Cisco Firepower Management Center 4000
35-11
FireSIGHT System User Guide
Chapter 35 Introduction to Network Discovery
Understanding Discovery Data Collection
The system identifies applications in your network traffic either using ASCII or hexadecimal patterns in the packet headers, or the port that the traffic uses. Some application detectors use both port and pattern detection to increase the likelihood of correctly identifying traffic for a particular application. In addition, Secure Sockets Layer (SSL) protocol detectors use information from the secured session to identify the application from the session. There are two sources of application detectors in the FireSIGHT System:
• Cisco-provided detectors, which detect web applications, clients, and application protocols. The availability of Cisco-provided detectors for applications (and operating systems, see ) depends on the version of the FireSIGHT System and the version of the VDB you have installed. Release notes and advisories contain information on new and updated detectors. You can also import individual detectors authored by Professional Services. For a complete list of detected applications, see either of the following Support Sites:
– Sourcefire:
– Cisco:
• user-defined application protocol detectors, which you can create to enhance the system's application protocol detection capabilities
You can also detect application protocols through implied application protocol detection, which implies the existence of an application protocol based on the detection of a client.
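The following is an added example, not code from the FireSIGHT System or its detectors, that models the three detection mechanisms described above: a detector may carry an ASCII or hexadecimal pattern, a port, or both (in which case both must hold), and a client detection can imply an application protocol. The detector table, the pattern bytes and the packets are constructed for this example; in particular the "SSL" entry only matches the leading bytes of a TLS record rather than parsing the secured session as a real SSL detector would.

```python
"""Added example: a toy application detector in the style described above.

Detectors match an ASCII or hex pattern in the packet, the port the traffic
uses, or both; a client detection can also imply an application protocol.
The detector table and packets are constructed for this example and are not
FireSIGHT detectors or real captures.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Detector:
    app: str
    kind: str                                  # "application protocol" or "client"
    ports: FrozenSet[int] = frozenset()        # empty: no port constraint
    pattern: bytes = b""                       # empty: no pattern constraint
    implies: Optional[str] = None              # application protocol implied by a client


@dataclass(frozen=True)
class Packet:
    dst_port: int
    payload: bytes


# Constructed detector table (assumption, not Cisco's VDB). SSH and HTTP use
# ASCII patterns; the SSL entry uses the hex prefix of a TLS record (content
# type 0x16, major version 0x03); DNS is port-only.
DETECTORS: List[Detector] = [
    Detector("SSH", "application protocol", ports=frozenset({22}), pattern=b"SSH-2.0-"),
    Detector("HTTP", "application protocol", pattern=b"HTTP/1.1"),
    Detector("SSL", "application protocol", pattern=b"\x16\x03"),
    Detector("DNS", "application protocol", ports=frozenset({53})),
    Detector("curl", "client", pattern=b"User-Agent: curl/", implies="HTTP"),
]


def detector_matches(det: Detector, pkt: Packet) -> bool:
    """Every constraint the detector carries must hold: port AND pattern when
    both are set, which is why a combined detector is more reliable than either
    criterion on its own."""
    port_ok = not det.ports or pkt.dst_port in det.ports
    pattern_ok = not det.pattern or det.pattern in pkt.payload
    return port_ok and pattern_ok


def detect(pkt: Packet, detectors: List[Detector] = DETECTORS) -> Dict[str, str]:
    """Return {application: "detected" | "implied"} for one packet.

    Direct detections are recorded first so that an application protocol seen
    on the wire is never downgraded to "implied" by a client detector."""
    found: Dict[str, str] = {}
    hits = [d for d in detectors if detector_matches(d, pkt)]
    for det in hits:
        found[det.app] = "detected"
    for det in hits:
        if det.kind == "client" and det.implies and det.implies not in found:
            found[det.implies] = "implied"
    return found


if __name__ == "__main__":
    samples = [
        Packet(22, b"SSH-2.0-OpenSSH_8.9"),          # port and pattern both match
        Packet(2222, b"SSH-2.0-OpenSSH_8.9"),        # pattern matches, port does not
        Packet(53, b"\x00\x01\x01\x00"),             # port-only: any payload on 53 counts
        Packet(8080, b"GET / HTTP/1.1\r\nUser-Agent: curl/8.0\r\n"),
        Packet(8080, b"User-Agent: curl/8.0\r\n"),   # client seen, protocol implied
    ]
    for pkt in samples:
        print(pkt.dst_port, detect(pkt))
```

The port-only DNS detector fires on anything sent to port 53, which is exactly how tunnelled or mislabelled traffic slips past port-based identification; the SSH detector, which requires both the banner and port 22, misses the same banner on port 2222. Both behaviours are worth keeping in mind when deciding how much to trust an application identification in an access control or correlation rule.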
The system characterizes each application that it detects using the criteria described in the following table. The system uses these characteristics to create application filters, or groups of applications. You can use these filters and filters that you create to perform access control, as well as to constrain searches, reports, and dashboard widgets. For more information, see .
Table 35-2 Application Characteristics

Criterion: Risk
Description: How likely the application is to be used for purposes that might be against your organization's security policy. An application's risk can range from Very Low to Very High.
Example: Peer-to-peer applications tend to have a very high risk.

Criterion: Business Relevance
Description: The likelihood that the application is used within the context of your organization's business operations, as opposed to recreationally. An application's business relevance can range from Very Low to Very High.
Example: Gaming applications tend to have a very low business relevance.

Criterion: Type
Description: The type of application:
• Application Protocols represent communications between hosts.
• Clients represent software running on a host.
• Web Applications represent the content or requested URL for HTTP traffic.
Example: HTTP and SSH are application protocols. Web browsers and email clients are clients. MPEG video and Facebook are web applications.

Criterion: Category
Description: A general classification for the application that describes its most essential function. Each application belongs to at least one category.
Example: Facebook is in the social networking category.

Criterion: Tag
Description: Additional information about the application. Applications can have any number of tags, including none.
Example: Video streaming web applications often are tagged high bandwidth and displays ads.
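The following is an added example, not code from the FireSIGHT System, showing how the characteristics in Table 35-2 combine into an application filter: risk and business relevance are ordinal scales compared against a threshold, while type, category and tag are set-membership tests. The catalogue of applications and every rating in it are constructed for the example, following the tendencies the table describes (peer-to-peer: very high risk; gaming: very low business relevance; video streaming: high bandwidth, displays ads); they are not Cisco's VDB values.

```python
"""Added example: application characteristics and filters as in Table 35-2,
with a constructed catalogue (assumed ratings, not Cisco's VDB values).

A filter combines criteria: ordinal thresholds on risk and business relevance,
and set membership on type, category and tag. A filter with no criteria
matches every application, so an empty filter in a block rule blocks everything.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]


def level(name: str) -> int:
    """Map a rating to its position on the Very Low .. Very High scale."""
    if name not in LEVELS:
        raise ValueError(f"unknown rating {name!r}, expected one of {LEVELS}")
    return LEVELS.index(name)


@dataclass(frozen=True)
class Application:
    name: str
    type: str                     # "application protocol", "client" or "web application"
    risk: str
    business_relevance: str
    categories: FrozenSet[str]    # every application has at least one category
    tags: FrozenSet[str] = frozenset()   # any number of tags, including none


@dataclass(frozen=True)
class AppFilter:
    min_risk: Optional[str] = None                # app.risk >= min_risk
    max_business_relevance: Optional[str] = None  # app.business_relevance <= this
    types: Optional[FrozenSet[str]] = None
    categories: Optional[FrozenSet[str]] = None   # any category in common
    tags: Optional[FrozenSet[str]] = None         # any tag in common

    def matches(self, app: Application) -> bool:
        if self.min_risk is not None and level(app.risk) < level(self.min_risk):
            return False
        if (self.max_business_relevance is not None
                and level(app.business_relevance) > level(self.max_business_relevance)):
            return False
        if self.types is not None and app.type not in self.types:
            return False
        if self.categories is not None and not (self.categories & app.categories):
            return False
        if self.tags is not None and not (self.tags & app.tags):
            return False
        return True


# Constructed catalogue (assumption for this example).
CATALOGUE: List[Application] = [
    Application("BitTorrent", "application protocol", "Very High", "Very Low",
                frozenset({"peer to peer"}), frozenset({"high bandwidth"})),
    Application("SSH", "application protocol", "Low", "High", frozenset({"remote access"})),
    Application("Firefox", "client", "Low", "High", frozenset({"web browser"})),
    Application("Steam", "client", "High", "Very Low",
                frozenset({"gaming"}), frozenset({"high bandwidth"})),
    Application("Facebook", "web application", "Medium", "Low",
                frozenset({"social networking"}), frozenset({"displays ads"})),
    Application("YouTube", "web application", "Medium", "Low",
                frozenset({"video streaming"}), frozenset({"high bandwidth", "displays ads"})),
]

HIGH_RISK_LOW_VALUE = AppFilter(min_risk="High", max_business_relevance="Low")
HIGH_BANDWIDTH = AppFilter(tags=frozenset({"high bandwidth"}))
SOCIAL_WEB_APPS = AppFilter(types=frozenset({"web application"}),
                            categories=frozenset({"social networking"}))


def apply_filter(flt: AppFilter, catalogue: List[Application] = CATALOGUE) -> List[str]:
    """Names of the applications in the catalogue that the filter selects, sorted."""
    return sorted(app.name for app in catalogue if flt.matches(app))


def access_decision(app_name: str, block_filters: List[AppFilter],
                    catalogue: List[Application] = CATALOGUE) -> str:
    """Block the application if any block filter matches it, otherwise allow."""
    app = next(a for a in catalogue if a.name == app_name)
    return "block" if any(f.matches(app) for f in block_filters) else "allow"


if __name__ == "__main__":
    for flt in (HIGH_RISK_LOW_VALUE, HIGH_BANDWIDTH, SOCIAL_WEB_APPS):
        print(flt, apply_filter(flt))
    print("YouTube:", access_decision("YouTube", [HIGH_RISK_LOW_VALUE, HIGH_BANDWIDTH]))
```

Two points carry over to real filter-based rules. First, the thresholds are directional: a "high risk" filter selects everything at or above High, so raising a rating in a VDB update can silently pull an application into an existing block rule. Second, a filter with no criteria matches every application, so the empty filter is the one to check for first when a block rule is blocking far more than intended.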