Cisco Cisco Firepower Management Center 2000 Entwickleranleitung

The eStreamer service uses the Rule Documentation data block to contain information about rules used 
to generate alerts. The block type is 27 in the series 2 set of data blocks. It can be requested with a host 
request message of type 10. See 

 for more information.

The following diagram shows the structure of a rule documentation data block:

String Block Type

uint32

Initiates a String data block containing the descriptive name 
associated with the file. This value is always 

0

.

String Block Length

uint32

The number of bytes included in the name String data block, 
including eight bytes for the block type and header fields plus the 
number of bytes in the Name field.

File Name or 
Disposition

string

The descriptive name or disposition of the file. If the file is clean, 
this value is 

Clean

. If the file’s disposition is unknown, the value 

is 

Neutral

. If the file contains malware, the file name is given.

Disposition

uint8

The malware status of the file. Possible values include:

1

 - CLEAN The file is clean and does not contain malware.

2

 - UNKNOWN It is unknown whether the file contains 

malware.

3

 - MALWARE The file contains malware.

4

 - UNAVAILABLE The software was unable to send a 

request to the Cisco cloud for a disposition, or the Cisco 
cloud services did not respond to the request.

5

 - CUSTOM SIGNATURE The file matches a user-defined 

hash, and is treated in a fashion designated by the user

User Defined

uint8

Indicated how the file name was provided:

0

 - defined by AMP

1

 - user defined

Byte

0

1

2

3

Bit

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Rule Documentation Block Type (27)

Rule Documentation Block Length

Signature ID

Generator ID

Revision