The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The Sourcefire Event Streamer (also known as eStreamer) allows you to stream Sourcefire 3D System intrusion, discovery, and connection data from the Sourcefire Defense Center or managed device (also referred to as the eStreamer server) to external client applications.
Note that eStreamer is not supported on virtual devices. To stream events from a virtual device, you can configure eStreamer on the Defense Center that the device reports to.
eStreamer uses a custom application layer protocol to communicate with connected client applications. As the purpose of eStreamer is simply to return data that the client requests, the majority of this guide describes the eStreamer formats for the requested data.
There are three major steps to creating and integrating an eStreamer client with a Sourcefire 3D System:
This guide provides the information you need to successfully create and run an eStreamer Version 5.3 client application.
If you are upgrading your Sourcefire 3D System deployment to Version 5.3, please note the following changes, some of which may require you to update your eStreamer client:
■pact alerts can now handle IPv6 events. See Intrusion Impact Alert Data 5.3+ for more information. Added the following data structures:
• Added IOC State Data Block for 5.3+ to provide information on the dynamic analysis of files.
• Added IOC Name Data Block for 5.3+ to provide information about Indications of Compromise (IOCs).
• Replaced Full Host Profile Data Block 5.2.x with Full Host Profile Data Block 5.3+, which has new fields supporting IOC information.
• Replaced Connection Statistics Data Block 5.2.x with Connection Statistics Data Block 5.3.1+, which has fields for NetFlow support.
• Replaced Malware Event Data Block 5.2.x with Malware Event Data Block 5.3.1+, which has new fields supporting IOC information.
• Replaced File Event for 5.2.x with File Event for 5.3.1+, which has new fields supporting IOC information.
• Replaced Intrusion Event Record 5.2.x with Intrusion Event Record 5.3.1+, which has new fields supporting IOC information.
At the highest level, the eStreamer service is a mechanism for streaming data from the Sourcefire 3D System to a requesting client. The service can stream the following categories of data:
■rrelation (compliance) event data
Descriptions of the data structures returned by eStreamer make up the majority of this book. The chapters in the book are:
■apter 3, Understanding Intrusion and Correlation Data Structures, which documents the data formats used to return event data generated by the intrusion detection and correlation components and the data formats used to represent the intrusion and correlation events.
■apter 4, Understanding Discovery & Connection Data Structures, which documents the data formats used to return discovery, user, and connection event data.
■apter 5, Understanding Host Data Structures, which documents the data formats that eStreamer uses to return full host information data when it receives a host information request message.
■apter 6, Configuring eStreamer, which documents how to configure the eStreamer on a Defense Center or managed device. The chapter also documents the eStreamer command-line switches and provides instructions for manually starting and stopping the eStreamer service and for configuring the Defense Center or managed device to start eStreamer automatically.
■pendix A, Data Structure Examples, which provides examples of eStreamer message packets in binary format.
To understand the information in this guide, you should be familiar with the features and nomenclature of the Sourcefire 3D System and the function of its components in general, and with the different types of event data these components generate in particular. Definitions of unfamiliar or product-specific terms can frequently be obtained from the Sourcefire 3D System eStreamer Integration Guide.
Version numbers are used throughout this guide to describe the data format for events generated by the Sourcefire Device and Defense Center. The Sourcefire 3D System Product Versions lists versions for each product by major release.
The eStreamer Message Data Type Conventions lists the names used in this book to describe the various data field formats employed in eStreamer messages. Numeric constants used by the eStreamer service are typically unsigned integer values. Bit fields use low-order bits unless otherwise noted. For example, in a one byte field containing five bits of flag data, the low-order five bits will contain the data.
The Sourcefire database stores IPv4 and IPv6 addresses in the same fields in a BINARY format. To get IPv6 addresses, convert to hex notation, for example: 20010db8000000000000000000004321. The database follows the RFC for storing IPv4 addresses by filling in bits 80-95 with 1’s, which yields an invalid IPv6 address. For example, the IPv4 address 10.5.15.1 would be stored as 00000000000000000000FFFF0A050F01.