Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
1662
Creating Traffic Profiles
Adding a Host Profile Qualification
Chapter 38
2. Build the host profile qualification’s conditions.
You can create a single, simple condition, or you can create more elaborate
constructs by combining and nesting conditions. See
on page 1668 for information on building
conditions.
The syntax you can use to build conditions is described in
TIP!
To remove a host profile qualification, click Remove Host Profile
Qualification.
Syntax for Host Profile Qualifications
LICENSE: FireSIGHT
When you build a host profile qualification condition, you must first select the
host you want to use to constrain your traffic profile. You can select either
Responder Host or Initiator Host. After you select the host role, continue building
Although you can configure the network discovery policy to add hosts to the
network map based on data exported by NetFlow-enabled devices, the available
information about these hosts is limited. For example, there is no operating
system data available for these hosts, unless you provide it using the host input
feature. In addition, if your traffic profile uses connection data exported by
NetFlow-enabled devices, keep in mind that NetFlow records do not contain
information about which host in the connection is the initiator and which is the
responder. When the system processes NetFlow records, it uses an algorithm to
determine this information based on the ports each host is using, and whether
those ports are well-known. For more information, see
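The following added example (not from the Cisco guide, and not Cisco's actual algorithm) sketches a port-based role inference of the kind the paragraph above describes, to show when a Responder Host or Initiator Host assignment derived from NetFlow records is only a guess. The 1-1023 well-known range, the lower-port tie-break, and all names and sample records are assumptions.

```python
from typing import NamedTuple

# Assumption: "well-known" means the IANA system port range 1-1023.
WELL_KNOWN_MAX = 1023


class FlowRecord(NamedTuple):
    """Minimal NetFlow-style record: two endpoints, no direction field."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def is_well_known(port: int) -> bool:
    return 1 <= port <= WELL_KNOWN_MAX


def infer_roles(rec: FlowRecord) -> dict:
    """Guess initiator and responder from the ports alone.

    'confident' is False when both or neither port is well-known; in that
    case the lower port is treated as the responder (assumed tie-break).
    """
    a = (rec.src_ip, rec.src_port)
    b = (rec.dst_ip, rec.dst_port)
    a_wk, b_wk = is_well_known(a[1]), is_well_known(b[1])
    if a_wk != b_wk:
        # Exactly one side uses a well-known port: call that side the responder.
        responder, initiator = (a, b) if a_wk else (b, a)
        confident = True
    else:
        responder, initiator = (a, b) if a[1] <= b[1] else (b, a)
        confident = False
    return {"initiator": initiator[0], "responder": responder[0],
            "confident": confident}


# Constructed sample records (documentation and private address ranges).
SAMPLES = [
    FlowRecord("10.0.0.5", 51514, "192.0.2.10", 443),  # client to HTTPS server
    FlowRecord("192.0.2.10", 443, "10.0.0.5", 51514),  # same flow, reversed
    FlowRecord("10.0.0.5", 49200, "10.0.0.9", 8443),   # neither port well-known
    FlowRecord("10.0.0.7", 123, "10.0.0.1", 123),      # both ports well-known
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, infer_roles(rec))
```

Records that come back with `confident` set to False are the ones where a host profile qualification on Responder Host or Initiator Host may be evaluated against the wrong endpoint.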
To match against implied or generic clients, create a host profile qualification
based on the application protocol used by the server responding to the client.
When the client list on a host that acts as the initiator or source of a connection
includes an application protocol name followed by client, that client may actually
be an implied client. In other words, the system reports that client based on
server response traffic that uses the application protocol for that client, not on
detected client traffic.
For example, if the system reports HTTPS client as a client on a host, create a host
profile qualification for Responder Host where Application Protocol is set to HTTPS,