Cisco Firepower Management Center 4000 Developer Guide

FireSIGHT eStreamer Integration Guide
Chapter 3      Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Rule Message Record for 4.6.1+
Rule message information for an event is transmitted within a Rule Message record, the format of which is shown below. The eStreamer service transmits the Rule Message record for 4.6.1+ when you request Version 2 or Version 3 metadata. The Rule Message record for 4.6.1+ contains the same fields as the Rule Message record for 4.6 and lower but also has the new Rule UUID and Rule Revision UUID fields, each 16 bytes long. (Version 2, Version 3, or Version 4 metadata information is sent when the appropriate metadata flag, bit 14 for Version 2, bit 15 for Version 3, or bit 20 for Version 4, in the Request Flags field of a request message is set. See .) Note that the Record Type field, which appears after the Message Length field of the message header, has a value of 66, indicating a Rule Message Version 2 record.
Byte    0               1               2               3
Bit     0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

        +-------------------------------+-------------------------------+
        | Header Version (1)            | Message Type (4)              |
        +-------------------------------+-------------------------------+
        | Message Length                                                |
        +---------------------------------------------------------------+
        | Record Type (66)                                              |
        +---------------------------------------------------------------+
        | Record Length                                                 |
        +---------------------------------------------------------------+
        | Generator ID                                                  |  \
        +---------------------------------------------------------------+   |
        | Rule ID                                                       |   | Signature Key
        +---------------------------------------------------------------+   |
        | Revision Number                                               |  /
        +---------------------------------------------------------------+
        | Rendered Signature ID                                         |
        +---------------------------------------------------------------+
        | Message Length                                                |
        +---------------------------------------------------------------+
        | Rule UUID                                                     |
        | Rule UUID cont.                                               |
        | Rule UUID cont.                                               |
        | Rule UUID cont.                                               |
        +---------------------------------------------------------------+
        | Rule Revision UUID                                            |
        | Rule Revision UUID cont.                                      |
        | Rule Revision UUID cont.                                      |
        | Rule Revision UUID cont.                                      |
        +---------------------------------------------------------------+
        | Message...                                                    |
        +---------------------------------------------------------------+
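The following parser for the layout above is an added example written for this page; it is not code from the eStreamer guide or from any Cisco client. It assumes, beyond what the layout states, that all integers are big-endian, that the header Message Length counts the bytes after the 8-byte message header, that Record Length counts the bytes after the 8-byte record header, and that the rule message text is UTF-8. The sample message, the UUIDs and the rule numbers in it are constructed for the example. The point a client author should take from it is that every length field in the record is attacker-influenced data once the TLS session is established, so each one is checked against the bytes actually received before it is used as a slice bound.

```python
import struct
import uuid
from dataclasses import dataclass

# Values shown in the record layout above.
HEADER_VERSION = 1
MESSAGE_TYPE = 4                    # "Message Type (4)" in the layout
RECORD_TYPE_RULE_MESSAGE_V2 = 66    # Rule Message record for 4.6.1+

# Fixed part of the record body, big-endian (assumption): Generator ID, Rule ID,
# Revision Number, Rendered Signature ID, Message Length (32 bits each),
# then Rule UUID and Rule Revision UUID (16 bytes each).
FIXED_BODY = struct.Struct(">IIIII16s16s")   # 52 bytes


class ParseError(ValueError):
    """Raised on any length or type mismatch; the caller should drop the stream."""


@dataclass(frozen=True)
class RuleMessage:
    generator_id: int
    rule_id: int
    revision: int
    rendered_signature_id: int
    rule_uuid: uuid.UUID
    rule_revision_uuid: uuid.UUID
    message: str

    @property
    def signature_key(self) -> str:
        # GID:SID:revision, the three fields the layout groups as "Signature Key".
        return f"{self.generator_id}:{self.rule_id}:{self.revision}"


def parse_rule_message(buf: bytes) -> RuleMessage:
    """Parse one eStreamer message carrying a type-66 Rule Message record.

    Assumption: Message Length counts the bytes after the 8-byte message header
    and Record Length counts the bytes after the 8-byte record header. Every
    length is validated before it is used as a slice bound, so a truncated or
    tampered message raises ParseError instead of yielding misaligned fields.
    """
    if len(buf) < 8:
        raise ParseError("short message header")
    hdr_ver, msg_type, msg_len = struct.unpack_from(">HHI", buf, 0)
    if hdr_ver != HEADER_VERSION or msg_type != MESSAGE_TYPE:
        raise ParseError(f"unexpected header version {hdr_ver} / type {msg_type}")
    if msg_len != len(buf) - 8:
        raise ParseError("Message Length does not match the bytes received")
    if msg_len < 8:
        raise ParseError("short record header")
    rec_type, rec_len = struct.unpack_from(">II", buf, 8)
    if rec_type != RECORD_TYPE_RULE_MESSAGE_V2:
        raise ParseError(f"not a Rule Message record: type {rec_type}")
    if rec_len != msg_len - 8:
        raise ParseError("Record Length does not match Message Length")
    if rec_len < FIXED_BODY.size:
        raise ParseError("record too short for its fixed fields")
    body = buf[16:16 + rec_len]
    gid, sid, rev, rendered, text_len, rule_uuid, rev_uuid = FIXED_BODY.unpack_from(body)
    text = body[FIXED_BODY.size:]
    if text_len != len(text):
        raise ParseError("rule Message Length does not match the remaining bytes")
    # Assumption: message text is UTF-8; undecodable bytes are replaced, not passed raw.
    return RuleMessage(gid, sid, rev, rendered, uuid.UUID(bytes=rule_uuid),
                       uuid.UUID(bytes=rev_uuid), text.decode("utf-8", "replace"))


def build_rule_message(gid, sid, rev, rendered, rule_uuid, rev_uuid, message):
    """Encode a record with the same layout; used here only to build sample input."""
    text = message.encode("utf-8")
    body = FIXED_BODY.pack(gid, sid, rev, rendered, len(text),
                           rule_uuid.bytes, rev_uuid.bytes) + text
    record = struct.pack(">II", RECORD_TYPE_RULE_MESSAGE_V2, len(body)) + body
    return struct.pack(">HHI", HEADER_VERSION, MESSAGE_TYPE, len(record)) + record


def is_rejected(buf: bytes) -> bool:
    """True when the parser refuses the buffer; exercises the length checks."""
    try:
        parse_rule_message(buf)
    except ParseError:
        return True
    return False


# Constructed sample values, not taken from any real sensor.
SAMPLE_RULE_UUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_REV_UUID = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")
SAMPLE = build_rule_message(1, 2000001, 3, 2000001, SAMPLE_RULE_UUID, SAMPLE_REV_UUID,
                            "EXAMPLE local rule message")

# Same message with the inner Message Length field (bytes 32-35) inflated;
# the parser must reject it rather than read past the text it has.
TAMPERED = SAMPLE[:32] + struct.pack(">I", 0xFFFF) + SAMPLE[36:]

if __name__ == "__main__":
    rm = parse_rule_message(SAMPLE)
    print(rm.signature_key, rm.rule_uuid, repr(rm.message))
    print("truncated rejected:", is_rejected(SAMPLE[:-5]))
    print("tampered rejected:", is_rejected(TAMPERED))
```

Reading a live stream works the same way: read the 8-byte message header, then read exactly Message Length more bytes, and hand the whole message to parse_rule_message. The Record Length and inner Message Length must still be cross-checked as above, because a framing bug on the sending side (or a man-in-the-middle with a valid certificate) otherwise produces silently shifted field values rather than a visible error.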