Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 42: Enhancing Network Discovery
Working with Application Detectors
To edit active fingerprints:
Access: Admin/Discovery Admin
Step 1
Select Policies > Network Discovery, then click Custom Operating Systems.
The Custom Fingerprint page appears.
Step 2
Click the edit icon next to the fingerprint you want to edit.
The Edit Custom Fingerprint Product Mappings page appears.
Step 3
Modify the fingerprint name, description, and custom OS display, if necessary.
Step 4
If you want to delete a vulnerability mapping, click Delete next to the mapping in the Pre-Defined OS Product Maps section of the page.
Step 5
If you want to add additional operating systems for vulnerability mapping, select the Product and, if applicable, the Major Version, Minor Version, Revision Version, Build, Patch, and Extension and then click Add OS Definition.
The vulnerability mapping is added to the Pre-Defined OS Product Maps list.
Step 6
Click Save to save your changes.
Working with Application Detectors
License: FireSIGHT
When the FireSIGHT System analyzes IP traffic, it uses detectors to identify the commonly used applications on your network. You use the Detectors page (Policies > Application Detectors) to customize the detection capability of the FireSIGHT System.
The page provides information about each detector, including:
  • the name of the detector
  • the protocol (TCP, UDP, or both) of traffic that the detector inspects
  • whether the type of the detector is application protocol, client, web application, or internal detector
  • for port-based application detectors, the port used by the application traffic
  • details regarding the detected application, including the name, description, risk, business relevance, tags, and categories associated with the application detected by the detector
  • the state (active or inactive) of the detector
The system uses only active detectors to analyze application traffic.
You may notice that the listed detectors have different properties. For example, you can view the settings 
for some detectors but not others. Similarly, you can delete some detectors but not others. This is because 
there are several different types of Cisco-provided detectors, as described in the following sections.
Cisco-Provided Internal Detectors
Internal detectors are application detectors that are only delivered with updates to the FireSIGHT 
System. Internal detectors detect client, web application, or application protocol traffic, depending 
on the detector, but they are categorized as internal detectors rather than one of the other types 
because they are built-in detectors and cannot be deactivated.