Cisco Firepower Management Center 2000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
151
Understanding Intrusion and Correlation Data Structures
Understanding Series 2 Data Blocks
Chapter 3
File Event SHA Hash Data Block Fields (Continued)

Field | Data Type | Description
File Name or Disposition | string | The descriptive name or disposition of the file. If the file is clean, this value is Clean. If the file's disposition is unknown, the value is Neutral. If the file contains malware, the file name is given.
Disposition | uint8 | The malware status of the file. Possible values include:
  • 1 — CLEAN — The file is clean and does not contain malware.
  • 2 — UNKNOWN — It is unknown whether the file contains malware.
  • 3 — MALWARE — The file contains malware.
  • 4 — UNAVAILABLE — The software was unable to send a request to the Sourcefire cloud for a disposition, or the Sourcefire cloud services did not respond to the request.
  • 5 — CUSTOM SIGNATURE — The file matches a user-defined hash, and is treated in a fashion designated by the user.
User Defined | uint8 | Indicates how the file name was provided:
  • 0 — defined by AMP
  • 1 — user defined

Rule Documentation Data Block for 5.2+

The eStreamer service uses the Rule Documentation data block to contain information about rules used to generate alerts. The block type is 27. It can be requested with a host request message of type 10. See on page 47 for more information.

The following diagram shows the structure of a rule documentation data block (each row is one 32-bit word):

Byte   0               1               2               3
Bit    0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
       Rule Documentation Block Type (27)
       Rule Documentation Block Length
       Signature ID
       Generator ID
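The following added example (not from the guide or the eStreamer client code) decodes the leading fields of a Rule Documentation block from the diagram above and maps the File Event SHA Hash disposition codes from the table; it assumes network byte order and that Block Length counts the whole block including the 8-byte type/length header, and the sample bytes are constructed.

```python
import struct
from dataclasses import dataclass

RULE_DOC_BLOCK_TYPE = 27  # block type from the guide
HEADER_LEN = 16           # type, length, signature ID, generator ID (4 x uint32)

# Disposition and User Defined codes from the File Event SHA Hash block table.
DISPOSITION_NAMES = {1: "CLEAN", 2: "UNKNOWN", 3: "MALWARE",
                     4: "UNAVAILABLE", 5: "CUSTOM SIGNATURE"}
USER_DEFINED_NAMES = {0: "defined by AMP", 1: "user defined"}


@dataclass
class RuleDocHeader:
    block_length: int
    signature_id: int
    generator_id: int
    remaining: bytes  # fields after Generator ID; not decoded here


def parse_rule_doc_block(buf: bytes) -> RuleDocHeader:
    """Decode the first four 32-bit big-endian words of a type-27 block.

    Assumption: block_length includes the 8-byte type/length header, so it
    must be at least HEADER_LEN and never exceed the bytes actually received.
    """
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated block: fewer than 16 bytes")
    block_type, block_length, sig_id, gen_id = struct.unpack("!IIII", buf[:HEADER_LEN])
    if block_type != RULE_DOC_BLOCK_TYPE:
        raise ValueError(f"expected block type {RULE_DOC_BLOCK_TYPE}, got {block_type}")
    if block_length < HEADER_LEN or block_length > len(buf):
        raise ValueError(f"block length {block_length} inconsistent with {len(buf)} bytes")
    return RuleDocHeader(block_length, sig_id, gen_id, buf[HEADER_LEN:block_length])


def is_valid_rule_doc_block(buf: bytes) -> bool:
    """True when the header parses and its length field fits the buffer."""
    try:
        parse_rule_doc_block(buf)
        return True
    except ValueError:
        return False


def describe_disposition(value: int) -> str:
    return DISPOSITION_NAMES.get(value, f"unknown disposition code {value}")


def describe_user_defined(value: int) -> str:
    return USER_DEFINED_NAMES.get(value, f"unknown user-defined code {value}")


# Constructed sample: type 27, length 20, signature ID 1000000, generator ID 1,
# followed by 4 bytes of undecoded payload.
SAMPLE_BLOCK = struct.pack("!IIII", 27, 20, 1000000, 1) + b"\x00\x00\x00\x00"
```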