    Understanding Discovery & Connection Data Structures

    This chapter provides details about the data structures used in eStreamer messages for discovery and connection events, as well as the metadata for those events. Discovery and connection event messages use the same general message format and series of data blocks; the differences are in the contents of data blocks themselves.

    Discovery events include two sub-categories of events:

    • Host discovery events, which identify new and changed hosts on your managed network, including the applications running on those hosts (detected from packet contents) and the hosts' vulnerabilities.
    • User events, which report the detection of new users and of user activity, such as logins.

    Connection events report information about the session traffic between your monitored hosts and all other hosts. Connection information includes the first and last packet of the transaction, source and destination IP address, source and destination port, and the number of packets and bytes sent and received. If applicable, connection events also report the client application and URL involved in the session.

    For information about requesting discovery or connection events from the eStreamer server, see Request Flags.

    For information about the general structure of eStreamer event data messages, see Understanding the Organization of Event Data Messages.

    See the following sections in this chapter for more information about discovery and connection event data structures:

    Tip: See the "Data Structure Examples" section for examples that illustrate sample discovery events.


    Discovery and Connection Event Data Messages

    eStreamer packages the data for discovery and connection events in the same message structure, which contains:

    Discovery and Connection Event Record Types

    The following table lists the event record types for host discovery and connection events, including the metadata record types, and names the section that describes the message structure for each. Many records carry a single data block that holds the record's payload; the Contains Block Type and Series columns identify that block. Series 1 blocks carry most kinds of data, and series 2 blocks carry discovery data specifically. The Record Status column shows whether a version is current (the latest) or legacy (superseded by a later version, but still available on request from eStreamer). Note that one record type can appear more than once with different block types: record type 71 (Connection Statistics) is listed with block types 144, 152, 154, 155, 157, 160 and 163, one per Firepower release, so a consumer must dispatch on the block type, not the record type alone, to pick the right layout.

     

    Table 4-1 Discovery and Connection Event Record Types

    Record Type | Contains Block Type | Series | Description | Record Status | Data Format Described in...
    10 | 139 | 1 | New Host Detected | Current | New Host and Host Last Seen Messages
    11 | 103 | 1 | New TCP Server | Current | Server Messages
    12 | 103 | 1 | New UDP Server | Current | Server Messages
    13 | 4 | 1 | New Network Protocol | Current | New Network Protocol Message
    14 | 4 | 1 | New Transport Protocol | Current | New Transport Protocol Message
    15 | 122 | 1 | New Client Application | Current | Client Application Messages
    16 | 103 | 1 | TCP Server Information Update | Current | Server Messages
    17 | 103 | 1 | UDP Server Information Update | Current | Server Messages
    18 | 53 | 1 | OS Information Update | Current | Operating System Update Messages
    19 | N/A | N/A | Host Timeout | Current | IP Address Reused and Host Timeout/Deleted Messages
    20 | N/A | N/A | Host IP Address Reused | Current | IP Address Reused and Host Timeout/Deleted Messages
    21 | N/A | N/A | Host Deleted: Host Limit Reached | Current | IP Address Reused and Host Timeout/Deleted Messages
    22 | N/A | N/A | Hops Change | Current | Hops Change Message
    23 | N/A | N/A | TCP Port Closed | Current | TCP and UDP Port Closed/Timeout Messages
    24 | N/A | N/A | UDP Port Closed | Current | TCP and UDP Port Closed/Timeout Messages
    25 | N/A | N/A | TCP Port Timeout | Current | TCP and UDP Port Closed/Timeout Messages
    26 | N/A | N/A | UDP Port Timeout | Current | TCP and UDP Port Closed/Timeout Messages
    27 | N/A | N/A | MAC Information Change | Current | MAC Address Messages
    28 | N/A | N/A | Additional MAC Detected for Host | Current | MAC Address Messages
    29 | N/A | N/A | Host IP Address Changed | Current | IP Address Change Message
    31 | N/A | N/A | Host Identified as Router/Bridge | Current | Host Identified as a Bridge/Router Message
    34 | 14 | 1 | VLAN Tag Information Update | Current | VLAN Tag Information Update Messages
    35 | 122 | 1 | Client Application Timeout | Current | Client Application Messages
    42 | 35 | 1 | NetBIOS Name Change | Current | Change NetBIOS Name Message
    44 | N/A | N/A | Host Dropped: Host Limit Reached | Current | IP Address Reused and Host Timeout/Deleted Messages
    45 | 37 | 1 | Update Banner | Current | Update Banner Message
    46 | 55 | 1 | Add Host Attribute | Current | Attribute Messages
    47 | 55 | 1 | Update Host Attribute | Current | Attribute Messages
    48 | 55 | 1 | Delete Host Attribute | Current | Attribute Messages
    51 | 103 | 1 | TCP Server Confidence Update | Legacy | Server Messages
    52 | 103 | 1 | UDP Server Confidence Update | Legacy | Server Messages
    53 | 53 | 1 | OS Confidence Update | Legacy | Operating System Update Messages
    54 | N/A | N/A | Fingerprint Metadata | Current | Fingerprint Record
    55 | N/A | N/A | Client Application Metadata | Current | Client Application Record
    57 | N/A | N/A | Vulnerability Metadata | Current | Vulnerability Record
    58 | N/A | N/A | Criticality Metadata | Current | Criticality Record
    59 | N/A | N/A | Network Protocol Metadata | Current | Network Protocol Record
    60 | N/A | N/A | Attribute Metadata | Current | Attribute Record
    61 | N/A | N/A | Scan Type Metadata | Current | Scan Type Record
    63 | N/A | N/A | Server Metadata | Current | Service Record
    71 | 144 | 1 | Connection Statistics | Legacy | Connection Statistics Data Block 5.2.x
    71 | 152 | 1 | Connection Statistics | Legacy | Connection Statistics Data Block 5.3
    71 | 154 | 1 | Connection Statistics | Legacy | Connection Statistics Data Block 5.3.1
    71 | 155 | 1 | Connection Statistics | Legacy | Connection Statistics Data Block 5.4
    71 | 157 | 1 | Connection Statistics | Legacy | Connection Statistics Data Block 5.4.1
    71 | 160 | 1 | Connection Statistics | Legacy | Connection Statistics Data Block 6.0.x
    71 | 163 | 1 | Connection Statistics | Current | Connection Statistics Data Block 6.2+
    73 | 136 | 1 | Connection Chunks | Current | Connection Chunk Message
    74 | N/A | N/A | User Set OS | Current | User Server and Operating System Messages
    75 | N/A | N/A | User Set Server | Current | User Server and Operating System Messages
    76 | 83 | 1 | User Delete Protocol | Current | User Protocol Messages
    77 | 60 | 1 | User Delete Client Application | Current | User Client Application Messages
    78 | 78 | 1 | User Delete Address | Current | User Add and Delete Host Messages
    79 | 77 | 1 | User Delete Server | Current | User Delete Server Message
    80 | 80 | 1 | User Set Valid Vulnerabilities | Current | User Set Vulnerabilities Messages for Version 4.6.1+
    81 | 80 | 1 | User Set Invalid Vulnerabilities | Current | User Set Vulnerabilities Messages for Version 4.6.1+
    82 | 81 | 1 | User Set Host Criticality | Current | User Set Host Criticality Messages
    83 | 55 | 1 | User Set Attribute Value | Current | Attribute Value Messages
    84 | 82 | 1 | User Delete Attribute Value | Current | Attribute Value Messages
    85 | 78 | 1 | User Add Host | Current | User Add and Delete Host Messages
    86 | N/A | N/A | User Add Server | Current | User Server and Operating System Messages
    87 | 60 | 1 | User Add Client Application | Current | User Client Application Messages
    88 | 83 | 1 | User Add Protocol | Current | User Protocol Messages
    89 | 142 | 1 | User Add Scan Result | Current | Add Scan Result Messages
    90 | N/A | N/A | Source Type Record | Current | Source Type Record
    91 | N/A | N/A | Source Application Record | Current | Source Application Record
    92 | 120 | 1 | User Dropped Change Event | Current | User Modification Messages
    93 | 120 | 1 | User Removed Change Event | Current | User Modification Messages
    94 | 120 | 1 | New User Identification Event | Current | User Modification Messages
    95 | 121 | 1 | User Login Change Event | Current | User Information Update Message Block
    96 | N/A | N/A | Source Detector Record | Current | Source Detector Record
    98 | 57 | 2 | User Record | Current | User Record
    101 | N/A | N/A | New OS Event | Current | New Operating System Messages
    102 | 94 | 1 | Identity Conflict Event | Current | Identity Conflict and Identity Timeout System Messages
    103 | 94 | 1 | Identity Timeout Event | Current | Identity Conflict and Identity Timeout System Messages
    106 | N/A | N/A | Third Party Scanner Vulnerability Record | Current | Third Party Scanner Vulnerability Record
    107 | 122 | 1 | Client Application Update | Current | Client Application Messages
    109 | N/A | N/A | Web Application Record | Current | Web Application Record
    114 | 121 | 1 | Failed User Login Event | Current | User Information Update Message Block
    115 | N/A | N/A | Security Zone Name Record | Current | Security Zone Name Record
    116 | 14 | 2 | Interface Name Record | Current | Interface Name Record
    117 | 14 | 2 | Access Control Policy Name Metadata | Current | Access Control Policy Name Record
    118 | 14 | 2 | Intrusion Policy Name Record | Current | Intrusion Policy Name Record
    119 | 14 | 2 | Access Control Rule ID Record | Current | Access Control Rule ID Record Metadata
    120 | N/A | N/A | Access Control Rule Action Record | Current | Access Control Rule Action Record Metadata
    121 | N/A | N/A | URL Category Record | Current | URL Category Record Metadata
    122 | N/A | N/A | URL Reputation Metadata | Current | URL Reputation Record Metadata
    124 | 21 | 2 | Access Control Rule Reason Metadata | Current | Access Control Rule Reason Metadata
    145 | 64 | 2 | Access Control Policy Metadata | Current | Access Control Policy Metadata
    146 | 64 | 2 | Prefilter Policy Metadata | Current | Prefilter Policy Metadata
    147 | 21 | 2 | Tunnel or Prefilter Rule Metadata | Current | Tunnel or Prefilter Rule Metadata
    160 | 7 | 1 | Host IOC Set Messages | Current | Host IOC Set Messages
    161 | 39 | 2 | IOC Name Data Block for 5.3+ | Current | IOC Name Data Block for 5.3+
    162 | 148 | 1 | User Host IOC Delete | Current | User IOC Change Data Block 5.3+
    163 | 148 | 1 | User Host IOC Enable | Current | User IOC Change Data Block 5.3+
    164 | 148 | 1 | User Host IOC Disable | Current | User IOC Change Data Block 5.3+
    170 | 95 | 1 | VPN User Login Event | Current | User Information Update Message Block
    171 | 95 | 1 | VPN User Logoff Event | Current | User Information Update Message Block
    280 | 22 | 2 | Security Intelligence Category Metadata | Current | Security Intelligence Category Metadata
    281 | N/A | N/A | Security Intelligence Source/Destination Record | Current | Security Intelligence Source/Destination Record

    Metadata for Discovery Events

    You request metadata by metadata version number. For the metadata version that corresponds to your version of the Firepower System, see Understanding Metadata. For important information on how eStreamer streams metadata records, see Metadata Transmission.

    For information on the structures of the various metadata record types for host discovery and user event records, see:

    For metadata records for intrusion and correlation events, see Intrusion Event and Metadata Record Types.

    Fingerprint Record

    The eStreamer service transmits the fingerprint metadata for an event within a Fingerprint record, the format of which is shown below. (Fingerprint metadata is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 54, indicating a Fingerprint record.

     

    Byte layout (offsets and sizes in bytes, from the start of the message):

    Offset  Size  Field
    0       2     Header Version (1)
    2       2     Message Type (4)
    4       4     Message Length
    8       2     Netmap ID
    10      2     Record Type (54)
    12      4     Record Length
    16      16    Fingerprint UUID
    32      4     OS Name Length
    36      var   OS Name...
    var     4     OS Vendor Length
    var     var   OS Vendor...
    var     4     OS Version Length
    var     var   OS Version...

    The following table describes the fields in the Fingerprint record.

    Table 4-2 Fingerprint Record Fields

    Field | Data Type | Description
    Fingerprint UUID | uint8[16] | A fingerprint ID number that acts as a unique identifier for the operating system. This field is the unique key for this record.
    OS Name Length | uint32 | The number of bytes included in the operating system name.
    OS Name | string | The name of the operating system for the fingerprint.
    OS Vendor Length | uint32 | The number of bytes included in the operating system vendor name.
    OS Vendor | string | The name of the operating system vendor for the fingerprint.
    OS Version Length | uint32 | The number of bytes included in the operating system version.
    OS Version | string | The version of the operating system for the fingerprint.

    Client Application Record

    The eStreamer service transmits the client application metadata for an event within a Client Application record, the format of which is shown below. (Client application metadata is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 55, indicating a Client Application record.

     

    Byte layout (offsets and sizes in bytes, from the start of the message):

    Offset  Size  Field
    0       2     Header Version (1)
    2       2     Message Type (4)
    4       4     Message Length
    8       2     Netmap ID
    10      2     Record Type (55)
    12      4     Record Length
    16      4     Application ID
    20      4     Name Length
    24      var   Name...

    The following table describes the fields in the Client Application record.

    Table 4-3 Client Application Record Fields

    Field | Data Type | Description
    Application ID | uint32 | The application ID number for the client application. This field is the unique key for this record.
    Name Length | uint32 | The number of bytes included in the name.
    Name | string | The client application name.

    Vulnerability Record

    The eStreamer service transmits metadata containing vulnerability information for an event within a Vulnerability record, the format of which is shown below. (Vulnerability information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 57, indicating a Vulnerability record.

     

    Byte layout (offsets and sizes in bytes, from the start of the message):

    Offset  Size  Field
    0       2     Header Version (1)
    2       2     Message Type (4)
    4       4     Message Length
    8       2     Netmap ID
    10      2     Record Type (57)
    12      4     Record Length
    16      4     Vulnerability ID
    20      4     Impact
    24      1     Exploits
    25      1     Remote
    26      4     Entry Date Length
    30      var   Entry Date...
    var     4     Published Date Length
    var     var   Published Date...
    var     4     Modified Date Length
    var     var   Modified Date...
    var     4     Title Length
    var     var   Title...
    var     4     Short Description Length
    var     var   Short Description...
    var     4     Description Length
    var     var   Description...
    var     4     Technical Description Length
    var     var   Technical Description...
    var     4     Solution Length
    var     var   Solution...

    The following table describes the fields in the Vulnerability record.

    Table 4-4 Vulnerability Record Fields

    Field | Data Type | Description
    Vulnerability ID | uint32 | The vulnerability ID number. This field is the unique key for this record.
    Impact | uint32 | The vulnerability impact, corresponding to the impact level determined through correlation of intrusion data, host discovery events, and vulnerability assessments. The value can be from 1 to 10, with 10 being the most severe. The impact value of a vulnerability is determined by the writer of the Bugtraq entry.
    Exploits | uint8 | Indicates whether known exploits exist for the vulnerability: 0 = Yes, 1 = No.
    Remote | uint8 | Indicates whether the vulnerability can be exploited across a network: 0 = Yes, 1 = No, blank = vulnerability to remote exploits unknown.
    Entry Date Length | uint32 | The length of the entry date field.
    Entry Date | string | The date the vulnerability was entered in the database.
    Published Date Length | uint32 | The length of the published date field.
    Published Date | string | The date the vulnerability was published.
    Modified Date Length | uint32 | The length of the modified date field.
    Modified Date | string | The date of the most recent modification to the vulnerability, if applicable.
    Title Length | uint32 | The length of the title field.
    Title | string | The title of the vulnerability.
    Short Description Length | uint32 | The length of the short description field.
    Short Description | string | A summary description of the vulnerability.
    Description Length | uint32 | The length of the description field.
    Description | string | A general description of the vulnerability.
    Technical Description Length | uint32 | The length of the technical description field.
    Technical Description | string | The technical description of the vulnerability.
    Solution Length | uint32 | The length of the solution field.
    Solution | string | The solution to the vulnerability.

    Criticality Record

    The eStreamer service transmits metadata containing host criticality information for an event within a Criticality record, the format of which is shown below. (Criticality information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 58, indicating a Criticality record.

     

    Byte layout (offsets and sizes in bytes, from the start of the message):

    Offset  Size  Field
    0       2     Header Version (1)
    2       2     Message Type (4)
    4       4     Message Length
    8       2     Netmap ID
    10      2     Record Type (58)
    12      4     Record Length
    16      4     Criticality ID
    20      4     Name Length
    24      var   Name...

    The following table describes the fields in the Criticality record.

    Table 4-5 Criticality Record Fields

    Field | Data Type | Description
    Criticality ID | uint32 | The criticality ID number. This field is the unique key for this record.
    Name Length | uint32 | The number of bytes included in the criticality level.
    Name | string | The criticality level.

    Network Protocol Record

    The eStreamer service transmits metadata containing network protocol information for an event within a Network Protocol record, the format of which is shown below. (Network protocol information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 59, indicating a Network Protocol record.

     

    Byte layout (offsets and sizes in bytes, from the start of the message):

    Offset  Size  Field
    0       2     Header Version (1)
    2       2     Message Type (4)
    4       4     Message Length
    8       2     Netmap ID
    10      2     Record Type (59)
    12      4     Record Length
    16      4     Network Protocol ID
    20      4     Name Length
    24      var   Name...

    The following table describes the fields in the Network Protocol record.

    Table 4-6 Network Protocol Record Fields

    Field | Data Type | Description
    Network Protocol ID | uint32 | The network protocol ID number. This field is the unique key for this record.
    Name Length | uint32 | The number of bytes included in the network protocol name.
    Name | string | The name of the network protocol.

    Attribute Record

    The eStreamer service transmits metadata containing attribute information for an event within an Attribute record, the format of which is shown below. (Attribute information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 60, indicating an Attribute record.

     

    Byte layout (offsets and sizes in bytes, from the start of the message):

    Offset  Size  Field
    0       2     Header Version (1)
    2       2     Message Type (4)
    4       4     Message Length
    8       2     Netmap ID
    10      2     Record Type (60)
    12      4     Record Length
    16      4     Attribute ID
    20      4     Name Length
    24      var   Name...

    The following table describes the fields in the Attribute record.

    Table 4-7 Attribute Record Fields

    Field | Data Type | Description
    Attribute ID | uint32 | The attribute ID number. This field is the unique key for this record.
    Name Length | uint32 | The number of bytes included in the attribute name.
    Name | string | The name of the attribute.

    Scan Type Record

    The eStreamer service transmits metadata containing scan type information for an event within a Scan Type record, the format of which is shown below. (Scan type information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 61, indicating a Scan Type record.

     

    Byte layout (offsets and sizes in bytes, from the start of the message):

    Offset  Size  Field
    0       2     Header Version (1)
    2       2     Message Type (4)
    4       4     Message Length
    8       2     Netmap ID
    10      2     Record Type (61)
    12      4     Record Length
    16      4     Scan Type ID
    20      4     Name Length
    24      var   Name...

    The following table describes the fields in the Scan Type record.

    Table 4-8 Scan Type Record Fields

    Field | Data Type | Description
    Scan Type ID | uint32 | The scan type ID number. This field is the unique key for this record.
    Name Length | uint32 | The number of bytes included in the scan type name.
    Name | string | The name of the scan type.

    Service Record

    The eStreamer service transmits metadata containing service information for an event within a Service record, the format of which is shown below. The application ID of the service’s application protocol provides the cross-reference to the metadata. (Service information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 63, indicating a Service record.

     

    Byte layout (offsets and sizes in bytes, from the start of the message):

    Offset  Size  Field
    0       2     Header Version (1)
    2       2     Message Type (4)
    4       4     Message Length
    8       2     Netmap ID
    10      2     Record Type (63)
    12      4     Record Length
    16      4     Application ID
    20      4     Name Length
    24      var   Name...

    The following table describes the fields in the Service record.

    Table 4-9 Service Record Fields

    Field | Data Type | Description
    Application ID | uint32 | The application ID number of the application protocol. This field is the unique key for this record.
    Name Length | uint32 | The number of bytes included in the service name.
    Name | string | The name of the application protocol. For application ID 65535, the name is unknown.

    Source Type Record

    The eStreamer service transmits metadata containing information about the source application for an event within a Source Type record, the format of which is shown below. (Source type information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 90, indicating a Source Type record.

     

    Byte layout (offsets and sizes in bytes, from the start of the message):

    Offset  Size  Field
    0       2     Header Version (1)
    2       2     Message Type (4)
    4       4     Message Length
    8       2     Netmap ID
    10      2     Record Type (90)
    12      4     Record Length
    16      4     Source Type ID
    20      4     Name Length
    24      var   Name...

    The following table describes the fields in the Source Type record.

    Table 4-10 Source Type Record Fields

    Field | Data Type | Description
    Source Type ID | uint32 | The identification number for the source type. This field is the unique key for this record.
    Name Length | uint32 | The number of bytes included in the source type name.
    Name | string | The name of the source type.

    Source Application Record

    The eStreamer service transmits metadata containing information about the source application for a host discovery event within a Source Application record, the format of which is shown below. (Source application information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 91, indicating a Source Application record.

     

    Byte layout (offsets and sizes in bytes, from the start of the message):

    Offset  Size  Field
    0       2     Header Version (1)
    2       2     Message Type (4)
    4       4     Message Length
    8       2     Netmap ID
    10      2     Record Type (91)
    12      4     Record Length
    16      4     Source Application ID
    20      4     Name Length
    24      var   Name...

    The following table describes the fields in the Source Application record.

    Table 4-11 Source Application Record Fields

    Field | Data Type | Description
    Source Application ID | uint32 | The ID number for the source application. This field is the unique key for this record.
    Name Length | uint32 | The number of bytes included in the source application name.
    Name | string | The name of the source application.

    Source Detector Record

    The eStreamer service transmits metadata containing information about the source detector for a host discovery event within a Source Detector record, the format of which is shown below. (Source detector information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 96, indicating a Source Detector record.

     

    Byte layout (offsets and sizes in bytes, from the start of the message):

    Offset  Size  Field
    0       2     Header Version (1)
    2       2     Message Type (4)
    4       4     Message Length
    8       2     Netmap ID
    10      2     Record Type (96)
    12      4     Record Length
    16      4     Source Detector ID
    20      4     Name Length
    24      var   Name...

    The following table describes the fields in the Source Detector record.

    Table 4-12 Source Detector Record Fields

    Field | Data Type | Description
    Source Detector ID | uint32 | The ID number for the source detector. This field is the unique key for this record.
    Name Length | uint32 | The number of bytes included in the source detector name.
    Name | string | The name of the source detector.

    Third Party Scanner Vulnerability Record

    The eStreamer service transmits metadata containing third-party vulnerability information for an event within a Third Party Scanner Vulnerability record, the format of which is shown below. (Vulnerability information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 106, indicating a Third Party Scanner Vulnerability record.

     

    Byte:  0 | 1 | 2 | 3   (bits 0-31; each row below is one 32-bit word)
    Header Version (1)             | Message Type (4)
    Message Length
    Netmap ID                      | Record Type (106)
    Record Length
    Vulnerability ID
    Scanner Type
    Title Length
    Title...
    Description Length
    Description...
    CVE ID Length
    CVE ID...
    BugTraq ID Length
    BugTraq ID...

    The following table describes the fields in the Third Party Scanner Vulnerability record.

    Table 4-13 Third Party Scanner Vulnerability Record Fields

    Vulnerability ID (uint32): The third-party vulnerability ID number. This field, along with Scanner Type, makes up the unique key for this record.
    Scanner Type (uint32): The third-party scanner type. This field, along with Vulnerability ID, makes up the unique key for this record.
    Title Length (uint32): The length of the title field.
    Title (string): The title of the vulnerability.
    Description Length (uint32): The length of the description field.
    Description (string): A general description of the vulnerability.
    CVE ID Length (uint32): The length of the CVE ID field.
    CVE ID (string): The Common Vulnerabilities and Exposures (CVE) ID number for the vulnerability.
    BugTraq ID Length (uint32): The length of the BugTraq ID field.
    BugTraq ID (string): The BugTraq ID number for the vulnerability.

    User Record

    The eStreamer service transmits metadata containing information about users detected by the system within a User record, the format of which is shown below. (User information is sent when the Version 4 metadata flag and the policy event request flag—bits 20 and 22, respectively, in the Request Flags field of a request message—are set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 98, indicating a User record.

    Byte:  0 | 1 | 2 | 3   (bits 0-31; each row below is one 32-bit word)
    Header Version (1)             | Message Type (4)
    Message Length
    Netmap ID                      | Record Type (98)
    Record Length
    User Data Block Type (57)
    User Data Block Length
    User ID
    Protocol
    String Block Type (0)
    String Block Length
    Username...

    The following table describes the fields in the User record.

    Table 4-14 User Record Fields

    User Data Block Type (uint32): Initiates a User Data block. This value is always 57. The block type is a series 2 block.
    User Data Block Length (uint32): Length of the data block, including the number of bytes of data plus the 8 bytes in the two data block header fields.
    User ID (uint32): The unique identifier for the user. This field is the unique key for this record.
    Protocol (uint32): Protocol used to detect or report the user. Possible values are:

    • 165 - FTP
    • 426 - SIP
    • 547 - AOL Instant Messenger
    • 683 - IMAP
    • 710 - LDAP
    • 767 - NTP
    • 773 - Oracle Database
    • 788 - POP3
    • 1755 - MDNS

    String Block Type (uint32): Initiates a String data block containing the username. This value is always 0.
    String Block Length (uint32): The number of bytes included in the username String data block, including eight bytes for the block type and length fields plus the number of bytes in the Username field.
    Username (string): The name of the user.

    Web Application Record

    The system detects the content of HTTP traffic from websites, if available. Web application metadata for a host discovery event may include the specific type of content (for example, WMV or QuickTime).

    The eStreamer service transmits the web application metadata for an event within a Web Application record, the format of which is shown below. (Web application metadata is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 109, indicating a Web Application record.

     

    Byte:  0 | 1 | 2 | 3   (bits 0-31; each row below is one 32-bit word)
    Header Version (1)             | Message Type (4)
    Message Length
    Netmap ID                      | Record Type (109)
    Record Length
    Application ID
    Name Length
    Name...

    The following table describes the fields in the Web Application record.

    Table 4-15 Web Application Record Fields

    Application ID (uint32): Application ID number of the web application. This field is the unique key for this record.
    Name Length (uint32): The number of bytes included in the name.
    Name (string): The web application content name.

    Intrusion Policy Name Record

    The eStreamer service transmits metadata containing intrusion policy name information for a connection event within an Intrusion Policy Name record, the format of which is shown below. (Intrusion policy name information is sent when the version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 118, indicating an Intrusion Policy Name record. The record contains a UUID String data block, block type 14 in the series 2 set of data blocks.

    Byte:  0 | 1 | 2 | 3   (bits 0-31; each row below is one 32-bit word)
    Header Version (1)             | Message Type (4)
    Message Length
    Netmap ID                      | Record Type (118)
    Record Length
    Intrusion Policy Name Data Block Type (14)
    Intrusion Policy Name Data Block Length
    Intrusion Policy UUID
    Intrusion Policy UUID, continued
    Intrusion Policy UUID, continued
    Intrusion Policy UUID, continued
    String Block Type (0)
    String Block Length
    Intrusion Policy Name...

    The following table describes the fields in the Intrusion Policy Name data block.

    Table 4-16 Intrusion Policy Name Data Block Fields

    Intrusion Policy Name Data Block Type (uint32): Initiates an Intrusion Policy Name data block. This value is always 14. The block type is a series 2 block.
    Intrusion Policy Name Data Block Length (uint32): Length of the data block, including the number of bytes of data plus the 8 bytes in the two data block header fields.
    Intrusion Policy UUID (uint8[16]): The unique identifier for the intrusion policy associated with the connection event. This field is the unique key for this record.
    String Block Type (uint32): Initiates a String data block containing the name of the intrusion policy. This value is always 0.
    String Block Length (uint32): The number of bytes included in the intrusion policy name String data block, including eight bytes for the block type and length fields plus the number of bytes in the intrusion policy name.
    Intrusion Policy Name (string): The intrusion policy name.

    Access Control Rule Action Record Metadata

    The eStreamer service transmits metadata containing the action associated with a triggered access control rule within an Access Control Rule Action record, the format of which is shown below. (Access Control Rule Action information is sent when the version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 120, indicating an Access Control Rule Action record.

    Byte:  0 | 1 | 2 | 3   (bits 0-31; each row below is one 32-bit word)
    Header Version (1)             | Message Type (4)
    Message Length
    Netmap ID                      | Record Type (120)
    Record Length
    Access Control Rule Action ID
    Name Length
    Name...

    The following table describes the fields in the Access Control Rule Action record.

    Table 4-17 Access Control Rule Action Record Fields

    Access Control Rule Action ID (uint32): ID number of the access control rule action. This field is the unique key for this record.
    Name Length (uint32): The number of bytes included in the name.
    Name (string): The firewall rule action name. Possible values include:

    • 1 — 'Pending'
    • 2 — 'Allow'
    • 3 — 'Trust'
    • 4 — 'Block'
    • 5 — 'Block with Reset'
    • 6 — 'Monitor'
    • 7 — 'Interactive Block'
    • 8 — 'Interactive Block with Reset'
    • 14 — 'FastPath'
    • 22 — 'Domain Not Found'
    • 23 — 'Sinkhole'

    URL Category Record Metadata

    The eStreamer service transmits metadata containing the category name associated with a URL in a connection log within a URL Category record, the format of which is shown below. (URL category information is sent when the version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 121, indicating a URL Category record.

    Byte:  0 | 1 | 2 | 3   (bits 0-31; each row below is one 32-bit word)
    Header Version (1)             | Message Type (4)
    Message Length
    Netmap ID                      | Record Type (121)
    Record Length
    URL Category ID
    Name Length
    Name...

    The following table describes the fields in the URL Category record.

    Table 4-18 URL Category Record Fields

    URL Category ID (uint32): ID number of the URL category. This field is the unique key for this record.
    Name Length (uint32): The number of bytes included in the name.
    Name (string): The URL category name.

    URL Reputation Record Metadata

    The eStreamer service transmits metadata containing the reputation (that is, risk level) associated with a URL in a connection log within a URL Reputation record, the format of which is shown below. (URL reputation information is sent when the version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 122, indicating a URL Reputation metadata record.

    Byte:  0 | 1 | 2 | 3   (bits 0-31; each row below is one 32-bit word)
    Header Version (1)             | Message Type (4)
    Message Length
    Netmap ID                      | Record Type (122)
    Record Length
    URL Reputation ID
    Name Length
    Name...

    The following table describes the fields in the URL Reputation record.

    Table 4-19 URL Reputation Record Fields

    URL Reputation ID (uint32): ID number of the URL reputation. This field is the unique key for this record.
    Name Length (uint32): The number of bytes included in the name.
    Name (string): The URL reputation name.

    Access Control Rule Reason Metadata

    The eStreamer service transmits metadata containing information about the reason an access control rule triggered an intrusion event or connection event within an Access Control Rule Reason record, the format of which is shown below. Access control rule reason metadata is sent when the Version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags. Note that the Record Type field, which appears after the Message Length field, has a value of 124, indicating an Access Control Rule Reason record. It contains an Access Control Rule Reason Block (as documented in Access Control Rule Reason Data Block 6.0+). The Access Control Rule Reason data block is block type 59 in series 2.

     

    Byte:  0 | 1 | 2 | 3   (bits 0-31; each row below is one 32-bit word)
    Header Version (1)             | Message Type (4)
    Message Length
    Netmap ID                      | Record Type (124)
    Record Length
    Access Control Rule Reason Block Type (59)
    Access Control Rule Reason Block Length
    Access Control Rule Reason
    String Block Type (0)
    String Block Length
    Description...

    The following table describes the fields in the Access Control Rule Reason data block.

    Table 4-20 Access Control Rule Reason Metadata Fields

    Access Control Rule Reason Block Type (uint32): Initiates an Access Control Rule Reason block. This value is always 59. This is a series 2 data block.
    Access Control Rule Reason Block Length (uint32): Total number of bytes in the Access Control Rule Reason block, including eight bytes for the Access Control Rule Reason block type and length fields, plus the number of bytes of data that follows.
    Access Control Rule Reason (uint32): The number of the reason the access control rule logged the connection or triggered the event. This field is the unique key for this record. Rule reasons are a binary bitmap in which multiple bits may be set, since a rule may have several reasons. The bit values are as follows:

    • 1 — IP Block
    • 2 — IP Monitor
    • 4 — User Bypass
    • 8 — File Monitor
    • 16 — File Block
    • 32 — Intrusion Monitor
    • 64 — Intrusion Block
    • 128 — File Resume Block
    • 256 — File Resume Allow
    • 512 — File Custom Detection
    • 1024 — SSL Block
    • 2048 — DNS Block
    • 4096 — DNS Monitor
    • 8192 — URL Block
    • 16384 — URL Monitor
    • 32768 — Content Restriction
    • 65536 — Intelligent App Bypass
    • 131072 — WSA Threat

    String Block Type (uint32): Initiates a String data block containing the descriptive name associated with the access control rule reason. This value is always 0.
    String Block Length (uint32): The number of bytes included in the name String data block, including eight bytes for the block type and length fields plus the number of bytes in the Description field.
    Description (string): Description of the access control rule reason.
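    As an added example (not Cisco's code and not part of this guide), the Python below decodes the plain ID/Name metadata records described above (Source Application through URL Reputation) and the Access Control Rule Reason record, expanding the reason bitmap from Table 4-20 and checking every length field against the bytes actually received before trusting it. It assumes, since the byte diagrams do not state widths, that all integers are big-endian, that Header Version, Message Type, Netmap ID and Record Type are 2 bytes each while the Length fields are 4 bytes, and that Message Length and Record Length count the bytes that follow them; the sample messages are constructed with the builder functions, not captured traffic.

```python
import struct

# Record types whose body is just ID (uint32), Name Length (uint32), Name.
SIMPLE_NAME_RECORDS = {
    91: "Source Application",
    96: "Source Detector",
    109: "Web Application",
    120: "Access Control Rule Action",
    121: "URL Category",
    122: "URL Reputation",
}

# Bit values of the Access Control Rule Reason field (Table 4-20).
RULE_REASON_BITS = {
    1: "IP Block", 2: "IP Monitor", 4: "User Bypass", 8: "File Monitor",
    16: "File Block", 32: "Intrusion Monitor", 64: "Intrusion Block",
    128: "File Resume Block", 256: "File Resume Allow",
    512: "File Custom Detection", 1024: "SSL Block", 2048: "DNS Block",
    4096: "DNS Monitor", 8192: "URL Block", 16384: "URL Monitor",
    32768: "Content Restriction", 65536: "Intelligent App Bypass",
    131072: "WSA Threat",
}


class MalformedRecord(ValueError):
    """A length or type field disagrees with the bytes actually present."""


def decode_reason_bits(reason):
    """Expand the reason bitmap into names; unknown bits are reported, not dropped."""
    names = [name for bit, name in RULE_REASON_BITS.items() if reason & bit]
    unknown = reason & ~sum(RULE_REASON_BITS)
    if unknown:
        names.append(f"unknown bits 0x{unknown:x}")
    return names


def parse_string_block(buf, off):
    """Series 2 String block: type (always 0), length (covers its own 8 header
    bytes plus the text), then the text. Returns (text, offset after block)."""
    if off + 8 > len(buf):
        raise MalformedRecord("truncated String block header")
    block_type, block_len = struct.unpack_from(">II", buf, off)
    if block_type != 0:
        raise MalformedRecord(f"expected String block type 0, got {block_type}")
    if block_len < 8 or off + block_len > len(buf):
        raise MalformedRecord(f"String block length {block_len} exceeds buffer")
    return buf[off + 8:off + block_len].decode("utf-8", errors="replace"), off + block_len


def parse_metadata_message(msg):
    """Parse one metadata message (assumed layout: 8-byte message header then
    8-byte record header, both big-endian) into a dict of decoded fields."""
    if len(msg) < 16:
        raise MalformedRecord("message shorter than the 16 header bytes")
    version, msg_type, msg_len = struct.unpack_from(">HHI", msg, 0)
    if version != 1 or msg_type != 4:
        raise MalformedRecord(f"unexpected header version {version}, type {msg_type}")
    if msg_len != len(msg) - 8:
        raise MalformedRecord(f"Message Length {msg_len} does not match payload")
    netmap_id, rec_type, rec_len = struct.unpack_from(">HHI", msg, 8)
    if rec_len != len(msg) - 16:
        raise MalformedRecord(f"Record Length {rec_len} does not match payload")
    body = msg[16:]
    out = {"netmap_id": netmap_id, "record_type": rec_type}
    if rec_type in SIMPLE_NAME_RECORDS:
        if len(body) < 8:
            raise MalformedRecord("truncated ID/Name record")
        ident, name_len = struct.unpack_from(">II", body, 0)
        if 8 + name_len != len(body):
            raise MalformedRecord("Name Length disagrees with Record Length")
        out.update(record=SIMPLE_NAME_RECORDS[rec_type], id=ident,
                   name=body[8:].decode("utf-8", errors="replace"))
    elif rec_type == 124:  # block 59: reason bitmap followed by a String block
        if len(body) < 12:
            raise MalformedRecord("truncated Access Control Rule Reason block")
        block_type, block_len, reason = struct.unpack_from(">III", body, 0)
        if block_type != 59 or block_len != len(body):
            raise MalformedRecord("bad Access Control Rule Reason block header")
        description, _ = parse_string_block(body, 12)
        out.update(record="Access Control Rule Reason", reason=reason,
                   reasons=decode_reason_bits(reason), description=description)
    else:
        out.update(record="unhandled", body=body)
    return out


# Builders for constructed sample messages (same assumed layout as the parser).
def build_message(rec_type, body, netmap_id=1):
    record = struct.pack(">HHI", netmap_id, rec_type, len(body)) + body
    return struct.pack(">HHI", 1, 4, len(record)) + record


def build_simple_name_record(rec_type, ident, name):
    data = name.encode("utf-8")
    return build_message(rec_type, struct.pack(">II", ident, len(data)) + data)


def build_rule_reason_record(reason, description):
    data = description.encode("utf-8")
    sblock = struct.pack(">II", 0, 8 + len(data)) + data
    return build_message(124, struct.pack(">III", 59, 12 + len(sblock), reason) + sblock)
```

    A record whose Record Length, Name Length or String Block Length does not agree with the bytes received is rejected rather than decoded, which is the behaviour a collector feeding a SIEM should have.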

    Access Control Policy Metadata

    The eStreamer service transmits metadata containing information about the access control policy that triggered an intrusion event or connection event within an Access Control Policy Metadata record, the format of which is shown below. Access control policy metadata is sent when the Version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags. Note that the Record Type field, which appears after the Message Length field, has a value of 145, indicating an Access Control Policy Metadata record. It contains an Access Control Policy Metadata Block (as documented in Access Control Policy Metadata Block 6.0+). The Access Control Policy Metadata block is block type 64 in series 2.

    Byte:  0 | 1 | 2 | 3   (bits 0-31; each row below is one 32-bit word)
    Header Version (1)             | Message Type (4)
    Message Length
    Netmap ID                      | Record Type (145)
    Record Length
    Access Control Policy Metadata Block Type (64)
    Access Control Policy Metadata Block Length
    AC Policy UUID:   Access Control Policy UUID
                      Access Control Policy UUID, continued
                      Access Control Policy UUID, continued
                      Access Control Policy UUID, continued
    Sensor ID
    Policy Name:      String Block Type (0)
                      String Block Length
                      Policy Name...

    The following table describes the fields in the Access Control Policy data block.

    Table 4-21 Access Control Policy Metadata Fields

    Access Control Policy Metadata Block Type (uint32): Initiates an Access Control Policy Metadata block. This value is always 64. This is a series 2 data block.
    Access Control Policy Metadata Block Length (uint32): Total number of bytes in the Access Control Policy Metadata block, including eight bytes for the Access Control Policy Metadata block type and length fields, plus the number of bytes of data that follows.
    Access Control Policy UUID (uint8[16]): UUID of the access control policy. This field, along with the Sensor ID, makes up the unique key for this record.
    Sensor ID (uint32): ID number of the sensor associated with the access control policy. This field, along with the Access Control Policy UUID, makes up the unique key for this record.
    String Block Type (uint32): Initiates a String data block containing the descriptive name associated with the access control policy. This value is always 0.
    String Block Length (uint32): The number of bytes included in the name String data block, including eight bytes for the block type and length fields plus the number of bytes in the Name field.
    Name (string): Name of the access control policy.

    Prefilter Policy Metadata

    The eStreamer service transmits metadata containing information about the prefilter policy that triggered an intrusion event or connection event within a Prefilter Policy record, the format of which is shown below. Prefilter Policy metadata is sent when the Version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags. Note that the Record Type field, which appears after the Message Length field, has a value of 146, indicating a Prefilter Policy Metadata record. It contains an Access Control Policy Metadata Block (as documented in Access Control Policy Metadata Block 6.0+). The Access Control Policy Metadata block is block type 64 in series 2.

    Byte:  0 | 1 | 2 | 3   (bits 0-31; each row below is one 32-bit word)
    Header Version (1)             | Message Type (4)
    Message Length
    Netmap ID                      | Record Type (146)
    Record Length
    Access Control Policy Metadata Block Type (64)
    Access Control Policy Metadata Block Length
    AC Policy UUID:   Access Control Policy UUID
                      Access Control Policy UUID, continued
                      Access Control Policy UUID, continued
                      Access Control Policy UUID, continued
    Sensor ID
    Policy Name:      String Block Type (0)
                      String Block Length
                      Policy Name...

    The following table describes the fields in the Prefilter Policy Metadata block.

    Table 4-22 Prefilter Policy Metadata Fields

    Prefilter Policy Block Type (uint32): Initiates a Prefilter Policy block. This value is always 64. This is a series 2 data block.
    Prefilter Policy Block Length (uint32): Total number of bytes in the Prefilter Policy block, including eight bytes for the Prefilter Policy block type and length fields, plus the number of bytes of data that follows.
    Access Control Policy UUID (uint8[16]): UUID of the access control policy. This field, along with the Sensor ID, makes up the unique key for this record.
    Sensor ID (uint32): ID number of the sensor associated with the access control policy. This field, along with the Access Control Policy UUID, makes up the unique key for this record.
    String Block Type (uint32): Initiates a String data block containing the descriptive name associated with the prefilter policy. This value is always 0.
    String Block Length (uint32): The number of bytes included in the name String data block, including eight bytes for the block type and length fields plus the number of bytes in the Name field.
    Name (string): Name of the prefilter policy.

    Tunnel or Prefilter Rule Metadata

    The eStreamer service transmits metadata containing information about the reason a tunnel or prefilter rule triggered an intrusion event or connection event within a Tunnel or Prefilter Rule Reason record, the format of which is shown below. Tunnel or Prefilter rule reason metadata is sent when the Version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags. Note that the Record Type field, which appears after the Message Length field, has a value of 147, indicating a Tunnel or Prefilter Rule Reason record.
    Because the two are identical in content, the record contains an Access Control Rule Reason Block (as documented in Access Control Rule Data Block). The Access Control Rule Reason data block is block type 59 in series 2.

    Byte:  0 | 1 | 2 | 3   (bits 0-31; each row below is one 32-bit word)
    Header Version (1)             | Message Type (4)
    Message Length
    Netmap ID                      | Record Type (147)
    Record Length
    Tunnel or Prefilter Rule Metadata Block Type (15)
    Tunnel or Prefilter Rule Metadata Block Length
    Tunnel or Prefilter Rule ID
    String Block Type (0)
    String Block Length
    Name...

    The following table describes the fields in the Tunnel or Prefilter Rule metadata block.

    Table 4-23 Tunnel or Prefilter Rule Reason Metadata Fields

    Tunnel or Prefilter Rule Block Type (uint32): Initiates an Access Control Rule block. This value is always 15. Note that this block is used for tunnel and prefilter rules in addition to access control rules.
    Tunnel or Prefilter Rule Block Length (uint32): Total number of bytes in the Tunnel or Prefilter Rule block, including eight bytes for the Tunnel or Prefilter Rule block type and length fields, plus the number of bytes of data that follows.
    Tunnel or Prefilter Rule ID (uint32): The internal Cisco identifier for the tunnel or prefilter rule.
    String Block Type (uint32): Initiates a String data block containing the descriptive name associated with the tunnel or prefilter rule UUID and tunnel or prefilter rule ID. This value is always 0.
    String Block Length (uint32): The number of bytes included in the name String data block, including eight bytes for the block type and length fields plus the number of bytes in the Name field.
    Name (string): The descriptive name.

    Security Intelligence Category Metadata

    The eStreamer service transmits metadata containing information about the Security Intelligence category within a Security Intelligence Category record, the format of which is shown below. Security Intelligence Category metadata is sent when the Version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See Request Flags. Note that the Record Type field, which appears after the Message Length field, has a value of 280, indicating a Security Intelligence Category record. It contains a Security Intelligence Category data block (as documented in Security Intelligence Category Data Block 5.1+). The Security Intelligence data block is block type 22 in series 2.

     

    Byte:  0 | 1 | 2 | 3   (bits 0-31; each row below is one 32-bit word)
    Header Version (1)             | Message Type (4)
    Message Length
    Netmap ID                      | Record Type (280)
    Record Length
    Security Intelligence Category Block Type (22)
    Security Intelligence Category Block Length
    Security Intelligence List ID
    Access Control Policy UUID
    Access Control Policy UUID, continued
    Access Control Policy UUID, continued
    Access Control Policy UUID, continued
    String Block Type (0)
    String Block Length
    Security Intelligence List Name...

    The following table describes the fields in the Security Intelligence Category record.

    Table 4-24 Security Intelligence Category Metadata Fields

    Security Intelligence Category Block Type (uint32): Initiates a Security Intelligence Category data block. This value is always 22. This is a series 2 data block.
    Security Intelligence Category Block Length (uint32): Total number of bytes in the Security Intelligence Category block, including eight bytes for the Security Intelligence Category block type and length fields, plus the number of bytes of data that follows.
    Security Intelligence List ID (uint32): The ID of the IP block list or allow list triggered by the connection. This field, along with Access Control Policy UUID, makes up the unique key for this record.
    Access Control Policy UUID (uint8[16]): The UUID of the access control policy configured for Security Intelligence. This field, along with Security Intelligence List ID, makes up the unique key for this record.
    String Block Type (uint32): Initiates a String data block containing the descriptive name associated with the Security Intelligence list. This value is always 0.
    String Block Length (uint32): The number of bytes included in the name String data block, including eight bytes for the block type and length fields plus the number of bytes in the Security Intelligence List Name field.
    Security Intelligence List Name (string): The name of the IP category block list or allow list triggered by the connection.

    Security Intelligence Source/Destination Record

    The eStreamer service transmits metadata containing whether a Security Intelligence-detected IP address is a source IP address or destination IP address within a Security Intelligence Source/Destination record, the format of which is shown below. (The source/destination IP information is sent when one of the metadata flags—bits 1, 14, 15, or 20 in the Request Flags field of a request message—is set. See Request Flags.) Note that the Record Type field, which appears after the Message Length field, has a value of 281, indicating a Security Intelligence Source/Destination record.

     

    Byte:  0 | 1 | 2 | 3   (bits 0-31; each row below is one 32-bit word)
    Header Version (1)             | Message Type (4)
    Message Length
    Netmap ID                      | Record Type (281)
    Record Length
    Security Intelligence Source/Destination ID
    Security Intelligence Source/Destination Length
    Security Intelligence Source/Destination...

    The following table describes the fields in the Security Intelligence Source/Destination record.

    Table 4-25 Security Intelligence Source/Destination Record Fields

    Security Intelligence Source/Destination ID (uint32): The Security Intelligence source/destination ID number. This field is the unique key for this record.
    Security Intelligence Source/Destination Length (uint32): The number of bytes included in the Security Intelligence source/destination.
    Security Intelligence Source/Destination (string): Whether the detected IP address is a source or destination IP address.

    IOC State Data Block for 5.3+

    The IOC State data block provides information about an Indication of Compromise (IOC). It is block type of 150 in series 1. It is used by the host tracker to store information about a compromise on a host. The following diagram shows the structure of an IOC State data block:

     

    Block layout (fields in wire order). Because Disabled is a single byte, every field after it straddles a 32-bit word boundary, which the original diagram shows as "continued" cells:

    • IOC State Block Type (150)
    • IOC State Block Length
    • IOC ID Number
    • Disabled
    • First Seen
    • First Event ID
    • First Device ID
    • First Instance ID
    • First Connection Time
    • First Counter
    • Last Seen
    • Last Event ID
    • Last Device ID
    • Last Instance ID
    • Last Connection Time
    • Last Counter

    The following table describes the components of the IOC State data block.


    Table 4-26 IOC State Data Block Fields

    • IOC State Data Block Type (uint32): Initiates an IOC State data block. This value is always 150.
    • IOC State Data Block Length (uint32): Total number of bytes in the IOC State data block, including eight bytes for the IOC State data block type and length fields, plus the number of bytes of data that follows.
    • IOC ID Number (uint32): Unique ID number for the compromise.
    • Disabled (uint8): Indicates whether the compromise has been disabled on the host: 0 means the compromise is not disabled, 1 means the compromise is disabled.
    • First Seen (uint32): Unix timestamp of when this compromise was first seen.
    • First Event ID (uint32): ID number of the event on which this compromise was first seen.
    • First Device ID (uint32): ID of the sensor which first detected the IOC.
    • First Instance ID (uint16): Numerical ID of the Snort instance on the managed device that first detected the compromise.
    • First Connection Time (uint32): Unix timestamp of the connection where this compromise was first seen.
    • First Counter (uint16): Counter for the connection on which this compromise was first seen. Used to differentiate between multiple connections occurring at the same time.
    • Last Seen (uint32): Unix timestamp of when this compromise was last seen.
    • Last Event ID (uint32): ID number of the event on which this compromise was last seen.
    • Last Device ID (uint32): ID of the sensor which most recently detected the IOC.
    • Last Instance ID (uint16): Numerical ID of the Snort instance on the managed device that last detected the compromise.
    • Last Connection Time (uint32): Unix timestamp of the connection on which this compromise was last seen.
    • Last Counter (uint16): Counter for the connection on which this compromise was last seen. Used to differentiate between multiple connections occurring at the same time.
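The IOC State block deserves a worked parser because its single-byte Disabled field leaves every later field off a 32-bit boundary, which is exactly where a hand-rolled reader that assumes word alignment goes wrong. The Python below is an added example, not code from the guide; the field sizes come from Table 4-26 and the sample values are constructed.

```python
import struct

IOC_STATE_BLOCK_TYPE = 150

# Big-endian, packed exactly in the order Table 4-26 lists the fields. The
# one-byte Disabled flag shifts everything after it off 32-bit boundaries;
# the ">" prefix tells struct not to insert native alignment padding.
IOC_STATE = struct.Struct(">IIIBIIIHIHIIIHIH")
IOC_STATE_SIZE = IOC_STATE.size  # 53 bytes
IOC_STATE_FIELDS = (
    "block_type", "block_length", "ioc_id", "disabled",
    "first_seen", "first_event_id", "first_device_id", "first_instance_id",
    "first_connection_time", "first_counter",
    "last_seen", "last_event_id", "last_device_id", "last_instance_id",
    "last_connection_time", "last_counter",
)


def parse_ioc_state(buf: bytes, offset: int = 0) -> tuple:
    """Parse the IOC State block at buf[offset]. Returns (fields, next_offset).

    next_offset comes from the block's own Length field, so a newer, longer
    block layout is skipped whole rather than mis-parsed as the next block.
    """
    if len(buf) - offset < 8:
        raise ValueError("not enough bytes for block type and length")
    block_type, block_length = struct.unpack_from(">II", buf, offset)
    if block_type != IOC_STATE_BLOCK_TYPE:
        raise ValueError(f"expected block type {IOC_STATE_BLOCK_TYPE}, got {block_type}")
    if block_length < IOC_STATE_SIZE:
        raise ValueError(f"block length {block_length} shorter than the 53-byte layout")
    if len(buf) - offset < block_length:
        raise ValueError("block truncated")
    fields = dict(zip(IOC_STATE_FIELDS, IOC_STATE.unpack_from(buf, offset)))
    fields["disabled"] = bool(fields["disabled"])
    return fields, offset + block_length


def build_sample_ioc_state() -> bytes:
    """Constructed sample block for testing; every value is made up."""
    return IOC_STATE.pack(
        IOC_STATE_BLOCK_TYPE, IOC_STATE_SIZE,
        4242,                                    # IOC ID Number
        0,                                       # Disabled = 0: still active
        1500000000, 7001, 3, 1, 1500000000, 9,   # first-seen group
        1500003600, 7050, 3, 2, 1500003600, 11,  # last-seen group
    )


if __name__ == "__main__":
    fields, end = parse_ioc_state(build_sample_ioc_state())
    print(end, fields)
```

Advancing by the Length field rather than by the 53 bytes of the known layout is the habit that keeps a consumer working when a later system version appends fields to the block.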

    IOC Name Data Block for 5.3+

    The IOC Name data block provides the category and event type for an Indication of Compromise (IOC). The record type is 161, with a block type of 39 in series 2. It is exposed as metadata for any event that has IOC information. These include malware events, file events, and intrusion events.

    The following diagram shows the structure of an IOC Name data block:

     

    Record layout (32-bit words in wire order; two fields on one line share a word):

    • Header Version (1) | Message Type (4)
    • Message Length
    • Netmap ID | Record Type (161)
    • Record Length
    • IOC Name Block Type (39)
    • IOC Name Block Length
    • IOC ID Number
    • Category: String Block Type (0)
    • Category: String Block Length
    • Category... (string bytes)
    • Event Type: String Block Type (0)
    • Event Type: String Block Length
    • Event Type... (string bytes)

    The following table describes the fields in the IOC Name data block.

     

    Table 4-27 IOC Name Data Block Fields

    • IOC Name Data Block Type (uint32): Initiates an IOC Name data block. This value is always 39.
    • IOC Name Data Block Length (uint32): Total number of bytes in the IOC Name data block, including eight bytes for the IOC Name data block type and length fields, plus the number of bytes of data that follows.
    • IOC ID Number (uint32): Unique ID number for the compromise.
    • String Block Type (uint32): Initiates a String data block containing the category associated with the compromise. This value is always 0.
    • String Block Length (uint32): The number of bytes included in the name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Category field.
    • Category (string): The category for the compromise. Possible values include:
      • CnC Connected
      • Exploit Kit
      • High Impact Attack
      • Low Impact Attack
      • Malware Detected
      • Malware Executed
      • Dropper Infection
      • Java Compromise
      • Word Compromise
      • Adobe Reader Compromise
      • Excel Compromise
      • PowerPoint Compromise
      • QuickTime Compromise
    • String Block Type (uint32): Initiates a String data block containing the event type associated with the compromise. This value is always 0.
    • String Block Length (uint32): The number of bytes included in the name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Type field.
    • Event Type (string): The event type for the compromise. Possible values include:
      • Adobe Reader launched shell
      • Dropper Infection Detected by AMP for Endpoints
      • Excel Compromise Detected by AMP for Endpoints
      • Excel launched shell
      • Impact 1 Intrusion Event - attempted-admin
      • Impact 1 Intrusion Event - attempted-user
      • Impact 1 Intrusion Event - successful-admin
      • Impact 1 Intrusion Event - successful-user
      • Impact 1 Intrusion Event - web-application-attack
      • Impact 2 Intrusion Event - attempted-admin
      • Impact 2 Intrusion Event - attempted-user
      • Impact 2 Intrusion Event - successful-admin
      • Impact 2 Intrusion Event - successful-user
      • Impact 2 Intrusion Event - web-application-attack
      • Intrusion Event - exploit-kit
      • Intrusion Event - malware-backdoor
      • Intrusion Event - malware-cnc
      • Java Compromise Detected by AMP for Endpoints
      • Java launched shell
      • PDF Compromise Detected by AMP for Endpoints
      • PowerPoint Compromise Detected by AMP for Endpoints
      • PowerPoint launched shell
      • QuickTime Compromise Detected by AMP for Endpoints
      • QuickTime launched shell
      • Security Intelligence Event - CnC
      • Security Intelligence Event - DNS CnC
      • Security Intelligence Event - DNS Malware
      • Security Intelligence Event - DNS Phishing
      • Security Intelligence Event - Sinkhole CnC
      • Security Intelligence Event - Sinkhole Malware
      • Security Intelligence Event - Sinkhole Phishing
      • Security Intelligence Event - URL CnC
      • Security Intelligence Event - URL Malware
      • Security Intelligence Event - URL Phishing
      • Suspected Botnet Detected by AMP for Endpoints
      • Threat Detected by AMP for Endpoints - Executed
      • Threat Detected by AMP for Endpoints - Not Executed
      • Threat Detected in File Transfer
      • Word Compromise Detected by AMP for Endpoints
      • Word launched shell
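The IOC Name block nests two String data blocks, so the parser has to walk a length-prefixed sub-block twice and then confirm that the sub-blocks account for exactly the outer block's length. The following Python is an added example, not code from the guide; the sample category and event type are two of the values listed above, and the block it builds is constructed test data.

```python
import struct

IOC_NAME_BLOCK_TYPE = 39
STRING_BLOCK_TYPE = 0


def read_string_block(buf: bytes, offset: int) -> tuple:
    """Read a String data block (type 0) at buf[offset]: type, length (which
    includes its own 8-byte header), then the bytes. Returns (text, end)."""
    if len(buf) - offset < 8:
        raise ValueError("truncated String block header")
    btype, blen = struct.unpack_from(">II", buf, offset)
    if btype != STRING_BLOCK_TYPE:
        raise ValueError(f"expected String block type 0, got {btype}")
    if blen < 8 or len(buf) - offset < blen:
        raise ValueError("String block length inconsistent with buffer")
    text = buf[offset + 8:offset + blen].decode("utf-8")
    return text, offset + blen


def parse_ioc_name(buf: bytes, offset: int = 0) -> dict:
    """Parse an IOC Name block (series 2, type 39) starting at buf[offset]."""
    if len(buf) - offset < 12:
        raise ValueError("truncated IOC Name block")
    btype, blen, ioc_id = struct.unpack_from(">III", buf, offset)
    if btype != IOC_NAME_BLOCK_TYPE:
        raise ValueError(f"expected block type {IOC_NAME_BLOCK_TYPE}, got {btype}")
    end = offset + blen
    if blen < 12 or end > len(buf):
        raise ValueError("IOC Name block length inconsistent with buffer")
    # Category first, then Event Type, each as its own String block.
    category, pos = read_string_block(buf, offset + 12)
    event_type, pos = read_string_block(buf, pos)
    if pos != end:
        raise ValueError("String blocks do not account for the whole IOC Name block")
    return {"ioc_id": ioc_id, "category": category, "event_type": event_type}


def build_ioc_name(ioc_id: int, category: str, event_type: str) -> bytes:
    """Build a constructed IOC Name block for testing (not captured data)."""
    def string_block(s: str) -> bytes:
        data = s.encode("utf-8")
        return struct.pack(">II", STRING_BLOCK_TYPE, 8 + len(data)) + data
    body = struct.pack(">I", ioc_id) + string_block(category) + string_block(event_type)
    return struct.pack(">II", IOC_NAME_BLOCK_TYPE, 8 + len(body)) + body


if __name__ == "__main__":
    sample = build_ioc_name(77, "CnC Connected", "Security Intelligence Event - CnC")
    print(parse_ioc_name(sample))
```

The final `pos != end` check is what catches a block whose outer length and inner string lengths disagree, the usual symptom of a truncated or corrupted stream.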

    Discovery Event Header 5.2+

    Discovery and connection event messages contain a discovery event header. It conveys the type and subtype of the event, the time the event occurred, the device on which the event occurred, and the structure of the event data in the message. This header is followed by the actual host discovery, user, or connection event data. The structures associated with the different event type/subtype values are described in Host Discovery Structures by Event Type. This header has IPv6 support, and deprecates Discovery Event Header 5.0 - 5.1.1.x.

    The event type and event subtype fields of the discovery event header identify the structure of the transmitted event message. Once the structure of the event data block is determined, your program can parse the message appropriately.

    The following layout shows the message framing followed by the discovery event header itself; the fields from Device ID through IPv6 Address make up the header (32-bit words in wire order; two fields on one line share a word).

    • Header Version (1) | Message Type (4)
    • Message Length
    • Netmap ID | Record Type
    • Record Length
    • eStreamer Server Timestamp (in events, only if bit 23 is set)
    • Reserved for Future Use (in events, only if bit 23 is set)

    Discovery Event Header:

    • Device ID
    • Legacy IP Address
    • MAC Address (6 bytes), Has IPv6 (1 byte), Reserved for future use (1 byte); these three fields fill two words
    • Event Second
    • Event Microsecond
    • Event Type
    • Event Subtype
    • File Number (Internal Use Only)
    • File Position (Internal Use Only)
    • IPv6 Address (16 bytes, four words)

    The following table describes the discovery event header.

     

    Table 4-28 Discovery Event Header Fields

    • Device ID (uint32): ID number of the device that generated the discovery event. You can obtain the metadata for the device by requesting Version 3 and 4 metadata. See Managed Device Record Metadata for more information.
    • Legacy IP Address (uint32): This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information.
    • MAC Address (uint8[6]): MAC address of the host involved in the event.
    • Has IPv6 (uint8): Flag indicating that the host has an IPv6 address.
    • Reserved for future use (uint8): Reserved for future use.
    • Event Second (uint32): UNIX timestamp (seconds since 01/01/1970) that the system generated the event.
    • Event Microsecond (uint32): Microsecond (one millionth of a second) increment that the system generated the event.
    • Event Type (uint32): Event type (1000 for new events, 1001 for change events, 1002 for user input events, 1050 for full host profile). See Host Discovery Structures by Event Type for a list of available event types.
    • Event Subtype (uint32): Event subtype. See Host Discovery Structures by Event Type for a list of available event subtypes.
    • File Number (byte[4]): Serial file number. This field is for Cisco internal use and can be disregarded.
    • File Position (byte[4]): Event's position in the serial file. This field is for Cisco internal use and can be disregarded.
    • IPv6 Address (uint8[16]): IPv6 address. This field is present and used if the Has IPv6 flag is set.
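As an added example (not code from the guide), the following Python decodes the 5.2+ discovery event header from Table 4-28 and reports where the event data begins. It assumes, beyond what the table states, that the 16-byte IPv6 Address field is always on the wire and that, when Has IPv6 is 0, it carries the IPv4 address in IPv4-mapped form (::ffff:a.b.c.d); the table says the IPv4 address is stored there but does not give the encoding. The header it builds is constructed test data.

```python
import ipaddress
import struct

# Field order and sizes from Table 4-28: 56 bytes, big-endian, no padding.
DISCOVERY_HEADER = struct.Struct(">II6sBBIIII4s4s16s")
DISCOVERY_HEADER_SIZE = DISCOVERY_HEADER.size  # 56


def parse_discovery_event_header(buf: bytes, offset: int = 0) -> dict:
    """Decode the discovery event header at buf[offset].

    Assumption: the IPv6 Address field is always present, and holds an
    IPv4-mapped address when Has IPv6 is 0.
    """
    if len(buf) - offset < DISCOVERY_HEADER_SIZE:
        raise ValueError("buffer shorter than the 56-byte discovery event header")
    (device_id, legacy_ip, mac, has_ipv6, _reserved, event_sec, event_usec,
     event_type, event_subtype, _file_number, _file_position,
     ip_bytes) = DISCOVERY_HEADER.unpack_from(buf, offset)
    addr = ipaddress.IPv6Address(ip_bytes)
    mapped = addr.ipv4_mapped
    host_ip = mapped if (not has_ipv6 and mapped is not None) else addr
    return {
        "device_id": device_id,
        "legacy_ip": legacy_ip,          # reserved, no longer populated
        "mac": ":".join(f"{b:02x}" for b in mac),
        "has_ipv6": bool(has_ipv6),
        "event_second": event_sec,
        "event_microsecond": event_usec,
        "event_type": event_type,
        "event_subtype": event_subtype,
        "host_ip": str(host_ip),
        "payload_offset": offset + DISCOVERY_HEADER_SIZE,  # event data starts here
    }


def build_discovery_event_header(device_id, mac, host_ip, event_sec, event_usec,
                                 event_type, event_subtype) -> bytes:
    """Constructed sample header for testing (not captured data)."""
    ip = ipaddress.ip_address(host_ip)
    if ip.version == 4:
        has_ipv6, packed = 0, ipaddress.IPv6Address(f"::ffff:{ip}").packed
    else:
        has_ipv6, packed = 1, ip.packed
    return DISCOVERY_HEADER.pack(device_id, 0, bytes.fromhex(mac.replace(":", "")),
                                 has_ipv6, 0, event_sec, event_usec,
                                 event_type, event_subtype,
                                 b"\x00" * 4, b"\x00" * 4, packed)


if __name__ == "__main__":
    hdr = build_discovery_event_header(12, "00:11:22:33:44:55", "10.1.2.3",
                                       1500000000, 250, 1001, 5)
    print(parse_discovery_event_header(hdr))
```

The returned `payload_offset` is the handle a caller uses to hand the rest of the record to whichever event-type-specific decoder the Event Type and Event Subtype values select.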

    Discovery and Connection Event Types and Subtypes

    The values in the Event Type and Event Subtype fields identify and classify the event contained in a host discovery or user data message. They also identify the structure of the data in the message.

    The following table lists the event types and event subtypes for discovery and connection events.

     

    Table 4-29 Discovery and Connection Events by Type and Subtype

    Event type 1000 (new events):

    • subtype 1: New Host
    • subtype 2: New TCP Server
    • subtype 3: New Network Protocol
    • subtype 4: New Transport Protocol
    • subtype 5: New IP to IP Traffic
    • subtype 6: New UDP Server
    • subtype 7: New Client Application
    • subtype 8: New OS
    • subtype 9: New IPv6 to IPv6 Traffic

    Event type 1001 (change events):

    • subtype 1: Host IP Address Changed
    • subtype 2: OS Information Update
    • subtype 3: Host IP Address Reused
    • subtype 4: Vulnerability Change
    • subtype 5: Hops Change
    • subtype 6: TCP Server Information Update
    • subtype 7: Host Timeout
    • subtype 8: TCP Port Closed
    • subtype 9: UDP Port Closed
    • subtype 10: UDP Server Information Update
    • subtype 11: TCP Port Timeout
    • subtype 12: UDP Port Timeout
    • subtype 13: MAC Information Change
    • subtype 14: Additional MAC Detected for Host
    • subtype 15: Host Last Seen
    • subtype 16: Host Identified as Router/Bridge
    • subtype 17: Connection Statistics
    • subtype 18: VLAN Tag Information Update
    • subtype 19: Host Deleted: Host Limit Reached
    • subtype 20: Client Application Timeout
    • subtype 21: NetBIOS Name Change
    • subtype 22: NetBIOS Domain Change
    • subtype 23: Host Dropped: Host Limit Reached
    • subtype 24: Banner Update
    • subtype 25: TCP Server Confidence Update
    • subtype 26: UDP Server Confidence Update
    • subtype 29: Identity Conflict
    • subtype 30: Identity Timeout
    • subtype 31: Secondary Host Update
    • subtype 32: Client Application Update

    Event type 1002 (user input events):

    • subtype 1: User Set Valid Vulnerabilities (Legacy)
    • subtype 2: User Set Invalid Vulnerabilities (Legacy)
    • subtype 3: User Delete Address (Legacy)
    • subtype 4: User Delete Server (Legacy)
    • subtype 5: User Set Host Criticality
    • subtype 6: Host Attribute Add
    • subtype 7: Host Attribute Update
    • subtype 8: Host Attribute Delete
    • subtype 9: Host Attribute Set Value (Legacy)
    • subtype 10: Host Attribute Delete Value (Legacy)
    • subtype 11: Add Scan Result
    • subtype 12: User Set Vulnerability Qualification
    • subtype 13: User Policy Control
    • subtype 14: Delete Protocol
    • subtype 15: Delete Client Application
    • subtype 16: User Set Operating System
    • subtype 17: User Account Seen
    • subtype 18: User Account Update
    • subtype 19: User Set Server
    • subtype 20: User Delete Address (Current)
    • subtype 21: User Delete Server (Current)
    • subtype 22: User Set Valid Vulnerabilities (Current)
    • subtype 23: User Set Invalid Vulnerabilities (Current)
    • subtype 24: User Host Criticality
    • subtype 25: Host Attribute Set Value (Current)
    • subtype 26: Host Attribute Delete Value (Current)
    • subtype 27: User Add Host
    • subtype 28: User Add Server
    • subtype 29: User Add Client Application
    • subtype 30: User Add Protocol
    • subtype 31: Reload App
    • subtype 32: Account Delete

    Event type 1003:

    • subtype 1: Connection Statistics
    • subtype 2: Connection Chunks

    Event type 1004:

    • subtype 1: New User Identity
    • subtype 2: User Login
    • subtype 3: Delete User Identity
    • subtype 4: User Identity Dropped: User Limit Reached
    • subtype 5: Failed User Login
    • subtype 8: VPN User Login
    • subtype 9: VPN User Logoff

    Event type 1008:

    • subtype 1: Host IOC Set Type

    Event type 1050 (full host profile):

    • subtype N/A: Full Host Profile

    Tip: For information about the data structure used for each event type/subtype, see Host Discovery Structures by Event Type.


    Host Discovery Structures by Event Type

    eStreamer builds host discovery event messages based on the event type indicated in the discovery event header. The following sub-sections describe the high-level structure for each event type, and the data block diagrams in them depict the different record data blocks returned in host discovery event messages.

    New Host and Host Last Seen Messages

    New Host and Host Last Seen event messages have a standard discovery event header and a Host Profile data block (as documented in Host Profile Data Block for 5.2+). The Host Profile data block is block type 139 in series 1.

    Note that the Host Last Seen message includes server information only for servers on the host that have changed within the Update Interval set in the discovery detection policy. In other words, only servers that have changed since the system last reported information will be included in the Host Last Seen message.

    Note: The Host Profile data block differs depending on which system version created the message. For information on legacy versions of the Host Profile data block, see Legacy Host Data Structures.


     

    Message layout (fields in wire order):

    • Discovery Event Header
    • Host Profile Data Block

    Server Messages

    The following TCP and UDP server event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Server data block (as documented in Host Server Data Block 4.10.0+, block type 103 in series 1):

    • New TCP Server
    • New UDP Server
    • TCP Server Information Update
    • UDP Server Information Update
    • TCP Server Confidence Update
    • UDP Server Confidence Update

    Note: The Server data block differs depending on which system version created the message. For information on the legacy versions of the Server data block, see Understanding Legacy Data Structures.


    Each of these events uses the following format:

     

    Message layout (fields in wire order):

    • Discovery Event Header
    • Server Data Block

    New Network Protocol Message

    A New Network Protocol event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a two-byte field for the network protocol (using protocol values described in following table).

     

    Message layout (fields in wire order):

    • Discovery Event Header
    • Network Protocol (2 bytes)

    New Transport Protocol Message

    A New Transport Protocol event message has a standard discovery event header (as documented in Discovery Event Header 5.2+, block type 4 in series 1) and a one-byte field for the transport protocol number (using values described in following table).

     

    Message layout (fields in wire order):

    • Discovery Event Header
    • Transport Protocol (1 byte)

    Client Application Messages

    New Client Application, Client Application Update, and Client Application Timeout events have the same format and contain a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Client Application data block (see Host Client Application Data Block for 5.0+, block type 122 in series 1). The discovery event header has a different record type, event type, and event subtype, depending on the event transmitted.

    Note: The Client Application data block differs depending on the system version that created the message. For information on the legacy version of the Client Application data block, see Understanding Legacy Data Structures.


     

    Message layout (fields in wire order):

    • Discovery Event Header
    • Client Application Data Block

    IP Address Change Message

    The following host discovery messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by an IP address, in one of two forms: four bytes for the IP address or 16 bytes for the IP address.

    Four bytes are used for the IP address (in IP address octets) in the following cases:

    • New IPv4 to IPv4 Traffic
    • Host IP Address Changed, when the RNA event version is less than 10

    Message layout for the four-byte form (fields in wire order):

    • Discovery Event Header
    • IP Address (4 bytes)

    16 bytes are used for the IP address in the following cases:

    • New IPv6 to IPv6 Traffic
    • Host IP Address Changed, when the RNA event version is 10

     

    Message layout for the 16-byte form (fields in wire order):

    • Discovery Event Header
    • IP Address (16 bytes, four 32-bit words)

    Operating System Update Messages

    The OS Information Update event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by an Operating System data block (as documented in Operating System Data Block 3.5+, block type 53 in series 1).

     

    Message layout (fields in wire order):

    • Discovery Event Header
    • Operating System Data Block

    IP Address Reused and Host Timeout/Deleted Messages

    The following host event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) with no other data:

    • Host IP Address Reused
    • Host Timeout
    • Host Deleted: Host Limit Reached
    • Host Dropped: Host Limit Reached

     

    Message layout (fields in wire order):

    • Discovery Event Header (no event data follows)

    Hops Change Message

    A Hops Change event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a one-byte field for the hops count.

     

    Message layout (fields in wire order):

    • Discovery Event Header
    • Hops (1 byte)

    TCP and UDP Port Closed/Timeout Messages

    TCP and UDP Port Closed and Port Timeout event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a two-byte field for the port number.

     

    Message layout (fields in wire order):

    • Discovery Event Header
    • Port (2 bytes)

    MAC Address Messages

    MAC Information Change and Additional MAC Detected for Host messages have a standard discovery event header (as documented in Discovery Event Header 5.2+), 1 byte for the TTL value, 6 bytes for the MAC address, and 1 byte to indicate whether the MAC address was detected via ARP/DHCP traffic as the actual MAC address.

    Note: If you receive MAC address messages from a system running version 4.9.x, you must check for the length of the MAC address data block and decode accordingly. If the data block is 8 bytes in length (16 bytes with the header), see MAC Address Messages. If the data block is 12 bytes in length (20 bytes with the header), see Host MAC Address 4.9+.


    Note that the MAC address data block header is not used within MAC Information Change and Additional MAC Detected for Host messages.

     

    Message layout (fields in wire order):

    • Discovery Event Header
    • TTL (1 byte)
    • MAC Address (6 bytes)
    • ARP/DHCP (1 byte)

    Host Identified as a Bridge/Router Message

    A Host Identified as a Bridge/Router event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a four-byte field for the value that matches the host type:

    • 0 — Host
    • 1 — Router
    • 2 — Bridge

     

    Message layout (fields in wire order):

    • Discovery Event Header
    • Host Type (4 bytes)
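The message sections from New Network Protocol through Host Identified as a Bridge/Router, together with Table 4-29, describe a handful of event type/subtype pairs whose event data after the discovery event header is a small fixed field rather than a data block. The following Python decoder for those bodies is an added example, not code from the guide; it takes the Event Type and Event Subtype already read from the header plus the bytes that follow it. Two points are assumptions: for Host IP Address Changed the page selects the 4-byte or 16-byte form by RNA event version, and the decoder instead lets the payload length decide; and any pair it does not know is reported as carrying a data block rather than rejected. The payloads in the test are constructed.

```python
import ipaddress
import struct

# (Event Type, Event Subtype) pairs from Table 4-29 grouped by the shape of
# the event data that follows the discovery event header.
HEADER_ONLY = {(1001, 3), (1001, 7), (1001, 19), (1001, 23)}   # IP reused, timeout, deleted, dropped
PORT_EVENTS = {(1001, 8), (1001, 9), (1001, 11), (1001, 12)}   # TCP/UDP port closed or timeout
MAC_EVENTS = {(1001, 13), (1001, 14)}                          # MAC change, additional MAC
IP_EVENTS = {(1000, 5), (1000, 9), (1001, 1)}                  # IPv4/IPv6 traffic, IP changed
HOST_TYPES = {0: "Host", 1: "Router", 2: "Bridge"}


def _exact(payload: bytes, n: int, what: str) -> None:
    """Reject payloads whose length does not match the documented field size."""
    if len(payload) != n:
        raise ValueError(f"{what}: expected {n} payload bytes, got {len(payload)}")


def decode_discovery_payload(event_type: int, event_subtype: int, payload: bytes) -> dict:
    """Decode the bytes after the discovery event header for the fixed-size
    message formats; events carrying a data block are reported as such."""
    key = (event_type, event_subtype)
    if key in HEADER_ONLY:
        _exact(payload, 0, "header-only message")
        return {"kind": "header-only"}
    if key == (1000, 3):                       # New Network Protocol: 2 bytes
        _exact(payload, 2, "network protocol")
        return {"kind": "network_protocol", "value": struct.unpack(">H", payload)[0]}
    if key == (1000, 4):                       # New Transport Protocol: 1 byte
        _exact(payload, 1, "transport protocol")
        return {"kind": "transport_protocol", "value": payload[0]}
    if key in IP_EVENTS:                       # 4-byte or 16-byte IP address
        # Assumption: payload length, not RNA event version, picks the form.
        if len(payload) not in (4, 16):
            raise ValueError(f"IP address payload must be 4 or 16 bytes, got {len(payload)}")
        return {"kind": "ip_address", "value": str(ipaddress.ip_address(payload))}
    if key == (1001, 5):                       # Hops Change: 1 byte
        _exact(payload, 1, "hops")
        return {"kind": "hops", "value": payload[0]}
    if key in PORT_EVENTS:                     # port closed / timeout: 2 bytes
        _exact(payload, 2, "port")
        return {"kind": "port", "value": struct.unpack(">H", payload)[0]}
    if key in MAC_EVENTS:                      # TTL (1) + MAC (6) + ARP/DHCP flag (1)
        _exact(payload, 8, "MAC message")
        ttl, mac, arp_dhcp = struct.unpack(">B6sB", payload)
        return {"kind": "mac", "ttl": ttl, "mac": mac.hex(":"), "arp_dhcp": bool(arp_dhcp)}
    if key == (1001, 16):                      # Host Identified as Router/Bridge: 4 bytes
        _exact(payload, 4, "host type")
        code = struct.unpack(">I", payload)[0]
        if code not in HOST_TYPES:
            raise ValueError(f"unknown host type {code}")
        return {"kind": "host_type", "value": HOST_TYPES[code]}
    # Everything else (Host Profile, Server, VLAN, ... blocks) is left to a
    # block parser; the length is reported so the caller can skip it.
    return {"kind": "data_block", "length": len(payload)}


if __name__ == "__main__":
    # Constructed payloads, not captured traffic.
    print(decode_discovery_payload(1001, 5, b"\x03"))
    print(decode_discovery_payload(1001, 8, b"\x01\xbb"))
    print(decode_discovery_payload(1001, 13, b"\x40" + bytes.fromhex("001122334455") + b"\x01"))
```

Checking the payload length before unpacking matters more than it looks: a consumer that silently reads past a short body desynchronises from the stream and mislabels every record that follows.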

    VLAN Tag Information Update Messages

    The VLAN Tag Information Update event has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a VLAN data block (as documented in VLAN Data Block). The VLAN data block is block type 14 in the series 1 group of blocks.

     

    Message layout (fields in wire order):

    • Discovery Event Header
    • VLAN Data Block

    Change NetBIOS Name Message

    A Change NetBIOS Name event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a String Information data block (as documented in String Information Data Block). The String Information data block is block type 35 in series 1.

    Note: The Change NetBIOS Domain event is not currently generated by the Firepower System.


     

    Message layout (fields in wire order):

    • Discovery Event Header
    • String Information Data Block

    Update Banner Message

    An Update Banner event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Server Banner data block (as documented in Server Banner Data Block). The server banner data block is block type 37 in series 1.

     

    Message layout (fields in wire order):

    • Discovery Event Header
    • Server Banner Data Block

    Policy Control Message

    The Policy Control Message event has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Policy Control Message data block. The format of the Policy Control Message data block differs depending on the system version. For information on policy control message data block format for the current version, see Policy Engine Control Message Data Block.

     

    Message layout (fields in wire order):

    • Discovery Event Header
    • Policy Control Message Data Block

    Connection Statistics Data Message

    The Connection Statistics event has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Connection Statistics data block. The documentation of each version of the Connection Statistics data block includes the system versions that use it. For information on the connection statistics data block format for version 6.1+, see Connection Statistics Data Block 6.2+.

    Note: The Connection Statistics data block differs depending on which system version created the message. For information on legacy versions, see the Connection Statistics data block in Understanding Legacy Data Structures.


     

    Message layout (fields in wire order):

    • Discovery Event Header
    • Connection Statistics Data Block

    Connection Chunk Message

    The Connection Chunk event has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Connection Chunk data block. The format differs depending on the system version. For information on connection chunk data block format for the current version, see Connection Chunk Data Block for 6.1+. The Connection Chunk data block is block type 136 in series 1.

     

    Byte   | 0               | 1                     | 2                       | 3
    Bit    | 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31
    Discovery Event Header
    Connection Chunk Data Block

     

    User Set Vulnerabilities Messages for Version 4.6.1+

    User Set Valid Vulnerabilities, User Set Invalid Vulnerabilities, and User Vulnerability Qualification messages use the same data format: the standard discovery event header (see Discovery Event Header 5.2+) followed by a User Vulnerability change data block (see User Vulnerability Change Data Block 4.7+, block type 80 in series 1). They are differentiated by record type, event type, and event subtype.

     

    Byte   | 0               | 1                     | 2                       | 3
    Bit    | 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31
    Discovery Event Header
    User Vulnerability Change Data Block

     

    User Add and Delete Host Messages

    The following host input event messages have the standard discovery event header (see Discovery Event Header 5.2+) followed by a User Hosts data block (see User Hosts Data Block 4.7+, block type 78 in series 1):

    • User Delete Address
    • User Add Hosts

     

    Byte   | 0               | 1                     | 2                       | 3
    Bit    | 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31
    Discovery Event Header
    User Hosts Data Block

     

    User Delete Server Message

    User Delete Server messages have the standard discovery event header (see Discovery Event Header 5.2+) followed by a User Server List data block (see User Server List Data Block). The User Server List data block is block type 77 in series 1.

     

    Byte   | 0               | 1                     | 2                       | 3
    Bit    | 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31
    Discovery Event Header
    User Server List Data Block

     

    User Set Host Criticality Messages

    User Set Host Criticality messages have the standard discovery event header (see Discovery Event Header 5.2+) followed by a User Criticality Change data block (see User Criticality Change Data Block 4.7+). The User Criticality Change data block is block type 81 in series 1.

     

    Byte   | 0               | 1                     | 2                       | 3
    Bit    | 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31
    Discovery Event Header
    User Criticality Change Data Block

     

    Attribute Messages

    The following event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by an Attribute Definition data block (as documented in Attribute Definition Data Block for 4.7+, block type 55 in series 1):

    • Add Host Attribute
    • Update Host Attribute
    • Delete Host Attribute

    Each of these events uses the following format:

    Byte   | 0               | 1                     | 2                       | 3
    Bit    | 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31
    Discovery Event Header
    Attribute Definition Data Block

     

     

     

     

    Attribute Value Messages

    The following event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a User Attribute Value data block (as documented in User Attribute Value Data Block 4.7+, block type 82 in series 1):

    • Set Host Attribute Value
    • Delete Host Attribute Value

    Each of these events uses the following format:

    Byte   | 0               | 1                     | 2                       | 3
    Bit    | 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31
    Discovery Event Header
    User Attribute Value Data Block

     

     

     

     

    User Server and Operating System Messages

    The following event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a User Product data block (as documented in User Product Data Block 5.1+, block type 60 in series 1):

    • Set Operating System Definition
    • Set Server Definition
    • Add Server

    Each of these events uses the following format:

    Byte   | 0               | 1                     | 2                       | 3
    Bit    | 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31
    Discovery Event Header
    User Product Data Block

     

     

     

     

    User Protocol Messages

    The following event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a User Protocol List data block (as documented in User Protocol List Data Block 4.7+, block type 83 in series 1):

    • Delete Protocol
    • Add Protocol

    Each of these events uses the following format:

    Byte   | 0               | 1                     | 2                       | 3
    Bit    | 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31
    Discovery Event Header
    User Protocol List Data Block

     

     

     

     

    User Client Application Messages

    The following event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a User Client Application List data block (as documented in User Client Application List Data Block, block type 60 in series 1):

    • Delete Client Application
    • Add Client Application

    Each of these events uses the following format:

    Byte   | 0               | 1                     | 2                       | 3
    Bit    | 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31
    Discovery Event Header
    User Client Application List Data Block

     

     

     

     

    Add Scan Result Messages

    The Add Scan Result event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by a Scan Results data block (as documented in Scan Result Data Block 5.2+). The Scan Result data block is block type 142 in series 1.

    This event uses the following format:

     

    Byte   | 0               | 1                     | 2                       | 3
    Bit    | 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31
    Discovery Event Header
    Scan Result Data Block

     

     

     

     

    New Operating System Messages

    The New OS event message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by an Operating System Fingerprint data block (as documented in Operating System Fingerprint Data Block 5.1+).

    This event uses the following format:

     

    Byte   | 0               | 1                     | 2                       | 3
    Bit    | 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31
    Discovery Event Header
    Operating System Fingerprint Data Block

     

     

     

     

    Identity Conflict and Identity Timeout System Messages

    The Identity Conflict and Identity Timeout event messages each have a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by an Identity data block (as documented in Identity Data Block). The Identity data block is block type 94 in series 1. These messages are generated when there are conflicts or timeouts in a fingerprint source identity.

    This event uses the following format:

     

    Byte   | 0               | 1                     | 2                       | 3
    Bit    | 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31
    Discovery Event Header
    Identity Data Block

     

     

     

     

    Host IOC Set Messages

    The Host IOC Set message has a standard discovery event header (as documented in Discovery Event Header 5.2+) followed by an integer data block (as documented in Integer (INT32) Data Block). This integer data block contains the ID number of the IOC set for the host.

    This event uses the following format:

     

    Byte   | 0               | 1                     | 2                       | 3
    Bit    | 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31
    Discovery Event Header
    Integer Data Block

     

     

     

     

    User Data Structures by Event Type

    eStreamer builds user event messages based on the event type indicated in the discovery event header. The following sub-sections describe the high-level structure for each event type:

    User Modification Messages

    When any of the following events occurs through system detection, a user modification message is sent:

    • a new user is detected (a New User Identity event—event type 1004, subtype 1)
    • a user is removed (a Delete User Identity event—event type 1004, subtype 3)
    • a user is dropped (a User Identity Dropped: User Limit Reached event—event type 1004, subtype 4)

    User Modification event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) and a User Information data block (as documented in User Information Data Block for 6.0+). The User Information data block is block type 120 in series 1.

     

    Byte   | 0               | 1                     | 2                       | 3
    Bit    | 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31
    Discovery Event Header
    User Information Data Block

     

     

     

    User Information Update Message Block

    When the login changes for a user (a User Login event—event type 1004, subtype 2) detected by the system, a user information update message is sent. This block is also used when a user login fails (a failed user login event—event type 1004, subtype 5), when a VPN user logs in (a VPN user login event—event type 1004, subtype 8) or a VPN user logs off (a VPN user logoff event—event type 1004, subtype 9).

    User Information Update event messages have a standard discovery event header (as documented in Discovery Event Header 5.2+) and a User Login Information data block (as documented in User Login Information Data Block 6.2+). The User Login Information data block is block type 121 in series 1.

     

    Byte   | 0               | 1                     | 2                       | 3
    Bit    | 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31
    Discovery Event Header
    User Login Information Data Block

     

     

     

    Understanding Discovery (Series 1) Blocks

    Most discovery and connection events incorporate one or more data blocks from the series 1 group of data structures. Each series 1 data block type conveys a particular type of information. The block type number appears in the data block header, which precedes the data in the block. For information on the block header format, see Data Block Header.

    Series 1 Data Block Header

    The series 1 data block header, like the series 2 block header, has two 32-bit integer fields that contain the block’s type number and the block length.

     

    Byte   | 0               | 1                     | 2                       | 3
    Bit    | 0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | 24 25 26 27 28 29 30 31
    Data Block Type
    Data Block Length

    Note: The data block length field contains the number of bytes in the entire data block, including the eight bytes of the two data block header fields.


    For some series 1 block types, the block header is followed immediately by raw data. In more complex block types, the header may be followed by standard fixed-length fields or by the header of a series 1 primitive block that encapsulates another series 1 data block or a list of blocks.

    Series 1 Primitive Data Blocks

    Both series 1 and series 2 blocks include a set of primitives that encapsulate lists of variable-length blocks as well as variable-length strings and BLOBs within messages. These primitive blocks have the standard series 1 block header discussed above. These primitives appear only within other series 1 data blocks. Any number can be included in a given block type. For details on the structure of the primitive blocks, see the following:
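    As an added example that is not part of this guide, the following Python walker parses the series 1 block header described above (block type and block length, with the length counting the 8-byte header) and recurses through the List primitive to reach the String and Integer blocks listed in Table 4-30. Network (big-endian) byte order and the String, Integer and List payload layouts are assumptions of the example, and the sample bytes are constructed; the header checks show why a consumer should reject a length below 8 or one that runs past the end of the buffer before trusting it.

```python
import struct

# Series 1 data block header: two 32-bit integers, block type and block length.
# The guide states the length counts the whole block including the 8-byte header.
# Big-endian (network) byte order is an assumption of this example.
HEADER = struct.Struct(">II")
HEADER_LEN = HEADER.size  # 8 bytes

# Block type numbers taken from Table 4-30 (String, Integer Data, List).
BLOCK_STRING = 0
BLOCK_INTEGER = 7
BLOCK_LIST = 11


class BlockError(ValueError):
    """Raised when a block header is inconsistent with the buffer holding it."""


def read_header(buf, offset):
    """Parse one series 1 block header at offset and return (type, length).

    A declared length below 8 would make a naive walker loop forever or read a
    negative-sized payload; a length past the end of the buffer means the
    stream is truncated or corrupt. Both are rejected instead of trusted.
    """
    if offset + HEADER_LEN > len(buf):
        raise BlockError(f"truncated header at offset {offset}")
    block_type, block_len = HEADER.unpack_from(buf, offset)
    if block_len < HEADER_LEN:
        raise BlockError(f"block length {block_len} smaller than header at offset {offset}")
    if offset + block_len > len(buf):
        raise BlockError(f"block length {block_len} at offset {offset} exceeds buffer")
    return block_type, block_len


def parse_block(buf, offset=0):
    """Parse the block at offset into a tagged Python value; returns (value, next_offset).

    Payload layouts assumed here (String: raw bytes, Integer: one 32-bit value,
    List: a sequence of nested series 1 blocks) follow the one-line descriptions
    in Table 4-30; any other type is returned as raw bytes.
    """
    block_type, block_len = read_header(buf, offset)
    body = buf[offset + HEADER_LEN:offset + block_len]
    end = offset + block_len
    if block_type == BLOCK_STRING:
        return ("string", body.decode("utf-8", errors="replace")), end
    if block_type == BLOCK_INTEGER:
        if len(body) != 4:
            raise BlockError(f"integer block at offset {offset} has {len(body)} payload bytes")
        return ("int", struct.unpack(">I", body)[0]), end
    if block_type == BLOCK_LIST:
        items = []
        pos = offset + HEADER_LEN
        # Nested blocks are parsed against a view cut at the list's own end, so a
        # child that claims to extend past its parent is rejected by read_header.
        while pos < end:
            value, pos = parse_block(buf[:end], pos)
            items.append(value)
        return ("list", items), end
    return (("raw", block_type), bytes(body)), end


def build_block(block_type, payload):
    """Encode one block; used here only to construct the sample input."""
    return HEADER.pack(block_type, HEADER_LEN + len(payload)) + payload


# Constructed sample (not a captured eStreamer message): a List block wrapping a
# String block and an Integer block.
SAMPLE = build_block(
    BLOCK_LIST,
    build_block(BLOCK_STRING, b"ssh") + build_block(BLOCK_INTEGER, struct.pack(">I", 22)),
)

# Constructed corrupt sample: the inner String block declares length 4, which is
# less than the 8-byte header the guide says the length must include.
BAD_SAMPLE = build_block(BLOCK_LIST, HEADER.pack(BLOCK_STRING, 4) + b"ssh")


def parse_sample():
    return parse_block(SAMPLE)[0]


def parse_bad_sample():
    """Return the error message the walker raises on the corrupt sample."""
    try:
        parse_block(BAD_SAMPLE)
    except BlockError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(parse_sample())
    print(parse_bad_sample())
```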

    Host Discovery and Connection Data Blocks

    For the list of block types in host discovery and connection events, see Table 4-30. The block types in user events are described in Table 4-86. These are all Series 1 data blocks.

    Each entry in the table below contains a link to the subsection where the data block is defined. For each block type, the status (current or legacy) is indicated. A current data block is the latest version. A legacy data block is one that is used for an older version of the product, and the message format can still be requested from eStreamer.

     

    Table 4-30 Host Discovery and Connection Data Block Types

    Type
    Content
    Data Block Status
    Description

    0

    String

    Current

    Contains string data. See String Data Block for more information.

    1

    Sub-Server

    Current

    Contains information about a sub-server detected on a server. See Sub-Server Data Block for more information.

    4

    Protocol

    Current

    Contains protocol data. See Protocol Data Block for more information.

    7

    Integer Data

    Current

    Contains integer (numeric) data. See Integer (INT32) Data Block for more information.

    10

    BLOB

    Current

    Contains a raw block of binary data and is used specifically for banners. See BLOB Data Block for more information.

    11

    List

    Current

    Contains a list of other data blocks. See List Data Block for more information.

    14

    VLAN

    Current

    Contains VLAN information. See VLAN Data Block for more information.

    20

    Intrusion Impact Alert

    Current

    Contains intrusion impact alert information. Intrusion impact alert events have slightly different headers than other data blocks. See Intrusion Impact Alert Data 5.3+ for more information.

    31

    Generic List

    Current

    Contains generic list information, for example, to encapsulate lists of blocks, such as Client Application blocks, in the Host Profile block. See Generic List Block for more information.

    35

    String Information

    Current

    Contains string information. For example, when used in the Scan Vulnerability data block, the String Information data block contains the CVE identification number data. See String Information Data Block.

    37

    Server Banner

    Current

    Contains server banner data. See Server Banner Data Block for more information.

    38

    Attribute Address

    Legacy

    Contains the host attribute address (as documented in earlier versions of the product). The successor block is 146.

    39

    Attribute List Item

    Current

    Contains a host attribute list item value. See Attribute List Item Data Block for more information.

    42

    Host Client Application

    Legacy

    Contains client application information for New Client Application events (as documented for earlier versions of the product).

    47

    Full Host Profile

    Legacy

    Contains complete host profile information (as documented in earlier versions of the product).

    48

    Attribute Value

    Current

    Contains attribute identification numbers and values for host attributes. See Attribute Value Data Block for more information.

    51

    Full Sub-Server

    Current

    Contains information about a sub-server detected on a server. Referenced in Full Server information blocks and in full host profiles. Includes vulnerability information for each sub-server. See Full Sub-Server Data Block for more information.

    53

    Operating System

    Current

    Contains operating system information for Version 3.5+. See Operating System Data Block 3.5+ for more information.

    54

    Policy Engine Control Message

    Current

    Contains information on user policy control changes. See Policy Engine Control Message Data Block for more information.

    55

    Attribute Definition

    Current

    Contains information on attribute definitions. See Attribute Definition Data Block for 4.7+ for more information.

    56

    Connection Statistics

    Legacy

    Contains information for connection statistics events in 4.7 - 4.9.0 (as documented in earlier versions of the product).

    57

    User Protocol

    Current

    Contains protocol information from user input. See User Protocol Data Block for more information.

    59

    User Client Application

    Legacy

    Contains client application data from user input. See User Client Application Data Block for 5.0 - 5.1 for more information. Superseded by block 138.

    60

    User Client Application List

    Current

    Contains lists of user client application data blocks. See User Client Application List Data Block for more information.

    61

    IP Range Specification

    Legacy

    Contains IP address range specifications. See IP Range Specification Data Block for 5.0 - 5.1.1.x for more information. Superseded by block 141.

    62

    Attribute Specification

    Current

    Contains an attribute name and value. See Attribute Specification Data Block for more information.

    63

    MAC Address Specification

    Current

    Contains MAC address range specifications. See MAC Address Specification Data Block for more information.

    64

    IP Address Specification

    Current

    Contains lists of IP and MAC address specification blocks. See Address Specification Data Block for more information.

    65

    User Product

    Legacy

    Contains host input data imported from a third-party application, including third-party application string mappings. See User Product Data Block for 5.0.x for more information. The successor block type 118 introduced for 5.0 has an identical structure as block type 65.

    66

    Connection Chunk

    Legacy

    Contains connection chunk information. See Connection Chunk Data Block for 5.0 - 5.1 for more information. The successor block type 119 introduced for 5.0 has an identical structure as block type 66.

    67

    Fix List

    Current

    Contains a fix that applies to a host. See Fix List Data Block for more information.

    71

    Generic Scan Results

    Legacy

    Contains results from an Nmap scan (as documented in earlier versions of the product).

    72

    Scan Result

    Legacy

    Contains results from a third-party scan (as documented in earlier versions of the product).

    76

    User Server

    Current

    Contains server information from a user input event. See User Server Data Block for more information.

    77

    User Server List

    Current

    Contains lists of user server blocks. See User Server List Data Block for more information.

    78

    User Hosts

    Current

    Contains information about host ranges from a user host input event. See User Hosts Data Block 4.7+ for more information.

    79

    User Vulnerability

    Legacy

    Contains information about a vulnerability for a host or hosts (as documented in earlier versions of the product). The successor block introduced for version 5.0 has block type 124.

    80

    User Host Vulnerability Change

    Current

    Contains lists of deactivated or activated vulnerabilities. See User Vulnerability Change Data Block 4.7+ for more information.

    81

    User Criticality

    Current

    Contains information on criticality changes for a host or host. See User Criticality Change Data Block 4.7+ for more information.

    82

    User Attribute Value

    Current

    Contains attribute value changes for a host or hosts. See User Attribute Value Data Block 4.7+ for more information.

    83

    User Protocol List

    Current

    Contains lists of protocols for a host or hosts. See User Protocol List Data Block 4.7+ for more information.

    85

    Vulnerability List

    Current

    Contains vulnerabilities that apply to a host. See Host Vulnerability Data Block 4.9.0+ for more information.

    86

    Scan Vulnerability

    Legacy

    Contains information on vulnerabilities detected by a scan (as documented in earlier versions of the product).

    87

    Operating System Fingerprint

    Legacy

    Contains lists of operating system fingerprints. See Operating System Fingerprint Data Block for 5.0 - 5.0.2 for more information. The successor block introduced for version 5.1 has block type 130.

    88

    Server Information

    Legacy

    Contains server information used in server fingerprints (as documented in earlier versions of the product).

    89

    Host Server

    Legacy

    Contains server information for a host (as documented in earlier versions of the product).

    90

    Full Host Server

    Legacy

    Contains server information for a host (as documented in earlier versions of the product).

    91

    Host Profile

    Legacy

    Contains profile information for a host. See Host Profile Data Block for 5.2+ for more information. The successor block introduced for version 5.1 has block type 132.

    92

    Full Host Profile

    Legacy

    Contains complete host profile information (as documented in earlier versions of the product). Supersedes data block 47.

    94

    Identity Data

    Current

    Contains identity data for a host. See Identity Data Block for more information.

    95

    Host MAC Address

    Current

    Contains MAC address information for a host. See Host MAC Address 4.9+ for more information.

    96

    Secondary Host Update

    Current

    Contains lists of MAC address information reported by a secondary Secondary Host Update.

    97

    Web Application

    Legacy

    Contains lists of web application data (as documented in earlier versions of the product). The successor block introduced for version 5.0 has block type 123.

    98

    Host Server

    Legacy

    Contains server information for a host (as documented in earlier versions of the product).

    99

    Full Host Server

    Legacy

    Contains server information for a host (as documented in earlier versions of the product).

    100

    Host Client Application

    Legacy

    Contains client application information for New Client Application events (as documented in earlier versions of the product). The successor block type 122 introduced for version 5.0 has the same structure as block type 100.

    101

    Connection Statistics

    Legacy

    Contains information for connection statistics events in 4.9.1+ (as documented in earlier versions of the product).

    102

    Scan Results

    Legacy

    Contains information about a vulnerability and is used within Add Scan Result events. See Scan Result Data Block 5.0 - 5.1.1.x.

    103

    Host Server

    Current

    Contains server information for a host. See Host Server Data Block 4.10.0+ for more information.

    104

    Full Host Server

    Current

    Contains server information for a host. See Full Host Server Data Block 4.10.0+ for more information.

    105

    Server Information

    Legacy

    Contains server information used in server fingerprints. See Server Information Data Block for 4.10.x, 5.0 - 5.0.2 for more information. The successor block type 117 introduced for 5.0 has an identical structure as block type 105.

    106

    Full Server Information

    Current

    Contains information about a server detected on a host. See Full Server Information Data Block for more information.

    108

    Generic Scan Results

    Current

    Contains results from an Nmap scan. See Generic Scan Results Data Block for 4.10.0+ for more information.

    109

    Scan Vulnerability

    Current

    Contains information on vulnerabilities detected by a third-party scan. See Scan Vulnerability Data Block for 4.10.0+.

    111

    Full Host Profile

    Legacy

    Contains complete host profile information. See Full Host Profile Data Block 5.0 - 5.0.2 for more information. Supersedes data block 92.

    112

    Full Host Client Application

    Current

    Contains client application information for New Client Application events and includes a list of vulnerabilities. See Full Host Client Application Data Block 5.0+ for more information.

    115

    Connection Statistics

    Legacy

    Contains information for connection statistics events in 5.0 - 5.0.2. See Connection Statistics Data Block 5.0 - 5.0.2 for more information. The successor block introduced for version 5.1 has block type 126.

    117

    Server Information

    Current

    Contains server information used in server fingerprints. See Server Information Data Block for 4.10.x, 5.0 - 5.0.2 for more information.

    118

    User Product

    Legacy

    Contains host input data imported from a third-party application, including third-party application string mappings. See User Product Data Block for 5.0.x for more information. The predecessor block type 65, superseded in 5.0, has the same structure as this block type. The successor block introduced for version 5.1 has block type 132.

    119

    Connection Chunk

    Legacy

    Contains connection chunk information for versions 4.10.1 - 5.1. See Connection Chunk Data Block for 5.0 - 5.1 for more information. The successor block is 136.

    122

    Host Client Application

    Current

    Contains client application information for New Client Application events for version 5.0+. See Host Client Application Data Block for 5.0+ for more information. It supersedes block type 100.

    123

    Web Application

    Current

    Contains web application data for version 5.0+. See Web Application Data Block for 5.0+ for more information. It supersedes block type 97.

    124

    User Vulnerability

    Current

    Contains information about a vulnerability for a host or hosts. See User Vulnerability Data Block 5.0+. It supersedes block type 79.

    125

    Connection Statistics

    Legacy

    Contains information for connection statistics events in 4.10.2 (as documented in earlier versions of the product). The successor block introduced for version 5.1 has block type 115.

    126  Connection Statistics (Legacy): Contains information for connection statistics events in 5.1. See Connection Statistics Data Block 5.1 for more information. It supersedes block type 115. This block type is superseded by block type 137.

    130  Operating System Fingerprint (Current): Contains lists of operating system fingerprints. See Operating System Fingerprint Data Block 5.1+ for more information. It supersedes block type 87.

    131  Mobile Device Information (Current): Contains information about a detected mobile device’s hardware. See Mobile Device Information Data Block for 5.1+ for more information.

    132  Host Profile (Legacy): Contains profile information for a host. See Full Host Profile Data Block 5.2.x for more information. It supersedes block type 91. Superseded by block 139.

    134  User Product (Current): Contains host input data imported from a third-party application, including third-party application string mappings. See User Product Data Block 5.1+ for more information. This supersedes the predecessor block type 118.

    135  Full Host Profile (Legacy): Contains complete host profile information. See Full Host Profile Data Block 5.1.1 for more information. Supersedes data block 111.

    136  Connection Chunk (Current): Contains connection chunk information. See Connection Chunk Data Block for 6.1+ for more information. Supersedes block 119.

    137  Connection Statistics (Legacy): Contains information for connection events in 5.1.1. See Connection Chunk Data Block for 5.0 - 5.1 for more information. It supersedes block type 126. It is superseded by block type 144.

    138  User Client Application (Current): Contains client application data from user input. See User Client Application Data Block for 5.1.1+ for more information. It supersedes block type.

    139  Host Profile (Current): Contains profile information for a host. See Host Profile Data Block for 5.2+ for more information. It supersedes block type 132.

    140  Full Host Profile (Legacy): Contains complete host profile information. See Full Host Profile Data Block 5.3+ for more information. Supersedes data block 135.

    141  IP Range Specification (Current): Contains IP address range specifications. See IP Address Range Data Block for 5.2+ for more information. It supersedes block 61.

    142  Scan Results (Current): Contains information about a vulnerability and is used within Add Scan Result events. See Scan Result Data Block 5.2+. It supersedes block 102.

    143  Host IP (Current): Contains a host’s IP address and last seen information. See Host IP Address Data Block for more information.

    144  Connection Statistics (Legacy): Contains information for connection events in 5.2.x. See Connection Statistics Data Block 5.2.x for more information. It supersedes block type 137.

    146  Attribute Address (Current): Contains the host attribute address for 5.2+. See Attribute Address Data Block 5.2+ for more information. It supersedes block type 38.

    148  User IOC Change (Current): Contains information about user changes to IOCs. See User IOC Change Data Block 5.3+ for more information.

    149  Full Host Profile (Current): Contains complete host profile information. See Full Host Profile Data Block 5.3+ for more information. Supersedes data block 135.

    152  Connection Statistics (Legacy): Contains information for connection events in 5.3+. See Connection Statistics Data Block 5.3 for more information. It supersedes block type 144.

    154  Connection Statistics (Legacy): Contains information for connection events in 5.3. See Connection Statistics Data Block 5.3.1 for more information. It supersedes block type 152.

    155  Connection Statistics (Legacy): Contains information for connection events in 5.4. See Connection Statistics Data Block 5.4 for more information. It supersedes block type 154.

    157  Connection Statistics (Legacy): Contains information for connection events in 5.4.1. See Connection Statistics Data Block 5.4.1 for more information. It supersedes block type 155.

    160  Connection Statistics (Legacy): Contains information for connection events in 5.4.1. See Connection Statistics Data Block 6.0.x for more information. It supersedes block type 157.

    163  Connection Statistics (Current): Contains information for connection events in 6.0+. See Connection Statistics Data Block 6.2+ for more information. It supersedes block type 160.

    String Data Block

    The String data block is used for sending string data in series 1 blocks. It commonly appears within other series 1 data blocks to describe, for example, operating system or server names.

    Empty string data blocks (string data blocks containing no string data) have a block length value of 8 and are followed by zero bytes of string data. An empty string data block is returned when there is no content for the string value, as might happen, for example, in the OS vendor string field in an Operating System data block when the vendor of the operating system is unknown.

    The String data block has a block type of 0 in the series 1 group of blocks.

    Note: Strings returned in this data block are not always null-terminated (that is, they are not always terminated with a 0).

    The following diagram shows the format of the String data block:

    Byte      0         1         2         3
    Bit       0-7       8-15      16-23     24-31
              String Block Type (0)
              String Block Length
              String Data...

    The following table describes the fields of the String data block.

    Table 4-31 String Data Block Fields

    String Block Type (uint32): Initiates a String data block. This value is always 0.

    String Block Length (uint32): Combined length of the string data block header and string data.

    String Data (string): Contains the string data and may contain a terminating character (null byte) at the end of the string.

    BLOB Data Block

    The BLOB data block can be used to convey binary data. For example, it is used to hold the server banner captured by the system. The BLOB data block has a block type of 10 in the series 1 group of blocks.

    The following diagram shows the format of the BLOB data block:

    Byte      0         1         2         3
    Bit       0-7       8-15      16-23     24-31
              BLOB Block Type (10)
              BLOB Block Length
              BLOB Binary Data...

    The following table describes the fields of the BLOB data block.

    Table 4-32 BLOB Data Block Fields

    BLOB Block Type (uint32): Initiates a BLOB data block. This value is always 10.

    BLOB Block Length (uint32): Number of bytes in the BLOB data block, including eight bytes for the BLOB block type and length fields, plus the length of the binary data that follows.

    Binary Data (variable): Contains binary data, typically a server banner.

    List Data Block

    The List data block is used to encapsulate a list of series 1 data blocks. For example, if a list of TCP servers is being transmitted, the Server data blocks containing the data are encapsulated in a List data block. The List data block has a block type of 11 in the series 1 group of blocks.

    The following diagram shows the basic format of a List data block:

    Byte      0         1         2         3
    Bit       0-7       8-15      16-23     24-31
              List Block Type (11)
              List Block Length
              Encapsulated Data Blocks...

    The following table describes the fields of the List data block.

    Table 4-33 List Data Block Fields

    List Block Type (uint32): Initiates a List data block. This value is always 11.

    List Block Length (uint32): Number of bytes in the list block and encapsulated data. For example, if there were three sub-server data blocks included in the list, the value here would include the number of bytes in the sub-server blocks, plus eight bytes for the list block header.

    Encapsulated Data Blocks (variable): Encapsulated data blocks up to the maximum number of bytes in the list block length.

    Generic List Block

    The Generic List data block is used to encapsulate a list of series 1 data blocks. For example, when client application information is transmitted within a Host Profile data block, a list of Client Application data blocks are encapsulated by the Generic List data block. The Generic List data block has a block type of 31 in the series 1 group of blocks.

    The following diagram shows the basic structure of a Generic List data block:

    Byte      0         1         2         3
    Bit       0-7       8-15      16-23     24-31
              Generic List Block Type (31)
              Generic List Block Length
              Encapsulated Data Blocks...

    The following table describes the fields of the Generic List data block.

    Table 4-34 Generic List Data Block Fields

    Generic List Block Type (uint32): Initiates a Generic List data block. This value is always 31.

    Generic List Block Length (uint32): Number of bytes in the Generic List block and encapsulated data blocks. This number includes the eight bytes of the generic list block header fields, plus the number of bytes in all of the encapsulated data blocks.

    Encapsulated Data Blocks (variable): Encapsulated data blocks up to the maximum number of bytes in the list block length.
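    The String, BLOB, List and Generic List blocks above share one shape: a uint32 block type, a uint32 block length that counts its own eight-byte header, and a payload. The following Python is an added example, not code from the guide or from Cisco's eStreamer client, that parses those four block types from a constructed byte string. It assumes the header fields are big-endian (network byte order). The checks it makes are the ones that matter when the bytes come from a remote peer: a block length below 8 is rejected outright (a walker that advances by block length would otherwise never move), a block may not extend past the end of the list that encloses it, and a String payload is decoded whether or not it carries the optional trailing NUL.

```python
import struct

# Series 1 block header: uint32 block type, uint32 block length.
# Assumption: both are big-endian (network byte order).
HEADER = struct.Struct(">II")
HEADER_LEN = HEADER.size  # 8 bytes: also the minimum legal block length

STRING_BLOCK = 0
BLOB_BLOCK = 10
LIST_BLOCK = 11
GENERIC_LIST_BLOCK = 31


class MalformedBlock(ValueError):
    """Raised when a block length disagrees with the bytes actually available."""


def read_header(buf, offset=0, limit=None):
    """Return (block_type, block_length) for the block at offset.

    limit is the end of the enclosing block; an inner block may never reach
    past it. A length below 8 is rejected because a walker that advances by
    block length would otherwise spin forever on the same offset.
    """
    end = len(buf) if limit is None else limit
    if offset + HEADER_LEN > end:
        raise MalformedBlock(f"truncated header at offset {offset}")
    btype, blen = HEADER.unpack_from(buf, offset)
    if blen < HEADER_LEN:
        raise MalformedBlock(f"block length {blen} < {HEADER_LEN} at offset {offset}")
    if offset + blen > end:
        raise MalformedBlock(f"block of {blen} bytes at offset {offset} overruns end {end}")
    return btype, blen


def encode_block(btype, payload):
    """Build a series 1 block: header plus payload, length counting the header."""
    return HEADER.pack(btype, HEADER_LEN + len(payload)) + payload


def string_from_payload(payload):
    """Decode String block data; the terminating NUL is optional, so strip at most one."""
    if payload.endswith(b"\x00"):
        payload = payload[:-1]
    return payload.decode("utf-8", errors="replace")


def parse_string(buf, offset=0):
    """Parse a String block (type 0); returns (text, block_length)."""
    btype, blen = read_header(buf, offset)
    if btype != STRING_BLOCK:
        raise MalformedBlock(f"expected String block (0), got type {btype}")
    return string_from_payload(buf[offset + HEADER_LEN:offset + blen]), blen


def iter_blocks(buf, offset=0):
    """Yield (type, payload) for each block encapsulated in a List (11) or Generic List (31)."""
    outer_type, outer_len = read_header(buf, offset)
    if outer_type not in (LIST_BLOCK, GENERIC_LIST_BLOCK):
        raise MalformedBlock(f"type {outer_type} is not a List or Generic List block")
    pos = offset + HEADER_LEN
    end = offset + outer_len
    while pos < end:
        btype, blen = read_header(buf, pos, limit=end)
        yield btype, buf[pos + HEADER_LEN:pos + blen]
        pos += blen


def decode_list(buf, offset=0):
    """Decode the Strings and BLOBs in a list; other block types are skipped by length."""
    items = []
    for btype, payload in iter_blocks(buf, offset):
        if btype == STRING_BLOCK:
            items.append(("string", string_from_payload(payload)))
        elif btype == BLOB_BLOCK:
            items.append(("blob", bytes(payload)))
        else:
            items.append(("unknown", btype, len(payload)))
    return items


# Constructed sample: a Generic List holding three String blocks and one BLOB.
SAMPLE_LIST = encode_block(
    GENERIC_LIST_BLOCK,
    encode_block(STRING_BLOCK, b"Apache\x00")    # NUL-terminated
    + encode_block(STRING_BLOCK, b"nginx")       # not NUL-terminated
    + encode_block(STRING_BLOCK, b"")            # empty string: block length 8
    + encode_block(BLOB_BLOCK, b"SSH-2.0-OpenSSH\r\n"),
)

if __name__ == "__main__":
    for item in decode_list(SAMPLE_LIST):
        print(item)
```

    Running the block prints the three strings (the empty one included) and the BLOB. Feeding it a list whose inner block claims a length of 4, or a length that runs past the end of the enclosing list, raises MalformedBlock instead of looping or reading adjacent memory.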

    Sub-Server Data Block

    The Sub-Server data block conveys information about an individual sub-server, which is a server called by another server on the same host and has associated vulnerabilities. The Sub-Server data block has a block type of 1 in the series 1 group of blocks.

    The following diagram shows the format of the Sub-Server data block:

    Byte      0         1         2         3
    Bit       0-7       8-15      16-23     24-31
              Sub-Server Block Type (1)
              Sub-Server Block Length
    Sub-Server Name:
              String Block Type (0)
              String Block Length
              Sub-Server Name...
    Vendor Name:
              String Block Type (0)
              String Block Length
              Vendor Name...
    Version:
              String Block Type (0)
              String Block Length
              Version...

    The following table describes the fields of the Sub-Server data block.

    Table 4-35 Sub-Server Data Block Fields

    Sub-Server Block Type (uint32): Initiates a Sub-Server data block. This value is always 1.

    Sub-Server Block Length (uint32): Total number of bytes in the Sub-Server data block, including eight bytes for the Sub-Server block type and length fields, plus the number of bytes of data that follows.

    String Block Type (uint32): Initiates a String data block containing the sub-server name. This value is always 0.

    String Block Length (uint32): Number of bytes in the sub-server name String data block, including the string block type and length fields, plus the number of bytes in the sub-server name.

    Sub-Server Name (string): Name of the sub-server.

    String Block Type (uint32): Initiates a String data block that contains the sub-server vendor. This value is always 0.

    String Block Length (uint32): Number of bytes in the vendor name String data block, including the string block type and length fields, plus the number of bytes in the vendor name.

    Vendor Name (string): Sub-server vendor name.

    String Block Type (uint32): Initiates a String data block that contains the sub-server version. This value is always 0.

    String Block Length (uint32): Number of bytes in the Sub-Server version String data block, including the string block type and length fields, plus the number of bytes in the version.

    Version (string): Sub-server version.

    Protocol Data Block

    The Protocol data block defines protocols. It is a very simple data block, with only the block type, block length, and the IANA protocol number identifying the protocol. The Protocol data block has a block type of 4 in the series 1 group of blocks.

    The following diagram shows the format of the Protocol data block:

    Byte      0         1         2         3
    Bit       0-7       8-15      16-23     24-31
              Protocol Block Type (4)
              Protocol Block Length
              Protocol

    The following table describes the fields of the Protocol data block.

    Table 4-36 Protocol Data Block Fields

    Protocol Block Type (uint32): Initiates a Protocol data block. This value is always 4.

    Protocol Block Length (uint32): Number of bytes in the Protocol data block. This value is always 10.

    Protocol (uint16): IANA protocol number or Ethertype. This is handled differently for Transport and Network layer protocols.

    Transport layer protocols are identified by the IANA protocol number. For example:

    • 6 — TCP
    • 17 — UDP

    Network layer protocols are identified by the decimal form of the IEEE Registration Authority Ethertype. For example:

    • 2048 — IP

    Integer (INT32) Data Block

    The Integer (INT32) data block is used in List data blocks to convey 32-bit integer data.

    The Integer data block has a block type of 7 in the series 1 group of blocks.

    The following diagram shows the format of the Integer data block:

    Byte      0         1         2         3
    Bit       0-7       8-15      16-23     24-31
              Integer Block Type (7)
              Integer Block Length
              Integer

    The following table describes the fields of the Integer data block:

    Table 4-37 Integer Data Block Fields

    Integer Block Type (uint32): Initiates an Integer data block. The value is always 7.

    Integer Block Length (uint32): Number of bytes in the Integer data block. This value is always 12.

    Integer (uint32): Contains the integer value.

    VLAN Data Block

    The VLAN data block contains VLAN tag information for a host. The VLAN data block has a block type of 14 in the series 1 group of blocks. The following diagram shows the format of the VLAN data block:

    Byte      0         1         2         3
    Bit       0-7       8-15      16-23     24-31
              VLAN Block Type (14)
              VLAN Block Length
              VLAN ID             | VLAN Type | VLAN Priority

    The following table describes the fields of the VLAN data block.

    Table 4-38 VLAN Data Block Fields

    VLAN Block Type (uint32): Initiates a VLAN data block. This value is always 14.

    VLAN Block Length (uint32): Number of bytes in the VLAN data block. This value is always 12.

    VLAN ID (uint16): Contains the VLAN identification number that indicates which VLAN the host is a member of.

    VLAN Type (uint8): Type of packet encapsulated in the VLAN tag.

    • 0 — Ethernet
    • 1 — Token Ring

    VLAN Priority (uint8): Priority value included in the VLAN tag.

    Server Banner Data Block

    The Server Banner data block provides information about the banner for a server running on a host. It contains the server port, protocol, and the banner data. The Server Banner data block has a block type of 37 in the series 1 group of blocks.

    The following diagram shows the format of the Server Banner data block.

    Note: An asterisk (*) next to a block type field in the following diagram indicates the message may contain zero or more instances of the series 1 data block.

    Byte      0         1         2         3
    Bit       0-7       8-15      16-23     24-31
              Server Banner Block Type (37)
              Server Banner Block Length
              Port                | Protocol  | BLOB Block Type (10)
    Svr Banner (BLOB):
              BLOB Block Type (10), cont.     | BLOB Length
              BLOB Length, cont.              | Server Banner Data...
              Server Banner Data, cont....

    The following table describes the fields of the Server Banner data block.

    Table 4-39 Server Banner Data Block Fields

    Server Banner Block Type (uint32): Initiates a Server Banner data block. This value is always 37.

    Server Banner Block Length (uint32): Total number of bytes in the Server Banner data block, including the eight bytes in the server banner block type and length fields, plus the number of bytes of data that follows.

    Port (uint16): Port number on which the server runs.

    Protocol (uint8): Protocol number for the server.

    BLOB Block Type (uint32): Initiates a BLOB data block containing server banner data. This value is always 10.

    Length (uint32): Total number of bytes in the BLOB data block (typically 264 bytes).

    Banner (byte[n]): First n bytes of the packet involved in the server event, where n is equal to or less than 256.
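    The Server Banner block is the one place in this chapter where a nested block starts at an odd offset: the port (2 bytes) and protocol (1 byte) put the BLOB header at byte 11 of the block, so it cannot be read with an aligned word-by-word walk. The following Python is an added example, not code from the guide or from Cisco's eStreamer client, that parses a constructed Server Banner block at that offset, insists that the BLOB length and the outer block length agree, and enforces the 256-byte cap on the banner. It assumes big-endian fields, and the sample uses 6 (TCP) for the protocol byte. Because the banner is whatever the remote server sent, printable_banner escapes everything outside printable ASCII before it goes into a log line.

```python
import struct

SERVER_BANNER_BLOCK = 37
BLOB_BLOCK = 10
HEADER = struct.Struct(">II")   # block type, block length (assumed big-endian)
FIXED = struct.Struct(">HB")    # port (uint16), protocol (uint8)
MAX_BANNER = 256                # the guide caps the banner at 256 bytes
# Header occupies bytes 0-7, port/protocol bytes 8-10, so the BLOB header
# begins at byte 11: not 4-byte aligned.
BLOB_OFFSET = HEADER.size + FIXED.size


def parse_server_banner(buf, offset=0):
    """Parse a Server Banner block; returns dict(port, protocol, banner)."""
    if offset + BLOB_OFFSET + HEADER.size > len(buf):
        raise ValueError("buffer too short for a Server Banner block")
    btype, blen = HEADER.unpack_from(buf, offset)
    if btype != SERVER_BANNER_BLOCK:
        raise ValueError(f"expected block type 37, got {btype}")
    if blen < BLOB_OFFSET + HEADER.size or offset + blen > len(buf):
        raise ValueError(f"block length {blen} inconsistent with buffer")
    port, protocol = FIXED.unpack_from(buf, offset + HEADER.size)
    blob_type, blob_len = HEADER.unpack_from(buf, offset + BLOB_OFFSET)
    if blob_type != BLOB_BLOCK:
        raise ValueError(f"expected BLOB block type 10, got {blob_type}")
    # The BLOB is the last thing in the block, so it must fill it exactly.
    if blob_len < HEADER.size or BLOB_OFFSET + blob_len != blen:
        raise ValueError("BLOB length does not match Server Banner block length")
    start = offset + BLOB_OFFSET + HEADER.size
    banner = bytes(buf[start:offset + blen])
    if len(banner) > MAX_BANNER:
        raise ValueError(f"banner of {len(banner)} bytes exceeds the {MAX_BANNER}-byte limit")
    return {"port": port, "protocol": protocol, "banner": banner}


def printable_banner(banner):
    """Render banner bytes for a log line: keep printable ASCII, escape everything else."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in banner)


def encode_server_banner(port, protocol, banner):
    """Build a Server Banner block around the given banner bytes (for samples and tests)."""
    blob = HEADER.pack(BLOB_BLOCK, HEADER.size + len(banner)) + banner
    body = FIXED.pack(port, protocol) + blob
    return HEADER.pack(SERVER_BANNER_BLOCK, HEADER.size + len(body)) + body


# Constructed sample: TCP (protocol 6) on port 22 with an SSH banner.
SAMPLE = encode_server_banner(22, 6, b"SSH-2.0-OpenSSH_8.9\r\n")

if __name__ == "__main__":
    rec = parse_server_banner(SAMPLE)
    print(rec["port"], rec["protocol"], printable_banner(rec["banner"]))
```

    A full-size banner (256 bytes of data, BLOB length 264, block length 275) parses; one byte more is refused rather than passed along to whatever consumes the banner.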

    String Information Data Block

    The String Information data block contains string data. For example, the String Information data block is used to convey the Common Vulnerabilities and Exposures (CVE) identification string within a Scan Vulnerability data block. The String Information data block has a block type of 35 in the series 1 group of blocks.

    The following diagram shows the format of the String Information data block:

    Byte      0         1         2         3
    Bit       0-7       8-15      16-23     24-31
              String Information Block Type (35)
              String Information Block Length
    CVE ID:
              String Block Type (0)
              String Block Length
              Value...

    The following table describes the fields of the String Information data block.

    Table 4-40 String Information Data Block Fields

    String Information Block Type (uint32): Initiates a String Information data block. This value is always 35.

    String Information Block Length (uint32): Combined length of the String Information data block header and String Information data.

    String Block Type (uint32): Initiates a string data block for the value.

    String Block Length (uint32): Number of bytes in the string data block for the value, including eight bytes for the string block type and length, plus the number of bytes in the value.

    Value (string): The value of the Common Vulnerabilities and Exposures (CVE) identification number for the vulnerability data block where the String Information data block is used.

    Attribute Address Data Block 5.2+

    The Attribute Address data block contains an attribute list item and is used within an Attribute Definition data block. It has a block type of 146 in the series 1 group of blocks.

    The following diagram shows the basic structure of an Attribute Address data block:

    Byte      0         1         2         3
    Bit       0-7       8-15      16-23     24-31
              Attribute Address Block Type (146)
              Attribute Address Block Length
              Attribute ID
              IP Address
              IP Address, continued
              IP Address, continued
              IP Address, continued
              Bits

    The following table describes the fields of the Attribute Address data block.

    Table 4-41 Attribute Address Data Block 5.2+ Fields

    Attribute Address Block Type (uint32): Initiates an Attribute Address data block. This value is always 146.

    Attribute Address Block Length (uint32): Number of bytes in the Attribute Address data block, including eight bytes for the attribute address block type and length, plus the number of bytes in the attribute address data that follows.

    Attribute ID (uint32): Identification number of the affected attribute, if applicable.

    IP Address (uint8[16]): IP address of the host, if the address was automatically assigned. The address can be IPv4 or IPv6.

    Bits (uint32): Contains the significant bits used to calculate the netmask if an IP address was automatically assigned.
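    The Attribute Address block is fixed-size (8-byte header, 4-byte attribute ID, 16-byte address, 4-byte bit count, 32 bytes in all), and its two interesting fields combine into a network: the 16-byte address plus the number of significant bits. The following Python is an added example, not code from the guide or from Cisco's eStreamer client. The guide does not say how an IPv4 address is laid out in the 16-byte field; the example assumes it is IPv4-mapped (::ffff:a.b.c.d) and that Bits then counts IPv4 prefix bits (0 to 32), while an IPv6 address uses Bits as a 0 to 128 prefix length. Both are labelled as assumptions in the code. The resulting network object is what a consumer needs to decide whether a given host falls under the attribute.

```python
import ipaddress
import struct

ATTRIBUTE_ADDRESS_BLOCK = 146
# block type, block length, attribute id, 16-byte address, significant bits
# (assumed big-endian)
LAYOUT = struct.Struct(">III16sI")
BLOCK_LEN = LAYOUT.size  # 32 bytes for this fixed-size block


def parse_attribute_address(buf, offset=0):
    """Return (attribute_id, ip_network) from an Attribute Address block.

    Assumption (not stated in the guide): an IPv4 address in the 16-byte field
    is carried IPv4-mapped (::ffff:a.b.c.d) and Bits then counts IPv4 prefix
    bits (0-32); an IPv6 address uses Bits as a 0-128 prefix length.
    """
    if offset + BLOCK_LEN > len(buf):
        raise ValueError("buffer too short for an Attribute Address block")
    btype, blen, attr_id, raw_ip, bits = LAYOUT.unpack_from(buf, offset)
    if btype != ATTRIBUTE_ADDRESS_BLOCK:
        raise ValueError(f"expected block type 146, got {btype}")
    if blen != BLOCK_LEN:
        raise ValueError(f"block length {blen} != {BLOCK_LEN}")
    addr = ipaddress.IPv6Address(raw_ip)
    if addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if not 0 <= bits <= addr.max_prefixlen:
        raise ValueError(f"{bits} significant bits is out of range for {addr}")
    # strict=False: host bits present in the address are masked off, not rejected
    network = ipaddress.ip_network((str(addr), bits), strict=False)
    return attr_id, network


def encode_attribute_address(attr_id, address, bits):
    """Build an Attribute Address block (for samples and tests)."""
    addr = ipaddress.ip_address(address)
    if addr.version == 4:
        # IPv4-mapped form, per the assumption documented above
        addr = ipaddress.IPv6Address(f"::ffff:{addr}")
    return LAYOUT.pack(ATTRIBUTE_ADDRESS_BLOCK, BLOCK_LEN, attr_id, addr.packed, bits)


def host_in_attribute_range(block, host):
    """True if host (a string) falls inside the range this Attribute Address block describes."""
    _, network = parse_attribute_address(block)
    return ipaddress.ip_address(host) in network


# Constructed samples: attribute 7 covers 10.1.2.0/24, attribute 8 covers 2001:db8::/32.
SAMPLE_V4 = encode_attribute_address(7, "10.1.2.3", 24)
SAMPLE_V6 = encode_attribute_address(8, "2001:db8::1", 32)

if __name__ == "__main__":
    for block in (SAMPLE_V4, SAMPLE_V6):
        print(parse_attribute_address(block))
```

    An address of the other family is simply "not in range" rather than an error, and a Bits value larger than the address family allows is rejected before it can produce a nonsensical mask.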

    User IOC Change Data Block 5.3+

    The User IOC Change data block contains information regarding IOC changes made by a user. It is used within the User Host IOC Delete, User Host IOC Enable, and User Host IOC Disable records. It has a block type of 148 in the series 1 group of blocks.

    The following diagram shows the basic structure of a User IOC Change data block:

    Byte      0         1         2         3
    Bit       0-7       8-15      16-23     24-31
              User IOC Change Block Type (148)
              User ID
              Source Type
    IP Address Ranges:
              Generic List Block Type (31)
              Generic List Block Length
              IP Range Specification Data Blocks*
              IOC ID
              Target UID

    The following table describes the fields of the User IOC Change data block.

    Table 4-42 User IOC Change Data Block 5.3+ Fields

    User IOC Change Block Type (uint32): Initiates a User IOC Change data block. This value is always 148.

    User ID (uint32): ID number of the user who made the IOC change.

    Source Type (uint32): Number that maps to the type of data source:

    • 0 if the client data was detected by RNA
    • 1 if the client data was provided by a user
    • 2 if the client data was detected by a third-party scanner
    • 3 if the client data was provided by a command line tool such as nmimport.pl or the Host Input API client

    Generic List Block Type (uint32): Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always 31.

    Generic List Block Length (uint32): Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks.

    IP Range Specification Data Blocks * (variable): IP Range Specification data blocks containing information about the IP address ranges for the user input. See IP Address Range Data Block for 5.2+ for a description of this data block.

    IOC ID (uint32): ID number of the IOC being changed.

    Target UID (uint32): Not used in events supported for eStreamer output.

    Attribute List Item Data Block

    The Attribute List Item data block contains an attribute list item and is used within an Attribute Definition data block. It has a block type of 39 in the series 1 group of blocks.

    The following diagram shows the basic structure of an Attribute List Item data block:

    Byte      0         1         2         3
    Bit       0-7       8-15      16-23     24-31
              Attribute List Item Block Type (39)
              Attribute List Item Block Length
              Attribute ID
    Attr Name:
              String Block Type (0)
              String Block Length
              Name...

    The following table describes the fields of the Attribute List Item data block.

    Table 4-43 Attribute List Item Data Block Fields

    Attribute List Item Block Type (uint32): Initiates an Attribute List Item data block. This value is always 39.

    Attribute List Item Block Length (uint32): Number of bytes in the Attribute List Item data block, including eight bytes for the attribute list item block type and length, plus the number of bytes in the attribute list item data that follows.

    Attribute ID (uint32): Identification number of the affected attribute, if applicable.

    String Block Type (uint32): Initiates a String data block for the attribute list item name. This value is always 0.

    String Block Length (uint32): Number of bytes in the String data block for the attribute list item name, including eight bytes for the string block type and length, plus the number of bytes in the attribute list item name.

    Name (string): Attribute list item name.

    Attribute Value Data Block

    The Attribute Value data block conveys attribute identification numbers and values for host attributes. An Attribute Value data block for each attribute applied to the host in the event is included in a list in the Full Host Profile data block. The Attribute Value data block has a block type of 48 in the series 1 group of blocks.

    The following diagram shows the format of the Attribute Value data block:

    Byte      0         1         2         3
    Bit       0-7       8-15      16-23     24-31
              Attribute Value Block Type (48)
              Attribute Value Block Length
              Attribute ID
              Attribute Type
              Attribute Integer Value
              String Block Type (0)
              String Block Length
              Attribute Value String...

    The following table describes the components of the Attribute Value data block.

    Table 4-44 Attribute Value Data Block Fields

    Attribute Value Block Type (uint32): Initiates an Attribute Value data block. This value is always 48.

    Attribute Value Block Length (uint32): Total number of bytes in the Attribute Value data block, including eight bytes for the attribute value block type and length fields, plus the number of bytes of attribute block data that follows.

    Attribute ID (uint32): The identification number for the attribute.

    Attribute Type (uint32): Type of affected attribute. Possible values are:

    • 0 — Attribute with text as value; this uses string data
    • 1 — Attribute with value in range; this uses integer data
    • 2 — Attribute with a list of possible values; this uses integer data
    • 3 — Attribute with a URL as value; this uses string data
    • 4 — Attribute with binary BLOB as value; this uses string data

    Attribute Integer Value (uint32): Integer value for the attribute, if applicable.

    String Block Type (uint32): Initiates a String data block containing the attribute name. This value is always 0.

    String Block Length (uint32): Number of bytes in the String data block, including the string block type and length fields, plus the number of bytes in the attribute name.

    Attribute Value (string): Value of the attribute.
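    The Attribute Value block carries both an integer field and a String block, and the Attribute Type field decides which of them is meaningful: types 1 and 2 use the integer, types 0, 3 and 4 use the string data. The following Python is an added example, not code from the guide or from Cisco's eStreamer client, that parses a constructed Attribute Value block and returns only the value the type selects, so a consumer cannot accidentally act on the unused field. It assumes big-endian fields. Because the String block is the last component, its length and the outer block length must agree exactly; the parser rejects a block where they do not.

```python
import struct

ATTRIBUTE_VALUE_BLOCK = 48
STRING_BLOCK = 0
# Fixed part, seven uint32 fields (assumed big-endian): block type, block
# length, attribute id, attribute type, integer value, string block type,
# string block length.
FIXED = struct.Struct(">7I")
FIXED_LEN = FIXED.size  # 28 bytes

# Attribute Type values from the guide and which payload each one uses.
ATTRIBUTE_TYPES = {
    0: ("text", "string"),
    1: ("range", "integer"),
    2: ("list", "integer"),
    3: ("url", "string"),
    4: ("blob", "string"),
}


def parse_attribute_value(buf, offset=0):
    """Return (attribute_id, kind, value); value comes from the field the type uses."""
    if offset + FIXED_LEN > len(buf):
        raise ValueError("buffer too short for an Attribute Value block")
    (btype, blen, attr_id, attr_type, int_value,
     str_type, str_len) = FIXED.unpack_from(buf, offset)
    if btype != ATTRIBUTE_VALUE_BLOCK:
        raise ValueError(f"expected block type 48, got {btype}")
    if str_type != STRING_BLOCK:
        raise ValueError(f"expected String block type 0, got {str_type}")
    # 20 fixed bytes precede the String block, which must fill the rest exactly.
    if str_len < 8 or blen != FIXED_LEN - 8 + str_len or offset + blen > len(buf):
        raise ValueError("String block length inconsistent with Attribute Value block length")
    if attr_type not in ATTRIBUTE_TYPES:
        raise ValueError(f"unknown attribute type {attr_type}")
    kind, uses = ATTRIBUTE_TYPES[attr_type]
    if uses == "integer":
        return attr_id, kind, int_value
    raw = bytes(buf[offset + FIXED_LEN:offset + blen])
    if kind == "blob":
        return attr_id, kind, raw            # binary value: keep the bytes as-is
    if raw.endswith(b"\x00"):               # the NUL terminator is optional
        raw = raw[:-1]
    return attr_id, kind, raw.decode("utf-8", errors="replace")


def encode_attribute_value(attr_id, attr_type, int_value=0, data=b""):
    """Build an Attribute Value block (for samples and tests)."""
    str_len = 8 + len(data)
    return FIXED.pack(ATTRIBUTE_VALUE_BLOCK, FIXED_LEN - 8 + str_len, attr_id,
                      attr_type, int_value, STRING_BLOCK, str_len) + data


# Constructed samples: a range attribute, a text attribute and a URL attribute.
SAMPLES = [
    encode_attribute_value(5, 1, int_value=42),
    encode_attribute_value(9, 0, data=b"Lab host\x00"),
    encode_attribute_value(11, 3, data=b"https://example.invalid/asset/9"),
]

if __name__ == "__main__":
    for block in SAMPLES:
        print(parse_attribute_value(block))
```

    For a list attribute (type 2) the integer is the selected value and any string data present is ignored; for a BLOB attribute (type 4) the bytes are returned untouched, since stripping a trailing zero byte from binary data would corrupt it.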

    Full Sub-Server Data Block

    The Full Sub-Server data block conveys information about a sub-server associated with a server detected on a host, and includes information about the sub-server such as its vendor and version and any related VDB and third-party vulnerabilities for the sub-server on the host. A sub-server is a loadable module of a server that has its own associated vulnerabilities. A Full Host Server data block includes a Full Sub-Server data block for each sub-server detected on the host. The Full Sub-Server data block has a block type of 51 in the series 1 group of blocks.

    Note: An asterisk (*) next to a series 1 data block name in the following diagram indicates that multiple instances of the data block may occur.

    The following diagram shows the format of the Full Sub-Server data block:

    Byte      0         1         2         3
    Bit       0-7       8-15      16-23     24-31
              Full Sub-Server Block Type (51)
              Full Sub-Server Block Length
              String Block Type (0)
              String Block Length
              Sub-Server Name String...
              String Block Type (0)
              String Block Length
              Sub-Server Vendor Name String...
              String Block Type (0)
              String Block Length
              Sub-Server Version String...
              Generic List Block Type (31)
              Generic List Block Length
              (VDB) Host Vulnerability Data Blocks*
              Generic List Block Type (31)
              Generic List Block Length
              (Third-Party Scan) Host Vulnerability Data Blocks*

    The following table describes the components of the Full Sub-Server data block.

    Table 4-45 Full Sub-Server Data Block Fields

    Full Sub-Server Block Type (uint32): Initiates a Full Sub-Server data block. This value is always 51.

    Full Sub-Server Block Length (uint32): Total number of bytes in the Full Sub-Server data block, including eight bytes for the Full Sub-Server block type and length fields, plus the number of bytes in the full sub-server data that follows.

    String Block Type (uint32): Initiates a String data block containing the sub-server name. This value is always 0.

    String Block Length (uint32): Number of bytes in the sub-server name String data block, including eight bytes for the block type and length fields, plus the number of bytes in the sub-server name.

    Sub-Server Name (string): Sub-server name.

    String Block Type (uint32): Initiates a String data block containing the sub-server vendor’s name. This value is always 0.

    String Block Length (uint32): Number of bytes in the vendor name String data block, including eight bytes for the block type and length fields, plus the number of bytes in the sub-server vendor name.

    Sub-Server Vendor Name (string): Name of the sub-server vendor.

    String Block Type (uint32): Initiates a String data block that contains the sub-server version. This value is always 0.

    String Block Length (uint32): Number of bytes in the sub-server version String data block, including eight bytes for the block type and length fields, plus the number of bytes in the sub-server version.

    Sub-Server Version (string): Sub-server version.

    Generic List Block Type (uint32): Initiates a Generic List data block comprising Host Vulnerability data blocks conveying VDB Vulnerability data. This value is always 31.

    Generic List Block Length (uint32): Number of bytes in the Generic List data block, including the list header and all encapsulated Host Vulnerability data blocks.

    VDB Host Vulnerability Data Blocks * (variable): Host Vulnerability data blocks containing information about host vulnerabilities identified by Cisco. See Host Vulnerability Data Block 4.9.0+ for a description of this data block.

    Generic List Block Type (uint32): Initiates a Generic List data block comprising Host Vulnerability data blocks conveying Third-Party Scan Vulnerability data. This value is always 31.

    Generic List Block Length (uint32): Number of bytes in the Generic List data block, including the list header and all encapsulated Host Vulnerability data blocks.

    Third-Party Scan Host Vulnerability Data Blocks * (variable): Host Vulnerability data blocks containing information about host vulnerabilities identified by a third-party vulnerability scanner. See Host Vulnerability Data Block 4.9.0+ for a description of this data block.

    Operating System Data Block 3.5+

    The operating system data block for Version 3.5+ has a block type of 53 in the series 1 group of blocks. The block includes a fingerprint Universally Unique Identifier (UUID). The following diagram shows the format of an operating system data block in 3.5+; each row is one 32-bit word:

        Operating System Block Type (53)
        Operating System Block Length
        Confidence
        Fingerprint UUID
        Fingerprint UUID, continued
        Fingerprint UUID, continued
        Fingerprint UUID, continued

    The following table describes the fields of the 3.5+ operating system data block.

    Table 4-46 Operating System Data Block 3.5+ Fields

    Operating System Data Block Type (uint32)
        Initiates the operating system data block. This value is always 53.

    Operating System Data Block Length (uint32)
        Number of bytes in the Operating System data block. This value is always 28: eight bytes for the block type and length fields, plus four bytes for the confidence value and sixteen bytes for the fingerprint UUID. A block that advertises any other length is malformed.

    Confidence (uint32)
        Confidence percentage value.

    Fingerprint UUID (uint8[16])
        Fingerprint identifier, in octets, that acts as a unique identifier for the operating system. The fingerprint UUID maps to the operating system name, vendor, and version in the Cisco database.
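    As an added example (not code from the eStreamer guide or from Cisco), the following Python parses the fixed 28-byte Operating System data block described above and applies the checks a consumer should make before trusting it: the block type is 53, the advertised length is exactly 28 and does not exceed the bytes actually received, and the confidence is a percentage. It assumes eStreamer's network (big-endian) byte order and that the sixteen UUID octets are in RFC 4122 order; the sample block and its fingerprint UUID are constructed here, not taken from a Cisco database.

```python
"""Parse an eStreamer Operating System data block (series 1, block type 53).

Added example, not code from the Cisco eStreamer guide. Assumptions: integers
are big-endian (network byte order) and the 16 UUID octets are in RFC 4122
order. The sample block below is constructed, not captured from a sensor.
"""
import struct
import uuid

OS_BLOCK_TYPE = 53
OS_BLOCK_LENGTH = 28  # 8-byte header + 4-byte confidence + 16-byte UUID
HEADER = struct.Struct(">II")  # block type, block length


class BlockError(ValueError):
    """Raised when a block does not match the documented layout."""


def parse_os_block(buf: bytes, offset: int = 0) -> dict:
    """Return the fields of the OS block that starts at buf[offset].

    Every length the producer claims is checked against the bytes actually
    present before it is used, so a truncated or forged length cannot make
    the consumer read past the block into whatever follows it.
    """
    if len(buf) - offset < HEADER.size:
        raise BlockError("truncated block header")
    block_type, block_len = HEADER.unpack_from(buf, offset)
    if block_type != OS_BLOCK_TYPE:
        raise BlockError(f"expected block type {OS_BLOCK_TYPE}, got {block_type}")
    if block_len != OS_BLOCK_LENGTH:
        raise BlockError(f"OS block length must be {OS_BLOCK_LENGTH}, got {block_len}")
    if len(buf) - offset < block_len:
        raise BlockError("block length exceeds the bytes available")
    (confidence,) = struct.unpack_from(">I", buf, offset + HEADER.size)
    if confidence > 100:
        raise BlockError(f"confidence {confidence} is not a percentage")
    raw_uuid = buf[offset + 12 : offset + 28]
    return {
        "confidence": confidence,
        "fingerprint_uuid": str(uuid.UUID(bytes=raw_uuid)),
        "next_offset": offset + block_len,  # where the next block begins
    }


def build_os_block(confidence: int, fingerprint: uuid.UUID) -> bytes:
    """Encode an OS block; used only to construct sample input here."""
    return (HEADER.pack(OS_BLOCK_TYPE, OS_BLOCK_LENGTH)
            + struct.pack(">I", confidence) + fingerprint.bytes)


def is_well_formed(buf: bytes) -> bool:
    """True if buf starts with a valid OS block, False otherwise."""
    try:
        parse_os_block(buf)
    except BlockError:
        return False
    return True


# Constructed sample: a made-up fingerprint UUID, not a real Cisco fingerprint.
SAMPLE_UUID = uuid.UUID("12345678-9abc-4def-8012-3456789abcde")
SAMPLE_BLOCK = build_os_block(95, SAMPLE_UUID)

if __name__ == "__main__":
    print(parse_os_block(SAMPLE_BLOCK))
    # The length field still says 28, but only 20 bytes arrived: rejected.
    print("truncated block accepted:", is_well_formed(SAMPLE_BLOCK[:20]))
```

    The returned next_offset is what a message-level loop should use to find the following block; it is derived from the validated length, never from the raw field, so the loop cannot be steered outside the buffer.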

    Policy Engine Control Message Data Block

    The Policy Engine Control Message data block conveys the control message content for policy types. It has a block type of 54 in the series 1 group of blocks.

    The following diagram shows the format of the Policy Engine Control Message data block; each row is one 32-bit word except the variable-length control message:

        Policy Engine Control Message Block Type (54)
        Policy Engine Control Message Block Length
        Type
        Control Message: String Block Type (0)
        Control Message: String Block Length
        Control Message...

    The following table describes the components of the Policy Engine Control Message data block.

    Table 4-47 Policy Engine Control Message Data Block Fields

    Policy Engine Control Message Block Type (uint32)
        Initiates a Policy Engine Control Message data block. This value is always 54.

    Policy Engine Control Message Block Length (uint32)
        Total number of bytes in the Policy Engine Control Message data block, including eight bytes for the block type and length fields, plus the number of bytes of policy engine control data that follows.

    Type (uint32)
        Indicates the type of policy for the event.

    String Block Type (uint32)
        Initiates a String data block that contains the control message. This value is always 0.

    String Block Length (uint32)
        Number of bytes in the control message String data block, including eight bytes for the block type and length fields, plus the number of bytes in the control message.

    Control Message (string)
        The control message from the policy engine. It is carried in the String data block above, so its length is given by the string block length rather than being fixed at four bytes.

    Attribute Definition Data Block for 4.7+

    The Attribute Definition data block contains the attribute definition carried in an attribute creation, change, or deletion event. It is used within Host Attribute Add events (event type 1002, subtype 6), Host Attribute Update events (event type 1002, subtype 7), and Host Attribute Delete events (event type 1002, subtype 8). It has a block type of 55 in the series 1 group of blocks.

    For more information on those events, see Attribute Messages.

    The following diagram shows the basic structure of an Attribute Definition data block; each row is one 32-bit word except the variable-length items marked with an ellipsis:

        Attribute Definition Block Type (55)
        Attribute Definition Block Length
        Source ID
        UUID
        UUID, continued
        UUID, continued
        UUID, continued
        ID
        Name: String Block Type (0)
        Name: String Block Length
        Name...
        Attribute Type
        Attribute Category
        Starting Value for Integer Range
        Ending Value for Integer Range
        Auto-Assigned IP Address Flag
        List of Attribute List Items: List Block Type (11)
        List Block Length
        Attribute List Item Block Type (39)
        Attribute List Item Block Length
        Attribute List Items...
        List of Attribute Addresses: List Block Type (11)
        List Block Length
        Attribute Address Block Type (38)
        Attribute Address Block Length
        Attribute Address List...

    The following table describes the fields of the Attribute Definition data block.

    Table 4-48 Attribute Definition Data Block Fields

    Attribute Definition Block Type (uint32)
        Initiates an Attribute Definition data block. This value is always 55.

    Attribute Definition Block Length (uint32)
        Number of bytes in the Attribute Definition data block, including eight bytes for the block type and length fields, plus the number of bytes in the attribute definition data that follows.

    Source ID (uint32)
        Identification number that maps to the source of the attribute data. Depending on the source type, this may map to RNA, a user, a scanner, or a third-party application.

    UUID (uint8[16])
        Unique identifier for the affected attribute.

    Attribute ID (uint32)
        Identification number of the affected attribute, if applicable.

    String Block Type (uint32)
        Initiates a String data block for the attribute definition name. This value is always 0.

    String Block Length (uint32)
        Number of bytes in the String data block for the attribute definition name, including eight bytes for the string block type and length fields, plus the number of bytes in the attribute definition name.

    Name (string)
        Attribute definition name.

    Attribute Type (uint32)
        Type of attribute. Possible values are:

        • 0 — Attribute with text as value; this uses string data
        • 1 — Attribute with value in range; this uses integer data
        • 2 — Attribute with a list of possible values; this uses integer data
        • 3 — Attribute with a URL as value; this uses string data
        • 4 — Attribute with binary BLOB as value; this uses string data

    Attribute Category (uint32)
        Attribute category.

    Starting Value for Range (uint32)
        First integer in the integer range for the defined attribute.

    Ending Value for Range (uint32)
        Last integer in the integer range for the defined attribute.

    Auto-Assigned IP Address Flag (uint32)
        Flag indicating whether an IP address is auto-assigned based on the attribute.

    List Block Type (uint32)
        Initiates a List data block comprising Attribute List Item data blocks conveying attribute list items. This value is always 11.

    List Block Length (uint32)
        Number of bytes in the list, including the eight bytes of the list block type and length fields, plus all encapsulated Attribute List Item data blocks. This field is followed by zero or more Attribute List Item data blocks.

    Attribute List Item Block Type (uint32)
        Initiates the first Attribute List Item data block (block type 39 in the diagram above). Further Attribute List Item data blocks can follow it, up to the limit set by the list block length field.

    Attribute List Item Block Length (uint32)
        Number of bytes in the Attribute List Item data block, including eight bytes for the block type and length fields, plus the number of bytes in the attribute list item.

    Attribute List Item (variable)
        Attribute List Item data as documented in Attribute List Item Data Block.

    List Block Type (uint32)
        Initiates a List data block comprising Attribute Address data blocks conveying the IP addresses of hosts with the attribute. This value is always 11.

    List Block Length (uint32)
        Number of bytes in the list, including the eight bytes of the list block type and length fields, plus all encapsulated Attribute Address data blocks. This field is followed by zero or more Attribute Address data blocks.

    Attribute Address Block Type (uint32)
        Initiates the first Attribute Address data block (block type 38 in the diagram above). Further Attribute Address data blocks can follow it, up to the limit set by the list block length field.

    Attribute Address Block Length (uint32)
        Number of bytes in the Attribute Address data block, including eight bytes for the block type and length fields, plus the number of bytes in the attribute address.

    Attribute Address (variable)
        Attribute Address data as documented in Attribute Address Data Block 5.2+.

    User Protocol Data Block

    The User Protocol data block contains information about added protocols: the protocol type, the protocol number, and lists of IP address ranges and MAC address ranges for the hosts with the protocol. It has a block type of 57 in the series 1 group of blocks.

    The following diagram shows the basic structure of a User Protocol data block; each row is one 32-bit word except the variable-length lists, and the last row holds the 8-bit Protocol Type followed by the 16-bit Protocol:

        User Protocol Block Type (57)
        User Protocol Block Length
        IP Address Ranges: Generic List Block Type (31)
        Generic List Block Length
        IP Range Specification Data Blocks*
        MAC Address Ranges: Generic List Block Type (31)
        Generic List Block Length
        MAC Range Specification Data Blocks...
        Protocol Type (8 bits) | Protocol (16 bits)

    The following table describes the fields of the User Protocol data block.

    Table 4-49 User Protocol Data Block Fields

    User Protocol Block Type (uint32)
        Initiates a User Protocol data block. This value is always 57.

    User Protocol Block Length (uint32)
        Total number of bytes in the User Protocol data block, including eight bytes for the block type and length fields, plus the number of bytes of user protocol data that follows.

    Generic List Block Type (uint32)
        Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always 31.

    Generic List Block Length (uint32)
        Number of bytes in the Generic List data block, including the eight-byte list header and all encapsulated IP Range Specification data blocks.

    IP Range Specification Data Blocks * (variable)
        IP Range Specification data blocks containing the IP address ranges for the user input. See IP Address Range Data Block for 5.2+ for a description of this data block.

    Generic List Block Type (uint32)
        Initiates a Generic List data block comprising MAC Range Specification data blocks conveying MAC address range data. This value is always 31.

    Generic List Block Length (uint32)
        Number of bytes in the Generic List data block, including the eight-byte list header and all encapsulated MAC Range Specification data blocks.

    MAC Range Specification Data Blocks * (variable)
        MAC Range Specification data blocks containing the MAC address ranges for the user input. See MAC Address Specification Data Block for a description of this data block.

    Protocol Type (uint8)
        Indicates the type of the protocol: 0 for a network layer protocol such as IP, or 1 for a transport layer protocol such as TCP or UDP.

    Protocol (uint16)
        Indicates the protocol number for the data contained in the data block.

    User Client Application Data Block for 5.1.1+

    The User Client Application data block contains information about the source of the client application data, the identification number for the user who added the data, and the list of IP address range data blocks. The payload ID, added in Version 6.3, specifies the application instance associated with the record. The User Client Application data block has a block type of 138 in the series 1 group of blocks and replaces block type 59.

    The following diagram shows the basic structure of a User Client Application data block; each row is one 32-bit word except the variable-length list and string:

        User Client Application Block Type (138)
        User Client Application Block Length
        IP Range Specification: Generic List Block Type (31)
        Generic List Block Length
        IP Range Specification Data Blocks*
        Application Protocol ID
        Client Application ID
        Version: String Block Type (0)
        String Block Length
        Version...
        Payload Type
        Web Application ID

    The following table describes the fields of the User Client Application data block.

    Table 4-50 User Client Application Data Block Fields

    User Client Application Block Type (uint32)
        Initiates a User Client Application data block. This value is always 138.

    User Client Application Block Length (uint32)
        Total number of bytes in the User Client Application data block, including eight bytes for the block type and length fields, plus the number of bytes of user client application data that follows.

    Generic List Block Type (uint32)
        Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always 31.

    Generic List Block Length (uint32)
        Number of bytes in the Generic List data block, including the eight-byte list header and all encapsulated IP Range Specification data blocks.

    IP Range Specification Data Blocks * (variable)
        IP Range Specification data blocks containing the IP address ranges for the user input. See IP Address Range Data Block for 5.2+ for a description of this data block.

    Application Protocol ID (uint32)
        The internal identification number for the application protocol, if applicable.

    Client Application ID (uint32)
        The internal identification number of the detected client application, if applicable.

    String Block Type (uint32)
        Initiates a String data block that contains the client application version. This value is always 0.

    String Block Length (uint32)
        Number of bytes in the client application version String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.

    Version (string)
        Client application version.

    Payload Type (uint32)
        This field is included for backwards compatibility. It is always 0.

    Web Application ID (uint32)
        The internal identification number for the web application, if applicable.

    User Client Application List Data Block

    The User Client Application List data block contains information about the source of the client application data, the identification number for the user who added the data, and a list of User Client Application data blocks. It has a block type of 60 in the series 1 group of blocks.

    The following diagram shows the basic structure of a User Client Application List data block; each row is one 32-bit word except the variable-length list:

        User Client Application List Block Type (60)
        User Client Application List Block Length
        Source Type
        Source ID
        User Client Application Blocks: Generic List Block Type (31)
        Generic List Block Length
        User Client Application Data Blocks...

    The following table describes the fields of the User Client Application List data block.

    Table 4-51 User Client Application List Data Block Fields

    User Client Application List Block Type (uint32)
        Initiates a User Client Application List data block. This value is always 60.

    User Client Application List Block Length (uint32)
        Total number of bytes in the User Client Application List data block, including eight bytes for the block type and length fields, plus the number of bytes of user client application list data that follows.

    Source Type (uint32)
        Number that maps to the type of data source:

        • 0 if the client data was detected by RNA
        • 1 if the client data was provided by a user
        • 2 if the client data was detected by a third-party scanner
        • 3 if the client data was provided by a command line tool such as nmimport.pl or the Host Input API client

    Source ID (uint32)
        Identification number that maps to the source that added the affected client application. Depending on the source type, this may map to RNA, a user, a scanner, or a third-party application.

    Generic List Block Type (uint32)
        Initiates a Generic List data block. This value is always 31.

    Generic List Block Length (uint32)
        Number of bytes in the Generic List block and its encapsulated data blocks, including the eight bytes of the generic list block header fields plus the number of bytes in all of the encapsulated data blocks.

    User Client Application Blocks (variable)
        Encapsulated User Client Application data blocks, up to the number of bytes given by the generic list block length. For more information, see User Client Application Data Block for 5.1.1+.

    IP Address Range Data Block for 5.2+

    The IP Address Range data block for 5.2+ conveys a range of IP addresses. IP Address Range data blocks are used in User Protocol, User Client Application, Address Specification, User Product, User Server, User Hosts, User Vulnerability, User Criticality, and User Attribute Value data blocks. The IP Address Range data block has a block type of 141 in the series 1 group of blocks.

    The following diagram shows the format of the IP Address Range data block; each row is one 32-bit word:

        IP Address Range Block Type (141)
        IP Address Range Block Length
        IP Address Range Start
        IP Address Range Start, continued
        IP Address Range Start, continued
        IP Address Range Start, continued
        IP Address Range End
        IP Address Range End, continued
        IP Address Range End, continued
        IP Address Range End, continued

    The following table describes the components of the IP Address Range data block.

    Table 4-52 IP Address Range Data Block Fields

    IP Address Range Block Type (uint32)
        Initiates an IP Address Range data block. This value is always 141.

    IP Address Range Block Length (uint32)
        Total number of bytes in the IP Address Range data block, including eight bytes for the block type and length fields, plus the number of bytes of IP address range data that follows. For the fixed layout shown above this is 40.

    IP Address Range Start (uint8[16])
        The starting IP address of the range, as sixteen octets.

    IP Address Range End (uint8[16])
        The ending IP address of the range, as sixteen octets.

    Attribute Specification Data Block

    The Attribute Specification data block conveys an attribute name and its value, each carried in a String data block. It has a block type of 62 in the series 1 group of blocks.

    The following diagram shows the format of the Attribute Specification data block; each row is one 32-bit word except the two variable-length strings:

        Attribute Specification Block Type (62)
        Attribute Specification Block Length
        Attribute Name: String Block Type (0)
        String Block Length
        Attribute Name...
        Attribute Value: String Block Type (0)
        String Block Length
        Attribute Value...

    The following table describes the components of the Attribute Specification data block. The two String data blocks appear in the order shown in the diagram: the name first, then the value.

    Table 4-53 Attribute Specification Data Block Fields

    Attribute Specification Block Type (uint32)
        Initiates an Attribute Specification data block. This value is always 62.

    Attribute Specification Block Length (uint32)
        Total number of bytes in the Attribute Specification data block, including eight bytes for the block type and length fields, plus the number of bytes of attribute specification data that follows.

    String Block Type (uint32)
        Initiates a String data block that contains the attribute name. This value is always 0.

    String Block Length (uint32)
        Number of bytes in the attribute name String data block, including eight bytes for the block type and length fields, plus the number of bytes in the attribute name.

    Attribute Name (string)
        The name of the attribute.

    String Block Type (uint32)
        Initiates a String data block that contains the attribute value. This value is always 0.

    String Block Length (uint32)
        Number of bytes in the attribute value String data block, including eight bytes for the block type and length fields, plus the number of bytes in the attribute value.

    Attribute Value (string)
        The value of the attribute.

    Host IP Address Data Block

    The Host IP Address data block conveys an individual IP address, which may be either an IPv4 or an IPv6 address. Host IP Address data blocks are used in User Protocol, Address Specification, and User Host data blocks. The Host IP Address data block has a block type of 143 in the series 1 group of blocks.

    The following diagram shows the format of the Host IP Address data block; each row is one 32-bit word:

        Host IP Address Block Type (143)
        Host IP Address Block Length
        IP Address
        IP Address, continued
        IP Address, continued
        IP Address, continued
        Last Seen

    The following table describes the components of the Host IP Address data block.

    Table 4-54 Host IP Address Data Block Fields

    Host IP Address Block Type (uint32)
        Initiates a Host IP Address data block. This value is always 143.

    Host IP Address Block Length (uint32)
        Total number of bytes in the Host IP Address data block, including eight bytes for the block type and length fields, plus the number of bytes of host IP address data that follows. For the fixed layout shown above this is 28.

    IP Address (uint8[16])
        The IP address, as sixteen octets. This can be IPv4 or IPv6.

    Last Seen (uint32)
        UNIX timestamp that represents the last time the IP address was detected.

    MAC Address Specification Data Block

    The MAC Address Specification data block conveys an individual MAC address. MAC Address Specification data blocks are used in User Protocol, Address Specification, and User Hosts data blocks. The MAC Address Specification data block has a block type of 63 in the series 1 group of blocks.

    The following diagram shows the format of the MAC Address Specification data block; each row is one 32-bit word, and the six one-byte MAC address blocks span the last two words:

        MAC Address Specification Block Type (63)
        MAC Address Specification Block Length
        MAC Block 1 | MAC Block 2 | MAC Block 3 | MAC Block 4
        MAC Block 5 | MAC Block 6

    The following table describes the components of the MAC Address Specification data block.

    Table 4-55 MAC Address Specification Data Block Fields

    MAC Address Specification Block Type (uint32)
        Initiates a MAC Address Specification data block. This value is always 63.

    MAC Address Specification Block Length (uint32)
        Total number of bytes in the MAC Address Specification data block, including eight bytes for the block type and length fields, plus the number of bytes of MAC address specification data that follows.

    MAC Address Blocks 1 - 6 (six uint8 values)
        The six octets of the MAC address, in sequential order.

    Address Specification Data Block

    The Address Specification data block contains a list of IP address range specifications and a list of MAC address specifications. It has a block type of 64 in the series 1 group of blocks.

    The following diagram shows the basic structure of an Address Specification data block; each row is one 32-bit word except the two variable-length lists:

        Address Specification Data Block Type (64)
        Address Specification Block Length
        IP Address Range Blocks: Generic List Block Type (31)
        Generic List Block Length
        IP Address Range Specification Data Blocks...
        MAC Address Blocks: Generic List Block Type (31)
        Generic List Block Length
        MAC Address Specification Data Blocks...

    The following table describes the fields of the Address Specification data block.

    Table 4-56 Address Specification Data Block Fields

    Address Specification Data Block Type (uint32)
        Initiates an Address Specification data block. This value is always 64.

    Address Specification Block Length (uint32)
        Total number of bytes in the Address Specification data block, including eight bytes for the block type and length fields, plus the number of bytes of address specification data that follows.

    Generic List Block Type (uint32)
        Initiates a Generic List data block of IP Address Range Specification data blocks. This value is always 31.

    Generic List Block Length (uint32)
        Number of bytes in the Generic List block and its encapsulated data blocks, including the eight bytes of the generic list block header fields plus the number of bytes in all of the encapsulated data blocks.

    IP Address Range Specification Data Blocks (variable)
        Encapsulated IP Address Range Specification data blocks, up to the number of bytes given by the list block length. For more information, see IP Address Range Data Block for 5.2+.

    Generic List Block Type (uint32)
        Initiates a Generic List data block of MAC Address Specification data blocks. This value is always 31.

    Generic List Block Length (uint32)
        Number of bytes in the Generic List block and its encapsulated data blocks, including the eight bytes of the generic list block header fields plus the number of bytes in all of the encapsulated data blocks.

    MAC Address Specification Data Blocks (variable)
        Encapsulated MAC Address Specification data blocks, up to the number of bytes given by the list block length. For more information, see MAC Address Specification Data Block.
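    The Address Specification block above is the smallest complete instance of eStreamer's nested type-length-value layout: an outer block, two Generic List (31) containers, and IP Address Range (141) and MAC Address Specification (63) blocks inside them. The following Python walker, added here as an example and not taken from the eStreamer guide or any Cisco tool, parses that nesting as laid out in Tables 4-52, 4-55 and 4-56 and enforces the one property that keeps such a parser safe: every block length is checked against the end of the block that encloses it before any field is read, so a forged or truncated inner length cannot push reads outside its list or outside the message. Assumptions it makes that the text above does not state: integers are big-endian (network byte order); an IPv4 address inside a 16-octet range field is carried as an IPv4-mapped IPv6 address (::ffff:a.b.c.d); the helper names and the sample bytes are constructed here.

```python
"""Walk an eStreamer Address Specification block (series 1, type 64).

Added example, not code from the Cisco eStreamer guide. Assumptions: integers
are big-endian; a Generic List (31) length covers its 8-byte header plus all
encapsulated blocks; IPv4 inside the 16-octet range fields is IPv4-mapped
IPv6. All sample bytes below are constructed, not captured from a sensor.
"""
import ipaddress
import struct

GENERIC_LIST, MAC_SPEC, ADDRESS_SPEC, IP_RANGE = 31, 63, 64, 141
HEADER = struct.Struct(">II")  # block type, block length


class BlockError(ValueError):
    """Raised when a block does not fit its documented layout or container."""


def read_header(buf, off, end, want):
    """Return (body_start, body_end) of the block of type `want` at off.

    A length that would reach past `end` (the end of the enclosing block) is
    rejected, so a nested length can never widen the parse window.
    """
    if end - off < HEADER.size:
        raise BlockError(f"truncated block header at offset {off}")
    btype, blen = HEADER.unpack_from(buf, off)
    if btype != want:
        raise BlockError(f"expected block type {want} at offset {off}, got {btype}")
    if blen < HEADER.size or off + blen > end:
        raise BlockError(f"block {btype} at {off}: length {blen} escapes its container")
    return off + HEADER.size, off + blen


def to_ip(raw16):
    """Decode 16 octets; IPv4-mapped addresses come back as IPv4 (assumption)."""
    addr = ipaddress.IPv6Address(raw16)
    return str(addr.ipv4_mapped or addr)


def parse_ip_range(buf, off, end):
    body, stop = read_header(buf, off, end, IP_RANGE)
    if stop - body != 32:  # two 16-octet addresses (Table 4-52)
        raise BlockError(f"IP Address Range body must be 32 bytes, got {stop - body}")
    start, finish = buf[body:body + 16], buf[body + 16:body + 32]
    if finish < start:  # byte-wise order holds for both address families
        raise BlockError("IP range end precedes its start")
    return (to_ip(start), to_ip(finish)), stop


def parse_mac(buf, off, end):
    body, stop = read_header(buf, off, end, MAC_SPEC)
    if stop - body < 6:  # six one-byte MAC blocks (Table 4-55)
        raise BlockError("MAC Address Specification body shorter than 6 octets")
    return ":".join(f"{b:02x}" for b in buf[body:body + 6]), stop


def parse_generic_list(buf, off, end, item_parser):
    """Parse a type-31 list, bounding every item by the list's own end."""
    body, stop = read_header(buf, off, end, GENERIC_LIST)
    items, cur = [], body
    while cur < stop:
        item, cur = item_parser(buf, cur, stop)
        items.append(item)
    return items, stop


def parse_address_spec(buf, off=0):
    """Parse one Address Specification block (Table 4-56) starting at off."""
    body, stop = read_header(buf, off, len(buf), ADDRESS_SPEC)
    ranges, cur = parse_generic_list(buf, body, stop, parse_ip_range)
    macs, cur = parse_generic_list(buf, cur, stop, parse_mac)
    if cur != stop:
        raise BlockError(f"{stop - cur} unexpected trailing bytes in block")
    return {"ip_ranges": ranges, "macs": macs, "next_offset": stop}


def is_well_formed(buf):
    try:
        parse_address_spec(buf)
    except BlockError:
        return False
    return True


def _block(btype, body):  # encoder, used only to build the constructed sample
    return HEADER.pack(btype, HEADER.size + len(body)) + body


def _packed(text):
    return ipaddress.IPv6Address(text).packed


# Constructed sample: two ranges (one IPv4-mapped, one IPv6) and one MAC.
SAMPLE = _block(ADDRESS_SPEC,
    _block(GENERIC_LIST,
           _block(IP_RANGE, _packed("::ffff:10.0.0.1") + _packed("::ffff:10.0.0.254"))
           + _block(IP_RANGE, _packed("2001:db8::1") + _packed("2001:db8::ff")))
    + _block(GENERIC_LIST, _block(MAC_SPEC, bytes.fromhex("001122334455"))))
# The same bytes with the first IP Address Range length (at offset 20) forged.
SAMPLE_FORGED = SAMPLE[:20] + struct.pack(">I", 1000) + SAMPLE[24:]

if __name__ == "__main__":
    print(parse_address_spec(SAMPLE), is_well_formed(SAMPLE_FORGED))
```

    The same read_header and parse_generic_list pair handles every other list-bearing block in this chapter (User Protocol, User Client Application, User Client Application List): only the item parser changes. The MAC parser reads exactly six octets and lets the block length, not an assumed padding, decide where the next block starts, because the diagram above does not say how the rest of the second word is filled.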

    Connection Chunk Data Block for 6.1+

    The Connection Chunk data block conveys connection log data aggregated over a five-minute period. The version for 6.1+ introduces the Original Client IP Address field. The Connection Chunk data block has a block type of 164 in the series 1 group of blocks and supersedes block type 136.

    The following diagram shows the format of the Connection Chunk data block; each row is one 32-bit word, the four 64-bit counters each span two words, and one row packs the responder port, protocol, and connection type:

        Connection Chunk Block Type (164)
        Connection Chunk Block Length
        Initiator IP Address
        Responder IP Address
        Original Client IP Address
        Start Time
        Application Protocol
        Responder Port (16 bits) | Protocol (8 bits) | Connection Type (8 bits)
        NetFlow Detector IP Address
        Packets Sent
        Packets Sent, continued
        Packets Received
        Packets Received, continued
        Bytes Sent
        Bytes Sent, continued
        Bytes Received
        Bytes Received, continued
        Connections

    The following table describes the components of the Connection Chunk data block.

    Table 4-57 Connection Chunk Data Block Fields

    | Field | Data Type | Description |
    |---|---|---|
    | Connection Chunk Block Type | uint32 | Initiates a Connection Chunk data block. This value is always 164. |
    | Connection Chunk Block Length | uint32 | Total number of bytes in the Connection Chunk data block, including eight bytes for the connection chunk block type and length fields, plus the number of bytes in the connection chunk data that follows. |
    | Initiator IP Address | uint8[4] | IP address of the initiator of this type of connection. This is used with the original client and responder IP addresses to identify identical connections. |
    | Responder IP Address | uint8[4] | IP address of the responder to this type of connection. This is used with the initiator and original client IP addresses to identify identical connections. |
    | Original Client IP Address | uint8[4] | IP address of the host behind the proxy that originated the request. This is used with the initiator and responder IP addresses to identify identical connections. |
    | Start Time | uint32 | The starting time for the connection chunk. |
    | Application Protocol | uint32 | Identification number for the protocol used in the connection. |
    | Responder Port | uint16 | The port used by the responder in the connection chunk. |
    | Protocol | uint8 | The protocol for the packet containing the user information. |
    | Connection Type | uint8 | The type of connection. |
    | NetFlow Detector IP Address | uint8[4] | IP address of the NetFlow device that detected the connection, in IP address octets. |
    | Packets Sent | uint64 | The number of packets sent in the connection chunk. |
    | Packets Received | uint64 | The number of packets received in the connection chunk. |
    | Bytes Sent | uint64 | The number of bytes sent in the connection chunk. |
    | Bytes Received | uint64 | The number of bytes received in the connection chunk. |
    | Connections | uint32 | The number of connections over a five-minute period. |
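    As an added example (not code from the Cisco documentation or the product), a parser for the fixed 72-byte Connection Chunk layout above that checks the block type and the length field before reading any value. It assumes big-endian (network byte order) integers, which the page does not state, and builds a constructed sample block for testing.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

CONNECTION_CHUNK_TYPE = 164            # block type from the page (supersedes 136)
# Body layout after the 8-byte header. Assumption: integers are big-endian
# (network byte order); the page states only the field widths.
_BODY = struct.Struct(">4s4s4sIIHBB4sQQQQI")
BLOCK_LEN = 8 + _BODY.size             # 72 bytes for the 6.1+ layout


@dataclass
class ConnectionChunk:
    initiator: IPv4Address
    responder: IPv4Address
    original_client: IPv4Address
    start_time: int
    app_protocol: int
    responder_port: int
    protocol: int
    connection_type: int
    netflow_detector: IPv4Address
    packets_sent: int
    packets_received: int
    bytes_sent: int
    bytes_received: int
    connections: int


def parse_connection_chunk(buf: bytes) -> ConnectionChunk:
    """Parse one Connection Chunk block, refusing anything that deviates from the declared layout."""
    if len(buf) < 8:
        raise ValueError("truncated block header")
    block_type, block_len = struct.unpack_from(">II", buf, 0)
    if block_type != CONNECTION_CHUNK_TYPE:
        raise ValueError(f"unexpected block type {block_type}")
    # The length field arrives from the wire: require the fixed 6.1+ size and never read past the buffer.
    if block_len != BLOCK_LEN or len(buf) < block_len:
        raise ValueError(f"bad block length {block_len} for {len(buf)} buffered bytes")
    f = _BODY.unpack_from(buf, 8)
    return ConnectionChunk(IPv4Address(f[0]), IPv4Address(f[1]), IPv4Address(f[2]),
                           f[3], f[4], f[5], f[6], f[7], IPv4Address(f[8]),
                           f[9], f[10], f[11], f[12], f[13])


def build_sample() -> bytes:
    """Constructed sample block (not a real sensor capture) exercising every field."""
    body = _BODY.pack(bytes([10, 0, 0, 5]), bytes([192, 0, 2, 80]), bytes([10, 0, 0, 99]),
                      1700000000, 676, 443, 6, 1, bytes([10, 0, 0, 1]),
                      120, 110, 64000, 900000, 7)
    return struct.pack(">II", CONNECTION_CHUNK_TYPE, 8 + len(body)) + body
```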

    Fix List Data Block

    The Fix List data block conveys a fix that applies to a host. A Fix List data block for each fix applied to the affected host is included in a User Product data block. The Fix List data block has a block type of 67 in the series 1 group of blocks.

    The following diagram shows the format of the Fix List data block:

     

    Fix List data block layout (field order as in the diagram; each row is 32 bits wide):

    Fix List Block Type (67)
    Fix List Block Length
    Fix...

    The following table describes the components of the Fix List data block.

    Table 4-58 Fix List Data Block Fields

    | Field | Data Type | Description |
    |---|---|---|
    | Fix List Block Type | uint32 | Initiates a Fix List data block. This value is always 67. |
    | Fix List Block Length | uint32 | Total number of bytes in the Fix List data block, including eight bytes for the Fix List block type and length fields, plus the number of bytes of fix identification data that follows. |
    | Fix ID | uint32 | The identification number for the fix. |

    User Server Data Block

    The User Server data block contains server details from a user input event. The User Server data block has a block type of 76 in the series 1 group of blocks.

    The following diagram shows the basic structure of a User Server data block:

     

    User Server data block layout (field order as in the diagram; each row is 32 bits wide; the IP Range Specification is carried as a nested Generic List):

    User Server Data Block Type (76)
    User Server Block Length
    Generic List Block Type (31)
    Generic List Block Length
    IP Address Range Specification Data Blocks* (variable length)
    Port | Protocol

    The following table describes the fields of the User Server data block.

    Table 4-59 User Server Data Block Fields

    | Field | Data Type | Description |
    |---|---|---|
    | User Server Data Block Type | uint32 | Initiates a User Server data block. This value is always 76. |
    | User Server Block Length | uint32 | Total number of bytes in the User Server data block, including eight bytes for the user server block type and length fields, plus the number of bytes of user server data that follows. |
    | Generic List Block Type | uint32 | Initiates a Generic List data block. This value is always 31. |
    | Generic List Block Length | uint32 | Number of bytes in the Generic List block and encapsulated data blocks. This number includes the eight bytes of the generic list block header fields, plus the number of bytes in all of the encapsulated data blocks. |
    | IP Address Range Specification Data Blocks | variable | Encapsulated IP Address Range Specification data blocks up to the maximum number of bytes in the list block length. |
    | Port | uint16 | Port used by the server. |
    | Protocol | uint16 | IANA protocol number or Ethertype; transport and network layer protocols are encoded differently. Transport layer protocols are identified by the IANA protocol number, for example 6 (TCP) and 17 (UDP). Network layer protocols are identified by the decimal form of the IEEE Registration Authority Ethertype, for example 2048 (IP). |
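    As an added example (not the documentation's or the product's own code), a walker for the User Server block that bounds-checks the nested Generic List before reading Port and Protocol, plus a check that tells the IANA and Ethertype ranges of the shared Protocol field apart. It assumes big-endian integers and that every encapsulated block starts with the same uint32 type and uint32 length header; the IP Address Range Specification block type is not on this page, so RANGE_SPEC_TYPE is a placeholder and range payloads are left opaque.

```python
import struct

USER_SERVER_TYPE = 76        # block type from the page
GENERIC_LIST_TYPE = 31       # block type from the page
RANGE_SPEC_TYPE = 999        # PLACEHOLDER: the real IP Address Range Specification type is not on this page
_HDR = struct.Struct(">II")  # uint32 block type, uint32 block length (length counts this header too)
# Assumption: eStreamer integers are big-endian; the page gives only field widths.


def _read_header(buf: bytes, off: int, end: int):
    """Return (type, length) of the block at off, checking the declared length fits in [off, end)."""
    if off + _HDR.size > end:
        raise ValueError(f"block header at offset {off} runs past {end}")
    btype, blen = _HDR.unpack_from(buf, off)
    if blen < _HDR.size or off + blen > end:
        raise ValueError(f"block type {btype} at offset {off} declares bad length {blen}")
    return btype, blen


def parse_user_server(buf: bytes) -> dict:
    """Parse a User Server block: header, nested Generic List of range blocks, then Port and Protocol."""
    btype, blen = _read_header(buf, 0, len(buf))
    if btype != USER_SERVER_TYPE:
        raise ValueError(f"expected block type {USER_SERVER_TYPE}, got {btype}")
    # The list must stop 4 bytes short of the block end so Port and Protocol still fit.
    ltype, llen = _read_header(buf, _HDR.size, blen - 4)
    if ltype != GENERIC_LIST_TYPE:
        raise ValueError(f"expected Generic List (31), got {ltype}")
    pos, list_end, ranges = 2 * _HDR.size, _HDR.size + llen, []
    while pos < list_end:                        # walk encapsulated blocks by their own headers
        rtype, rlen = _read_header(buf, pos, list_end)
        ranges.append((rtype, buf[pos + _HDR.size:pos + rlen]))   # payload kept opaque here
        pos += rlen
    if list_end + 4 != blen:
        raise ValueError("bytes after the list are not exactly Port (uint16) + Protocol (uint16)")
    port, proto = struct.unpack_from(">HH", buf, list_end)
    return {"ranges": ranges, "port": port, "protocol": proto}


def protocol_layer(value: int) -> str:
    """Ethertypes start at 0x0600, so smaller values can only be IANA transport protocol numbers."""
    return "ethertype" if value >= 0x0600 else "iana"


def build_sample(*payloads: bytes, port: int = 22, protocol: int = 6) -> bytes:
    """Constructed sample (not a real capture): one range block per payload, then Port and Protocol."""
    items = b"".join(_HDR.pack(RANGE_SPEC_TYPE, _HDR.size + len(p)) + p for p in payloads)
    glist = _HDR.pack(GENERIC_LIST_TYPE, _HDR.size + len(items)) + items
    body = glist + struct.pack(">HH", port, protocol)
    return _HDR.pack(USER_SERVER_TYPE, _HDR.size + len(body)) + body
```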

    User Server List Data Block

    The User Server List data block contains a list of server data blocks from a user input event. The User Server List data block has a block type of 77 in the series 1 group of blocks. The following diagram shows the basic structure of a User Server List data block:

     
