FireSIGHT System User Guide
Chapter 35 Introduction to Network Discovery
Understanding Discovery Data Collection
To supplement the application data gathered by the system, you can use records generated by 
NetFlow-enabled devices, Nmap active scans, and the Cisco host input feature.
For more information, see:
Understanding the Application Protocol Detection Process
License: FireSIGHT
When the system detects application traffic, it first determines whether the application protocol is 
running on a port identified by a detector that uses that specific port as its only detection criterion. If the 
application protocol is running on one of those ports, the system positively identifies the application 
protocol using the well-known port detector.
Note: Because you can create and activate user-defined port-based application protocol detectors on ports used 
by Cisco-provided detectors, it is possible to override Cisco’s detection capabilities. For example, if your 
user-defined detector identifies all application protocol traffic on port 22 as the myapplication 
application protocol, SSH traffic on port 22 will be misidentified as myapplication traffic.
If the application protocol is not running on one of those ports, the system employs a more robust method 
to identify it based on port and pattern matches. If two detectors both positively identify the traffic, the 
detector that employs the longer pattern match has precedence. Similarly, detectors with multiple pattern 
matches have precedence over single pattern matches.
Note that the system identifies only those application protocols running on hosts in your monitored 
networks, as defined in the network discovery policy. For example, if an internal host accesses an FTP 
server on a remote site that you are not monitoring, the system does not identify the application protocol 
as FTP. On the other hand, if a remote or internal host accesses an FTP server on a host you are 
monitoring, the system can positively identify the application protocol. 
An exception occurs if the system can identify the client used in connections between a monitored host 
accessing a non-monitored server. In that case, the system positively identifies the appropriate 
application protocol that corresponds with the client in the connection, but does not add the application 
protocol to the network map. For more information, see 
. Note that client sessions must include a response from the server for 
application detection to occur.
The following table outlines how the FireSIGHT System identifies detected application protocols in the 
Defense Center web interface: the network map, host profiles, event views, and so on.