Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
Page 1320
Chapter 32: Introduction to Network Discovery
Understanding Discovery Data Collection
The following table outlines how the Sourcefire 3D System identifies detected
application protocols in the Defense Center web interface: the network map, host
profiles, event views, and so on.
Implied Application Protocol Detection from Client Detection
License: FireSIGHT
If the system can identify the client used in a connection in which a monitored
host accesses a non-monitored server, the Defense Center infers that the
connection is using the application protocol that corresponds to that client.
(Because the system tracks applications only on monitored networks, connection
logs usually do not include application protocol information for connections in
which a monitored host accesses a non-monitored server.)
Sourcefire 3D System Identification of Application Protocols

Application: the application protocol name
Description: The Defense Center identifies an application protocol with its name if the
application protocol was:
• positively identified by the system
• identified using NetFlow data and there is a port-application protocol
correlation in /etc/sf/services
• manually identified using the host input feature
• identified by Nmap or another active source

Application: pending
Description: The Defense Center identifies an application protocol as pending if the
system can neither positively nor negatively identify the application.
Most often, the system needs to collect and analyze more connection data
(from which applications are identified) before it can identify a pending
application.
In the Application Details and Servers tables and in the host profile, the
pending status appears only for application protocols where specific
application protocol traffic was detected (rather than implied by detected
client or web application traffic).

Application: unknown
Description: The Defense Center identifies an application protocol as unknown if the
application:
• does not match any of the system's detectors
• was identified using NetFlow data, but there is no port-application protocol
correlation in /etc/sf/services

Application: blank
Description: All available detected data has been examined and no application protocol
was identified. In the Application Details and Servers tables and in the host
profile, the application protocol is left blank for non-HTTP generic client
traffic with no detected application protocol.
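The labelling rules in the table above, written out as a small Python model so an analyst can check what the Defense Center would display for a given set of evidence. This is an added example, not Cisco's code; the /etc/sf/services contents, the name-port/proto line layout, and the Evidence fields are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for /etc/sf/services; the "name port/proto" layout is an assumption.
SF_SERVICES_TEXT = """\
# name   port/proto
http     80/tcp
https    443/tcp
dns      53/udp
"""

def parse_services(text: str) -> Dict[Tuple[int, str], str]:
    """Map (port, proto) -> application protocol name, ignoring comments and blank lines."""
    table: Dict[Tuple[int, str], str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, port_proto = line.split()[:2]
        port, proto = port_proto.split("/")
        table[(int(port), proto.lower())] = name
    return table

@dataclass
class Evidence:
    """What the system knows about one application protocol (constructed fields)."""
    detector_match: Optional[str] = None       # positively identified by a detector
    host_input: Optional[str] = None           # manually set via the host input feature
    active_source: Optional[str] = None        # reported by Nmap or another active source
    netflow: Optional[Tuple[int, str]] = None  # (port, proto) seen only in NetFlow data
    no_detector_matched: bool = False          # traffic examined, matched no detector
    all_data_examined: bool = False            # nothing left to collect or analyze
    protocol_traffic_seen: bool = True         # real protocol traffic vs. implied by client

def displayed_protocol(ev: Evidence, services: Dict[Tuple[int, str], str]) -> str:
    """Return the label shown in the web interface: a name, 'pending', 'unknown' or ''."""
    for name in (ev.detector_match, ev.host_input, ev.active_source):
        if name:
            return name                        # any positive source yields the name
    if ev.netflow is not None:
        port, proto = ev.netflow               # NetFlow needs a services correlation
        return services.get((port, proto.lower()), "unknown")
    if ev.no_detector_matched:
        return "unknown"
    if ev.all_data_examined or not ev.protocol_traffic_seen:
        return ""                              # blank: nothing identifiable, or only implied
    return "pending"                           # more connection data still needed
```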