For some of the events there is a difference between MRT and ET for my Sourcefire connector. Any advice?
We struggled with our Sourcefire IPS connector, but I couldn't find much info about the issues we experienced, so I would like to give you a few hints in case you face the same issues.
1) The name was empty: solved by changing the value of request.meta.data.version from 1 to 2 in agent.properties.
2) After a connector restart, the request sent to the eStreamer API resulted in all events stored in the DB being sent back to the connector (aaargh). It seems to come from a problem with the timestamp being incorrectly interpreted by eStreamer due to an undocumented code change. Sourcefire released a fix for that, so if you experience it --> contact Sourcefire support.
In order to retrieve events collected by sourcefire during a connector downtime, you should also add :
3) deviceHostName and deviceAddress are empty: this still needs to be fully validated, but it seems the externalId field is used to store a value that uniquely identifies the sensor. Values look like 1, 2, 3, ... so you first need to identify which value relates to which sensor (very convenient indeed); then you can use map files to create your deviceAddress and deviceHostName.
4) Categorization doesn't work. Probably due to the deviceEventClassId not being properly populated, while the values can be found in the raw events. AS support is working on this.
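To illustrate point 3 (filling deviceHostName and deviceAddress from the externalId sensor number), here is an added example that is not part of the original thread and is not ArcSight's or Sourcefire's code. It assumes the common connector map-file layout of a CSV whose header names a getter column as event.&lt;field&gt; and setter columns as set.event.&lt;field&gt;; that layout, the sample map rows and the sample events are all constructed for the example, so check the header convention against your connector's documentation before using it. The point worth having in working code is the failure mode: a sensor id that is not in the map file must leave the event untouched and be reported, rather than silently getting a wrong hostname.

```python
import csv
import io

# Constructed sample map file (not from the original post). Assumed layout:
# one getter column "event.<field>" and one or more setter columns "set.event.<field>".
SAMPLE_MAP_FILE = """\
event.externalId,set.event.deviceHostName,set.event.deviceAddress
1,sensor-dc1.example.internal,10.0.1.10
2,sensor-dc2.example.internal,10.0.2.10
3,sensor-dmz.example.internal,192.0.2.10
"""

# Constructed sample events as the connector might see them after the
# request.meta.data.version change: externalId carries the sensor number,
# device fields still empty. Sensor "4" is deliberately absent from the map.
SAMPLE_EVENTS = [
    {"externalId": "1", "name": "SNORT ALERT", "deviceHostName": "", "deviceAddress": ""},
    {"externalId": "2", "name": "SNORT ALERT", "deviceHostName": "", "deviceAddress": ""},
    {"externalId": "4", "name": "SNORT ALERT", "deviceHostName": "", "deviceAddress": ""},
]


def parse_map_file(text):
    """Parse the assumed map-file CSV into (key_field, {key: {field: value}})."""
    reader = csv.reader(io.StringIO(text))
    header = [h.strip() for h in next(reader)]
    getters = [(i, h[len("event."):]) for i, h in enumerate(header) if h.startswith("event.")]
    setters = [(i, h[len("set.event."):]) for i, h in enumerate(header) if h.startswith("set.event.")]
    if len(getters) != 1 or not setters:
        raise ValueError("expected exactly one event.<field> column and at least one set.event.<field> column")
    key_idx, key_field = getters[0]
    table = {}
    for row in reader:
        if not row or row[0].lstrip().startswith("#"):
            continue  # skip blank lines and comments
        if len(row) != len(header):
            raise ValueError("map row has %d columns, header has %d: %r" % (len(row), len(header), row))
        key = row[key_idx].strip()
        if key in table:
            raise ValueError("duplicate map key %r" % key)
        table[key] = {field: row[i].strip() for i, field in setters}
    return key_field, table


def apply_map(events, key_field, table):
    """Return (enriched events, sorted list of unmapped keys).

    Events whose key is not in the map are returned unchanged so a missing
    sensor is visible as an empty device field rather than a wrong one.
    """
    enriched, unmapped = [], set()
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's event
        key = ev.get(key_field, "")
        if key in table:
            ev.update(table[key])
        else:
            unmapped.add(key)
        enriched.append(ev)
    return enriched, sorted(unmapped)


def enrich_sample():
    """Run the constructed map over the constructed events."""
    key_field, table = parse_map_file(SAMPLE_MAP_FILE)
    return apply_map(SAMPLE_EVENTS, key_field, table)


if __name__ == "__main__":
    events, unmapped = enrich_sample()
    for ev in events:
        print(ev["externalId"], ev["deviceHostName"] or "<unmapped>", ev["deviceAddress"] or "<unmapped>")
    if unmapped:
        print("sensor ids with no map entry:", ", ".join(unmapped))
```

Keeping the unmapped list separate is what makes the map file maintainable: when a new sensor is added to the Defense Center it shows up in that list on the next run instead of quietly inheriting an empty or stale device field.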