Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
Introduction to Network Discovery
Understanding Discovery Data Collection
Chapter 32
one of those ports, the system positively identifies the application protocol using
the well-known port detector.
IMPORTANT! Because you can create and activate user-defined port-based
application protocol detectors on ports used by Sourcefire-provided detectors, it
is possible to override Sourcefire’s detection capabilities. For example, if your
user-defined detector identifies all application protocol traffic on port 22 as the
myapplication application protocol, SSH traffic on port 22 will be misidentified
as myapplication traffic.
If the application protocol is not running on one of those ports, the system
employs a more robust method to identify it based on port and pattern matches.
If two detectors both positively identify the traffic, the detector that employs the
longer pattern match has precedence. Similarly, detectors with multiple pattern
matches have precedence over single pattern matches.
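A simplified model of the precedence described above, as an added example (not Sourcefire's code or detector list): the detector names, patterns, and the order in which the two tie-break rules are applied are assumptions. The shadowed_ports function lists ports where a user-defined port detector overrides a vendor one, which is the case the IMPORTANT note describes.

```python
from dataclasses import dataclass

# Constructed sample data, not the product's real detector list.
BUILTIN_PORTS = {21: "FTP", 22: "SSH"}        # vendor well-known port detectors
USER_PORT_DETECTORS = {22: "myapplication"}   # active user-defined port detectors


@dataclass(frozen=True)
class PatternDetector:
    protocol: str
    patterns: tuple  # byte strings that must all appear in the payload


PATTERN_DETECTORS = [
    PatternDetector("SSH", (b"SSH-2.0-",)),
    PatternDetector("generic-web", (b"HTTP",)),
    PatternDetector("HTTP", (b"HTTP/1.",)),
    PatternDetector("webapp", (b"HTTP/1.1", b"X-Webapp:")),
]


def identify(port, payload):
    """Return (protocol, reason) for one server response."""
    # An active user-defined port detector shadows the vendor detector.
    if port in USER_PORT_DETECTORS:
        return USER_PORT_DETECTORS[port], "user-defined port detector"
    if port in BUILTIN_PORTS:
        return BUILTIN_PORTS[port], "well-known port detector"
    hits = [d for d in PATTERN_DETECTORS
            if all(p in payload for p in d.patterns)]
    if not hits:
        return None, "no match"
    # Assumed order: more matched patterns first, then the longest pattern.
    best = max(hits, key=lambda d: (len(d.patterns), max(map(len, d.patterns))))
    return best.protocol, "pattern match"


def shadowed_ports():
    """Ports where a user-defined detector overrides a vendor detector."""
    return {port: (BUILTIN_PORTS[port], USER_PORT_DETECTORS[port])
            for port in USER_PORT_DETECTORS if port in BUILTIN_PORTS}


if __name__ == "__main__":
    print(identify(22, b"SSH-2.0-OpenSSH_8.9\r\n"))
    print(identify(2222, b"SSH-2.0-OpenSSH_8.9\r\n"))
    print(shadowed_ports())
```

Running shadowed_ports against an export of your own detector configuration is a quick audit for port-based detectors that would mask vendor identification.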
Note that the system identifies only those application protocols running on hosts
in your monitored networks, as defined in the network discovery policy. For
example, if an internal host accesses an FTP server on a remote site that you are
not monitoring, the system does not identify the application protocol as FTP. On
the other hand, if a remote or internal host accesses an FTP server on a host you
are monitoring, the system can positively identify the application protocol.
An exception occurs if the system can identify the client used in a connection
where a monitored host accesses a non-monitored server. In that case, the
system positively identifies the appropriate application protocol that corresponds
with the client in the connection, but does not add the application protocol to the
network map. For more information, see
Note that client sessions must include a response from the server for application
detection to occur.