host Profile data block. The 4.9.1+ data block includes a new list of Web Application data blocks. The Full Server data block has a block type of 99.

An asterisk(*) next to a data block name in the following diagram indicates that multiple instances of the data block may occur.

The following diagram shows the format of the Full Server data block:

::

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Full Server Block Type (99)
	Full Server Block Length
	Port																Hits
Servers - VDB	Hits, continued																Generic List Block Type (31)
	Generic List Block Type, continued																Generic List Block Length
	Generic List Block Length, continued																Server Information Data Blocks*
Servers - User	Generic List Block Type (31)
	Generic List Block Length
	Server Information Data Blocks*
Servers - Scanner	Generic List Block Type (31)
	Generic List Block Length
	Server Information Data Blocks*
Servers - Application	Generic List Block Type (31)
	Generic List Block Length
	Server Information Data Blocks*
	Server Confidence
	BLOB Block Type (10)
	BLOB Block Length
	Server Banner Data...
VDB Vuln	Generic List Block Type (31)
	Generic List Block Length
	(VDB) Host Vulnerability Data Blocks*...
VDB 3rd Party Vuln	Generic List Block Type (31)
	Generic List Block Length
	(FireSIGHT for Third Party) Host Vulnerability Data Blocks*...
3rd Party Vuln	Generic List Block Type (31)
	Generic List Block Length
	(Third Party Scan) Host Vulnerability Data Blocks*...
	List Block Type (11)
	List Block Length
Full Svc Subtype	Full Sub-Server Block Type (51) *
	Sub-Server Block Length
	Sub-Server Data...
Web App’s	Web Application Block Type (97)*
	Web Application Block Length
	Web Application Data...

The Full Server Data Block 4.9.0.x Fields describes the components of the Full Server data block.

Full Server Data Block 4.9.1.x Fields
Field	Data Type	Description
Full Server Block Type	uint32	Initiates a Full Server data block. This value is always 99.
Full Server Block Length	uint32	Total number of bytes in the Full Server data block, including eight bytes for the full server block type and length fields, plus the number of bytes of full server data that follows.
Port	uint16	Server port number.
Hits	uint32	Number of hits the server has received.
Generic List Block Type	uint32	Initiates a Generic List data block comprising server information data blocks conveying server data added by the system. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated server information data blocks.
Server Information Data Blocks *	variable	Server information data blocks containing information about servers identified on a host. See Server Information Data Block for 4.9.1 and Earlier for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising server information data blocks conveying server data added by a user. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated server information data blocks.
Server Information Data Blocks *	variable	Server information data blocks containing information about servers on a host added by a user. See Server Information Data Block for 4.9.1 and Earlier for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising server information data blocks conveying server data added by a scanner. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated server information data blocks.
Server Information Data Blocks *	variable	Server information data blocks containing information about servers on a host added by a scanner. See Server Information Data Block for 4.9.1 and Earlier for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising server information data blocks conveying server data added by an application. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated server information data blocks.
Server Information Data Blocks *	variable	Server information data blocks containing information about servers on a host added by an application. See Server Information Data Block for 4.9.1 and Earlier for a description of this data block.
Server Confidence	uint32	Percentage of confidence of the system in its correct identification of the server.
BLOB Block Type	uint32	Initiates the BLOB data block, that contains banner data. This value is always 10.
BLOB Block Length	uint32	Total number of bytes in the BLOB data block, including eight bytes for the block type and length fields, plus the number of bytes in the banner.
Server Banner Data	byte[ N ]	First N bytes of the packet involved in the server event, where N is equal to or less than 256.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying VDB host vulnerability data for vulnerabilities identified by a third party scanner. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Host Vulnerability data blocks.
(VDB) Host Vulnerability Data Blocks *	variable	Host Vulnerability data blocks containing information about host vulnerabilities identified by Sourcefire. See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third party host vulnerability data generated by a third party scanner. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Host Vulnerability data blocks.
Third Party Scan (VDB) Host Vulnerability Data Blocks *	variable	Host Vulnerability data blocks containing information about VDB vulnerability data for vulnerabilities identified by a third party scanner. See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying vulnerability data generated by a third party scanner. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Host Vulnerability data blocks.
Third Party Scan Host Vulnerability Data Blocks *	variable	Host Vulnerability data blocks containing the original third party vulnerability data for vulnerabilities identified by a third party scanner. See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Full Server Subtype data blocks conveying sub-server data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Server data blocks. This field is followed by zero or more Full Sub-Server data blocks.
Full Sub-Server Block Type	uint32	Initiates the first Full Sub-Server data block. This data block can be followed by other Full Sub-Server data blocks up to the limit defined in the list block length field.
Full Sub-Server Block Length	uint32	Total number of bytes in each Sub-Server data block, including the eight bytes in the Full Sub-Server block type and length fields, plus the number of bytes of data that follows.
Full Sub-Server Data Blocks *	variable	Full Sub-Server data blocks containing sub-servers for the server. See Full Server Data Block for 4.9.1.x for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List block and encapsulated Web Application data blocks. This number includes the eight bytes of the generic list block header fields, plus the number of bytes in all of the encapsulated Web Application data blocks.
Web Application Data Blocks	variable	Encapsulated Web Application data blocks up to the maximum number of bytes in the list block length.

Server Information Data Block for 4.9.1 and Earlier

The Server Information data block conveys information about a server, including the server ID, server vendor and version, and source information. The Server Information data block has a block type of 88. Server information data blocks are conveyed in lists within host server and full server data blocks. For more information see Host Server Data Block for Version 4.9.0.x and Full Server Data Block for 4.9.0.x.

The following diagram shows the format of the Server Information data block:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Server Information Block Type (88)
	Server Information Block Length
	Server ID
	String Block Type (0)
	String Block Length
	Server Vendor Name String...
	String Block Type (0)
	String Block Length
	Server Version String...
	Last Used
	Source Type
	Source ID

The Server Information Data Block 4.9.1 and Earlier Fields describes the components of the Server Information data block.

Server Information Data Block 4.9.1 and Earlier Fields
Field	Data Type	Description
Server Information Block Type	uint32	Initiates a Server Information data block. This value is always 88.
Server Information Block Length	uint32	Total number of bytes in the Server Information data block, including eight bytes for the Server Information block type and length fields, four bytes for the server ID, eight bytes for the vendor name block type and length, another four for the vendor name, eight bytes for the version string block type and length, another four for the version string, and four bytes each for the last used, source type, and source ID fields.
Server ID	uint32	Indicates the ID of the server identified in the data block.
String Block Type	uint32	Initiates a String data block containing the server vendor’s name. This value is always 0.
String Block Length	uint32	Number of bytes in the vendor name String data block, including eight bytes for the block type and length fields, plus the number of bytes in the server vendor name.
Server Vendor Name	string	Name of the server vendor.
String Block Type	uint32	Initiates a String data block that contains the server version. This value is always 0.
String Block Length	uint32	Number of bytes in the server version String data block, including eight bytes for the block type and length fields, plus the number of bytes in the server version.
Server Version	string	Server version.
Last Time Used	uint32	Indicates when the server information was last used in traffic.
Source Type	uint32	Indicates the type (Sourcefire, user, application, or scanner) of the source that supplied the server information.
Source ID	uint32	Indicates the ID of the source that supplied the server information.

Attribute Address Data Block for 4.5.x - 5.1.1.x

The Attribute Address data block contains an attribute list item and is used within an Attribute Definition data block. It has a block type of 38.

The following diagram shows the basic structure of an Attribute Address data block:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Attribute Address Block Type (38)
	Attribute Address Block Length
	Attribute ID
	IP Address
	Bits

The Attribute Address Data Block Fields describes the fields of the Attribute Address data block.

Attribute Address Data Block Fields
Field	Data Type	Description
Attribute Address Block Type	uint32	Initiates an Attribute Address data block. This value is always 38.
Attribute Address Block Length	uint32	Number of bytes in the Attribute Address data block, including eight bytes for the attribute address block type and length, plus the number of bytes in the attribute address data that follows.
Attribute ID	uint32	Identification number of the affected attribute, if applicable.
IP Address	uint8[4]	IP address of the host, if the address was automatically assigned, in IP address octets.
Bits	uint32	Contains the significant bits used to calculate the netmask if an IP address was automatically assigned.

Legacy Client Application Data Blocks

For more information, see the following sections:

Host Client Application Data Block for 3.5 - 4.9.0.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#92433">Host Client Application Data Block for 4.9.1 - 4.10.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#61869">User Client Application Data Block for 5.1 and earlier

Host Client A pplication Data Block for 3.5 - 4.9.0.x

The Client Application data block for 3.5 - 4.9.0.x describes a client application and is used within legacy New Client Application events (event type 1001, subtype 7) and Client Application Timeout events (event type 1001, subtype 20). It has a block type of 42.

The following diagram shows the basic structure of a Client Application data block:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Client Application Block Type (42)
	Client Application Block Length
	Hits
	Last Used
	Type ID
	ID
Version	String Block Type (0)
	String Block Length
	Version...

The Client Application Data Block 3.5 - 4.9.0.x Fields describes the fields of the Client Application data block.

Client Application Data Block 3.5 - 4.9.0.x Fields
Field	Data Type	Description
Client Application Block Type	uint32	Initiates a Host Client Application data block. This value is always 42.
Client Application Block Length	uint32	Number of bytes in the Client Application data block, including eight bytes for the client application block type and length, plus the number of bytes in the client application data that follows.
Hits	uint32	Number of times the system has detected the client application in use.
Last Used	uint32	UNIX timestamp that represents the last time the system detected the client in use.
Type ID	uint32	Identification number of the detected client application type, if applicable.
ID	uint32	Identification number of the detected client application, if applicable.
String Block Type	uint32	Initiates a String data block for the client application version. This value is always 0.
String Block Length	uint32	Number of bytes in the String data block for the client application name, including eight bytes for the string block type and length plus the number of bytes in the client application version.
Version	string	Client application version.

Host Client A pplication Data Block for 4.9.1 - 4.10.x

The Client Application data block for 4.9.1 - 4.10.x describes a client application and is used within New Client Application events (event type 1001, subtype 7) and Client Application Timeout events (event type 1001, subtype 20). The Client Application data block for 4.9.1 - 4.10.x has a block type of 100. Its successor, introduced for 5.0+, has a block type of 122.

The following diagram shows the basic structure of a Client Application data block:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Client Application Block Type (100)
	Client Application Block Length
	Hits
	Last Used
	Type ID
	ID
Version	String Block Type (0)
	String Block Length
	Version...
	Generic List Block Type (31)
	Generic List Block Length
Web App’s	Web Application Block Type (97)*
	Web Application Block Length
	Web Application Data...

The Client Application Data Block for 4.9.1 - 4.10.x Fields describes the fields of the Client Application data block.

Client Application Data Block for 4.9.1 - 4.10.x Fields
Field	Data Type	Description
Client Application Block Type	uint32	Initiates a Host Client Application data block. This value is always 100.
Client Application Block Length	uint32	Number of bytes in the Client Application data block, including eight bytes for the client application block type and length, plus the number of bytes in the client application data that follows.
Hits	uint32	Number of times the system has detected the client application in use.
Last Used	uint32	UNIX timestamp that represents the last time the system detected the client in use.
Type ID	uint32	Identification number of the detected client application type, if applicable.
ID	uint32	Identification number of the detected client application, if applicable.
String Block Type	uint32	Initiates a String data block for the client application version. This value is always 0.
String Block Length	uint32	Number of bytes in the String data block for the client application name, including eight bytes for the string block type and length, plus the number of bytes in the client application version.
Version	string	Client application version.
Generic List Block Type	uint32	Initiates a Generic List data block. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List block and encapsulated Web Application data blocks. This number includes the eight bytes of the generic list block header fields, plus the number of bytes in all of the encapsulated Web Application data blocks.
Web Application Data Blocks	variable	Encapsulated Web Application data blocks up to the maximum number of bytes in the list block length. For information on the encapsulated Web Application data blocks, see Web Application Data Block for 4.9.1 - 4.10.x.

User Client Application Data Block for 5.1 and earlier

The User Client Application data block contains information about the source of the client application data, the identification number for the user who added the data, and the lists of IP address range data blocks. The User Client Application data block has a block type of 59.

The following diagram shows the basic structure of a User Client Application data block:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	User Client Application Block Type (59)
	User Client Application Block Length
IP Address Ranges	Generic List Block Type (31)
	Generic List Block Length
	IP Range Specification Data Blocks*
	Application Protocol ID
	CLient Application ID
Version	String Block Type (0)
	String Block Length
	Version...

The User Client Application Data Block Fields describes the fields of the User Client Application data block.

User Client Application Data Block Fields
Field	Number of Bytes	Description
User Client Application Block Type	uint32	Initiates a User Client Application data block. This value is always 59.
User Client Application Block Length	uint32	Total number of bytes in the User Client Application data block, including eight bytes for the user client application block type and length fields, plus the number of bytes of user client application data that follows.
Generic List Block Type	uint32	Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks.
IP Range Specification Data Blocks *	variable	IP Range Specification data blocks containing information about the IP address ranges for the user input. See User Server Data Block for a description of this data block.
Application Protocol ID	uint32	The internal identification number for the application protocol, if applicable.
Client Application ID	uint32	The internal identification number of the detected client application, if applicable.
String Block Type	uint32	Initiates a String data block that contains the client application version. This value is always 0.
String Block Length	uint32	Number of bytes in the client application version String data block, including the string block type and length fields, plus the number of bytes in the version.
Version	string	Client application version.

Legacy Scan Result Data Blocks

For more information, see the following sections:

Generic Scan Results Data Block for 4.9.1.x and earlier

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#12259">Scan Result Data Block for 4.6.1 - 4.9.1.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#97453">Scan Result Data Block 4.10.0 - 5.1.1.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#38218">Scan Vulnerability Data Block for 4.9 - 4.9.1.x

User Product Data Block for 4.10.x, 5.0 - 5.0.x

Generic Scan Results Data Block for 4.9.1.x and earlier

The Generic Scan Results data block contains scan results and is used in the Scan Result Data Block for 4.6.1 - 4.9.1.x. The Generic Scan Results data block has a block type of 71.

The following diagram shows the basic structure of a Generic Scan Results data block:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Generic Scan Results Data Block Type (71)
	Generic Scan Results Block Length
	Port																Protocol
Scan Result Subtype	String Block Type (0)
	String Block Length
	Scan Result Subtype String...
Scan Result Value	String Block Type (0)
	String Block Length
	Scan Result Value...

The Generic Scan Result Data Block for 4.9.1.x and earlier Fields describes the fields of the Generic Scan Results data block.

Generic Scan Result Data Block for 4.9.1.x and earlier Fields
Field	Number of Bytes	Description
Generic Scan Results Data Block Type	uint32	Initiates a Generic Scan Results data block. This value is always 71.
Generic Scan Results Block Length	uint32	Total number of bytes in the Generic Scan Results data block, including eight bytes for the generic scan results block type and length fields, plus the number of bytes of scan results data that follows.
Port	uint16	Port used by the sub-server affected by the vulnerabilities in the results.
Protocol	uint16	Network protocol. For example: 1 — ICMP 4 — IP 6 — TCP 17 — UDP and so on.
String Block Type	uint32	Initiates a String data block that contains the sub-server. This value is always 0.
String Block Length	uint32	Number of bytes in the sub-server String data block, including eight bytes for the block type and length fields, plus the number of bytes in the sub-server.
Scan Result Subtype	string	Scan result subtype.
String Block Type	uint32	Initiates a String data block that contains the value. This value is always 0.
String Block Length	uint32	Number of bytes in the value String data block, including eight bytes for the block type and length fields, plus the number of bytes in the value.
Scan result value	string	Scan result value.

Scan Result Data Block for 4.6.1 - 4.9.1.x

The Scan Result data block describes a vulnerability and is used within Add Scan Result events (event type 1002, subtype 11). The Scan Result data block has a block type of 72.

The following diagram shows the format of a Scan Result data block:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Scan Result Block Type (72)
	Scan Result Block Length
	User ID
	Scan Type
	IP Address
	Port																Protocol
	List Block Type (11)																																Scan Vulnerability List
	List Block Length
Vulnerability List	Scan Vulnerability Block Type (44)
	Scan Vulnerability Block Length
	Vulnerability Data*...
	List Block Type (11)																																Generic Scan Results List
	List Block Length
Scan Results List	Generic Scan Results Block Type (71)
	Generic Scan Results Block Length
	Generic Scan Results*...
User Product List	Generic List Block Type (31)
	Generic List Block Length
	User Product Data Blocks*...

The Scan Result Data Block for 4.6.1 - 4.9.1.x Fields describes the fields of the Scan Result data block.

Scan Result Data Block for 4.6.1 - 4.9.1.x Fields
Field	Data Type	Description
Scan Result Block Type	uint32	Initiates a Scan Result data block. This value is always 72.
Scan Result Block Length	uint32	Number of bytes in the Scan Vulnerability data block, including eight bytes for the scan vulnerability block type and length fields, plus the number of bytes of scan vulnerability data that follows.
User ID	uint32	Contains the user identification number for the user who imported the scan result or ran the scan that produced the scan result.
Scan Type	uint32	Indicates how the results were added to the sensor. Values include: Nessus — 1 Nmap — 2
IP Address	uint32	IP address of the host affected by the vulnerabilities in the result, in IP address octets.
Port	uint16	Port used by the sub-server affected by the vulnerabilities in the results.
Protocol	uint16	Network protocol. For example: 1 — ICMP 4 — IP 6 — TCP 17 — UDP and so on.
List Block Type	uint32	Initiates a List data block comprising Scan Vulnerability data blocks conveying transport protocol data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Scan Vulnerability data blocks. This field is followed by zero or more Scan Vulnerability data blocks.
Scan Vulnerability Block Type	uint32	Initiates a Scan Vulnerability data block describing a vulnerability detected during a scan. This value is always 44.
Scan Vulnerability Block Length	uint32	Number of bytes in the Scan Vulnerability data block, including eight bytes for the scan vulnerability block type and length fields, plus the number of bytes in the scan vulnerability data that follows.
Vulnerability Data*	variable	Information relating to each vulnerability.
List Block Type	uint32	Initiates a List data block comprising Scan Vulnerability data blocks conveying transport scan vulnerability data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Scan Vulnerability data blocks. This field is followed by zero or more Scan Vulnerability data blocks.
Generic Scan Results Block Type	uint32	Initiates a Generic Scan Results data block describing server and operating system data detected during a scan. This value is always 71.
Generic Scan Results Block Length	uint32	Number of bytes in the Generic Scan Results data block, including eight bytes for the generic scan results block type and length fields, plus the number of bytes in the scan result data that follows.
Generic Scan Results Data*	variable	Information relating to each scan result.
Generic List Block Type	uint32	Initiates a Generic List data block comprising User Product data blocks conveying host input data from a third party application. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated User Product data blocks.
User Product Data Blocks *	variable	User Product data blocks with a block type of 65 containing host input data. See User Product Data Block for 4.10.x, 5.0 - 5.0.x for a description of this data block.

Scan Result Data Block 4.10.0 - 5.1.1.x

The Scan Result data block describes a vulnerability and is used within Add Scan Result events (event type 1002, subtype 11). The Scan Result data block has a block type of 102.

The following diagram shows the format of a Scan Result data block:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Scan Result Block Type (102)
	Scan Result Block Length
	User ID
	Scan Type
	IP Address
	Port																Protocol
	Flag																List Block Type (11)																Scan Vulnerability List
	List Block Type (11)																List Block Length
Vulnerability List	List Block Length																Scan Vulnerability Block Type (109)
	Scan Vulnerability Block Type (109)																Scan Vulnerability Block Length
	Scan Vulnerability Block Length																Vulnerability Data...
	List Block Type (11)																																Generic Scan Results List
	List Block Length
Scan Results List	Generic Scan Results Block Type (108)
	Generic Scan Results Block Length
	Generic Scan Results...
User Product List	Generic List Block Type (31)
	Generic List Block Length
	User Product Data Blocks*

The Scan Result Data Block Fields describes the fields of the Scan Result data block.

Scan Result Data Block Fields
Field	Data Type	Description
Scan Result Block Type	uint32	Initiates a Scan Result data block. This value is always 102.
Scan Result Block Length	uint32	Number of bytes in the Scan Vulnerability data block, including eight bytes for the scan vulnerability block type and length fields, plus the number of bytes of scan vulnerability data that follows.
User ID	uint32	Contains the user identification number for the user who imported the scan result or ran the scan that produced the scan result.
Scan Type	uint32	Indicates how the results were added to the system.
IP Address	uint32	IP address of the host affected by the vulnerabilities in the result, in IP address octets.
Port	uint16	Port used by the sub-server affected by the vulnerabilities in the results.
Protocol	uint16	IANA protocol number. For example: 1 — ICMP 4 — IP 6 — TCP 17 — UDP and so on.
Flag	uint16	Reserved
List Block Type	uint32	Initiates a List data block comprising Scan Vulnerability data blocks conveying transport Scan Vulnerability data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Scan Vulnerability data blocks. This field is followed by zero or more Scan Vulnerability data blocks.
Scan Vulnerability Block Type	uint32	Initiates a Scan Vulnerability data block describing a vulnerability detected during a scan. This value is always 109.
Scan Vulnerability Block Length	uint32	Number of bytes in the Scan Vulnerability data block, including eight bytes for the scan vulnerability block type and length fields, plus the number of bytes in the scan vulnerability data that follows.
Vulnerability Data	string	Information relating to each vulnerability.
List Block Type	uint32	Initiates a List data block comprising Scan Vulnerability data blocks conveying transport Scan Vulnerability data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Scan Vulnerability data blocks. This field is followed by zero or more Scan Vulnerability data blocks.
Generic Scan Results Block Type	uint32	Initiates a Generic Scan Results data block describing server and operating system data detected during a scan. This value is always 108.
Generic Scan Results Block Length	uint32	Number of bytes in the Generic Scan Results data block, including eight bytes for the generic scan results block type and length fields, plus the number of bytes in the scan result data that follows.
Generic Scan Results Data	string	Information relating to each scan result.
Generic List Block Type	uint32	Initiates a Generic List data block comprising User Product data blocks conveying host input data from a third party application. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated User Product data blocks.
User Product Data Blocks *	variable	User Product data blocks containing host input data. See User Product Data Block 5.1+ for a description of this data block.

Scan Vulnerability Data Block for 4.9 - 4.9.1.x

The Scan Vulnerability data block describes a vulnerability and is used within Scan Result data blocks, that in turn are used in Add Scan Result events (event type 1002, subtype 11). For more information, see Scan Result Data Block for 4.6.1 - 4.9.1.x and Add Scan Result Messages. The Scan Vulnerability data block has a block type of 86.

The following diagram shows the format of a Scan Vulnerability data block:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Scan Vulnerability Block Type (86)
	Scan Vulnerability Block Length
	Port																Protocol
ID	String Block Type (0)
	String Block Length
	ID
Name	String Block Type (0)
	String Block Length
	Vulnerability Name...
Description	String Block Type (0)
	String Block Length
	Description...
Bugtraq ID	List Block Type (11)
	List Block Length
	Integer Data Blocks (Bugtraq IDs)...
CVE ID	List Block Type (11)
	List Block Length
	CVE ID...

The Scan Vulnerability Data Block for 4.9 - 4.9.1.x Fields describes the fields of the Scan Vulnerability data block.

Scan Vulnerability Data Block for 4.9 - 4.9.1.x Fields
Field	Data Type	Description
Scan Vulnerability Block Type	uint32	Initiates a Scan Vulnerability data block. This value is always 86.
Scan Vulnerability Block Length	uint32	Number of bytes in the Scan Vulnerability data block, including eight bytes for the scan vulnerability block type and length fields, plus the number of bytes of scan vulnerability data that follows.
Port	uint16	Port used by the sub-server affected by the vulnerability.
Protocol	uint16	Network protocol. For example: 1 — ICMP 4 — IP 6 — TCP 17 — UDP and so on.
String Block Type	uint32	Initiates a String data block for the ID.
String Block Length	uint32	Number of bytes in the String data block for the ID, including eight bytes for the string block type and length, plus the number of bytes in the ID.
ID	string	The ID for the reported vulnerability as specified by the scan utility that detected it. For a vulnerability detected by a Nessus scan, for example, this field indicates the Nessus ID.
String Block Type	uint32	Initiates a String data block for the vulnerability name.
String Block Length	uint32	Number of bytes in the String data block for the vulnerability name, including eight bytes for the string block type and length, plus the number of bytes in the vulnerability name.
Name	string	Name of the vulnerability.
String Block Type	uint32	Initiates a String data block for the vulnerability description.
String Block Length	uint32	Number of bytes in the String data block for the vulnerability description, including eight bytes for the string block type and length, plus the number of bytes in the vulnerability description.
Description	string	Description of the vulnerability.
String Block Type	uint32	Initiates a String data block for the vulnerability name.
String Block Length	uint32	Number of bytes in the String data block for the vulnerability name, including eight bytes for the string block type and length, plus the number of bytes in the vulnerability name.
Bugtraq ID	string	Contains zero or more Integer (INT32) data blocks that form a list of Bugtraq identification numbers.
List Block Type	uint32	Initiates a List data block for the list of Common Vulnerability Exposure (CVE) identification numbers.
List Block Length	uint32	Number of bytes in the List data block for the CVE identification number, including eight bytes for the string block type and length, plus the number of bytes in the CVE identification number.
CVE ID	string	Contains zero or more String Information data blocks that form a list of CVE identification numbers.

User Product Data Block for 4.10.x, 5.0 - 5.0.x

The User Product data block conveys host input data imported from a third party application, including third party application string mappings. This data block is used in Scan Result Data Block 5.2+. The User Product data block has a block type of 65 for 4.10.x, and a block type of 118 for 5.0 - 5.0.x. The block types have the same structure.

An asterisk(*) next to a data block name in the following diagram indicates that multiple instances of the data block may occur.

The following diagram shows the format of the User Product data block:

Byte

Bit

User Product Data Block Type (65 | 118)

User Product Block Length

Source ID

Source Type

IP Address

Ranges

Generic List Block Type (31)

Generic List Block Length

IP Range Specification Data Blocks*

Port

Protocol

Drop User Product

Custom

Vendor String

String Block Type (0)

String Block Length

Custom Vendor String...

Custom

Product String

String Block Type (0)

String Block Length

Custom Product String...

Custom

Version String

String Block Type (0)

String Block Length

Custom Version String...

Software ID

Server ID

Vendor ID

Product ID

Major Version

String

String Block Type (0)

String Block Length

Major Version String...

Minor Version

String

String Block Type (0)

String Block Length

Minor Version String...

Revision

String

String Block Type (0)

String Block Length

Revision String...

To Major

String

String Block Type (0)

String Block Length

To Major Version String...

To Minor

String

String Block Type (0)

String Block Length

To Minor Version String...

To Revision

String

String Block Type (0)

String Block Length

To Revision String...

Build String

String Block Type (0)

String Block Length

Build String...

Patch String

String Block Type (0)

String Block Length

Patch String...

Extension

String

String Block Type (0)

String Block Length

Extension String...

OS UUID

Operating System UUID

Operating System UUID cont.

List of Fixes

Generic List Block Type (31)

Generic List Block Length

Fix List Data Blocks*

The User Product Data Block Fields for 4.10.x, 5.0-5.0.x describes the components of the User Product data block.

User Product Data Block Fields for 4.10.x, 5.0-5.0.x
Field	Data Type	Description
User Product Data Block Type	uint32	Initiates a User Product data block. This value is 65 for version 4.10.x and 118 for version 5.0 - 5.0.x.
User Product Block Length	uint32	Total number of bytes in the User Product data block, including eight bytes for the user product block type and length fields, plus the number of bytes in the user product data that follows.
Source ID	uint32	Identification number of the source that imported the data.
Source Type	uint32	The source type of the source that supplied the data.
Generic List Block Type	uint32	Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks.
IP Range Specification Data Blocks *	variable	IP Range Specification data blocks containing information about the IP address ranges for the user input. See IP Address Range Data Block for 5.2+ for a description of this data block.
Port	uint16	Port specified by the user.
Protocol	uint16	IANA protocol number specified by the user. For example: 1 — ICMP 4 — IP 6 — TCP 17 — UDP and so on.
Drop User Product	uint32	Indicates whether the user OS definition was deleted from the host: 0 — No 1 — Yes
String Block Type	uint32	Initiates a String data block containing the custom vendor name specified in the user input. This value is always 0.
String Block Length	uint32	Number of bytes in the custom vendor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the vendor name.
Custom Vendor Name	string	The custom vendor name specified in the user input.
String Block Type	uint32	Initiates a String data block containing the custom product name specified in the user input. This value is always 0.
String Block Length	uint32	Number of bytes in the custom product String data block, including eight bytes for the block type and length fields, plus the number of bytes in the product name.
Custom Product Name	string	The custom product name specified in the user input.
String Block Type	uint32	Initiates a String data block containing the custom version specified in the user input. This value is always 0.
String Block Length	uint32	Number of bytes in the custom version String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.
Custom Version	string	The custom version specified in the user input.
Software ID	uint32	The identifier for a specific revision of a server or operating system in the Sourcefire database.
Server ID	uint32	The Sourcefire application identifier for the application protocol on the host server specified in user input.
Vendor ID	uint32	The identifier for the vendor of a third party operating system specified when the third party operating system is mapped to a Sourcefire 3D operating system definition.
Product ID	uint32	The product identification string of a third party operating system string specified when the third party operating system string is mapped to a Sourcefire 3D operating system definition.
String Block Type	uint32	Initiates a String data block containing the major version number of the Sourcefire 3D operating system definition that a third party operating system string in the user input is mapped to. This value is always 0.
String Block Length	uint32	Number of bytes in the major String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.
Major Version	string	Major version of the Sourcefire 3D operating system definition that a third party operating system string is mapped to.
String Block Type	uint32	Initiates a String data block containing the minor version number of the Sourcefire 3D operating system definition that a third party operating system string is mapped to. This value is always 0.
String Block Length	uint32	Number of bytes in the minor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.
Minor Version	string	Minor version number of the Sourcefire 3D operating system definition that a third party operating system string in the user input is mapped to.
String Block Type	uint32	Initiates a String data block containing the revision number of the Sourcefire operating system definition that a third party operating system string in the user input is mapped to. This value is always 0.
String Block Length	uint32	Number of bytes in the revision String data block, including eight bytes for the block type and length fields, plus the number of bytes in the revision number.
Revision	string	Revision number of the Sourcefire 3D operating system definition that a third party operating system string in the user input is mapped to.
String Block Type	uint32	Initiates a String data block containing the last major version of the Sourcefire 3D operating system definition that a third party operating system string is mapped to. This value is always 0.
String Block Length	uint32	Number of bytes in the To Major String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.
To Major	string	Last version number in a range of major version numbers of the Sourcefire 3D operating system definition that a third party operating system string in the user input is mapped to.
String Block Type	uint32	Initiates a String data block containing the last minor version of the Sourcefire 3D operating system definition that a third party operating system string is mapped to. This value is always 0.
String Block Length	uint32	Number of bytes in the To Minor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.
To Minor	string	Last version number in a range of minor version numbers of the Sourcefire 3D operating system definition that a third party operating system string in the user input is mapped to.
String Block Type	uint32	Initiates a String data block containing the Last revision number of the Sourcefire 3D operating system definition that a third party operating system string is mapped to. This value is always 0.
String Block Length	uint32	Number of bytes in the To Revision String data block, including eight bytes for the block type and length fields, plus the number of bytes in the revision number.
To Revision	string	Last revision number in a range of revision numbers of the Sourcefire 3D operating system definitions that a third party operating system string in the user input is mapped to.
String Block Type	uint32	Initiates a String data block containing the build number of the Sourcefire 3D operating system that the third party operating system string is mapped. This value is always 0.
String Block Length	uint32	Number of bytes in the build String data block, including eight bytes for the block type and length fields, plus the number of bytes in the build number.
Build	string	Build number of the Sourcefire 3D operating system that the third party operating system string in the user input is mapped to.
String Block Type	uint32	Initiates a String data block containing the patch number of the Sourcefire 3D operating system that the third party operating system string is mapped to. This value is always 0.
String Block Length	uint32	Number of bytes in the patch String data block, including eight bytes for the block type and length fields, plus the number of bytes in the patch number.
Patch	string	Patch number of the Sourcefire 3D operating system that the third party operating system string in the user input is mapped to.
String Block Type	uint32	Initiates a String data block containing the extension number of the Sourcefire 3D operating system that the third party operating system string is mapped. This value is always 0.
String Block Length	uint32	Number of bytes in the extension String data block, including eight bytes for the block type and length fields, plus the number of bytes in the extension number.
Extension	string	Extension number of the Sourcefire 3D operating system that the third party operating system string in the user input is mapped to.
UUID	uint8 [x16]	Contains the unique identification number for the operating system.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Fix List data blocks conveying user input data regarding what fixes have been applied to hosts in the specified IP address ranges. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Fix List data blocks.
Fix List Data Blocks *	variable	Fix List data blocks containing information about fixes applied to the hosts. See Fix List Data Block for a description of this data block.

Legacy Vulnerability Blocks

See the following sections for more information:

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#44881">User Vulnerability Data Block 4.7 - 4.10.x

User Vulnerability Data Block 4.7 - 4.10.x

The User Vulnerability data block describes a vulnerability and is used within User Vulnerability Change data blocks, which in turn are used in User Set Valid Vulnerabilities events (event type 1002, subtype 1) and User Set Invalid Vulnerabilities events (event type 1002, subtype 2). The User Vulnerability data block has a block type of 79. For more information on User Vulnerability Change data blocks, see User Vulnerability Change Data Block 4.7+.

The following diagram shows the format of a User Vulnerability data block:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	User Vulnerability Block Type (79)
	User Vulnerability Block Length
IP Range Spec Blocks	Generic List Block Type (31)
	Generic List Block Length
	IP Range Specification Data Blocks...*
	Port																Protocol
	Vulnerability ID
UUID	UUID
	UUID cont.
	UUID cont.
	UUID cont.
	String Block Type (0)
	String Block Length
	Vulnerability String...

The User Vulnerability Data Block Fields describes the fields of the User Vulnerability data block:

User Vulnerability Data Block Fields
Field	Data Type	Description
User Vulnerability Block Type	uint32	Initiates a User Vulnerability data block. This value is always 22.
User Vulnerability Block Length	uint32	Number of bytes in the User Vulnerability data block, including eight bytes for the user vulnerability block type and length fields, plus the number of bytes of user vulnerability data that follows.
Generic List Block Type	uint32	Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks.
IP Range Specification Data Blocks *	variable	IP Range Specification data blocks containing information about the IP address ranges for the user input. See IP Address Range Data Block for 5.2+ for a description of this data block.
Port	uint16	Port used by the sub-server affected by the vulnerability.
Protocol	uint16	The IANA protocol number. For example: 1 — ICMP 4 — IP 6 — TCP 17 — UDP and so on.
Vulnerability ID	uint32	Sourcefire vulnerability ID.
UUID	uint8 [16]	Contains the unique identification number for the vulnerability.
String Block Type	uint32	Initiates a String data block for the vulnerability name.
String Block Length	uint32	Number of bytes in the String data block for the vulnerability name, including eight bytes for the string block type and length, plus the number of bytes in the vulnerability name.
Vulnerability Name	string	Vulnerability name.

Legacy User Login Data Blocks

See the following sections for more information:

User Login Information Data Block for 5.0 - 5.0.2

The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Information Update Message Block.

The User Login Information data block has a block type of 121 for version 5.0 - 5.0.2.

The graphic below shows the format of the User Login Information data block:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	User Login Information Block Type (121)
	User Login Information Block Length
	Timestamp
	IP Address
User Name	String Block Type (0)
	String Block Length
	User Name...
	User ID
	Application ID
Email	String Block Type (0)
	String Block Length
	Email...

The User Login Information Data Block Fields 5.0 - 5.0.2 describes the components of the User Login Information data block.

User Login Information Data Block Fields 5.0 - 5.0.2
Field	Data Type	Description
User Login Information Block Type	uint32	Initiates a User Login Information data block. This value is 121 for version 5.0 - 5.0.2.
User Login Information Block Length	uint32	Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows.
Timestamp	uint32	Timestamp of the event.
IP Address	uint8[4]	IP address from the host where the user was detected logging in, in IP address octets.
String Block Type	uint32	Initiates a String data block containing the username for the user. This value is always 0.
String Block Length	uint32	Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username.
Username	string	The user name for the user.
User ID	uint32	Identification number of the user.
Application ID	uint32	The application ID for the application protocol used in the connection that the login information was derived from.
String Block Type	uint32	Initiates a String data block containing the email address for the user. This value is always 0.
String Block Length	uint32	Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address.
Email	string	The email address for the user.

Legacy Host Profile Data Blocks

See the following sections for more information:

Host Profile Data Block for 4.9.x - 5.0.2

The following diagram shows the format of a Host Profile data block in 4.9 to 5.0.2. The Host Profile data block also does not include a host criticality value, but does include a VLAN presence indicator. In addition, a Host Profile data block can convey a NetBIOS name for the host. This Host Profile data block has a block type of 91.

An asterisk(*) next to a block type field in the following diagram indicates the message may contain zero or more instances of the series 1 data block.

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Host Profile Block Type (91)
	Host Profile Block Length
	IP Address
Server Fingerprints	Hops								Primary/Secondary								Generic List Block Type (31)
	Generic List Block Type, continued																Generic List Block Length
	Generic List Block Length, continued																Server Fingerprint Data Blocks*
Client Fingerprints	Generic List Block Type (31)
	Generic List Block Length
	Client Fingerprint Data Blocks*
SMB Fingerprints	Generic List Block Type (31)
	Generic List Block Length
	SMB Fingerprint Data Blocks*
DHCP Fingerprints	Generic List Block Type (31)
	Generic List Block Length
	DHCP Fingerprint Data Blocks*
	List Block Type (11)																																List of TCP Servers
	List Block Length
TCP Server Block*	Server Block Type (36)
	Server Block Length
	TCP Server Data...
	List Block Type (11)																																List of UDP Servers
	List Block Length
UDP Server Block*	Server Block Type (36)*
	Server Block Length
	UDP Server Data...
	List Block Type (11)																																List of Network Protocols
	List Block Length
Network Protocol Block*	Protocol Block Type (4)*
	Protocol Block Length
	Network Protocol Data...
	List Block Type (11)																																List of Transport Protocols
	List Block Length
Transport Protocol Block*	Protocol Block Type (4)*
	Protocol Block Length
	Transport Protocol Data...
	List Block Type (11)																																List of MAC Addresses
	List Block Length
MAC Address Block*	MAC Address Block Type (95)*
	MAC Address Block Length
	MAC Address Data...
	Host Last Seen
	Host Type
	VLAN Presence								VLAN ID																VLAN Type
	VLAN Priority								Generic List Block Type (31)																								List of Client Applications
	Generic List Block Type, continued								Generic List Block Length
Client App Data	Generic List Block Length, continued								Client Application Block Type (112)*
	Client App Block Type (29)*, con’t								Client Application Block Length
	Client Application Block Length, con’t								Client Application Data...
NetBIOS Name	String Block Type (0)
	String Block Length
	NetBIOS String Data...

The Host Profile Data Block for 4.9 - 5.0.2 Fields describes the fields of the host profile data block returned by version 4.9 to version 5.0.2.

Host Profile Data Block for 4.9 - 5.0.2 Fields
Field	Data Type	Description
Host Profile Block Type	uint32	Initiates the Host Profile data block for 4.9 to 5.0.2. This data block has a block type of 91.
Host Profile Block Length	uint32	Number of bytes in the Host Profile data block, including eight bytes for the host profile block type and length fields, plus the number of bytes included in the host profile data that follows.
IP Address	uint8[4]	IP address of the host described in the profile, in IP address octets.
Hops	uint8	Number of hops from the host to the device.
Primary/ Secondary	uint8	Indicates whether the host is in the primary or secondary network of the device that detected it: 0 — host is in the primary network. 1 — host is in the secondary network.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a server fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Server Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using a server fingerprint. See Operating System Fingerprint Data Block for 4.9.x - 5.0.2 for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a client fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Client Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using a client fingerprint. See Operating System Fingerprint Data Block for 4.9.x - 5.0.2 for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an SMB fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (SMB Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using an SMB fingerprint. See Operating System Fingerprint Data Block for 4.9.x - 5.0.2 for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a DHCP fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (DHCP Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using a DHCP fingerprint. See Operating System Fingerprint Data Block for 4.9.x - 5.0.2 for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Server data blocks conveying TCP server data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Server data blocks. This field is followed by zero or more Server data blocks.
Server Block Type	uint32	Initiates a Server data block. This value is always 89.
Server Block Length	uint32	Number of bytes in the Server data block, including eight bytes for the server block type and length fields, plus the number of bytes of TCP server data that follows.
TCP Server Data	variable	Data fields describing a TCP server, as documented in Host Server Data Block for Version 4.9.0.x.
List Block Type	uint32	Initiates a List data block comprising Server data blocks conveying UDP server data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Server data blocks. This field is followed by zero or more Server data blocks.
Server Block Type	uint32	Initiates a Server data block describing a UDP server. This value is always 89.
Server Block Length	uint32	Number of bytes in the Server data block, including eight bytes for the server block type and length fields, plus the number of bytes of UDP server data that follows.
UDP Server Data	variable	Data fields describing a UDP server, as documented in Host Server Data Block for Version 4.9.0.x.
List Block Type	uint32	Initiates a List data block comprising Protocol data blocks conveying network protocol data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Protocol data blocks. This field is followed by zero or more Protocol data blocks.
Protocol Block Type	uint32	Initiates a Protocol data block describing a network protocol. This value is always 4.
Protocol Block Length	uint32	Number of bytes in the Protocol data block, including eight bytes for the protocol block type and length fields, plus the number of bytes in the protocol data that follows.
Network Protocol Data	uint16	Data field containing a network protocol number, as documented in Protocol Data Block.
List Block Type	uint32	Initiates a List data block comprising Protocol data blocks conveying transport protocol data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Protocol data blocks. This field is followed by zero or more transport protocol data blocks.
Protocol Block Type	uint32	Initiates a Protocol data block describing a transport protocol. This value is always 4.
Protocol Block Length	uint32	Number of bytes in the protocol data block, including eight bytes for the protocol block type and length, plus the number of bytes in the protocol data that follows.
Transport Protocol Data	variable	Data field containing a transport protocol number, as documented in Protocol Data Block.
List Block Type	uint32	Initiates a List data block comprising MAC Address data blocks. This value is always 11.
List Block Length	uint32	Number of bytes in the list, including the list header and all encapsulated MAC Address data blocks.
Host MAC Address Block Type	uint32	Initiates a Host MAC Address data block. This value is always 95.
Host MAC Address Block Length	uint32	Number of bytes in the Host MAC Address data block, including eight bytes for the Host MAC address block type and length fields, plus the number of bytes in the Host MAC address data that follows.
Host MAC Address Data	variable	Host MAC address data fields described in Host MAC Address 4.9+.
Host Last Seen	uint32	UNIX timestamp that represents the last time the system detected host activity.
Host Type	uint32	Indicates the host type. The following values may appear: 0 — host 1 — router 2 — bridge 3 — NAT device 4 — LB (load balancer)
VLAN Presence	uint8	Indicates whether a VLAN is present: 0 — Yes 1 — No
VLAN ID	uint16	VLAN identification number that indicates which VLAN the host is a member of.
VLAN Type	uint8	Type of packet encapsulated in the VLAN tag.
VLAN Priority	uint8	Priority value included in the VLAN tag.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Client Application data blocks conveying client application data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated client application data blocks.
Client Application Block Type	uint32	Initiates a client application block. This value is always 5.
Client Application Block Length	uint32	Number of bytes in the client application block, including eight bytes for the client application block type and length fields, plus the number of bytes in the client application data that follows.
Client Application Data	variable	Client application data fields describing a client application, as documented in Host Client Application Data Block for 5.0+.
String Block Type	uint32	Initiates a string data block for the NetBIOS name. This value is set to 0 to indicate string data.
String Block Length	uint32	Indicates the number of bytes in the NetBIOS name data block, including eight bytes for the string block type and length, plus the number of bytes in the NetBIOS name.
NetBIOS String Data	Variable	Contains the NetBIOS name of the host described in the host profile.

Legacy OS Fingerprint Data Blocks

See the following sections for more information:

Operating System Fingerprint Data Block for 4.9.x - 5.0.2

The Operating System Fingerprint data block has a block type of 87. The block includes a fingerprint Universally Unique Identifier (UUID), as well as the fingerprint type, the fingerprint source type, and the fingerprint source ID. The following diagram shows the format of an Operating System Fingerprint data block for version 4.9.x to version 5.0.2.

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Operating System Fingerprint Block Type (87)
	Operating System Fingerprint Block Length
OS Fingerprint UUID	Fingerprint UUID
	Fingerprint UUID, continued
	Fingerprint UUID, continued
	Fingerprint UUID, continued
	Fingerprint Type
	Fingerprint Source Type
	Fingerprint Source ID
	Last Seen Value for Fingerprint
	TTL Difference

The Operating System Fingerprint Data Block Fields describes the fields of the operating system fingerprint data block.

Operating System Fingerprint Data Block Fields
Field	Data Type	Description
Operating System Fingerprint Data Block Type	uint32	Initiates the operating system data block. This value is always 87.
Operating System Data Block Length	uint32	Number of bytes in the Operating System Fingerprint data block. This value should always be 41: eight bytes for the data block type and length fields, sixteen bytes for the fingerprint UUID value, four bytes for the fingerprint type, four bytes for the fingerprint source type, four bytes for the fingerprint source ID, four bytes for the last seen value, and one byte for the TTL difference.
Fingerprint UUID	uint8[16]	Fingerprint identification number, in octets, that acts as a unique identifier for the operating system. The fingerprint UUID maps to the operating system name, vendor, and version in the vulnerability database (VDB).
Fingerprint Type	uint32	Indicates the type of fingerprint.
Fingerprint Source Type	uint32	Indicates the type (i.e., user or scanner) of the source that supplied the operating system fingerprint.
Fingerprint Source ID	uint32	Indicates the ID of the source that supplied the operating system fingerprint.
Last Seen	uint32	Indicates when the fingerprint was last seen in traffic.
TTL Difference	uint8	Indicates the difference between the TTL value in the fingerprint and the TTL value seen in the packet used to fingerprint the host.

Legacy Connection Data Structures

For more information, see the following sections:

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#66412">Connection Statistics Data Block for 4.7 - 4.9.0.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#81800">Connection Statistics Data Block 4.9.1 - 4.10.1

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#87879">Connection Statistics Data Block 4.10.2.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#40016">Connection Statistics Data Block 5.0 - 5.0.2

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#36092">Connection Statistics Data Block 5.1

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#72601">Connection Chunk Data Block for 4.10.1 - 5.1

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#97897">The Connection Chunk Data Block Fields table describes the components of the Connection Chunk data block:

Connection Statistics Data Block for 4.7 - 4.9.0.x

The Connection Statistics data block is used in Connection Data messages. Changes to the Connection Statistics data block between 3.5 and 4.7 include the use of a server identification number rather than a server name and the addition of a client application type identification number and a domain name string. The Connection Statistics data block for 4.7 - 4.9.0 has a block type of 56.

For more information on the Connection Statistics Data message, see Connection Statistics Data Message.

The following diagram shows the format of a Connection data block for 4.7 - 4.9.0.x:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Connection Data Block Type (56)
	Connection Data Block Length
	Initiator IP Address
	Responder IP Address
	Initiator Port																Responder Port
	First Packet Timestamp
	Last Packet Timestamp
	Connection Type								Source Device IP Address
	Src Dev IP, cont.								TCP Flags								Packets Sent
	Packets Sent, cont.																Packets Received
	Packets Received, cont.																Bytes Sent
	Bytes Sent, cont.																Bytes Received
	Bytes Received, cont.																Protocol								Server ID...
	Server ID, cont...																								Client App Type ID
	Client Application Type ID cont....																								Client App ID
Client App Version	Client Application ID cont....																								Block Type (0)
	String Block Type (0)																								Block Length
	String Block Length																								App Version...
	Client Application Version...
Client App URL	String Block Type (0)
	String Block Length
	Client Application URL...
Domain Name	String Block Type (0)
	String Block Length
	Domain Name....

The Connection Statistics Data Block 4.7 - 4.9.0.x Fields describes the fields of the Connection Statistics data block returned by version 4.7.

Connection Statistics Data Block 4.7 - 4.9.0.x Fields
Field	Data Type	Description
Connection Statistics Data Block Type	uint32	Initiates a Connection Statistics data block for 4.7+. The value is always 56.
Connection Statistics Data Block Length	uint32	Number of bytes in the Connection Statistics data block, including eight bytes for the connection statistics block type and length fields, plus the number of bytes in the connection data that follows.
Initiator IP Address	uint8[4]	IP address of the host that initiated the session described in the connection event, in IP address octets.
Responder IP Address	uint8[4]	IP address of the host that responded to the initiating host, in IP address octets.
Initiator Port	uint16	Port used by the initiating host.
Responder Port	uint16	Port used by the responding host.
First Packet Timestamp	uint32	UNIX timestamp that represents the date and time that the first packet was exchanged in the session.
Last Packet Timestamp	uint32	UNIX timestamp that represents the date and time that the last packet was exchanged in the session.
Connection Type	uint8	Indicates the type of connection.
Source Device IP Address	uint8[4]	IP address of the sensor that detected the connection event, in IP address octets.
TCP Flags	uint8	Indicates any TCP flags for the connection event.
Packets Sent	uint32	Indicates the number of packets transmitted by the initiating host.
Packets Received	uint32	Number of packets transmitted by the responding host.
Bytes Sent	uint32	Number of bytes transmitted by the initiating host.
Bytes Received	uint32	Number of bytes transmitted by the responding host.
Protocol	uint8	Protocol used within the session.
Server ID	uint32	Indicates the identification number for the server.
Client Application Type ID	uint32	Identification number of the detected client application type, if applicable.
Client Application ID	uint32	Identification number of the detected client application, if applicable.
String Block Type	uint32	Initiates a String data block for the client application version. This value is always 0.
String Block Length	uint32	Number of bytes in the client application version String data block, including eight bytes for the string block type and length fields plus the number of bytes in the client application version string.
Client Application Version	string	Version of the client application (5.0, 5.5, and so on).
String Block Type	uint32	Initiates a string data block for the client application URL. This value is always 0.
String Block Length	uint32	Number of bytes in the client application URL String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the client application URL string.
Client Application URL	string	URL the client application accessed, if applicable (/files/index.html, for example).
String Block Type	uint32	Initiates a string data block for the domain name. This value is always 0.
String Block Length	uint32	Number of bytes in the domain name String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the domain name string.
Domain Name	string	The domain name for the initiating host, if applicable.

Connection Statistics Data Block 4.9.1 - 4.10.1

The Connection Statistics data block is used in Connection Data messages. Changes to the Connection data block between 4.7 and 4.9.1+ include the addition of a list of Web Application data blocks. The Connection Statistics data block for 4.9.1 - 4.10.1 has a block type of 101.

For more information on the Connection Statistics Data message, see Connection Statistics Data Message.

The following diagram shows the format of a Connection Statistics data block for 4.9.1 - 4.10.1:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Connection Data Block Type (101)
	Connection Data Block Length
	Initiator IP Address
	Responder IP Address
	Initiator Port																Responder Port
	First Packet Timestamp
	Last Packet Timestamp
	Connection Type								Source Device IP Address
	Src Dev IP, cont.								TCP Flags								Packets Sent
	Packets Sent, cont.																Packets Received
	Packets Received, cont.																Bytes Sent
	Bytes Sent, cont.																Bytes Received
	Bytes Received, cont.																Protocol								Server ID...
	Server ID, cont...																								Client App Type ID
	Client Application Type ID cont....																								Client App ID
Client App Version	Client Application ID cont....																								Block Type (0)
	String Block Type (0)																								Block Length
	String Block Length																								App Version...
	Client Application Version...
Client App URL	String Block Type (0)
	String Block Length
	Client Application URL...
Domain Name	String Block Type (0)
	String Block Length
	Domain Name....
	Payload Type
	Payload ID

The Connection Statistics Data Block 4.9.1 - 4.10.1 Fields describes the fields of the Connection Statistics data block returned by 4.9.1 - 4.10.x1

Connection Statistics Data Block 4.9.1 - 4.10.1 Fields
Field	Data Type	Description
Connection Statistics Data Block Type	uint32	Initiates a Connection Statistics data block for 4.9.1+. The value is always 101.
Connection Statistics Data Block Length	uint32	Number of bytes in the Connection Statistics data block, including eight bytes for the connection statistics block type and length fields, plus the number of bytes in the connection data that follows.
Initiator IP Address	uint8[4]	IP address of the host that initiated the session described in the connection event, in IP address octets.
Responder IP Address	uint8[4]	IP address of the host that responded to the initiating host, in IP address octets.
Initiator Port	uint16	Port used by the initiating host.
Responder Port	uint16	Port used by the responding host.
First Packet Timestamp	uint32	UNIX timestamp that represents the date and time that the first packet was exchanged in the session.
Last Packet Timestamp	uint32	UNIX timestamp that represents the date and time that the last packet was exchanged in the session.
Connection Type	uint8	Indicates the type of connection.
Source Device IP Address	uint8[4]	IP address of the sensor that detected the connection event, in IP address octets.
TCP Flags	uint8	Indicates any TCP flags for the connection event.
Packets Sent	uint32	Indicates the number of packets transmitted by the initiating host.
Packets Received	uint32	Number of packets transmitted by the responding host.
Bytes Sent	uint32	Number of bytes transmitted by the initiating host.
Bytes Received	uint32	Number of bytes transmitted by the responding host.
Protocol	uint8	Protocol used within the session.
Server ID	uint32	Indicates the identification number for the server.
Client Application Type ID	uint32	Identification number of the detected client application type, if applicable.
Client Application ID	uint32	Identification number of the detected client application, if applicable.
String Block Type	uint32	Initiates a String data block for the client application version. This value is always 0.
String Block Length	uint32	Number of bytes in the client application version String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the client application version string.
Client Application Version	string	Version of the client application (5.0, 5.5, and so on).
String Block Type	uint32	Initiates a string data block for the client application URL. This value is always 0.
String Block Length	uint32	Number of bytes in the client application URL String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the client application URL string.
Client Application URL	string	URL the client application accessed, if applicable (/files/index.html, for example).
String Block Type	uint32	Initiates a string data block for the domain name. This value is always 0.
String Block Length	uint32	Number of bytes in the domain name String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the domain name string.
Domain Name	string	The domain name for the initiating host, if applicable.
Payload Type	uint32	Indicates the type of the payload data.
Payload ID	uint32	Indicates the ID of the payload.

Connection Statistics Data Block 4.10.2.x

The Connection Statistics data block is used in Connection Data messages. Changes to the Connection data block between 4.10.1 and 4.10.2 include the addition of NetFlow fields. The Connection Statistics data block for 4.10.2.x has a block type of 125.

For more information on the Connection Statistics Data message, see Connection Statistics Data Message.

The following diagram shows the format of a Connection Statistics data block for 4.10.2.x:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Connection Data Block Type (125)
	Connection Data Block Length
	Initiator IP Address
	Responder IP Address
	Initiator Port																Responder Port
	First Packet Timestamp
	Last Packet Timestamp
	Connection Type								NetFlow Src TOS								NetFlow Dst TOS								NetFlow SNMP Input
	NetFlow SNMP Input cont.								NetFlow SNMP Output																Source Device IP Address
	Source Device IP Address cont.																								TCP Flags
	Packets Sent
	Packets Received
	Bytes Sent
	Bytes Received
	Protocol								Server ID...
	Server ID, cont...								Client App Type ID
	Client Application Type ID cont....								Client App ID
Client App Version	Client Application ID cont....								String Block Type (0)
	Block Type cont.								String Block Length
	String Block Length								Client Application Version...
Client App URL	String Block Type (0)
	String Block Length
	Client Application URL...
Domain Name	String Block Type (0)
	String Block Length
	Domain Name....
	Payload Type
	Payload ID

The Connection Statistics Data Block 4.10.2 Fields describes the fields of the Connection Statistics data block returned by 4.10.2.

Connection Statistics Data Block 4.10.2 Fields
Field	Data Type	Description
Connection Statistics Data Block Type	uint32	Initiates a Connection Statistics data block for 4.10.2.x. The value is always 125.
Connection Statistics Data Block Length	uint32	Number of bytes in the Connection Statistics data block, including eight bytes for the connection statistics block type and length fields, plus the number of bytes in the connection data that follows.
Initiator IP Address	uint8[4]	IP address of the host that initiated the session described in the connection event, in IP address octets.
Responder IP Address	uint8[4]	IP address of the host that responded to the initiating host, in IP address octets.
Initiator Port	uint16	Port used by the initiating host.
Responder Port	uint16	Port used by the responding host.
First Packet Timestamp	uint32	UNIX timestamp that represents the date and time that the first packet was exchanged in the session.
Last Packet Timestamp	uint32	UNIX timestamp that represents the date and time that the last packet was exchanged in the session.
Connection Type	uint8	Indicates the type of connection.
NetFlow Source TOS	uint8	Type of service from the IP header when packets are flowing from the source to the destination.
NetFlow Destination TOS	uint8	Type of service from the IP header when packets are flowing from the destination to the source
NetFlow SNMP Input	uint16	ID of the interface used by packets flowing from the source to the destination.
NetFlow SNMP Output	uint16	ID of the interface used by packets flowing from the destination to the source.
Source Device IP Address	uint8[4]	IP address of the sensor that detected the connection event, in IP address octets.
TCP Flags	uint8	Indicates any TCP flags for the connection event.
Packets Sent	uint32	Indicates the number of packets transmitted by the initiating host.
Packets Received	uint32	Number of packets transmitted by the responding host.
Bytes Sent	uint32	Number of bytes transmitted by the initiating host.
Bytes Received	uint32	Number of bytes transmitted by the responding host.
Protocol	uint8	Protocol used within the session.
Server ID	uint32	Indicates the identification number for the server.
Client Application Type ID	uint32	Identification number of the detected client application type, if applicable.
Client Application ID	uint32	Identification number of the detected client application, if applicable.
String Block Type	uint32	Initiates a String data block for the client application version. This value is always 0.
String Block Length	uint32	Number of bytes in the client application version String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the client application version string.
Client Application Version	string	Version of the client application (5.0, 5.5, and so on).
String Block Type	uint32	Initiates a string data block for the client application URL. This value is always 0.
String Block Length	uint32	Number of bytes in the client application URL String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the client application URL string.
Client Application URL	string	URL the client application accessed, if applicable (/files/index.html, for example).
String Block Type	uint32	Initiates a string data block for the domain name. This value is always 0.
String Block Length	uint32	Number of bytes in the domain name String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the domain name string.
Domain Name	string	The domain name for the initiating host, if applicable.
Payload Type	uint32	Indicates the type of the payload data.
Payload ID	uint32	Indicates the ID of the payload.

Connection Statistics Data Block 5.0 - 5.0.2

The Connection Statistics data block is used in Connection Data messages. Changes to the Connection data block between 4.10.x and 5.0 include addition of new fields with configuration parameters introduced in 5.0 (security zone, ingress and egress interface, URL category and reputation, and user, plus fields for additional tracking information such as violated policy and rule). The Connection Statistics data block for version 5.0 - 5.0.2 has a block type of 115. For more information on the Connection Statistics Data message, see Connection Statistics Data Message.

The following diagram shows the format of a Connection Statistics data block for 5.0 - 5.0.2:

::

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Connection Data Block Type (115)
	Connection Data Block Length
	Device ID
	Ingress Zone
	Ingress Zone, continued
	Ingress Zone, continued
	Ingress Zone, continued
	Egress Zone
	Egress Zone, continued
	Egress Zone, continued
	Egress Zone, continued
	Ingress Interface
	Ingress Interface, continued
	Ingress Interface, continued
	Ingress Interface, continued
	Egress Interface
	Egress Interface, continued
	Egress Interface, continued
	Egress Interface, continued
	Initiator IP Address
	Initiator IP Address, continued
	Initiator IP Address, continued
	Initiator IP Address, continued
	Responder IP Address
	Responder IP Address, continued
	Responder IP Address, continued
	Responder IP Address, continued
	Policy Revision
	Policy Revision, continued
	Policy Revision, continued
	Policy Revision, continued
	Rule ID
	Rule Action
	Initiator Port																Responder Port
	TCP Flags																Protocol								NetFlow Source
	NetFlow Source, continued
	NetFlow Source, continued
	NetFlow Source, continued
	NetFlow Source, continued																								First Pkt Time
	First Packet Timestamp, continued																								Last Pkt Time
	Last Packet Timestamp, continued																								Packets Sent
	Packets Sent, continued
	Packets Sent, continued																								Packets Rcvd
	Packets Received, continued
	Packets Received, continued																								Bytes Sent
	Bytes Sent, continued
	Packets Received, continued																								Bytes Rcvd
	Bytes Received, continued
	Bytes Received, continued																								User ID
	User ID, continued																								Application Protocol ID
	Application Protocol ID, continued																								URL Category
	URL Category, continued																								URL Reputation
	URL Reputation, continued																								Client App ID
	Client Application ID, continued																								Web App ID
	Web Application ID, continued																								String Block Type (0)
Client App URL	String Block Type, continued																								String Block Length
Client App URL	String Block Length, continued																								Client Application URL...
NetBIOS Name	String Block Type (0)
	String Block Length
	NetBIOS Name....
Client App Version	String Block Type (0)
	String Block Length
	Client Application Version...

The Connection Statistics Data Block 5.0 - 5.0.2 Fields describes the fields of the Connection Statistics data block for 5.0 - 5.0.2.

Connection Statistics Data Block 5.0 - 5.0.2 Fields
Field	Data Type	Description
Connection Statistics Data Block Type	uint32	Initiates a Connection Statistics data block for 5.0 to 5.0.2. The value is always 115.
Connection Statistics Data Block Length	uint32	Number of bytes in the Connection Statistics data block, including eight bytes for the connection statistics block type and length fields, plus the number of bytes in the connection data that follows.
Device ID	uint32	The device that detected the connection event.
Ingress Zone	uint8[16]	Ingress security zone in the event that triggered the policy violation.
Egress Zone	uint8[16]	Egress security zone in the event that triggered the policy violation.
Ingress Interface	uint8[16]	Interface for the inbound traffic.
Egress Interface	uint8[16]	Interface for the outbound traffic.
Initiator IP Address	uint8[16]	IP address of the host that initiated the session described in the connection event, in IP address octets.
Responder IP Address	uint8[16]	IP address of the host that responded to the initiating host, in IP address octets.
Policy Revision	uint8[16]	Revision number of the rule associated with the triggered correlation event, if applicable.
Rule ID	uint32	Internal identifier for the rule that triggered the event, if applicable.
Rule Action	uint32	The action selected in the user interface for that rule (allow, block, and so forth).
Initiator Port	uint16	Port used by the initiating host.
Responder Port	uint16	Port used by the responding host.
TCP Flags	uint16	Indicates any TCP flags for the connection event.
Protocol	uint8	The IANA-specified protocol number.
NetFlow Source	uint8[16]	IP address of the NetFlow-enabled device that exported the data for the connection
First Packet Timestamp	uint32	UNIX timestamp of the date and time the first packet was exchanged in the session.
Last Packet Timestamp	uint32	UNIX timestamp of the date and time the last packet was exchanged in the session.
Packets Sent	uint64	Number of packets transmitted by the initiating host.
Packets Received	uint64	Number of packets transmitted by the responding host.
Bytes Sent	uint64	Number of bytes transmitted by the initiating host.
Bytes Received	uint64	Number of bytes transmitted by the responding host.
User ID	uint32	Internal identification number for the user who last logged into the host that generated the traffic.
Application Protocol ID	uint32	Application ID of the application protocol.
URL Category	uint32	The internal identification number of the URL category.
URL Reputation	uint32	The internal identification number for the URL reputation.
Client Application ID	uint32	The internal identification number of the detected client application, if applicable.
Web Application ID	uint32	The internal identification number of the detected web application, if applicable.
String Block Type	uint32	Initiates a String data block for the client application URL. This value is always 0.
String Block Length	uint32	Number of bytes in the client application URL String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the client application URL string.
Client Application URL	string	URL the client application accessed, if applicable (/files/index.html, for example).
String Block Type	uint32	Initiates a String data block for the host NetBIOS name. This value is always 0.
String Block Length	uint32	Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name string.
NetBIOS Name	string	Host NetBIOS name string.
String Block Type	uint32	Initiates a String data block for the client application version. This value is always 0.
String Block Length	uint32	Number of bytes in the String data block for the client application version, including eight bytes for the string block type and length, plus the number of bytes in the version.
Client Application Version	string	Client application version.

Connection Statistics Data Block 5.1

The Connection Statistics data block is used in Connection Data messages. Changes to the Connection data block between 5.0.2 and 5.1 include the addition of new fields with configuration parameters introduced in 5.1 (rule action reason, monitor rules, Security Intelligence source/destination, Security Intelligence layer). The Connection Statistics data block for version 5.1 has a block type of 126. For more information on the Connection Statistics Data message, see Connection Statistics Data Message.

The following diagram shows the format of a Connection Statistics data block for 5.1:

::

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Connection Data Block Type (126)
	Connection Data Block Length
	Device ID
	Ingress Zone
	Ingress Zone, continued
	Ingress Zone, continued
	Ingress Zone, continued
	Egress Zone
	Egress Zone, continued
	Egress Zone, continued
	Egress Zone, continued
	Ingress Interface
	Ingress Interface, continued
	Ingress Interface, continued
	Ingress Interface, continued
	Egress Interface
	Egress Interface, continued
	Egress Interface, continued
	Egress Interface, continued
	Initiator IP Address
	Initiator IP Address, continued
	Initiator IP Address, continued
	Initiator IP Address, continued
	Responder IP Address
	Responder IP Address, continued
	Responder IP Address, continued
	Responder IP Address, continued
	Policy Revision
	Policy Revision, continued
	Policy Revision, continued
	Policy Revision, continued
	Rule ID
	Rule Action																Rule Reason
	Initiator Port																Responder Port
	TCP Flags																Protocol								NetFlow Source
	NetFlow Source, continued
	NetFlow Source, continued
	NetFlow Source, continued
	NetFlow Source, continued																								First Pkt Time
	First Packet Timestamp, continued																								Last Pkt Time
	Last Packet Timestamp, continued																								Initiator Transmitted Packets
	Initiator Transmitted Packets, continued
	Initiator Transmitted Packets, continued																								Responder Transmitted Packets
	Responder Transmitted Packets, continued
	Responder Transmitted Packets, continued																								Initiator Transmitted Bytes
	Initiator Transmitted Bytes, continued
	Initiator Transmitted Bytes, continued																								Responder Transmitted Bytes
	Responder Transmitted Bytes, continued
	Responder Transmitted Bytes, continued																								User ID
	User ID, continued																								Application Protocol ID
	Application Protocol ID, continued																								URL Category
	URL Category, continued																								URL Reputation
	URL Reputation, continued																								Client App ID
	Client Application ID, continued																								Web App ID
	Web Application ID, continued																								String Block Type (0)
Client App URL	String Block Type, continued																								String Block Length
Client App URL	String Block Length, continued																								Client Application URL...
NetBIOS Name	String Block Type (0)
	String Block Length
	NetBIOS Name....
Client App Version	String Block Type (0)
	String Block Length
	Client Application Version...
	Monitor Rule 1
	Monitor Rule 2
	Monitor Rule 3
	Monitor Rule 4
	Monitor Rule 5
	Monitor Rule 6
	Monitor Rule 7
	Monitor Rule 8
	Sec. Int. Src/Dst								Sec. Int. Rep Layer

The Connection Statistics Data Block 5.1 Fields describes the fields of the Connection Statistics data block for 5.1.

Connection Statistics Data Block 5.1 Fields
Field	Data Type	Description
Connection Statistics Data Block Type	uint32	Initiates a Connection Statistics data block for 5.1+. The value is always 126.
Connection Statistics Data Block Length	uint32	Number of bytes in the Connection Statistics data block, including eight bytes for the connection statistics block type and length fields, plus the number of bytes in the connection data that follows.
Device ID	uint32	The device that detected the connection event.
Ingress Zone	uint8[16]	Ingress security zone in the event that triggered the policy violation.
Egress Zone	uint8[16]	Egress security zone in the event that triggered the policy violation.
Ingress Interface	uint8[16]	Interface for the inbound traffic.
Egress Interface	uint8[16]	Interface for the outbound traffic.
Initiator IP Address	uint8[16]	IP address of the host that initiated the session described in the connection event, in IP address octets.
Responder IP Address	uint8[16]	IP address of the host that responded to the initiating host, in IP address octets.
Policy Revision	uint8[16]	Revision number of the rule associated with the triggered correlation event, if applicable.
Rule ID	uint32	Internal identifier for the rule that triggered the event, if applicable.
Rule Action	uint16	The action selected in the user interface for that rule (allow, block, and so forth).
Rule Reason	uint16	The reason the rule triggered the event.
Initiator Port	uint16	Port used by the initiating host.
Responder Port	uint16	Port used by the responding host.
TCP Flags	uint16	Indicates any TCP flags for the connection event.
Protocol	uint8	The IANA-specified protocol number.
NetFlow Source	uint8[16]	IP address of the NetFlow-enabled device that exported the data for the connection.
First Packet Timestamp	uint32	UNIX timestamp of the date and time the first packet was exchanged in the session.
Last Packet Timestamp	uint32	UNIX timestamp of the date and time the last packet was exchanged in the session.
Initiator Transmitted Packets	uint64	Number of packets transmitted by the initiating host.
Responder Transmitted Packets	uint64	Number of packets transmitted by the responding host.
Initiator Transmitted Bytes	uint64	Number of bytes transmitted by the initiating host.
Responder Transmitted Bytes	uint64	Number of bytes transmitted by the responding host.
User ID	uint32	Internal identification number for the user who last logged into the host that generated the traffic.
Application Protocol ID	uint32	Application ID of the application protocol.
URL Category	uint32	The internal identification number of the URL category.
URL Reputation	uint32	The internal identification number for the URL reputation.
Client Application ID	uint32	The internal identification number of the detected client application, if applicable.
Web Application ID	uint32	The internal identification number of the detected web application, if applicable.
String Block Type	uint32	Initiates a String data block for the client application URL. This value is always 0.
String Block Length	uint32	Number of bytes in the client application URL String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the client application URL string.
Client Application URL	string	URL the client application accessed, if applicable (/files/index.html, for example).
String Block Type	uint32	Initiates a String data block for the host NetBIOS name. This value is always 0.
String Block Length	uint32	Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name string.
NetBIOS Name	string	Host NetBIOS name string.
String Block Type	uint32	Initiates a String data block for the client application version. This value is always 0.
String Block Length	uint32	Number of bytes in the String data block for the client application version, including eight bytes for the string block type and length, plus the number of bytes in the version.
Client Application Version	string	Client application version.
Monitor Rule 1	uint32	The ID of the first monitor rule associated with the connection event.
Monitor Rule 2	uint32	The ID of the second monitor rule associated with the connection event.
Monitor Rule 3	uint32	The ID of the third monitor rule associated with the connection event.
Monitor Rule 4	uint32	The ID of the fourth monitor rule associated with the connection event.
Monitor Rule 5	uint32	The ID of the fifth monitor rule associated with the connection event.
Monitor Rule 6	uint32	The ID of the sixth monitor rule associated with the connection event.
Monitor Rule 7	uint32	The ID of the seventh monitor rule associated with the connection event.
Monitor Rule 8	uint32	The ID of the eighth monitor rule associated with the connection event.
Security Intelligence Source/ Destination	uint8	Whether the source or destination IP address matched the IP blacklist.
Security Intelligence Layer	uint8	The IP layer that matched the IP blacklist.

Connection Statistics Data Block 5.2.x

The connection statistics data block is used in connection data messages. Changes to the connection data block between versions 5.1.1 and 5.2 include the addition of new fields to support geolocation. The connection statistics data block for version 5.2.x has a block type of 144 in the series 1 group of blocks. It deprecates block type 137, The Connection Chunk Data Block Fields table describes the components of the Connection Chunk data block:.

For more information on the Connection Statistics Data message, see Connection Statistics Data Message.

The following diagram shows the format of a Connection Statistics data block for 5.2+:

::

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Connection Data Block Type (144)
	Connection Data Block Length
	Device ID
	Ingress Zone
	Ingress Zone, continued
	Ingress Zone, continued
	Ingress Zone, continued
	Egress Zone
	Egress Zone, continued
	Egress Zone, continued
	Egress Zone, continued
	Ingress Interface
	Ingress Interface, continued
	Ingress Interface, continued
	Ingress Interface, continued
	Egress Interface
	Egress Interface, continued
	Egress Interface, continued
	Egress Interface, continued
	Initiator IP Address
	Initiator IP Address, continued
	Initiator IP Address, continued
	Initiator IP Address, continued
	Responder IP Address
	Responder IP Address, continued
	Responder IP Address, continued
	Responder IP Address, continued
	Policy Revision
	Policy Revision, continued
	Policy Revision, continued
	Policy Revision, continued
	Rule ID
	Rule Action																Rule Reason
	Initiator Port																Responder Port
	TCP Flags																Protocol								NetFlow Source
	NetFlow Source, continued
	NetFlow Source, continued
	NetFlow Source, continued
	NetFlow Source, continued																								Instance ID
	Instance ID, cont.								Connection Counter																First Pkt Time
	First Packet Timestamp, continued																								Last Pkt Time
	Last Packet Timestamp, continued																								Initiator Tx Packets
	Initiator Transmitted Packets, continued
	Initiator Transmitted Packets, continued																								Resp. Tx Packets
	Responder Transmitted Packets, continued
	Responder Transmitted Packets, continued																								Initiator Tx Bytes
	Initiator Transmitted Bytes, continued
	Initiator Transmitted Bytes, continued																								Resp. Tx Bytes
	Responder Transmitted Bytes, continued
	Responder Transmitted Bytes, continued																								User ID
	User ID, continued																								Application Prot. ID
	Application Protocol ID, continued																								URL Category
	URL Category, continued																								URL Reputation
	URL Reputation, continued																								Client App ID
	Client Application ID, continued																								Web App ID
Client URL	Web Application ID, continued																								Str. Block Type (0)
	String Block Type, continued																								String Block Length
	String Block Length, continued																								Client App. URL...
NetBIOS Name	String Block Type (0)
	String Block Length
	NetBIOS Name...
Client App Version	String Block Type (0)
	String Block Length
	Client Application Version...
	Monitor Rule 1
	Monitor Rule 2
	Monitor Rule 3
	Monitor Rule 4
	Monitor Rule 5
	Monitor Rule 6
	Monitor Rule 7
	Monitor Rule 8
	Sec. Int. Src/Dst								Sec. Int. Layer								File Event Count
	Intrusion Event Count																Initiator Country
	Responder Country

The Connection Statistics Data Block 5.2.x Fields describes the fields of the Connection Statistics data block for 5.2.x:

Connection Statistics Data Block 5.2.x Fields
Field	Data Type	Description
Connection Statistics Data Block Type	uint32	Initiates a Connection Statistics data block for 5.2+. The value is always 144.
Connection Statistics Data Block Length	uint32	Number of bytes in the Connection Statistics data block, including eight bytes for the connection statistics block type and length fields, plus the number of bytes in the connection data that follows.
Device ID	uint32	The device that detected the connection event.
Ingress Zone	uint8[16]	Ingress security zone in the event that triggered the policy violation.
Egress Zone	uint8[16]	Egress security zone in the event that triggered the policy violation.
Ingress Interface	uint8[16]	Interface for the inbound traffic.
Egress Interface	uint8[16]	Interface for the outbound traffic.
Initiator IP Address	uint8[16]	IP address of the host that initiated the session described in the connection event, in IP address octets.
Responder IP Address	uint8[16]	IP address of the host that responded to the initiating host, in IP address octets.
Policy Revision	uint8[16]	Revision number of the rule associated with the triggered correlation event, if applicable.
Rule ID	uint32	Internal identifier for the rule that triggered the event, if applicable.
Rule Action	uint16	The action selected in the user interface for that rule (allow, block, and so forth).
Rule Reason	uint16	The reason the rule triggered the event.
Initiator Port	uint16	Port used by the initiating host.
Responder Port	uint16	Port used by the responding host.
TCP Flags	uint16	Indicates any TCP flags for the connection event.
Protocol	uint8	The IANA-specified protocol number.
NetFlow Source	uint8[16]	IP address of the NetFlow-enabled device that exported the data for the connection.
Instance ID	uint16	Numerical ID of the Snort instance on the managed device that generated the event.
Connection Counter	uint16	Value used to distinguish between connection events that happen during the same second.
First Packet Timestamp	uint32	UNIX timestamp of the date and time the first packet was exchanged in the session.
Last Packet Timestamp	uint32	UNIX timestamp of the date and time the last packet was exchanged in the session.
Initiator Transmitted Packets	uint64	Number of packets transmitted by the initiating host.
Responder Transmitted Packets	uint64	Number of packets transmitted by the responding host.
Initiator Transmitted Bytes	uint64	Number of bytes transmitted by the initiating host.
Responder Transmitted Bytes	uint64	Number of bytes transmitted by the responding host.
User ID	uint32	Internal identification number for the user who last logged into the host that generated the traffic.
Application Protocol ID	uint32	Application ID of the application protocol.
URL Category	uint32	The internal identification number of the URL category.
URL Reputation	uint32	The internal identification number for the URL reputation.
Client Application ID	uint32	The internal identification number of the detected client application, if applicable.
Web Application ID	uint32	The internal identification number of the detected web application, if applicable.
String Block Type	uint32	Initiates a String data block for the client application URL. This value is always 0.
String Block Length	uint32	Number of bytes in the client application URL String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the client application URL string.
Client Application URL	string	URL the client application accessed, if applicable (/files/index.html, for example).
String Block Type	uint32	Initiates a String data block for the host NetBIOS name. This value is always 0.
String Block Length	uint32	Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name string.
NetBIOS Name	string	Host NetBIOS name string.
String Block Type	uint32	Initiates a String data block for the client application version. This value is always 0.
String Block Length	uint32	Number of bytes in the String data block for the client application version, including eight bytes for the string block type and length, plus the number of bytes in the version.
Client Application Version	string	Client application version.
Monitor Rule 1	uint32	The ID of the first monitor rule associated with the connection event.
Monitor Rule 2	uint32	The ID of the second monitor rule associated with the connection event.
Monitor Rule 3	uint32	The ID of the third monitor rule associated with the connection event.
Monitor Rule 4	uint32	The ID of the fourth monitor rule associated with the connection event.
Monitor Rule 5	uint32	The ID of the fifth monitor rule associated with the connection event.
Monitor Rule 6	uint32	The ID of the sixth monitor rule associated with the connection event.
Monitor Rule 7	uint32	The ID of the seventh monitor rule associated with the connection event.
Monitor Rule 8	uint32	The ID of the eighth monitor rule associated with the connection event.
Security Intelligence Source/ Destination	uint8	Whether the source or destination IP address matched the IP blacklist.
Security Intelligence Layer	uint8	The IP layer that matched the IP blacklist.
File Event Count	uint16	Value used to distinguish between file events that happen during the same second.
Intrusion Event Count	uint16	Value used to distinguish between intrusion events that happen during the same second.
Initiator Country	uint16	Code for the country of the initiating host.
Responder Country	uint16	Code for the country of the responding host.

Connection Chunk Data Block for 4.10.1 - 5.1

The Connection Chunk data block conveys connection data detected by a NetFlow device. The Connection Chunk data block has a block type of 66 for pre-4.10.1 versions. For version 4.10.1 - 5.1, it has a block type of 119.

The following diagram shows the format of the Connection Chunk data block:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Connection Chunk Block Type (66 \| 119)
	Connection Chunk Block Length
	Initiator IP Address
	Responder IP Address
	Start Time
	Application ID
	Responder Port																Protocol								Connection Type
	NetFlow Detector IP Address
	Packets Sent
	Packets Received
	Bytes Sent
	Bytes Received
	Connections

The Connection Chunk Data Block Fields describes the components of the Connection Chunk data block:

Connection Chunk Data Block Fields
Field	Data Type	Description
Connection Chunk Block Type	uint32	Initiates a Connection Chunk data block. This value is 66 for versions before 4.10.1 and a value of 119 for version 5.0+.
Connection Chunk Block Length	uint32	Total number of bytes in the Connection Chunk data block, including eight bytes for the connection chunk block type and length fields, plus the number of bytes in the connection chunk data that follows.
Initiator IP Address	uint8[4]	IP address of the host that initiated the connection, in IP address octets.
Responder IP Address	uint8[4]	IP address of the host responding in the connection, in IP address octets.
Start Time	uint32	The starting time for the connection chunk.
Application ID	uint32	Application identification number for the application protocol used in the connection.
Responder Port	uint16	The port used by the responder in the connection chunk.
Protocol	uint8	The protocol for the packet containing the user information.
Connection Type	uint8	The type of connection.
Source Device IP Address	uint8[4]	IP address of the NetFlow device that detected the connection, in IP address octets.
Packets Sent	uint32	The number of packets sent in the connection chunk.
Packets Received	uint32	The number of packets received in the connection chunk.
Bytes Sent	uint32	The number of bytes sent in the connection chunk.
Bytes Received	uint32	The number of bytes received in the connection chunk.
Connections	uint32	The number of connections made in the connection chunk.

Connection Statistics Data Block 5.1.1.x

The connection statistics data block is used in connection data messages. Changes to the connection data block between versions 5.1 and 5.1.1 include the addition of new fields to identify associated intrusion events. The connection statistics data block for version 5.1.1.x has a block type of 137. It deprecates block type 126, Connection Statistics Data Block 5.1. For more information on the Connection Statistics Data message, see Connection Statistics Data Message.

The following diagram shows the format of a Connection Statistics data block for 5.1.1:

::

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Connection Data Block Type (137)
	Connection Data Block Length
	Device ID
	Ingress Zone
	Ingress Zone, continued
	Ingress Zone, continued
	Ingress Zone, continued
	Egress Zone
	Egress Zone, continued
	Egress Zone, continued
	Egress Zone, continued
	Ingress Interface
	Ingress Interface, continued
	Ingress Interface, continued
	Ingress Interface, continued
	Egress Interface
	Egress Interface, continued
	Egress Interface, continued
	Egress Interface, continued
	Initiator IP Address
	Initiator IP Address, continued
	Initiator IP Address, continued
	Initiator IP Address, continued
	Responder IP Address
	Responder IP Address, continued
	Responder IP Address, continued
	Responder IP Address, continued
	Policy Revision
	Policy Revision, continued
	Policy Revision, continued
	Policy Revision, continued
	Rule ID
	Rule Action																Rule Reason
	Initiator Port																Responder Port
	TCP Flags																Protocol								NetFlow Source
	NetFlow Source, continued
	NetFlow Source, continued
	NetFlow Source, continued
	NetFlow Source, continued																								Instance ID
	Instance ID, cont.								Connection Counter																First Pkt Time
	First Packet Timestamp, continued																								Last Pkt Time
	Last Packet Timestamp, continued																								Initiator Tx Packets
	Initiator Transmitted Packets, continued
	Initiator Transmitted Packets, continued																								Resp. Tx Packets
	Responder Transmitted Packets, continued
	Responder Transmitted Packets, continued																								Initiator Tx Bytes
	Initiator Transmitted Bytes, continued
	Initiator Transmitted Bytes, continued																								Resp. Tx Bytes
	Responder Transmitted Bytes, continued
	Responder Transmitted Bytes, continued																								User ID
	User ID, continued																								Application Prot. ID
	Application Protocol ID, continued																								URL Category
	URL Category, continued																								URL Reputation
	URL Reputation, continued																								Client App ID
	Client Application ID, continued																								Web App ID
Client URL	Web Application ID, continued																								Str. Block Type (0)
	String Block Type, continued																								String Block Length
	String Block Length, continued																								Client App. URL...
NetBIOS Name	String Block Type (0)
	String Block Length
	NetBIOS Name...
Client App Version	String Block Type (0)
	String Block Length
	Client Application Version...
	Monitor Rule 1
	Monitor Rule 2
	Monitor Rule 3
	Monitor Rule 4
	Monitor Rule 5
	Monitor Rule 6
	Monitor Rule 7
	Monitor Rule 8
	Sec. Int. Src/Dst								Sec. Int. Layer								File Event Count
	Intrusion Event Count

The Connection Statistics Data Block 5.1.1.x Fields describes the fields of the Connection Statistics data block for 5.1.1.x.

Connection Statistics Data Block 5.1.1.x Fields
Field	Data Type	Description
Connection Statistics Data Block Type	uint32	Initiates a Connection Statistics data block for 5.1.1.x. The value is always 137.
Connection Statistics Data Block Length	uint32	Number of bytes in the Connection Statistics data block, including eight bytes for the connection statistics block type and length fields, plus the number of bytes in the connection data that follows.
Device ID	uint32	The device that detected the connection event.
Ingress Zone	uint8[16]	Ingress security zone in the event that triggered the policy violation.
Egress Zone	uint8[16]	Egress security zone in the event that triggered the policy violation.
Ingress Interface	uint8[16]	Interface for the inbound traffic.
Egress Interface	uint8[16]	Interface for the outbound traffic.
Initiator IP Address	uint8[16]	IP address of the host that initiated the session described in the connection event, in IP address octets.
Responder IP Address	uint8[16]	IP address of the host that responded to the initiating host, in IP address octets.
Policy Revision	uint8[16]	Revision number of the rule associated with the triggered correlation event, if applicable.
Rule ID	uint32	Internal identifier for the rule that triggered the event, if applicable.
Rule Action	uint16	The action selected in the user interface for that rule (allow, block, and so forth).
Rule Reason	uint16	The reason the rule triggered the event.
Initiator Port	uint16	Port used by the initiating host.
Responder Port	uint16	Port used by the responding host.
TCP Flags	uint16	Indicates any TCP flags for the connection event.
Protocol	uint8	The IANA-specified protocol number.
NetFlow Source	uint8[16]	IP address of the NetFlow-enabled device that exported the data for the connection.
Instance ID	uint16	Numerical ID of the Snort instance on the managed device that generated the event.
Connection Counter	uint16	Value used to distinguish between connection events that happen during the same second.
First Packet Timestamp	uint32	UNIX timestamp of the date and time the first packet was exchanged in the session.
Last Packet Timestamp	uint32	UNIX timestamp of the date and time the last packet was exchanged in the session.
Initiator Transmitted Packets	uint64	Number of packets transmitted by the initiating host.
Responder Transmitted Packets	uint64	Number of packets transmitted by the responding host.
Initiator Transmitted Bytes	uint64	Number of bytes transmitted by the initiating host.
Responder Transmitted Bytes	uint64	Number of bytes transmitted by the responding host.
User ID	uint32	Internal identification number for the user who last logged into the host that generated the traffic.
Application Protocol ID	uint32	Application ID of the application protocol.
URL Category	uint32	The internal identification number of the URL category.
URL Reputation	uint32	The internal identification number for the URL reputation.
Client Application ID	uint32	The internal identification number of the detected client application, if applicable.
Web Application ID	uint32	The internal identification number of the detected web application, if applicable.
String Block Type	uint32	Initiates a String data block for the client application URL. This value is always 0.
String Block Length	uint32	Number of bytes in the client application URL String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the client application URL string.
Client Application URL	string	URL the client application accessed, if applicable (/files/index.html, for example).
String Block Type	uint32	Initiates a String data block for the host NetBIOS name. This value is always 0.
String Block Length	uint32	Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name string.
NetBIOS Name	string	Host NetBIOS name string.
String Block Type	uint32	Initiates a String data block for the client application version. This value is always 0.
String Block Length	uint32	Number of bytes in the String data block for the client application version, including eight bytes for the string block type and length, plus the number of bytes in the version.
Client Application Version	string	Client application version.
Monitor Rule 1	uint32	The ID of the first monitor rule associated with the connection event.
Monitor Rule 2	uint32	The ID of the second monitor rule associated with the connection event.
Monitor Rule 3	uint32	The ID of the third monitor rule associated with the connection event.
Monitor Rule 4	uint32	The ID of the fourth monitor rule associated with the connection event.
Monitor Rule 5	uint32	The ID of the fifth monitor rule associated with the connection event.
Monitor Rule 6	uint32	The ID of the sixth monitor rule associated with the connection event.
Monitor Rule 7	uint32	The ID of the seventh monitor rule associated with the connection event.
Monitor Rule 8	uint32	The ID of the eighth monitor rule associated with the connection event.
Security Intelligence Source/ Destination	uint8	Whether the source or destination IP address matched the IP blacklist.
Security Intelligence Layer	uint8	The IP layer that matched the IP blacklist.
File Event Count	uint16	Value used to distinguish between file events that happen during the same second.
Intrusion Event Count	uint16	Value used to distinguish between intrusion events that happen during the same second.

Legacy File Event Data Structures

The following topics describe other legacy file event data structures:

File Event for 5.1.1.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#61479">File Event for 5.2.x

File Event SHA Hash for 5.1.1-5.2.x

File Event for 5.1.1.x

The following graphic shows the structure of the File Event data block.:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	File Event Block Type (23)
	File Event Block Length
	Device ID
	Connection Instance																Connection Counter
	Connection Timestamp
	File Event Timestamp
	Source IP Address Source IP Address, continued Source IP Address, continued Source IP Address, continued



	Destination IP Address Destination IP Address, continued Destination IP Address, continued Destination IP Address, continued



	Disposition								Action								SHA Hash
	SHA Hash, continued SHA Hash, continued SHA Hash, continued SHA Hash, continued SHA Hash, continued SHA Hash, continued SHA Hash, continued






	SHA Hash, continued																File Type ID
File Name	File Type ID, cont.																String Block Type (0)
	String Block Type (0), cont.																String Block Length
	String Block Length, cont.																File Name...
	File Size File Size, continued

	Direction								Application ID
	App ID, cont.								User ID
URI	User ID, cont.								String Block Type (0)
	String Block Type (0), cont.								String Block Length
	String Block Length, cont.								URI...
Signature	String Block Type (0)
	String Block Length
	Signature...
	Source Port																Destination Port
	Protocol								Access Control Policy UUID
	Access Control Policy UUID, continued
	Access Control Policy UUID, continued Access Control Policy UUID, continued

	AC Pol UUID, cont.

The File Event Data Block Fields describes the fields in the file event data block:

File Event Data Block Fields
Field	Data Type	Description
File Event Block Type	uint32	Initiates whether file event data block. This value is always 23.
File Event Block Length	uint32	Total number of bytes in the file event block, including eight bytes for the file event block type and length fields, plus the number of bytes of data that follows.
Device ID	uint32	ID for the device that generated the event.
Connection Instance	uint16	Snort instance on the device that generated the event. Used to link the event with a connection or intrusion event.
Connection Counter	uint16	Value used to distinguish between connection events that happen during the same second.
Connection Timestamp	uint32	UNIX timestamp (seconds since 01/01/1970) of the associated connection event.
File Event Timestamp	uint32	UNIX timestamp (seconds since 01/01/1970) of when the file type is identified and the file event generated.
Source IP Address	uint8[16]	IPv4 or IPv6 address for the source of the connection.
Destination IP Address	uint8[16]	IPv4 or IPv6 address for the destination of the connection.
Disposition	uint8	The malware status of the file. Possible values include: 1 — CLEAN — The file is clean and does not contain malware. 2 — UNKNOWN — It is unknown whether the file contains malware. 3 — MALWARE — The file contains malware. 4 — CACHE_MISS — The software was unable to send a request to the Sourcefire cloud for a disposition. 5 — NO_CLOUD_RESP — The Sourcefire cloud services did not respond to the request.
Action	uint8	The action taken on the file based on the file type. Can have the following values: 1 — Detect 2 — Block 3 — Malware Cloud Lookup 4 — Malware Block 5 — Malware Whitelist
SHA Hash	uint8[32]	SHA-256 hash of the file, in binary format.
File Type ID	uint32	ID number that maps to the file type.
File Name	string	Name of the file.
File Size	uint64	Size of the file in bytes.
Direction	uint8	Value that indicates whether the file was uploaded or downloaded. Can have the following values: 1 — Download 2 — Upload Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).
Application ID	uint32	ID number that maps to the application using the file transfer.
User ID	uint32	ID number for the user logged into the destination host, as identified by the system.
URI	string	Uniform Resource Identifier (URI) of the connection.
Signature	string	SHA-256 hash of the file, in string format.
Source Port	uint16	Port number for the source of the connection.
Destination Port	uint16	Port number for the destination of the connection.
Protocol	uint8	IANA protocol number specified by the user. For example: 1 — ICMP 4 — IP 6 — TCP 17 — UDP This is currently only TCP.
Access Control Policy UUID	uint8[16]	Unique identifier for the access control policy that triggered the event.

File Event for 5.2.x

The file event contains information on files that are sent over the network. This includes the connection information, whether the file is malware, and specific information to identify the file. The file event has a block type of 32 in the series 2 group of blocks. It supersedes block type 23. New fields have been added to track source and destination country, as well as the client and web application instances.

The following graphic shows the structure of the File Event data block:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	File Event Block Type (32)
	File Event Block Length
	Device ID
	Connection Instance																Connection Counter
	Connection Timestamp
	File Event Timestamp
	Source IP Address Source IP Address, continued Source IP Address, continued Source IP Address, continued



	Destination IP Address Destination IP Address, continued Destination IP Address, continued Destination IP Address, continued



	Disposition								Action								SHA Hash
	SHA Hash, continued SHA Hash, continued SHA Hash, continued SHA Hash, continued SHA Hash, continued SHA Hash, continued SHA Hash, continued






	SHA Hash, continued																File Type ID
File Name	File Type ID, cont.																String Block Type (0)
	String Block Type (0), cont.																String Block Length
	String Block Length, cont.																File Name...
	File Size File Size, continued

	Direction								Application ID
	App ID, cont.								User ID
URI	User ID, cont.								String Block Type (0)
	String Block Type (0), cont.								String Block Length
	String Block Length, cont.								URI...
Signature	String Block Type (0)
	String Block Length
	Signature...
	Source Port																Destination Port
	Protocol								Access Control Policy UUID
	Access Control Policy UUID, continued
	Access Control Policy UUID, continued Access Control Policy UUID, continued

	AC Pol UUID, cont.								Source Country																Dst. Country
	Dst. Country, cont.								Web Application ID
	Web App. ID, cont.								Client Application ID
	Client App. ID, cont.

The File Event Data Block Fields describes the fields in the file event data block:

File Event Data Block Fields
Field	Data Type	Description
File Event Block Type	uint32	Initiates whether file event data block. This value is always 23.
File Event Block Length	uint32	Total number of bytes in the file event block, including eight bytes for the file event block type and length fields, plus the number of bytes of data that follows.
Device ID	uint32	ID for the device that generated the event.
Connection Instance	uint16	Snort instance on the device that generated the event. Used to link the event with a connection or intrusion event.
Connection Counter	uint16	Value used to distinguish between connection events that happen during the same second.
Connection Timestamp	uint32	UNIX timestamp (seconds since 01/01/1970) of the associated connection event.
File Event Timestamp	uint32	UNIX timestamp (seconds since 01/01/1970) of when the file type is identified and the file event generated.
Source IP Address	uint8[16]	IPv4 or IPv6 address for the source of the connection.
Destination IP Address	uint8[16]	IPv4 or IPv6 address for the destination of the connection.
Disposition	uint8	The malware status of the file. Possible values include: 1 — CLEAN — The file is clean and does not contain malware. 2 — NEUTRAL — It is unknown whether the file contains malware. 3 — MALWARE — The file contains malware. 4 — CACHE_MISS — The software was unable to send a request to the Sourcefire cloud for a disposition, or the Sourcefire cloud services did not respond to the request.
Action	uint8	The action taken on the file based on the file type. Can have the following values: 1 — Detect 2 — Block 3 — Malware Cloud Lookup 4 — Malware Block 5 — Malware Whitelist
SHA Hash	uint8[32]	SHA-256 hash of the file, in binary format.
File Type ID	uint32	ID number that maps to the file type.
File Name	string	Name of the file.
File Size	uint64	Size of the file in bytes.
Direction	uint8	Value that indicates whether the file was uploaded or downloaded. Can have the following values: 1 — Download 2 — Upload Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).
Application ID	uint32	ID number that maps to the application using the file transfer.
User ID	uint32	ID number for the user logged into the destination host, as identified by the system.
URI	string	Uniform Resource Identifier (URI) of the connection.
Signature	string	SHA-256 hash of the file, in string format.
Source Port	uint16	Port number for the source of the connection.
Destination Port	uint16	Port number for the destination of the connection.
Protocol	uint8	IANA protocol number specified by the user. For example: 1 — ICMP 4 — IP 6 — TCP 17 — UDP This is currently only TCP.
Access Control Policy UUID	uint8[16]	Unique identifier for the access control policy that triggered the event.
Source Country	uint16	Code for the country of the source host.
Destination Country	uint16	Code for the country of the destination host.
Web Application ID	uint32	The internal identification number for the web application, if applicable.
Client Application ID	uint32	The internal identification number for the client application, if applicable.

File Event SHA Hash for 5.1.1-5.2.x

The eStreamer service uses the File Event SHA Hash data block to contain metadata of the mapping of the SHA hash of a file to its filename. The block type is 26 in the series 2 list of data blocks. It can be requested if file log events have been requested in the extended requests—event code 111—and either bit 20 is set or metadata is requested with an event version of 4 and an event code of 21.

The following diagram shows the structure of a file event hash data block:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	File Event SHA Hash Block Type (26)
	File Event SHA Hash Block Length
	SHA Hash
	SHA Hash, continued
	SHA Hash, continued
	SHA Hash, continued SHA Hash, continued SHA Hash, continued SHA Hash, continued SHA Hash, continued
File Name	String Block Type (0)
	String Block Length
	File Name or Disposition...

The File Event SHA Hash 5.1.1-5.2.x Data Block Fields describes the fields in the file event SHA hash data block.

File Event SHA Hash 5.1.1-5.2.x Data Block Fields
Field	Data Type	Description
File Event SHA Hash Block Type	uint32	Initiates a File Event SHA Hash block. This value is always 26.
File Event SHA Hash Block Length	uint32	Total number of bytes in the File Event SHA Hash block, including eight bytes for the File Event SHA Hash block type and length fields, plus the number of bytes of data that follows.
SHA Hash	uint8[32]	The SHA-256 hash of the file in binary format.
String Block Type	uint32	Initiates a String data block containing the descriptive name associated with the file. This value is always 0.
String Block Length	uint32	The number of bytes included in the name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Name field.
File Name or Disposition	string	The descriptive name or disposition of the file. If the file is clean, this value is Clean. If the file’s disposition is unknown, the value is Neutral. If the file contains malware, the file name is given.

Legacy Correlation Event Data Structures

The following topics describe other legacy correlation (compliance) data structures:

Correlation Event for 4.8.0.2 - 4.9.1.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#54409">Correlation Event for 4.10.x

Correlation Event for 5.0 - 5.0.2

Correlation Event for 4.8.0.2 - 4.9.1.x

Correlation events contain information about policy violations and are transmitted when correlation policies are violated. The Defense Center uses the standard message header with a record type of 97, followed by a correlation data block with a type of 84. The source and destination user ID fields were added in the 4.7.0.2 - 4.8 version.

You can request that eStreamer transmit 4.8.0.2 - 4.9.1.x correlation events by setting bit 22 in the Flags field of a request message. If you enable bit 23, an extended event header is included in the record.

To request user record metadata along with the policy event data, you must request policy event data using bit 22 and request version 4 metadata (bit 20). For more information, see User Record.

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Header Version (1)																Message Type (4)
	Message Length
	Record Type (97)
	Record Length
	eStreamer Server Timestamp (in events, only if bit 23 is set)
	Reserved for Future Use (in events, only if bit 23 is set)
	Correlation Block Type (84)
	Correlation Block Length
	Detection Engine ID
	Event Second
	Correlation Event ID
	Policy ID
	Rule ID
	Priority
	String Block Type (0)																																Event Description
	String Block Length
	Description...																								Policy Event Type
	Event Detection Engine ID
	Signature ID
	Signature Generator ID
	Event Second
	Event Microsecond
	Event ID
	Event Defined Mask
	Event Impact Flags
	IP Protocol								Network Protocol																Source IP
	Source IP, continued																								Source Host Type
	Source VLAN ID																Source OS Fingerprint UUID																Source OS Fingerprint
	Source OS Fingerprint UUID, continued
	Source OS Fingerprint UUID, continued
	Source OS Fingerprint UUID, continued
	Source OS Fingerprint UUID, continued																Source Criticality
	Source User ID
	Source Port																Source Server ID
	Source Server ID																Destination IP
	Destination IP																Dest. Host Type								Dest VLAN ID								Destination OS Fingerprint
	Dest. VLAN ID								Dest. Fingerprint UUID
	Destination OS Fingerprint UUID, continued
	Destination OS Fingerprint UUID, continued
	Destination OS Fingerprint UUID, continued
	Fprt UUID, cont								Dest. Criticality																Dest. User ID
	Dest. User ID, cont.																								Destination Port
	Dest. Port cont.								Dest. Server ID
	Dest. Serv. ID cont.

The Correlation Event Data 4.8.0.2 - 4.9.1.x Fields describes each data field in a correlation event.

Correlation Event Data 4.8.0.2 - 4.9.1.x Fields
Field	Data Type	Description
Correlation Block Type	uint32	Indicates a correlation event data block follows. This field always has a value of 84.
Correlation Block Length	uint32	Length of the correlation data block, that includes 8 bytes for the correlation block type and length plus the correlation data that follows.
Detection Engine ID	uint32	ID of the detection engine or Defense Center that generated the correlation event. A value of zero indicates the Defense Center. You can obtain detection engine names and the detection engine UUIDs that correlate to them by requesting Version 3 metadata. See Detection Engine Record for 4.6.1 - 4.10.x for more information.
Event Second	uint32	UNIX timestamp indicating the time that the event was detected (in seconds from 01/01/1970).
Correlation Event ID	uint32	Correlation event identification number.
Policy ID	uint32	Identification number of the correlation policy that was violated. See Server Record for information about how to obtain policy identification numbers from the database.
Rule ID	uint32	Identification number of the correlation rule that triggered to violate the policy. See Server Record for information about how to obtain policy identification numbers from the database.
Priority	uint32	Priority assigned to the event. This is an integer value from 0 to 5.
String Block Type	uint32	Initiates a string data block that contains the policy violation event description. This value is always set to 0.
String Block Length	uint32	Number of bytes in the event description string block, which includes four bytes for the string block type and four bytes for the string block length, plus the number of bytes in the description.
Description	string	Description of the correlation event.
Policy Event Type	uint8	Indicates whether the correlation event was triggered by an intrusion, discovery, or user event: 1 — intrusion 2 — intrusion 3 — user
Event Detection Engine ID	uint32	Identification number of the detection engine that generated the intrusion or discovery event that triggered the correlation event. You can obtain detection engine IDs and the detection engine UUIDs that correlate to them by requesting Version 3 metadata. See Detection Engine Record for 4.6.1 - 4.10.x for more information.
Signature ID	uint32	If the event was an intrusion event, indicates the rule identification number that corresponds with the event. Otherwise, the value is 0.
Signature Generator ID	uint32	If the event was an intrusion event, indicates the ID number of the Sourcefire 3D System preprocessor or rules engine that generated the event.
Event Second	uint32	UNIX timestamp indicating the time that the event was detected (in seconds from 01/01/1970).
Event Microsecond	uint32	Microsecond (one millionth of a second) increment that the event was detected.
Event ID	uint32	Identification number of the event generated by the device.
Event Defined Mask	bits[32]	Set bits in this field indicate which of the fields that follow in the message are valid. See Event Defined Values for a list of each bit value.
Event Impact Flags	bits[32]	Impact level of the event. The low-order six bits are used and the impact is determined by how the bits are set. Values are: 0x00000001 — Source or destination host is in a monitored network monitored (bit 0). 0x00000002 — Source or destination host exists in the network map (bit 1). 0x00000004 — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol (bit 2). 0x00000008 — There is a vulnerability mapped to the operating system of the source or destination host in the event (bit 3). 0x00000010 — There is a vulnerability mapped to the server detected in the event (bit 4). 0x00000020 — The event caused the sensor to drop the session (used only when the sensor is running in inline mode) (bit 5). Corresponds to blocked status in Inline Result column in the Sourcefire 3D System web interface. On the Defense Center, the following values map to specific priorities. An X indicates that the value can be 0 or 1: Gray (0, unknown): X00000 Red (1, vulnerable): XX1XXX , X1XXXX Orange (2, potentially vulnerable): X00111 Yellow (3, currently not vulnerable): X00011 Blue (4, unknown target): X00001 Black (dropped packet): 1XXXXX
IP Protocol	uint8	IP protocol associated with the event, if applicable.
Network Protocol	uint16	Network protocol associated with the event, if applicable.
Source IP	uint8[4]	IP address of the source host in the event, in IP address octets.
Source Host Type	uint8	Source host’s type: 0 — Host 1 — Router 2 — Bridge
Source VLAN ID	uint16	Source host’s VLAN identification number, if applicable.
Source OS Fingerprint UUID	uint8[16]	A fingerprint ID number that acts a unique identifier for the source host’s operating system. See Server Record for information about obtaining the values that map to the fingerprint IDs.
Source Criticality	uint16	User-defined criticality value for the source host: 0 — None 1 — Low 2 — Medium 3 — High
Source User ID	uint32	Identification number for the user logged into the source host, as identified by the system.
Source Port	uint16	Source port in the event.
Source Server ID	uint32	Identification number for the server running on the source host.
Destination IP Address	uint8[4]	IP address of the destination host associated with the policy violation (if applicable). This value will be 0 if there is no destination IP address.
Destination Host Type	uint8	Destination host’s type: 0 — Host 1 — Router 2 — Bridge
Destination VLAN ID	uint16	Destination host’s VLAN identification number, if applicable.
Destination OS Fingerprint UUID	uint8[16]	A fingerprint ID number that acts as a unique identifier for the destination host’s operating system. See Server Record for information about obtaining the values that map to the fingerprint IDs.
Destination Criticality	uint16	User-defined criticality value for the destination host: 0 — None 1 — Low 2 — Medium 3 — High
Destination User ID	uint32	Identification number for the user logged into the destination host, as identified by the system.
Destination Port	uint16	Destination port in the event.
Destination Server ID	uint32	Identification number for the server running on the source host.

Event Data Mask Field Values

The Event Defined Values describes each Event Defined Mask value.

Event Defined Values
Description	Mask Value
Event Impact Flags	0x00000001
IP Protocol	0x00000002
Network Protocol	0x00000004
Source IP	0x00000008
Source Host Type	0x00000010
Source VLAN ID	0x00000020
Source Fingerprint ID	0x00000040
Source Criticality	0x00000080
Source Port	0x00000100
Source Server	0x00000200
Destination IP	0x00000400
Destination Host Type	0x00000800
Destination VLAN ID	0x00001000
Destination Fingerprint ID	0x00002000
Destination Criticality	0x00004000
Destination Port	0x00008000
Destination Server	0x00010000
Source User	0x00020000
Destination User	0x00040000

Correlation Event for 4.10.x

Correlation events contain information about policy violations and are transmitted when correlation policies are violated. The Defense Center uses the standard message header with a record type of 112, followed by a correlation data block with a type of 107.

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Header Version (1)																Message Type (4)
	Message Length
	Record Type (112)
	Record Length
	eStreamer Server Timestamp (in events, only if bit 23 is set)
	Reserved for Future Use (in events, only if bit 23 is set)
	Correlation Block Type (107)
	Correlation Block Length
	Detection Engine ID
	Event Second
	Correlation Event ID
	Policy ID
	Rule ID
	Priority
	String Block Type (0)																																Event Description
	String Block Length
	Description...																								Event Type
	Event Detection Engine ID
	Signature ID
	Signature Generator ID
	Event Second
	Event Microsecond
	Event ID
	Event Defined Mask
	Event Impact Flags								IP Protocol								Network Protocol
	Source IP
	Source Host Type								Source VLAN ID																Source OS Fprt UUID								Source OS Fprt
	Source OS Fingerprint UUID, continued
	Source OS Fingerprint UUID, continued
	Source OS Fingerprint UUID, continued
	Source OS Fingerprint UUID, continued																								Source Criticality
	Source Criticality, cont								Source User ID
	Source User ID, cont								Source Port																Source Server ID
	Source Server ID, continued																								Destination IP
	Destination IP, continued																								Dest. Host Type
	Dest. VLAN ID																Destination OS Fingerprint UUID																Dest OS Fingerprint
	Destination OS Fingerprint UUID, continued
	Destination OS Fingerprint UUID, continued
	Destination OS Fingerprint UUID, continued
	Destination OS Fingerprint UUID, continued																Dest. Criticality
	Dest. User ID
	Destination Port																Dest. Server ID
	Dest. Server ID, continued																Blocked

The Correlation Event 4.10.x Data Fields describes each data field in a correlation event.

Correlation Event 4.10.x Data Fields
Field	Data Type	Description
Correlation Block Type	uint32	Indicates a correlation event data block follows. This field always has a value of 107.
Correlation Block Length	uint32	Length of the correlation data block, which includes 8 bytes for the correlation block type and length plus the correlation data that follows.
Detection Engine ID	uint32	ID of the detection engine or Defense Center that generated the correlation event. A value of zero indicates the Defense Center. You can obtain detection engine IDs and the detection engine UUIDs that correlate to them by requesting Version 3 metadata. See Detection Engine Record for 4.6.1 - 4.10.x for more information.
Event Second	uint32	UNIX timestamp indicating the time that the event was detected (in seconds from 01/01/1970).
Correlation Event ID	uint32	Correlation event identification number.
Policy ID	uint32	Identification number of the correlation policy that was violated. See Server Record for information about how to obtain policy identification numbers from the database.
Rule ID	uint32	Identification number of the correlation rule that triggered to violate the policy. See Server Record for information about how to obtain policy identification numbers from the database.
Priority	uint32	Priority assigned to the event. This is an integer value from 0 to 5.
String Block Type	uint32	Initiates a string data block that contains the correlation violation event description. This value is always set to 0.
String Block Length	uint32	Number of bytes in the event description string block, which includes four bytes for the string block type and four bytes for the string block length, plus the number of bytes in the description.
Description	string	Description of the correlation event.
Event Type	uint8	Indicates whether the correlation event was triggered by an intrusion, discovery, or user activity event: 1 — intrusion 2 — discovery 3 — user activity
Event Detection Engine ID	uint32	Identification number of the detection engine that generated the intrusion or discovery event that triggered the correlation event. You can obtain detection engine IDs and the detection engine UUIDs that correlate to them by requesting Version 3 metadata. See Detection Engine Record for 4.6.1 - 4.10.x for more information.
Signature ID	uint32	If the event was an intrusion event, indicates the rule identification number that corresponds with the event. Otherwise, the value is 0.
Signature Generator ID	uint32	If the event was an intrusion event, indicates the ID number of the Sourcefire 3D System preprocessor or rules engine that generated the event.
Event Second	uint32	UNIX timestamp indicating the time that the event was detected (in seconds from 01/01/1970).
Event Microsecond	uint32	Microsecond (one millionth of a second) increment that the event was detected.
Event ID	uint32	Identification number of the event generated by the device.
Event Defined Mask	bits[32]	Set bits in this field indicate which of the fields that follow in the message are valid. See Event Defined Values for a list of each bit value.
Event Impact Flags	bits[8]	Impact level of the event. The low-order seven bits are used and the impact is determined by how the bits are set. Values are: 0x01 — Source or destination host is in a monitored network monitored (bit 0). 0x02 — Source or destination host exists in the network map (bit 1). 0x04 — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol (bit 2). 0x08 — There is a vulnerability mapped to the operating system of the source or destination host in the event (bit 3). 0x10 — There is a vulnerability mapped to the server detected in the event (bit 4). 0x20 — The event caused the sensor to drop the session (used only when the sensor is running in inline mode) (bit 5). Corresponds to blocked status in Inline Result column in the Sourcefire 3D System web interface. 0x40 — The rule that generated this event contains rule metadata setting the impact flag to red (bit 6). If the rule is provided by the Sourcefire Vulnerability Research Team (VRT), the source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software. On the Defense Center, the following values map to specific priorities. An X indicates that the value can be 0 or 1: Gray (0, unknown): 0X00000 Red (1, vulnerable): XXX1XXX , XX1XXXX , 1XXXXXX Orange (2, potentially vulnerable): 0X00111 Yellow (3, currently not vulnerable): 0X00011 Blue (4, unknown target): 0X00001 Black (dropped packet): X1XXXXX
IP Protocol	uint8	IP protocol associated with the event, if applicable.
Network Protocol	uint16	Network protocol associated with the event, if applicable.
Source IP	uint8[4]	IP address of the source host in the event, in IP address octets.
Source Host Type	uint8	Source host’s type: 0 — Host 1 — Router 2 — Bridge
Source VLAN ID	uint16	Source host’s VLAN identification number, if applicable.
Source OS Fingerprint UUID	uint8[16]	A fingerprint ID number that acts a unique identifier for the source host’s operating system. See Server Record for information about obtaining the values that map to the fingerprint IDs.
Source Criticality	uint16	User-defined criticality value for the source host: 0 — None 1 — Low 2 — Medium 3 — High
Source User ID	uint32	Identification number for the user logged into the source host, as identified by the system.
Source Port	uint16	Source port in the event.
Source Server ID	uint32	Identification number for the server running on the source host.
Destination IP Address	uint8[4]	IP address of the destination host associated with the policy violation (if applicable). This value will be 0 if there is no destination IP address.
Destination Host Type	uint8	Destination host’s type: 0 — Host 1 — Router 2 — Bridge
Destination VLAN ID	uint16	Destination host’s VLAN identification number, if applicable.
Destination OS Fingerprint UUID	uint8[16]	A fingerprint ID number that acts as a unique identifier for the destination host’s operating system. See Server Record for information about obtaining the values that map to the fingerprint IDs.
Destination Criticality	uint16	User-defined criticality value for the destination host: 0 — None 1 — Low 2 — Medium 3 — High
Destination User ID	uint32	Identification number for the user logged into the destination host, as identified by the system.
Destination Port	uint16	Destination port in the event.
Destination Server ID	uint32	Identification number for the server running on the source host.
Blocked	uint8	Value indicating what happened to the packet that triggered the intrusion event. 0 — Intrusion event not dropped 1 — Intrusion event was dropped (inline mode, drop when inline is set) 2 — The packet that triggered the event would have been dropped, if the intrusion policy had been applied to a detection engine using an inline interface set.

Event Data Mask Field Values

The Event Defined Values describes each value in the Event Defined Mask.

Event Defined Values
Description	Mask Value
Event Impact Flags	0x00000001
IP Protocol	0x00000002
Network Protocol	0x00000004
Source IP	0x00000008
Source Host Type	0x00000010
Source VLAN ID	0x00000020
Source Fingerprint ID	0x00000040
Source Criticality	0x00000080
Source Port	0x00000100
Source Server	0x00000200
Destination IP	0x00000400
Destination Host Type	0x00000800
Destination VLAN ID	0x00001000
Destination Fingerprint ID	0x00002000
Destination Criticality	0x00004000
Destination Port	0x00008000
Destination Server	0x00010000
Source User	0x00020000
Destination User	0x00040000

Correlation Event for 5.0 - 5.0.2

Correlation events (called compliance events in pre-5.0 versions) contain information about correlation policy violations. This message uses the standard eStreamer message header and specifies a record type of 112, followed by a correlation data block of type 116. Data block type 116 differs from its predecessor (block type 107) in including additional information about the associated security zone and interface.

You can request 5.0+ correlation events from eStreamer only by extended request, for which you request event type code 31 and version code 7 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests). You can optionally enable bit 23 in the flags field of the initial event stream request message, to include the extended event header. You can also enable bit 20 in the flags field to include user metadata.

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Header Version (1)																Message Type (4)
	Message Length
	Record Type (112)
	Record Length
	eStreamer Server Timestamp (in events, only if bit 23 is set)
	Reserved for Future Use (in events, only if bit 23 is set)
	Correlation Block Type (116)
	Correlation Block Length
	Device ID
	(Correlation) Event Second
	Event ID
	Policy ID
	Rule ID
	Priority
	String Block Type (0)																																Event Description
	String Block Length
	Description...																								Event Type
	Event Device ID
	Signature ID
	Signature Generator ID
	(Trigger) Event Second
	(Trigger) Event Microsecond
	Event ID
	Event Defined Mask
	Event Impact Flags								IP Protocol								Network Protocol
	Source IP
	Source Host Type								Source VLAN ID																Source OS Fprt UUID								Source OS Fprt UUID
	Source OS Fingerprint UUID, continued
	Source OS Fingerprint UUID, continued
	Source OS Fingerprint UUID, continued
	Source OS Fingerprint UUID, continued																								Source Criticality
	Source Criticality, cont								Source User ID
	Source User ID, cont								Source Port																Source Server ID
	Source Server ID, continued																								Destination IP
	Destination IP, continued																								Dest. Host Type
	Dest. VLAN ID																Destination OS Fingerprint UUID																Dest OS Fingerprint UUID
	Destination OS Fingerprint UUID, continued
	Destination OS Fingerprint UUID, continued
	Destination OS Fingerprint UUID, continued
	Destination OS Fingerprint UUID, continued																Destination Criticality
	Dest. User ID
	Destination Port																Destination Server ID
	Destination Server ID, cont.																Blocked								Ingress Interface UUID
	Ingress Interface UUID, continued
	Ingress Interface UUID, continued
	Ingress Interface UUID, continued
	Ingress Interface UUID, continued																								Egress Interface UUID
	Egress Interface UUID, continued
	Egress Interface UUID, continued
	Egress Interface UUID, continued
	Egress Interface UUID, continued																								Ingress Zone UUID
	Ingress Zone UUID
	Ingress Zone UUID, continued
	Ingress Zone UUID, continued
	Ingress Zone UUID, continued																								Egress Zone UUID
	Egress Zone UUID
	Egress Zone UUID, continued
	Egress Zone UUID, continued
	Egress Zone UUID, continued

Note that the record structure includes a String block type, which is a block in series 1. For information about series 1 blocks, see Understanding Discovery (Series 1) Blocks.

Correlation Event 5.0 - 5.0.2 Data Fields
Field	Data Type	Description
Correlation Block Type	uint32	Indicates a correlation event data block follows. This field always has a value of 107. See Understanding Discovery (Series 1) Blocks.
Correlation Block Length	uint32	Length of the correlation data block, which includes 8 bytes for the correlation block type and length plus the correlation data that follows.
Device ID	uint32	Internal identification number of the managed device or Defense Center that generated the correlation event. A value of zero indicates the Defense Center. You can obtain managed device names by requesting Version 3 metadata. See Managed Device Record Metadata for more information.
(Correlation) Event Second	uint32	UNIX timestamp indicating the time that the correlation event was generated (in seconds from 01/01/1970).
Event ID	uint32	Correlation event identification number.
Policy ID	uint32	Identification number of the correlation policy that was violated. See Server Record for information about how to obtain policy identification numbers from the database.
Rule ID	uint32	Identification number of the correlation rule that triggered to violate the policy. See Server Record for information about how to obtain policy identification numbers from the database.
Priority	uint32	Priority assigned to the event. This is an integer value from 0 to 5.
String Block Type	uint32	Initiates a string data block that contains the correlation violation event description. This value is always set to 0. For more information about string blocks, see String Data Block.
String Block Length	uint32	Number of bytes in the event description string block, which includes four bytes for the string block type and four bytes for the string block length, plus the number of bytes in the description.
Description	string	Description of the correlation event.
Event Type	uint8	Indicates whether the correlation event was triggered by an intrusion, host discovery, or user event: 1 — intrusion 2 — host discovery 3 — user
Event Device ID	uint32	Identification number of the device that generated the event that triggered the correlation event. You can obtain device name by requesting Version 3 metadata. See Managed Device Record Metadata for more information.
Signature ID	uint32	If the event was an intrusion event, indicates the rule identification number that corresponds with the event. Otherwise, the value is 0.
Signature Generator ID	uint32	If the event was an intrusion event, indicates the ID number of the Sourcefire 3D System preprocessor or rules engine that generated the event.
(Trigger) Event Second	uint32	UNIX timestamp indicating the time of the event that triggered the correlation policy rule (in seconds from 01/01/1970).
(Trigger) Event Microsecond	uint32	Microsecond (one millionth of a second) increment that the event was detected.
Event ID	uint32	Identification number of the event generated by the device.
Event Defined Mask	bits[32]	Set bits in this field indicate which of the fields that follow in the message are valid. See Event Defined Values for a list of each bit value.
Event Impact Flags	bits[8]	Impact flag value of the event. The low-order eight bits indicate the impact level. Values are: 0x01 (bit 0) — Source or destination host is in a network monitored by the system. 0x02 (bit 1) — Source or destination host exists in the network map. 0x04 (bit 2) — Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol. 0x08 (bit 3) — There is a vulnerability mapped to the operating system of the source or destination host in the event. 0x10 (bit 4) — There is a vulnerability mapped to the server detected in the event. 0x20 (bit 5) — The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the Sourcefire 3D System web interface. 0x40 (bit 6) — The rule that generated this event contains rule metadata setting the impact flag to red (bit 6). The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software. 0x80 (bit 7) — There is a vulnerability mapped to the client detected in the event. The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1: gray (0, unknown): 00X00000 red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX orange (2, potentially vulnerable): 00X00111 yellow (3, currently not vulnerable): 00X00011 blue (4, unknown target): 00X00001
IP Protocol	uint8	Identifier of the IP protocol associated with the event, if applicable.
Network Protocol	uint16	Network protocol associated with the event, if applicable.
Source IP	uint8[4]	IP address of the source host in the event, in IP address octets.
Source Host Type	uint8	Source host’s type: 0 — Host 1 — Router 2 — Bridge
Source VLAN ID	uint16	Source host’s VLAN identification number, if applicable.
Source OS Fingerprint UUID	uint8[16]	A fingerprint ID number that acts a unique identifier for the source host’s operating system. See Server Record for information about obtaining the values that map to the fingerprint IDs.
Source Criticality	uint16	User-defined criticality value for the source host: 0 — None 1 — Low 2 — Medium 3 — High
Source User ID	uint32	Identification number for the user logged into the source host, as identified by the system.
Source Port	uint16	Source port in the event.
Source Server ID	uint32	Identification number for the server running on the source host.
Destination IP Address	uint8[4]	IP address of the destination host associated with the policy violation (if applicable). This value will be 0 if there is no destination IP address.
Destination Host Type	uint8	Destination host’s type: 0 — Host 1 — Router 2 — Bridge
Destination VLAN ID	uint16	Destination host’s VLAN identification number, if applicable.
Destination OS Fingerprint UUID	uint8[16]	A fingerprint ID number that acts as a unique identifier for the destination host’s operating system. See Server Record for information about obtaining the values that map to the fingerprint IDs.
Destination Criticality	uint16	User-defined criticality value for the destination host: 0 — None 1 — Low 2 — Medium 3 — High
Destination User ID	uint32	Identification number for the user logged into the destination host, as identified by the system.
Destination Port	uint16	Destination port in the event.
Destination Service ID	uint32	Identification number for the server running on the source host.
Blocked	uint8	Value indicating what happened to the packet that triggered the intrusion event. 0 — Intrusion event not dropped 1 — Intrusion event was dropped (drop when deployment is inline, switched, or routed) 2 — The packet that triggered the event would have been dropped, if the intrusion policy had been applied to a device in inline, switched, or routed deployment.
Ingress Interface UUID	uint8[16]	An interface ID that acts as the unique identifier for the ingress interface associated with correlation event.
Egress Interface UUID	uint8[16]	An interface ID that acts as the unique identifier for the egress interface associated with correlation event.
Ingress Zone UUID	uint8[16]	A zone ID that acts as the unique identifier for the ingress security zone associated with correlation event.
Egress Zone UUID	uint8[16]	A zone ID that acts as the unique identifier for the egress security zone associated with correlation event.

The Event Defined Values describes each Event Defined Mask value.

Event Defined Values
Description	Mask Value
Event Impact Flags	0x00000001
IP Protocol	0x00000002
Network Protocol	0x00000004
Source IP	0x00000008
Source Host Type	0x00000010
Source VLAN ID	0x00000020
Source Fingerprint ID	0x00000040
Source Criticality	0x00000080
Source Port	0x00000100
Source Server	0x00000200
Destination IP	0x00000400
Destination Host Type	0x00000800
Destination VLAN ID	0x00001000
Destination Fingerprint ID	0x00002000
Destination Criticality	0x00004000
Destination Port	0x00008000
Destination Server	0x00010000
Source User	0x00020000
Destination User	0x00040000

Legacy Host Data Structures

To request these structures, you must use a Host Request Message. To request a legacy structure, the Host Request Message must use an older format. See Host Request Message Format for more information.

The following topics describe legacy host data structures, including both host profile and full host profile structures:

Full Host Profile Data Block 4.8

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#53427">Full Host Profile Data Block 4.9 - 4.10.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#10759">Full Host Profile Data Block 5.0 - 5.0.2

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#56861">Full Host Profile Data Block 5.1.1

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#13247">Full Host Profile Data Block 5.2.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#56606">Host Profile Data Block for 5.1.x

■ HREF="/c/en/us/td/docs/security/firesight/5311/api/estreamer/EventStreamerIntegrationGuide/AppBLegacyDataStructures.html#98083">IP Range Specification Data Block for 4.7.x - 5.1.1.x

Full Host Profile Data Block 4.8

The Full Host Profile data block contains a full set of data describing one host. The eStreamer server generates and transmits Full Host Profile data blocks in host request data messages, which it sends in response to host request messages submitted by the client. The full host profile data block for 4.8 has the format shown in the following graphic. Note that the graphic shows all fields in the record, but the content details of nested data blocks are omitted. For information about the fields in the encapsulated blocks, see the subsections of this guide that described the data block in question. The Full Host Profile Data Block for version 4.8 has a data block type value of 47.

An asterisk(*) next to a data block name in the following diagram indicates that multiple instances of the data block may occur.

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Full Host Profile Data Block (47)
	Data Block Length
	IP Address
	Hops								Confidence
	Confidence								Fingerprint UUID
	Fingerprint UUID, continued
	Fingerprint UUID, continued
	Fingerprint UUID, cont.								List Block Type (11)...
	List Block Type (11)...								List Block Length...
	List Block Length...								(TCP) Full Server Data Blocks *
	List Block Type (11)
	List Block Length
	(UDP) Full Server Data Blocks *
	List Block Type (11)
	List Block Length
	(Network) Protocol Data Blocks *
	List Block Type (11)
	List Block Length
	(Transport) Protocol Data Blocks *
	List Block Type (11)
	List Block Length
	Host MAC Address Data Blocks *
	Last Seen
	Host Type
	Business Criticality																VLAN ID
	VLAN Type								VLAN Priority								Generic List Block Type (31)
	Generic List Block Type, continued																Generic List Block Length
	Generic List Block Length, continued																Client Application Data Blocks *
NetBIOS Name	String Block Type (0)
	String Block Length
	NetBIOS Name String...
Notes Data	String Block Type (0)
	String Block Length
	Notes String....
	Generic List Block Type (31)
	Generic List Block Length
	(VDB) Host Vulnerability Data Blocks *
	Generic List Block Type (31)
	Generic List Block Length
	(Third Party Scan) Host Vulnerability Data Blocks *
	List Block Type (11)
	List Block Length
	Attribute Value Data Blocks *

The Full Host Profile Data Block 4.8 describes the components of the Full Host Profile record.

Full Host Profile Data Block 4.8
Field	Data Type	Description
IP Address	uint8[4]	IP address of the host, in IP address octets.
Hops	uint8	Number of network hops from the host to the detection device.
Confidence	uint32	Percentage of confidence of Sourcefire in correct identification of the host data.
Fingerprint UUID	uint8[16]	UUID of the OS Fingerprint
List Block Type	uint32	Initiates a List data block comprising Protocol data blocks conveying network protocol data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Protocol data blocks.
(Network) Protocol Data Blocks *	variable	List of Protocol data blocks conveying data about the network protocols on the host. See Protocol Data Block for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Protocol data blocks conveying transport protocol data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Protocol data blocks.
(Transport) Protocol Data Blocks *	variable	List of Protocol data blocks conveying data about the transport protocols on the host. See Protocol Data Block for a description of this data block.
List Block Type	uint32	Initiates a List data block containing Host MAC Address data blocks. This value is always 11.
List Block Length	uint32	Number of bytes in the list, including the list header and all encapsulated Host MAC Address data blocks.
Host MAC Address Data Blocks *	variable	List of MAC Address data blocks. See Host MAC Address 4.9+ for a description of this data block.
Last Seen	uint32	UNIX timestamp that represents the last time the system detected host activity.
Host Type	uint32	Indicates host type. Values include: 0 — host 1 — router 2 — bridge 3 — NAT (network address translation device) 4 — LB (load balancer)
Business Criticality	uint16	Indicates criticality of host to business.
VLAN ID	uint16	VLAN identification number that indicates which VLAN the host is a member of.
VLAN Type	uint8	Type of packet encapsulated in the VLAN tag.
VLAN Priority	uint8	Priority value included in the VLAN tag.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying Client Application data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Client Application data blocks.
Client Application Data Blocks *	variable	List of Client Application data blocks. See Host Client Application Data Block for 4.9.1 - 4.10.x for a description of this data block.
String Block Type	uint32	Initiates a String data block for the host NetBIOS name. This value is always 0.
String Block Length	uint32	Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name string.
NetBIOS Name	string	Host NetBIOS name string.
String Block Type	uint32	Initiates a String data block for host notes. This value is always 0.
String Block Length	uint32	Number of bytes in the notes String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the notes string.
Notes	string	Contains the contents of the Notes host attribute for the host.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying Sourcefire vulnerability data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
(VDB) Host Vulnerability Data Blocks *	variable	List of Host Vulnerability data blocks for vulnerabilities cataloged in the Sourcefire vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third party scan vulnerability data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
(Third Party Scan) Host Vulnerability Data Blocks *	variable	List of Host Vulnerability data blocks for vulnerabilities identified through a third party scanner. Note that the host vulnerability IDs for these data blocks are third party scanner IDs, not Sourcefire vulnerability IDs. See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Attribute Value data blocks conveying attribute data. This value is always 11.
List Block Length	uint32	Number of bytes in the List data block, including the list header and all encapsulated data blocks.
Attribute Value Data Blocks *	variable	List of Attribute Value data blocks. See Attribute Value Data Block for a description of this data block.

Full Host Profile Data Block 4.9 - 4.10.x

The Full Host Profile data block contains a full set of data describing one host. The eStreamer server generates and transmits Full Host Profile data blocks in host request data messages, which it sends in response to host request messages submitted by the client. The full host profile data block for 4.9 - 4.10.x has the format shown in the following graphic. Note that the graphic shows all fields in the record, but the content details of nested data blocks are omitted. For information about the fields in the encapsulated blocks, see the subsections of this guide that described the data block in question. The Full Host Profile Data Block for version 4.9 to 4.10.x has a data block type value of 92.

An asterisk(*) next to a data block name in the following diagram indicates that multiple instances of the data block may occur.

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Full Host Profile Data Block (92)
	Data Block Length
	IP Address
	Hops								Generic List Block Type (31)
	Generic List Block Type, continued								Generic List Block Length
Derived Fingerprints	Generic List Block Length, continued								Operating System Fingerprint Block Type (87)*
	OS Fingerprint Block Type (87)*, con’t								Operating System Fingerprint Block Length
	OS Fingerprint Block Length, con’t								Operating System Derived Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Server Fingerprints	Operating System Fingerprint Block Type (87)*
	Operating System Fingerprint Block Length
	Operating System Server Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Client Fingerprints	Operating System Fingerprint Block Type (87)*
	Operating System Fingerprint Block Length
	Operating System Client Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
VDB Native Fingerprints 1	Operating System Fingerprint Block Type (87)*
	Operating System Fingerprint Block Length
	Operating System SMB Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
VDB Native Fingerprints 2	Operating System Fingerprint Block Type (87)*
	Operating System Fingerprint Block Length
	Operating System DHCP Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
User Fingerprints	Operating System Fingerprint Block Type (87)*
	Operating System Fingerprint Block Length
	Operating System User Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Scan Fingerprints	Operating System Fingerprint Block Type (87)*
	Operating System Fingerprint Block Length
	Operating System Scan Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Application Fingerprints	Operating System Fingerprint Block Type (87)*
	Operating System Fingerprint Block Length
	Operating System Application Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Conflict Fingerprints	Operating System Fingerprint Block Type (87)*
	Operating System Fingerprint Block Length
	Operating System Conflict Fingerprint Data...
	List Block Type (11)...
	List Block Length...
	(TCP) Full Server Data Blocks *
	List Block Type (11)
	List Block Length
	(UDP) Full Server Data Blocks *
	List Block Type (11)
	List Block Length
	(Network) Protocol Data Blocks *
	List Block Type (11)
	List Block Length
	(Transport) Protocol Data Blocks *
	List Block Type (11)
	List Block Length
	Host MAC Address Data Blocks *
	Last Seen
	Host Type
	Business Criticality																VLAN ID
	VLAN Type								VLAN Priority								Generic List Block Type (31)
	Generic List Block Type, continued																Generic List Block Length
	Generic List Block Length, continued																Client Application Data Blocks *
NetBIOS Name	String Block Type (0)
	String Block Length
	NetBIOS Name String...
Notes Data	String Block Type (0)
	String Block Length
	Notes String....
	Generic List Block Type (31)
	Generic List Block Length
	(VDB) Host Vulnerability Data Blocks *
	Generic List Block Type (31)
	Generic List Block Length
	(Third Party/VDB) Host Vulnerability Data Blocks *
	Generic List Block Type (31)
	Generic List Block Length
	(Third Party Scan) Host Vulnerability Data Blocks *
	List Block Type (11)
	List Block Length
	Attribute Value Data Blocks *

The Full Host Profile Data Block 4.9 - 4.10.x describes the components of the Full Host Profile record.

Full Host Profile Data Block 4.9 - 4.10.x
Field	Data Type	Description
IP Address	uint8[4]	IP address of the host, in IP address octets.
Hops	uint8	Number of network hops from the host to the detection device.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data derived from the existing fingerprints for the host. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Derived Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host derived from the existing fingerprints for the host. See Operating System Fingerprint Data Block for 4.9.x - 5.0.2 for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a server fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Server Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using a server fingerprint. See Operating System Fingerprint Data Block for 4.9.x - 5.0.2 for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a client fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Client Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using a client fingerprint. See Operating System Fingerprint Data Block for 4.9.x - 5.0.2 for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a VDB fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (VDB Fingerprint 1) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using the fingerprints in the Sourcefire vulnerability database (VDB). See Operating System Fingerprint Data Block for 4.9.x - 5.0.2 for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a Sourcefire VDB fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (VDB Fingerprint 2) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using the fingerprints in the Sourcefire vulnerability database (VDB). See Operating System Fingerprint Data Block for 4.9.x - 5.0.2 for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by a user. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (User Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host added by a user. See Operating System Fingerprint Data Block for 4.9.x - 5.0.2 for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by a vulnerability scanner. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Scan Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host added by a vulnerability scanner. See Operating System Fingerprint Data Block for 4.9.x - 5.0.2 for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by an application. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Application Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host added by an application. See Operating System Fingerprint Data Block for 4.9.x - 5.0.2 for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data selected through fingerprint conflict resolution. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Conflict Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host selected through fingerprint conflict resolution. See Operating System Fingerprint Data Block for 4.9.x - 5.0.2 for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Full Server data blocks conveying TCP server data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Full Server data blocks.
(TCP) Full Server Data Blocks *	variable	List of Full Server data blocks conveying data about the TCP services on the host. See Full Host Server Data Block 4.10.0+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Full Server data blocks conveying UDP service data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Full Server data blocks.
(UDP) Full Server Data Blocks *	variable	List of Full Server data blocks conveying data about the UDP services on the host. See Full Host Server Data Block 4.10.0+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Protocol data blocks conveying network protocol data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Protocol data blocks.
(Network) Protocol Data Blocks *	variable	List of Protocol data blocks conveying data about the network protocols on the host. See Protocol Data Block for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Protocol data blocks conveying transport protocol data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Protocol data blocks.
(Transport) Protocol Data Blocks *	variable	List of Protocol data blocks conveying data about the transport protocols on the host. See Protocol Data Block for a description of this data block.
List Block Type	uint32	Initiates a List data block containing Host MAC Address data blocks. This value is always 11.
List Block Length	uint32	Number of bytes in the list, including the list header and all encapsulated Host MAC Address data blocks.
Host MAC Address Data Blocks *	variable	List of MAC Address data blocks. See Host MAC Address 4.9+ for a description of this data block.
Last Seen	uint32	UNIX timestamp that represents the last time the system detected host activity.
Host Type	uint32	Indicates host type. Values include: 0 — host 1 — router 2 — bridge 3 — NAT (network address translation device) 4 — LB (load balancer)
Business Criticality	uint16	Indicates criticality of host to business.
VLAN ID	uint16	VLAN identification number that indicates which VLAN the host is a member of.
VLAN Type	uint8	Type of packet encapsulated in the VLAN tag.
VLAN Priority	uint8	Priority value included in the VLAN tag.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying Client Application data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Client Application data blocks.
Client Application Data Blocks *	variable	List of Client Application data blocks. See Host Client Application Data Block for 4.9.1 - 4.10.x for a description of this data block.
String Block Type	uint32	Initiates a String data block for the host NetBIOS name. This value is always 0.
String Block Length	uint32	Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name string.
NetBIOS Name	string	Host NetBIOS name string.
String Block Type	uint32	Initiates a String data block for host notes. This value is always 0.
String Block Length	uint32	Number of bytes in the notes String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the notes string.
Notes	string	Contains the contents of the Notes host attribute for the host.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying Sourcefire vulnerability data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
(VDB) Host Vulnerability Data Blocks *	variable	List of Host Vulnerability data blocks for vulnerabilities cataloged in the Sourcefire vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third-party scan vulnerability data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
(Third Party Scan/VDB) Host Vulnerability Data Blocks *	variable	Host Vulnerability data blocks sourced from a third party scanner and containing information about host vulnerabilities cataloged in the Sourcefire vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third party scan vulnerability data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
(Third Party Scan) Host Vulnerability Data Blocks *	variable	List of Host Vulnerability data blocks for vulnerabilities identified through a third party scanner. Note that the host vulnerability IDs for these data blocks are third party scanner IDs, not Sourcefire vulnerability IDs. See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Attribute Value data blocks conveying attribute data. This value is always 11.
List Block Length	uint32	Number of bytes in the List data block, including the list header and all encapsulated data blocks.
Attribute Value Data Blocks *	variable	List of Attribute Value data blocks. See Attribute Value Data Block for a description of this data block.

Full Host Profile Data Block 5.0 - 5.0.2

The Full Host Profile data block for version 5.0 - 5.0.2 contains a full set of data describing one host. It has the format shown in the graphic below and explained in the following table. Note that, except for List data blocks, the graphic does not show the fields of the encapsulated data blocks. These encapsulated data blocks are described separately in Understanding Discovery & Connection Data Structures. The Full Host Profile data block a block type value of 111.

An asterisk(*) next to a block name in the following diagram indicates that multiple instances of the data block may occur.

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Full Host Profile Data Block (111)
	Data Block Length
	IP Address
	Hops								Generic List Block Type (31)
	Generic List Block Type, continued								Generic List Block Length
OS Derived Fingerprints	Generic List Block Length, continued								Operating System Fingerprint Block Type (130)*
	OS Fingerprint Block Type (130)*, con’t								Operating System Fingerprint Block Length
	OS Fingerprint Block Length, con’t								Operating System Derived Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Server Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System Server Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Client Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System Client Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
VDB Native Fingerprints 1	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System VDB Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
VDB Native Fingerprints 2	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System VDB Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
User Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System User Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Scan Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System Scan Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Application Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System Application Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Conflict Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System Conflict Fingerprint Data...
(TCP) Full Server Data	List Block Type (11)...
	List Block Length...
	(TCP) Full Server Data Blocks (104)*
(UDP) Full Server Data	List Block Type (11)
	List Block Length
	(UDP) Full Server Data Blocks (104)*
Network Protocol Data	List Block Type (11)
	List Block Length
	(Network) Protocol Data Blocks (4)*
Transport Protocol Data	List Block Type (11)
	List Block Length
	(Transport) Protocol Data Blocks (4)*
MAC Address Data	List Block Type (11)
	List Block Length
	Host MAC Address Data Blocks (95)*
	Last Seen
	Host Type
	Business Criticality																VLAN ID
	VLAN Type								VLAN Priority								Generic List Block Type (31)
Host Client Data	Generic List Block Type, continued																Generic List Block Length
Host Client Data	Generic List Block Length, continued																Full Host Client Application Data Blocks (112)*
NetBIOS Name	String Block Type (0)
	String Block Length
	NetBIOS Name String...
Notes Data	String Block Type (0)
	String Block Length
	Notes String....
(VDB) Host Vulns	Generic List Block Type (31)
	Generic List Block Length
	(VDB) Host Vulnerability Data Blocks (85)*
3rd Pty/VDB) Host Vulns	Generic List Block Type (31)
	Generic List Block Length
	(Third Party/VDB) Host Vulnerability Data Blocks (85)*
3rd Pty Scan Host Vulns	Generic List Block Type (31)
	Generic List Block Length
	(Third Party Scan) Host Vulnerability Data Blocks with Original Vuln IDs (85)*
Attribute Value Data	List Block Type (11)
	List Block Length
	Attribute Value Data Blocks *

The Full Host Profile Record 5.0 - 5.0.2 Fields describes the components of the Full Host Profile for 5.0 - 5.0.2record.

Full Host Profile Record 5.0 - 5.0.2 Fields
Field	Data Type	Description
IP Address	uint8[4]	IP address of the host, in IP address octets.
Hops	uint8	Number of network hops from the host to the device.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data derived from the existing fingerprints for the host. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Derived Fingerprint Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host derived from the existing fingerprints for the host. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a server fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Server Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using a server fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a client fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Client Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using a client fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a Sourcefire VDB fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (VDB) Native Fingerprint 1) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using the fingerprints in the Sourcefire vulnerability database (VDB). See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a Sourcefire VDB fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (VDB) Native Fingerprint 2) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using the fingerprints in the Sourcefire vulnerability database (VDB). See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by a user. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (User Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host added by a user. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by a vulnerability scanner. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Scan Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host added by a vulnerability scanner. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by an application. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Application Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host added by an application. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data selected through fingerprint conflict resolution. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Conflict Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host selected through fingerprint conflict resolution. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Full Server data blocks conveying TCP service data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Full Server data blocks.
(TCP) Full Server Data Blocks *	variable	List of Full Server data blocks conveying data about the TCP services on the host. See Full Host Server Data Block 4.10.0+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Full Server data blocks conveying UDP service data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Full Server data blocks.
(UDP) Full Server Data Blocks *	variable	List of Full Server data blocks conveying data about the UDP sub-servers on the host. See Full Host Server Data Block 4.10.0+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Protocol data blocks conveying network protocol data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Protocol data blocks.
(Network) Protocol Data Blocks *	variable	List of Protocol data blocks conveying data about the network protocols on the host. See Protocol Data Block for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Protocol data blocks conveying transport protocol data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Protocol data blocks.
(Transport) Protocol Data Blocks *	variable	List of Protocol data blocks conveying data about the transport protocols on the host. See Protocol Data Block for a description of this data block.
List Block Type	uint32	Initiates a List data block containing Host MAC Address data blocks. This value is always 11.
List Block Length	uint32	Number of bytes in the list, including the list header and all encapsulated Host MAC Address data blocks.
Host MAC Address Data Blocks *	variable	List of Host MAC Address data blocks. See Host MAC Address 4.9+ for a description of this data block.
Last Seen	uint32	UNIX timestamp that represents the last time the system detected host activity.
Host Type	uint32	Indicates host type. Values include: 0 — host 1 — router 2 — bridge 3 — NAT (network address translation device) 4 — LB (load balancer)
Business Criticality	uint16	Indicates criticality of host to business.
VLAN ID	uint16	VLAN identification number that indicates which VLAN the host is a member of.
VLAN Type	uint8	Type of packet encapsulated in the VLAN tag.
VLAN Priority	uint8	Priority value included in the VLAN tag.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying Client Application data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Client Application data blocks.
Full Host Client Application Data Blocks *	variable	List of Client Application data blocks. See Full Host Client Application Data Block 5.0+ for a description of this data block.
String Block Type	uint32	Initiates a String data block for the host NetBIOS name. This value is always 0.
String Block Length	uint32	Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name string.
NetBIOS Name	string	Host NetBIOS name string.
String Block Type	uint32	Initiates a String data block for host notes. This value is always 0.
String Block Length	uint32	Number of bytes in the notes String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the notes string.
Notes	string	Contains the contents of the Notes host attribute for the host.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying VDB vulnerability data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
(VDB) Host Vulnerability Data Blocks *	variable	List of Host Vulnerability data blocks for vulnerabilities identified in the Sourcefire vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third-party scan vulnerability data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
(Third Party/VDB) Host Vulnerability Data Blocks *	variable	Host Vulnerability data blocks sourced from a third party scanner and containing information about host vulnerabilities cataloged in the Sourcefire vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third party scan vulnerability data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
(Third Party Scan) Host Vulnerability Data Blocks *	variable	Host Vulnerability data blocks sourced from a third party scanner. Note that the host vulnerability IDs for these data blocks are the third party scanner IDs, not Sourcefire-detected IDs. See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Attribute Value data blocks conveying attribute data. This value is always 11.
List Block Length	uint32	Number of bytes in the List data block, including the list header and all encapsulated data blocks.
Attribute Value Data Blocks *	variable	List of Attribute Value data blocks. See Attribute Value Data Block for a description of the data blocks in this list.

Full Host Profile Data Block 5.1.1

The Full Host Profile data block for version 5.1.1 contains a full set of data describing one host. It has the format shown in the graphic below and explained in the following table. Note that, except for List data blocks, the graphic does not show the fields of the encapsulated data blocks. These encapsulated data blocks are described separately in Understanding Discovery & Connection Data Structures. The Full Host Profile data block a block type value of 135 It deprecates data block 111.

An asterisk(*) next to a block name in the following diagram indicates that multiple instances of the data block may occur.

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Full Host Profile Data Block (135)
	Data Block Length
	IP Address
	Hops								Generic List Block Type (31)
	Generic List Block Type, continued								Generic List Block Length
OS Derived Fingerprints	Generic List Block Length, continued								Operating System Fingerprint Block Type (130)*
	OS Fingerprint Block Type (130)*, con’t								Operating System Fingerprint Block Length
	OS Fingerprint Block Length, con’t								Operating System Derived Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Server Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System Server Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Client Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System Client Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
VDB Native Fingerprints 1	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System VDB Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
VDB Native Fingerprints 2	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System VDB Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
User Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System User Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Scan Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System Scan Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Application Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System Application Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Conflict Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System Conflict Fingerprint Data...
(TCP) Full Server Data	List Block Type (11)...
	List Block Length...
	(TCP) Full Server Data Blocks (104)*
(UDP) Full Server Data	List Block Type (11)
	List Block Length
	(UDP) Full Server Data Blocks (104)*
Network Protocol Data	List Block Type (11)
	List Block Length
	(Network) Protocol Data Blocks (4)*
Transport Protocol Data	List Block Type (11)
	List Block Length
	(Transport) Protocol Data Blocks (4)*
MAC Address Data	List Block Type (11)
	List Block Length
	Host MAC Address Data Blocks (95)*
	Last Seen
	Host Type
	Business Criticality																VLAN ID
	VLAN Type								VLAN Priority								Generic List Block Type (31)
Host Client Data	Generic List Block Type, continued																Generic List Block Length
Host Client Data	Generic List Block Length, continued																Full Host Client Application Data Blocks (112)*
NetBIOS Name	String Block Type (0)
	String Block Length
	NetBIOS Name String...
Notes Data	String Block Type (0)
	String Block Length
	Notes String....
(VDB) Host Vulns	Generic List Block Type (31)
	Generic List Block Length
	(VDB) Host Vulnerability Data Blocks (85)*
3rd Pty/VDB) Host Vulns	Generic List Block Type (31)
	Generic List Block Length
	(Third Party/VDB) Host Vulnerability Data Blocks (85)*
3rd Pty Scan Host Vulns	Generic List Block Type (31)
	Generic List Block Length
	(Third Party Scan) Host Vulnerability Data Blocks with Original Vuln IDs (85)*
Attribute Value Data	List Block Type (11)
	List Block Length
	Attribute Value Data Blocks *
	Mobile								Jailbroken								VLAN Presence

The Full Host Profile Record 5.1.1 Fields describes the components of the Full Host Profile for 5.1.1 record.

Full Host Profile Record 5.1.1 Fields
Field	Data Type	Description
IP Address	uint8[4]	IP address of the host, in IP address octets.
Hops	uint8	Number of network hops from the host to the device.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data derived from the existing fingerprints for the host. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Derived Fingerprint Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host derived from the existing fingerprints for the host. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a server fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Server Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using a server fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a client fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Client Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using a client fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a Sourcefire VDB fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (VDB) Native Fingerprint 1) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using the fingerprints in the Sourcefire vulnerability database (VDB). See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a Sourcefire VDB fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (VDB) Native Fingerprint 2) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using the fingerprints in the Sourcefire vulnerability database (VDB). See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by a user. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (User Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host added by a user. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by a vulnerability scanner. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Scan Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host added by a vulnerability scanner. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by an application. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Application Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host added by an application. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data selected through fingerprint conflict resolution. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Conflict Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host selected through fingerprint conflict resolution. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Full Server data blocks conveying TCP service data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Full Server data blocks.
(TCP) Full Server Data Blocks *	variable	List of Full Server data blocks conveying data about the TCP services on the host. See Full Host Server Data Block 4.10.0+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Full Server data blocks conveying UDP service data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Full Server data blocks.
(UDP) Full Server Data Blocks *	variable	List of Full Server data blocks conveying data about the UDP sub-servers on the host. See Full Host Server Data Block 4.10.0+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Protocol data blocks conveying network protocol data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Protocol data blocks.
(Network) Protocol Data Blocks *	variable	List of Protocol data blocks conveying data about the network protocols on the host. See Protocol Data Block for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Protocol data blocks conveying transport protocol data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Protocol data blocks.
(Transport) Protocol Data Blocks *	variable	List of Protocol data blocks conveying data about the transport protocols on the host. See Full Host Server Data Block 4.10.0+ for a description of this data block.
List Block Type	uint32	Initiates a List data block containing Host MAC Address data blocks. This value is always 11.
List Block Length	uint32	Number of bytes in the list, including the list header and all encapsulated Host MAC Address data blocks.
Host MAC Address Data Blocks *	variable	List of Host MAC Address data blocks. See Host MAC Address 4.9+ for a description of this data block.
Last Seen	uint32	UNIX timestamp that represents the last time the system detected host activity.
Host Type	uint32	Indicates host type. Values include: 0 — host 1 — router 2 — bridge 3 — NAT (network address translation device) 4 — LB (load balancer)
Business Criticality	uint16	Indicates criticality of host to business.
VLAN ID	uint16	VLAN identification number that indicates which VLAN the host is a member of.
VLAN Type	uint8	Type of packet encapsulated in the VLAN tag.
VLAN Priority	uint8	Priority value included in the VLAN tag.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying Client Application data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Client Application data blocks.
Full Host Client Application Data Blocks *	variable	List of Client Application data blocks. See Full Host Client Application Data Block 5.0+ for a description of this data block.
String Block Type	uint32	Initiates a String data block for the host NetBIOS name. This value is always 0.
String Block Length	uint32	Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name string.
NetBIOS Name	string	Host NetBIOS name string.
String Block Type	uint32	Initiates a String data block for host notes. This value is always 0.
String Block Length	uint32	Number of bytes in the notes String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the notes string.
Notes	string	Contains the contents of the Notes host attribute for the host.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying VDB vulnerability data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
(VDB) Host Vulnerability Data Blocks *	variable	List of Host Vulnerability data blocks for vulnerabilities identified in the Sourcefire vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third-party scan vulnerability data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
(Third Party/VDB) Host Vulnerability Data Blocks *	variable	Host Vulnerability data blocks sourced from a third party scanner and containing information about host vulnerabilities cataloged in the Sourcefire vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third party scan vulnerability data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
(Third Party Scan) Host Vulnerability Data Blocks *	variable	Host Vulnerability data blocks sourced from a third party scanner. Note that the host vulnerability IDs for these data blocks are the third party scanner IDs, not Sourcefire-detected IDs. See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Attribute Value data blocks conveying attribute data. This value is always 11.
List Block Length	uint32	Number of bytes in the List data block, including the list header and all encapsulated data blocks.
Attribute Value Data Blocks *	variable	List of Attribute Value data blocks. See Attribute Value Data Block for a description of the data blocks in this list.
Mobile	uint8	A true-false flag indicating whether the operating system is running on a mobile device.
Jailbroken	uint8	A true-false flag indicating whether the mobile device operating system is jailbroken.
VLAN Presence	uint8	Indicates whether a VLAN is present: 0 — Yes 1 — No

Full Host Profile Data Block 5.2.x

The Full Host Profile data block for version 5.2.x contains a full set of data describing one host. It has the format shown in the graphic below and explained in the following table. Note that, except for List data blocks, the graphic does not show the fields of the encapsulated data blocks. These encapsulated data blocks are described separately in Understanding Discovery & Connection Data Structures. The Full Host Profile data block a block type value of 140. It supersedes the prior version, which has a block type of 135.

An asterisk (*) next to a block name in the following diagram indicates that multiple instances of the data block may occur.

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Full Host Profile Data Block (140)
	Data Block Length
	Host ID
	Host ID, continued
	Host ID, continued
	Host ID, continued
IP Addresses	List Block Type (11)
	List Block Length
	IP Address Data Blocks (143)*
	Hops								Generic List Block Type (31)
	Generic List Block Type, continued								Generic List Block Length
OS Derived Fingerprints	Generic List Block Length, continued								Operating System Fingerprint Block Type (130)*
	OS Fingerprint Block Type (130)*, con’t								Operating System Fingerprint Block Length
	OS Fingerprint Block Length, con’t								Operating System Derived Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Server Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System Server Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Client Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System Client Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
VDB Native Fingerprints 1	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System VDB Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
VDB Native Fingerprints 2	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System VDB Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
User Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System User Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Scan Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System Scan Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Application Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System Application Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Conflict Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System Conflict Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Mobile Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System Mobile Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
IPv6 Server Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System IPv6 Server Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Ipv6 Client Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System Ipv6 Client Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
Ipv6 DHCP Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System IPv6 DHCP Fingerprint Data...
	Generic List Block Type (31)
	Generic List Block Length
User Agent Fingerprints	Operating System Fingerprint Block Type (130)*
	Operating System Fingerprint Block Length
	Operating System User Agent Fingerprint Data...
(TCP) Full Server Data	List Block Type (11)...
	List Block Length...
	(TCP) Full Server Data Blocks (104)*
(UDP) Full Server Data	List Block Type (11)
	List Block Length
	(UDP) Full Server Data Blocks (104)*
Network Protocol Data	List Block Type (11)
	List Block Length
	(Network) Protocol Data Blocks (4)*
Transport Protocol Data	List Block Type (11)
	List Block Length
	(Transport) Protocol Data Blocks (4)*
MAC Address Data	List Block Type (11)
	List Block Length
	Host MAC Address Data Blocks (95)*
	Last Seen
	Host Type
	Business Criticality																VLAN ID
	VLAN Type								VLAN Priority								Generic List Block Type (31)
Host Client Data	Generic List Block Type, continued																Generic List Block Length
Host Client Data	Generic List Block Length, continued																Full Host Client Application Data Blocks (112)*
NetBios Name Name	String Block Type (0)
	String Block Length
	NetBIOS Name String...
Notes Data	String Block Type (0)
	String Block Length
	Notes String....
(VDB) Host Vulns	Generic List Block Type (31)
	Generic List Block Length
	(VDB) Host Vulnerability Data Blocks (85)*
3rd Pty/VDB) Host Vulns	Generic List Block Type (31)
	Generic List Block Length
	(Third Party/VDB) Host Vulnerability Data Blocks (85)*
3rd Pty Scan Host Vulns	Generic List Block Type (31)
	Generic List Block Length
	(Third Party Scan) Host Vulnerability Data Blocks with Original Vuln IDs (85)*
Attribute Value Data	List Block Type (11)
	List Block Length
	Attribute Value Data Blocks *
	Mobile								Jailbroken

The Full Host Profile Record 5.2.x Fields describes the components of the Full Host Profile for 5.2.x record.

Full Host Profile Record 5.2.x Fields
Field	Data Type	Description
Host ID	uint8[16]	Unique ID number of the host. This is a UUID.
List Block Type	uint32	Initiates a List data block comprising IP address data blocks conveying TCP service data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated IP address data blocks.
IP Address	variable	IP addresses of the host and when each IP address was last seen. See Host IP Address Data Block for a description of this data block.
Hops	uint8	Number of network hops from the host to the device.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data derived from the existing fingerprints for the host. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Derived Fingerprint Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host derived from the existing fingerprints for the host. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a server fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Server Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using a server fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a client fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Client Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using a client fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a Sourcefire VDB fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (VDB) Native Fingerprint 1) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using the fingerprints in the Sourcefire vulnerability database (VDB). See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a Sourcefire VDB fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (VDB) Native Fingerprint 2) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using the fingerprints in the Sourcefire vulnerability database (VDB). See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by a user. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (User Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host added by a user. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by a vulnerability scanner. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Scan Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host added by a vulnerability scanner. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data added by an application. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Application Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host added by an application. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data selected through fingerprint conflict resolution. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Conflict Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host selected through fingerprint conflict resolution. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying mobile device fingerprint data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Mobile) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a mobile device host. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an IPv6 server fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (IPv6 Server Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using an IPv6 server fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an IPv6 client fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (IPv6 Client Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using an IPv6 client fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an IPv6 DHCP fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (IPv6 DHCP) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using an IPv6 DHCP fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a user agent fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (User Agent) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using a user agent fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Full Server data blocks conveying TCP service data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Full Server data blocks.
(TCP) Full Server Data Blocks *	variable	List of Full Server data blocks conveying data about the TCP services on the host. See Full Host Server Data Block 4.10.0+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Full Server data blocks conveying UDP service data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Full Server data blocks.
(UDP) Full Server Data Blocks *	variable	List of Full Server data blocks conveying data about the UDP sub-servers on the host. See Full Host Server Data Block 4.10.0+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Protocol data blocks conveying network protocol data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Protocol data blocks.
(Network) Protocol Data Blocks *	variable	List of Protocol data blocks conveying data about the network protocols on the host. See Protocol Data Block for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Protocol data blocks conveying transport protocol data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus the length of all encapsulated Protocol data blocks.
(Transport) Protocol Data Blocks *	variable	List of Protocol data blocks conveying data about the transport protocols on the host. See Protocol Data Block for a description of this data block.
List Block Type	uint32	Initiates a List data block containing Host MAC Address data blocks. This value is always 11.
List Block Length	uint32	Number of bytes in the list, including the list header and all encapsulated Host MAC Address data blocks.
Host MAC Address Data Blocks *	variable	List of Host MAC Address data blocks. See Host MAC Address 4.9+ for a description of this data block.
Last Seen	uint32	UNIX timestamp that represents the last time the system detected host activity.
Host Type	uint32	Indicates host type. Values include: 0 — host 1 — router 2 — bridge 3 — NAT (network address translation device) 4 — LB (load balancer)
Business Criticality	uint16	Indicates criticality of host to business.
VLAN ID	uint16	VLAN identification number that indicates which VLAN the host is a member of.
VLAN Type	uint8	Type of packet encapsulated in the VLAN tag.
VLAN Priority	uint8	Priority value included in the VLAN tag.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying Client Application data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Client Application data blocks.
Full Host Client Application Data Blocks *	variable	List of Client Application data blocks. See Full Host Client Application Data Block 5.0+ for a description of this data block.
String Block Type	uint32	Initiates a String data block for the host NetBIOS name. This value is always 0.
String Block Length	uint32	Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name string.
NetBIOS Name	string	Host NetBIOS name string.
String Block Type	uint32	Initiates a String data block for host notes. This value is always 0.
String Block Length	uint32	Number of bytes in the notes String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the notes string.
Notes	string	Contains the contents of the Notes host attribute for the host.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying VDB vulnerability data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
(VDB) Host Vulnerability Data Blocks *	variable	List of Host Vulnerability data blocks for vulnerabilities identified in the Sourcefire vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third-party scan vulnerability data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
(Third Party/VDB) Host Vulnerability Data Blocks *	variable	Host Vulnerability data blocks sourced from a third party scanner and containing information about host vulnerabilities cataloged in the Sourcefire vulnerability database (VDB). See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Host Vulnerability data blocks conveying third party scan vulnerability data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated data blocks.
(Third Party Scan) Host Vulnerability Data Blocks *	variable	Host Vulnerability data blocks sourced from a third party scanner. Note that the host vulnerability IDs for these data blocks are the third party scanner IDs, not Sourcefire-detected IDs. See Host Vulnerability Data Block 4.9.0+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Attribute Value data blocks conveying attribute data. This value is always 11.
List Block Length	uint32	Number of bytes in the List data block, including the list header and all encapsulated data blocks.
Attribute Value Data Blocks *	variable	List of Attribute Value data blocks. See Attribute Value Data Block for a description of the data blocks in this list.
Mobile	uint8	A true-false flag indicating whether the operating system is running on a mobile device.
Jailbroken	uint8	A true-false flag indicating whether the mobile device operating system is jailbroken.

Host Profile Data Block for 5.1.x

The following diagram shows the format of a Host Profile data block. The data block also does not include a host criticality value, but does include a VLAN presence indicator. In addition, a data block can convey a NetBIOS name for the host. The Host Profile data block has a block type of 132.

An asterisk(*) next to a block type field in the following diagram indicates the message may contain zero or more instances of the series 1 data block.

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Host Profile Block Type (132)
	Host Profile Block Length
	IP Address
Server Fingerprints	Hops								Primary/Secondary								Generic List Block Type (31)
	Generic List Block Type, continued																Generic List Block Length
	Generic List Block Length, continued																Server Fingerprint Data Blocks*
Client Fingerprints	Generic List Block Type (31)
	Generic List Block Length
	Client Fingerprint Data Blocks*
SMB Fingerprints	Generic List Block Type (31)
	Generic List Block Length
	SMB Fingerprint Data Blocks*
DHCP Fingerprints	Generic List Block Type (31)
	Generic List Block Length
	DHCP Fingerprint Data Blocks*
Mobile Device Fingerprints	Generic List Block Type (31)
	Generic List Block Length
	Mobile Device Fingerprint Data Blocks*
TCP Server Block*	List Block Type (11)																																List of TCP Servers
	List Block Length
	TCP Server Data Blocks
UDP Server Block*	List Block Type (11)																																List of UDP Servers
	List Block Length
	UDP Server Data Blocks
Network Protocol Block*	List Block Type (11)																																List of Network Protocols
	List Block Length
	Network Protocol Data Blocks
Transport Protocol Block*	List Block Type (11)																																List of Transport Protocols
	List Block Length
	Transport Protocol Data Blocks
MAC Address Block*	List Block Type (11)																																List of MAC Addresses
	List Block Length
	Host MAC Address Data Blocks
	Host Last Seen
	Host Type
	Mobile								Jailbroken								VLAN Presence								VLAN ID
Client App Data	VLAN ID, cont.								VLAN Type								VLAN Priority								Generic List Block Type (31)								List of Client Applications
	Generic List Block Type (31), cont.																								Generic List Block Length
	Generic List Block Length, cont.																								Client Application Data Blocks
NetBIOS Name	String Block Type (0)
	String Block Length
	NetBIOS String Data...

The Host Profile Data Block 5.1.x Fields describes the fields of the host profile data block returned by version 5.1.x

Host Profile Data Block 5.1.x Fields
Field	Data Type	Description
Host Profile Block Type	uint32	Initiates the Host Profile data block for 5.1.x. This value is always 132.
Host Profile Block Length	uint32	Number of bytes in the Host Profile data block, including eight bytes for the host profile block type and length fields, plus the number of bytes included in the host profile data that follows.
IP Address	uint8[4]	IP address of the host described in the profile, in IP address octets.
Hops	uint8	Number of hops from the host to the device.
Primary/ Secondary	uint8	Indicates whether the host is in the primary or secondary network of the device that detected it: 0 — host is in the primary network. 1 — host is in the secondary network.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a server fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Server Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using a server fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a client fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Client Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using a client fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an SMB fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (SMB Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using an SMB fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a DHCP fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (DHCP Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using a DHCP fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a DHCP fingerprint. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks.
Operating System Fingerprint (Mobile Device Fingerprint) Data Blocks *	variable	Operating System Fingerprint data blocks containing information about the operating system on a host identified using a mobile device fingerprint. See Operating System Fingerprint Data Block 5.1+ for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Server data blocks conveying TCP server data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Server data blocks. This field is followed by zero or more Server data blocks.
TCP Server Data Blocks	variable	Host server data blocks describing a TCP server. See Host Server Data Block for Version 4.9.0.x for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Server data blocks conveying UDP server data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Server data blocks. This field is followed by zero or more Server data blocks.
UDP Server Data Blocks	uint32	Host server data blocks describing a UDP server. See Host Server Data Block for Version 4.9.0.x for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Protocol data blocks conveying network protocol data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Protocol data blocks. This field is followed by zero or more Protocol data blocks.
Network Protocol Data Blocks	uint32	Protocol data blocks describing a network protocol. See Protocol Data Block for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising Protocol data blocks conveying transport protocol data. This value is always 11.
List Block Length	uint32	Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Protocol data blocks. This field is followed by zero or more transport protocol data blocks.
Transport Protocol Data Blocks	uint32	Protocol data blocks describing a transport protocol. See Protocol Data Block for a description of this data block.
List Block Type	uint32	Initiates a List data block comprising MAC Address data blocks. This value is always 11.
List Block Length	uint32	Number of bytes in the list, including the list header and all encapsulated MAC Address data blocks.
Host MAC Address Data Blocks	uint32	Host MAC Address data blocks describing a host MAC address. See Host MAC Address 4.9+ for a description of this data block.
Host Last Seen	uint32	UNIX timestamp that represents the last time the system detected host activity.
Host Type	uint32	Indicates the host type. The following values may appear: 0 — host 1 — router 2 — bridge 3 — NAT device 4 — LB (load balancer)
Mobile	uint8	True-false flag indicating whether the host is a mobile device.
Jailbroken	uint8	True-false flag indicating whether the host is a mobile device that is also jailbroken.
VLAN Presence	uint8	Indicates whether a VLAN is present: 0 — Yes 1 — No
VLAN ID	uint16	VLAN identification number that indicates which VLAN the host is a member of.
VLAN Type	uint8	Type of packet encapsulated in the VLAN tag.
VLAN Priority	uint8	Priority value included in the VLAN tag.
Generic List Block Type	uint32	Initiates a Generic List data block comprising Client Application data blocks conveying client application data. This value is always 31.
Generic List Block Length	uint32	Number of bytes in the Generic List data block, including the list header and all encapsulated client application data blocks.
Client Application Data Blocks	uint32	Client application data blocks describing a client application. See Full Host Client Application Data Block 5.0+ for a description of this data block.
String Block Type	uint32	Initiates a string data block for the NetBIOS name. This value is set to 0 to indicate string data.
String Block Length	uint32	Indicates the number of bytes in the NetBIOS name data block, including eight bytes for the string block type and length, plus the number of bytes in the NetBIOS name.
NetBIOS String Data	Variable	Contains the NetBIOS name of the host described in the host profile.

IP Range Specification Data Block for 4.7.x - 5.1.1.x

The IP Range Specification data block conveys a range of IP addresses. IP Range Specification data blocks are used in User Protocol, User Client Application, Address Specification, User Product, User Server, User Hosts, User Vulnerability, User Criticality, and User Attribute Value data blocks. The IP Range Specification data block has a block type of 61.

The following diagram shows the format of the IP Range Specification data block:

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	IP Range Specification Block Type (61)
	IP Range Specification Block Length
	IP Range Start
	IP Range End

The IP Range Specification Data Block Fields describes the components of the IP Range Specification data block.

IP Range Specification Data Block Fields
Field	Data Type	Description
IP Range Specification Block Type	uint32	Initiates a IP Range Specification data block. This value is always 61.
IP Range Specification Block Length	uint32	Total number of bytes in the IP Range Specification data block, including eight bytes for the IP Range Specification block type and length fields, plus the number of bytes of IP range specification data that follows.
IP Range Specification Start	uint32	The starting IP address for the IP address range.
IP Range Specification End	uint32	The ending IP address for the IP address range.

Legacy Metadata Structures

The following legacy data structures apply to versions of the system before 5.1:

Detection Engine Record for 4.6.1 - 4.10.x

The eStreamer service transmits metadata containing device information for an event within a Detection Engine record, the format of which is shown below.

The Detection Engine for 4.6.1+ contains the same fields as the Detection Engine record for 4.6 but has a new UUID field. Detection Engine information is sent when the Version 3 or Version 4 metadata flag—bit 15 or bit 20 in the Request Flags field of a request message—is set. See Request Flags. The Record Type field has a value of 68.

Byte	0								1								2								3
Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
	Header Version (1)																Message Type (4)
	Message Length
	Record Type (68)
	Record Length
	Detection Engine ID
	Name Length																Name...
	Description Length
	Description...
	Type Length
	Type...
Managed Device UUID	Detection Engine UUID
	Detection Engine UUID, continued
	Detection Engine UUID, continued
	Detection Engine UUID, continued

The Detection Engine Record Fields describes the fields in the Detection Engine Record.

Detection Engine Record Fields
Field	Data Type	Description
Detection Engine ID	uint32	The detection engine ID number.
Name Length	uint16	The number of bytes included in the detection engine name.
Name	string	The name of the detection engine that detected the event.
Description Length	uint16	The number of bytes included in the detection engine description.
Description	string	The description of the detection engine that detected the event.
Type Length	uint16	The number of bytes included in the detection engine type.
Type	string	The type of the detection engine that detected the event.
UUID	uint8[16]	A detection engine ID number that acts as a unique identifier for the detection engine.

FireSIGHT System eStreamer Integration Guide v5.3.1

Bias-Free Language

Results

Chapter: Understanding Legacy Data Structures

Legacy Intrusion Data Structures

Intrusion Event (IPv4) Record for 4.9 - 4.10.x

Intrusion Event (IPv4) Record 4.9 - 4.10.x Fields

Intrusion Event (IPv6) Record for 4.10.2.3

Intrusion Event (IPv6) Record 4.10.2.3+ Fields

Intrusion Event (IPv4) Record 5.0.x - 5.1

Intrusion Event (IPv4) Record Fields

Intrusion Event (IPv6) Record 5.0.x - 5.1

Intrusion Event (IPv6) Record Fields

Intrusion Event Record 5.2.x

Intrusion Event Record 5.2.x Fields

Intrusion Event Record 5.1.1.x

Intrusion Event Record 5.1.1 Fields

Legacy Malware Event Data Structures

Malware Event Data Block 5.1

Malware Event Data Block Fields

Malware Event Data Block 5.1.1.x

Malware Event Data Block for 5.1.1.x Fields

Malware Event Data Block 5.2.x

Malware Event Data Block for 5.2.x Fields

Legacy Discovery Data Structures

Legacy Discovery Event Header

Discovery Event Header 4.8.0.2-5.1.1.x

Discovery Event Header Fields

Legacy Server Data Blocks

Host Server Data Block for Version 4.9.0.x

Host Server Data 4.9.0.x Fields

Web Application Data Block for 4.9.1 - 4.10.x

Web Application Data Block Fields

Host Server Data Block for 4.9.1.x

Host Server Data Fields 4.9.1.x

Full Server Data Block for 4.9.0.x

:

Full Server Data Block 4.9.0.x Fields

Full Server Data Block for 4.9.1.x

::

Full Server Data Block 4.9.1.x Fields

Server Information Data Block for 4.9.1 and Earlier

Server Information Data Block 4.9.1 and Earlier Fields

Attribute Address Data Block for 4.5.x - 5.1.1.x

Attribute Address Data Block Fields

Legacy Client Application Data Blocks

Host Client Application Data Block for 3.5 - 4.9.0.x

Client Application Data Block 3.5 - 4.9.0.x Fields

Host Client Application Data Block for 4.9.1 - 4.10.x

Client Application Data Block for 4.9.1 - 4.10.x Fields

User Client Application Data Block for 5.1 and earlier

User Client Application Data Block Fields

Legacy Scan Result Data Blocks

Generic Scan Results Data Block for 4.9.1.x and earlier

Generic Scan Result Data Block for 4.9.1.x and earlier Fields

Scan Result Data Block for 4.6.1 - 4.9.1.x

Scan Result Data Block for 4.6.1 - 4.9.1.x Fields

Scan Result Data Block 4.10.0 - 5.1.1.x

Scan Result Data Block Fields

Scan Vulnerability Data Block for 4.9 - 4.9.1.x

Scan Vulnerability Data Block for 4.9 - 4.9.1.x Fields

User Product Data Block for 4.10.x, 5.0 - 5.0.x

User Product Data Block Fields for 4.10.x, 5.0-5.0.x

Legacy Vulnerability Blocks

User Vulnerability Data Block 4.7 - 4.10.x

User Vulnerability Data Block Fields

Legacy User Login Data Blocks

User Login Information Data Block for 5.0 - 5.0.2

User Login Information Data Block Fields 5.0 - 5.0.2

Legacy Host Profile Data Blocks

Host Profile Data Block for 4.9.x - 5.0.2

Host Profile Data Block for 4.9 - 5.0.2 Fields

Legacy OS Fingerprint Data Blocks

Operating System Fingerprint Data Block for 4.9.x - 5.0.2

Operating System Fingerprint Data Block Fields

Legacy Connection Data Structures

Connection Statistics Data Block for 4.7 - 4.9.0.x

Host Client A pplication Data Block for 3.5 - 4.9.0.x

Host Client A pplication Data Block for 4.9.1 - 4.10.x