This appendix contains data structure examples for selected intrusion, correlation, and discovery events. Each example is displayed in binary format to clearly display how each bit is set.
This section contains examples of data structures that may be transmitted by eStreamer for intrusion events. The following examples are provided:
The following diagram shows an example event record:
In the preceding example, the following event information appears:
The following diagram shows an example intrusion impact alert record:
In the preceding example, the following information appears:
| | |
|---|---|
| | The first two bytes of this line indicate the standard header value of |
| | This line indicates that the message that follows is |
| | The first bit of this line is a flag indicating that the header is not an extended header containing an archive timestamp. The next 15 bits are an optional field containing the Netmap ID for the domain on which the event was detected. The remainder of the line indicates a record type value of |
| | This line indicates that the data that follows is |
| | This line contains a value of |
| | This line indicates that the length of the impact alert block, including the impact alert block header, is |
| | This line indicates that the event identification number is |
| | This line indicates that the event is collected from device number |
| | This line indicates that the event occurred at second |
| | This line indicates that |
| | This line indicates that the IP address associated with the violation event is |
| | This line indicates that there is no destination IP address associated with the violation (values are set to |
| | This line indicates that a string block follows, containing a string block length and a text string which, in this case, contains the impact name. For more information about string blocks, see String Data Block. |
| | This line indicates that the total length of the string block, including the string block indicator and length, is |
| | This line indicates that the description of the impact is “Vulnerable.” |
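The record type field and the string block described above, decoded in a short added example (not Cisco's code). It assumes a 32-bit big-endian (network byte order) record type field split as 1 flag bit, 15 Netmap ID bits and 16 record type bits, and a string block made of a 4-byte block type, a 4-byte total length that includes both header words, and the text; the sample block type value is constructed.

```python
import struct

def decode_record_type(word: bytes) -> dict:
    """Split the record type field into flag, Netmap ID and record type.
    Assumed layout: bit 31 = archive-timestamp (extended header) flag,
    bits 30..16 = 15-bit Netmap ID, bits 15..0 = record type, big-endian."""
    (value,) = struct.unpack("!I", word)
    return {
        "extended_header": bool(value >> 31),
        "netmap_id": (value >> 16) & 0x7FFF,
        "record_type": value & 0xFFFF,
    }

def encode_record_type(extended: bool, netmap_id: int, record_type: int) -> bytes:
    """Inverse of decode_record_type; rejects values that do not fit their field."""
    if not 0 <= netmap_id < 0x8000 or not 0 <= record_type < 0x10000:
        raise ValueError("Netmap ID or record type out of range")
    return struct.pack("!I", (int(extended) << 31) | (netmap_id << 16) | record_type)

def parse_string_block(buf: bytes, offset: int = 0) -> tuple:
    """Parse one string block at offset: (block_type, text, next_offset).
    The length word counts the indicator and length words themselves, so it
    must be at least 8 and must not run past the end of the buffer."""
    if len(buf) - offset < 8:
        raise ValueError("truncated string block header")
    block_type, block_len = struct.unpack_from("!II", buf, offset)
    if block_len < 8 or offset + block_len > len(buf):
        raise ValueError("string block length inconsistent with buffer")
    text = buf[offset + 8:offset + block_len].decode("utf-8", errors="replace")
    return block_type, text, offset + block_len

# Constructed sample: block type 0 is a placeholder, not a real eStreamer value.
SAMPLE_STRING_BLOCK = struct.pack("!II", 0, 8 + len(b"Vulnerable")) + b"Vulnerable"

if __name__ == "__main__":
    print(decode_record_type(encode_record_type(False, 5, 9)))
    print(parse_string_block(SAMPLE_STRING_BLOCK))
```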
The following diagram shows an example packet record:
In the preceding example, the following packet information appears:
The following diagram shows an example classification record:
In the preceding example, the following event information appears:
The following example shows a sample priority record:
In the preceding example, the following event information appears:
The following example shows a sample rule record:
In the preceding example, the following event information appears:
The following diagram shows an example connection statistics record: