
  • Firepower eStreamer Integration Guide
    Version 6.2.1
    December 13, 2017

    THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

    Cisco Systems, Inc.
    www.cisco.com
    Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

  • THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

    The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

    NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

    IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

    Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

    © 2017 Cisco Systems, Inc. All rights reserved.

  • CONTENTS

    CHAPTER 1 Introduction 1-1

    Major Changes in eStreamer Version 6.2 1-1

    Using this Guide 1-1

    Prerequisites 1-2

    Product Versions for Firepower System Releases 1-2

    Document Conventions 1-4

    CHAPTER 2 Understanding the eStreamer Application Protocol 2-1

    Connection Specifications 2-1

    Understanding eStreamer Communication Stages 2-2
      Establishing an Authenticated Connection 2-2
      Requesting Data from eStreamer 2-3
      Accepting Data from eStreamer 2-5
      Terminating Connections 2-5

    Understanding eStreamer Message Types 2-6
      eStreamer Message Header 2-7

    Null Message Format 2-7

    Error Message Format 2-8

    Event Stream Request Message Format 2-10
      Initial Timestamp 2-11
      Request Flags 2-11

    Event Data Message Format 2-17
      Understanding the Organization of Event Data Messages 2-17
      Intrusion Event and Metadata Message Format 2-18
      Discovery Event Message Format 2-19
      Connection Event Message Format 2-21
      Correlation Event Message Format 2-21
      Event Extra Data Message Format 2-23
      Data Block Header 2-24

    Host Request Message Format 2-25

    Host Data and Multiple Host Data Message Format 2-28

    Streaming Information Message Format 2-28


    Streaming Request Message Format 2-29

    Streaming Service Request Structure 2-30

    2-31

    Domain Streaming Request Message Format 2-31

    Streaming Event Type Structure 2-32

    Sample Extended Request Messages 2-35
      Streaming Information Message 2-35
      Streaming Request Message 2-35

    Message Bundle Format 2-36

    Understanding Metadata 2-37
      Metadata Transmission 2-37

    CHAPTER 3 Understanding Intrusion and Correlation Data Structures 3-1

    Intrusion Event and Metadata Record Types 3-1
      Packet Record 4.8.0.2+ 3-5
      Priority Record 3-6
      Intrusion Event Record 6.0+ 3-7
      Intrusion Impact Alert Data 5.3+ 3-16
      User Record 3-19
      Rule Message Record for 4.6.1+ 3-20
      Classification Record for 4.6.1+ 3-22
      Correlation Policy Record 3-23
      Correlation Rule Record 3-25
      Intrusion Event Extra Data Record 3-26
      Intrusion Event Extra Data Metadata 3-28
      Security Zone Name Record 3-29
      Interface Name Record 3-31
      Access Control Policy Name Record 3-32
      Access Control Rule ID Record Metadata 3-33
      Managed Device Record Metadata 3-34
      Malware Event Record 5.1.1+ 3-35
      Cisco Advanced Malware Protection Cloud Name Metadata 3-35
      Malware Event Type Metadata 3-37
      Malware Event Subtype Metadata 3-38
      AMP for Endpoints Detector Type Metadata 3-39
      AMP for Endpoints File Type Metadata 3-39
      Security Context Name 3-40
      Correlation Event for 5.4+ 3-41

    Understanding Series 2 Data Blocks 3-52

    Series 2 Primitive Data Blocks 3-55
      String Data Block 3-55
      BLOB Data Block 3-56
      List Data Block 3-57
      Generic List Data Block 3-58
      UUID String Mapping Data Block 3-58
      Name Description Mapping Data Block 3-59
      Access Control Policy Rule ID Metadata Block 3-61
      ICMP Type Data Block 3-62
      ICMP Code Data Block 3-63
      Security Intelligence Category Metadata for 5.4.1+ 3-64
      Realm Metadata for 6.0+ 3-65
      Endpoint Profile Data Block for 6.0+ 3-66
      Security Group Metadata for 6.0+ 3-67
      Sinkhole Metadata for 6.0+ 3-68
      Netmap Domain Metadata for 6.0+ 3-69
      Access Control Policy Rule Reason Data Block for 6.0+ 3-69
      Access Control Policy Name Data Block 3-70
      IP Reputation Category Data Block 3-72
      File Event for 6.0+ 3-73
      Malware Event Data Block 6.0+ 3-83
      File Event SHA Hash for 5.3+ 3-93
      File Type ID Metadata for 5.3+ 3-95
      Rule Documentation Data Block for 5.2+ 3-96
      Filelog Storage Metadata for 6.0+ 3-100
      Filelog Sandbox Metadata for 6.0+ 3-100
      Filelog Spero Metadata for 6.0+ 3-101
      Filelog Archive Metadata for 6.0+ 3-102
      Filelog Static Analysis Metadata for 6.0+ 3-103
      Geolocation Data Block for 5.2+ 3-103
      File Policy Name for 6.0+ 3-104
      SSL Policy Name 3-105
      SSL Rule ID 3-106
      SSL Cipher Suite 3-107
      SSL Version 3-108
      SSL Server Certificate Status 3-109
      SSL Actual Action 3-110
      SSL Expected Action 3-111
      SSL Flow Status 3-111
      SSL URL Category 3-112

      SSL Certificate Details Data Block for 5.4+ 3-113
      Network Analysis Policy Name Record 3-118

    CHAPTER 4 Understanding Discovery & Connection Data Structures 4-1

    Discovery and Connection Event Data Messages 4-2
      Discovery and Connection Event Record Types 4-2

    Metadata for Discovery Events 4-6
      Discovery Event Header 5.2+ 4-38
      Discovery and Connection Event Types and Subtypes 4-40
      Host Discovery Structures by Event Type 4-42
      Identity Conflict and Identity Timeout System Messages 4-58
      User Data Structures by Event Type 4-58

    Understanding Discovery (Series 1) Blocks 4-60
      Series 1 Data Block Header 4-60
      Series 1 Primitive Data Blocks 4-60

    Host Discovery and Connection Data Blocks 4-60
      String Data Block 4-68
      BLOB Data Block 4-69
      List Data Block 4-70
      Generic List Block 4-70
      Sub-Server Data Block 4-71
      Protocol Data Block 4-72
      Integer (INT32) Data Block 4-73
      VLAN Data Block 4-74
      Server Banner Data Block 4-74
      String Information Data Block 4-75
      Attribute Address Data Block 5.2+ 4-76
      Attribute List Item Data Block 4-77
      Attribute Value Data Block 4-78
      Full Sub-Server Data Block 4-79
      Operating System Data Block 3.5+ 4-82
      Policy Engine Control Message Data Block 4-82
      Attribute Definition Data Block for 4.7+ 4-83
      User Protocol Data Block 4-86
      User Client Application Data Block for 5.1.1+ 4-88
      User Client Application List Data Block 4-89
      IP Address Range Data Block for 5.2+ 4-91
      Attribute Specification Data Block 4-92

      Host IP Address Data Block 4-93
      MAC Address Specification Data Block 4-94
      Address Specification Data Block 4-95
      Connection Chunk Data Block for 6.1+ 4-96
      Fix List Data Block 4-98
      User Server Data Block 4-98
      User Server List Data Block 4-100
      User Hosts Data Block 4.7+ 4-101
      User Vulnerability Change Data Block 4.7+ 4-102
      User Criticality Change Data Block 4.7+ 4-104
      User Attribute Value Data Block 4.7+ 4-105
      User Protocol List Data Block 4.7+ 4-107
      Host Vulnerability Data Block 4.9.0+ 4-108
      Identity Data Block 4-109
      Host MAC Address 4.9+ 4-111
      Secondary Host Update 4-112
      Web Application Data Block for 5.0+ 4-113
      Connection Statistics Data Block 6.2+ 4-114
      Scan Result Data Block 5.2+ 4-130
      Host Server Data Block 4.10.0+ 4-133
      Full Host Server Data Block 4.10.0+ 4-135
      Server Information Data Block for 4.10.x, 5.0 - 5.0.2 4-139
      Full Server Information Data Block 4-141
      Generic Scan Results Data Block for 4.10.0+ 4-143
      Scan Vulnerability Data Block for 4.10.0+ 4-145
      Full Host Client Application Data Block 5.0+ 4-148
      Host Client Application Data Block for 5.0+ 4-150
      User Vulnerability Data Block 5.0+ 4-152
      Operating System Fingerprint Data Block 5.1+ 4-154
      Mobile Device Information Data Block for 5.1+ 4-156
      Host Profile Data Block for 5.2+ 4-157
      User Product Data Block 5.1+ 4-165

    User Data Blocks 4-172
      User Account Update Message Data Block 4-174
      User Information Data Block for 6.0+ 4-183
      User Login Information Data Block 6.1+ 4-185