Cisco Firepower Management Center 4000 Developer Guide

FireSIGHT eStreamer Integration Guide
 
Chapter 3  Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
The following table describes each rule-specific field.

Table 3-7  Rule Message Record Fields

| Field | Data Type | Description |
|---|---|---|
| Generator ID | uint32 | The generator identification number. |
| Rule ID | uint32 | The rule identification number for the local computer. |
| Rule Revision | uint32 | The rule revision number. This is currently set to 0 for all rule messages. |
| Rendered Signature ID | uint32 | The rule identification number rendered to the FireSIGHT System interface. |
| Message Length | uint16 | The number of bytes included in the rule text. |
| UUID | uint8[16] | A rule ID number that acts as a unique identifier for the rule. |
| Revision UUID | uint8[16] | A rule revision ID number that acts as a unique identifier for the revision. |
| Message | variable | Rule message that triggered the event. |

Classification Record for 4.6.1+

The eStreamer service transmits the classification information for an event in a Classification record for 4.6.1+, the format of which is shown below. The Classification record for 4.6.1+ contains the same fields as the Classification record for 4.6 and lower but also has new UUID and Revision UUID fields. (Classification information is sent when the Version 3 or Version 4 metadata flag, bit 15 or bit 20 in the Request Flags field of a request message, is set. See .) Note that the Record Type field, which appears after the Message Length field, has a value of 67, indicating a Classification Version 2 record.
Byte   0               1               2               3
Bit    0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
       Header Version (1)                 | Message Type (4)
       Message Length
       Record Type (67)
       Record Length
       Classification ID
       Name Length
       Name...
       Name, continued...
       Description Length
       Description...
       Description, continued...
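As an added example, not Cisco's eStreamer SDK and not code from this guide, the Python below decodes one eStreamer message carrying a Rule Message record laid out as in Table 3-7, first walking the message header (Header Version, Message Type, Message Length) and record header (Record Type, Record Length) shown in the diagram above. It assumes big-endian (network byte order) integers, that Message Length and Record Length each count the bytes following their own header, and that the buffer holds exactly one message. The Rule Message record's type number does not appear on this page, so `RULE_MESSAGE_RECORD_TYPE` is a labelled placeholder, `MAX_MESSAGE_LEN` is a constructed sanity cap, and the sample record values are constructed. The point worth showing is that every length field arrives from the wire, so the parser checks each one against the bytes actually present before slicing; `example_rejects_oversized_length()` exercises that check with a Message Length that overstates the rule text.

```python
"""Parse an eStreamer message holding a Rule Message record (Table 3-7 layout).

Added example; assumptions: message header = Header Version (uint16),
Message Type (uint16), Message Length (uint32); record header = Record Type
(uint32), Record Length (uint32); all integers big-endian; each length
field counts the bytes that follow its own header.
"""
import struct
import uuid
from dataclasses import dataclass

HEADER_FMT = ">HHI"              # Header Version, Message Type, Message Length
RECORD_HEADER_FMT = ">II"        # Record Type, Record Length
RULE_FIXED_FMT = ">IIIIH16s16s"  # Table 3-7 fields up to and including Revision UUID
HEADER_SIZE = struct.calcsize(HEADER_FMT)                # 8 bytes
RECORD_HEADER_SIZE = struct.calcsize(RECORD_HEADER_FMT)  # 8 bytes
RULE_FIXED_SIZE = struct.calcsize(RULE_FIXED_FMT)        # 50 bytes

CLASSIFICATION_RECORD_TYPE = 67    # value given on this page
RULE_MESSAGE_RECORD_TYPE = 0xFFFF  # PLACEHOLDER: the real type number is not on this page
MAX_MESSAGE_LEN = 4096             # constructed sanity cap on the rule text length


class ParseError(ValueError):
    """A length field disagrees with the bytes actually present."""


@dataclass(frozen=True)
class RuleMessage:
    generator_id: int
    rule_id: int
    rule_revision: int
    rendered_signature_id: int
    rule_uuid: uuid.UUID
    revision_uuid: uuid.UUID
    message: str


def parse_record(data: bytes) -> tuple:
    """Validate both headers; return (record type, record body bytes)."""
    if len(data) < HEADER_SIZE + RECORD_HEADER_SIZE:
        raise ParseError("too short for message and record headers")
    version, _msg_type, msg_len = struct.unpack_from(HEADER_FMT, data, 0)
    if version != 1:
        raise ParseError(f"unexpected header version {version}")
    if msg_len != len(data) - HEADER_SIZE:
        raise ParseError("Message Length does not match bytes received")
    rec_type, rec_len = struct.unpack_from(RECORD_HEADER_FMT, data, HEADER_SIZE)
    body_start = HEADER_SIZE + RECORD_HEADER_SIZE
    if rec_len != len(data) - body_start:
        raise ParseError("Record Length does not match bytes received")
    return rec_type, data[body_start:]


def parse_rule_message(body: bytes) -> RuleMessage:
    """Decode the Table 3-7 fields, checking Message Length before slicing the text."""
    if len(body) < RULE_FIXED_SIZE:
        raise ParseError("record body shorter than the fixed fields")
    (gen_id, rule_id, rule_rev, rendered_id,
     msg_len, uuid_bytes, rev_uuid_bytes) = struct.unpack_from(RULE_FIXED_FMT, body, 0)
    if msg_len > MAX_MESSAGE_LEN:
        raise ParseError(f"implausible Message Length {msg_len}")
    if RULE_FIXED_SIZE + msg_len != len(body):
        raise ParseError("Message Length does not match the rule text present")
    text = body[RULE_FIXED_SIZE:RULE_FIXED_SIZE + msg_len]
    return RuleMessage(gen_id, rule_id, rule_rev, rendered_id,
                       uuid.UUID(bytes=uuid_bytes), uuid.UUID(bytes=rev_uuid_bytes),
                       text.decode("utf-8", errors="replace"))


def build_rule_message(generator_id, rule_id, rule_revision, rendered_id,
                       rule_uuid, revision_uuid, message: bytes) -> bytes:
    """Encode one complete message (used only to construct the sample below)."""
    body = struct.pack(RULE_FIXED_FMT, generator_id, rule_id, rule_revision, rendered_id,
                       len(message), rule_uuid.bytes, revision_uuid.bytes) + message
    record = struct.pack(RECORD_HEADER_FMT, RULE_MESSAGE_RECORD_TYPE, len(body)) + body
    return struct.pack(HEADER_FMT, 1, 4, len(record)) + record


# Constructed sample values; not captured from any sensor.
SAMPLE_MESSAGE = build_rule_message(
    1, 1000001, 0, 1000001,
    uuid.UUID("11111111-2222-3333-4444-555555555555"),
    uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa"),
    b"LOCAL test rule message",
)


def example_parse() -> RuleMessage:
    rec_type, body = parse_record(SAMPLE_MESSAGE)
    if rec_type != RULE_MESSAGE_RECORD_TYPE:
        raise ParseError(f"not a rule message record: {rec_type}")
    return parse_rule_message(body)


def example_rejects_oversized_length() -> bool:
    """Overwrite Message Length with 200 (text is 23 bytes); parser must refuse it."""
    off = HEADER_SIZE + RECORD_HEADER_SIZE + 16  # Message Length follows four uint32 fields
    bad = bytearray(SAMPLE_MESSAGE)
    bad[off:off + 2] = struct.pack(">H", 200)
    try:
        parse_rule_message(parse_record(bytes(bad))[1])
    except ParseError:
        return True
    return False


if __name__ == "__main__":
    print(example_parse())
    print("oversized Message Length rejected:", example_rejects_oversized_length())
```

In a real client the message header is read first and then exactly Message Length bytes are consumed from the socket, which is why the checks compare each length field against what was actually received rather than trusting it to bound a slice.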